Bug ID 838709: Enabling DoS stats also enables page-load-time

Last Modified: Jul 22, 2021

Affected Product: BIG-IP AVR (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.1.0, 15.1.0.1

Fixed In:
16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4

Opened: Oct 15, 2019
Severity: 2-Critical

Symptoms

If collect-all-dos-statistic is enabled, AVR 'promises' the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-Length header.

Impact

In addition to collecting DoS statistics, the JavaScript injection also occurs.
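A check a defender can run against a captured response, as an added example that is not F5's code: it measures by how many bytes the declared Content-Length exceeds the body actually received (the 'promised' injection) and lists any script elements present in the client-side copy of a page but absent from the origin server's copy. The response, page and script path below are constructed, not taken from the bug report.

```python
"""Added example: spot the Content-Length symptom and in-transit script insertion.

A positive delta means the proxy declared more bytes than it delivered, so the
client waits for a payload that never arrives; a non-empty injected list means
a <script> was inserted between origin and client. All sample data is constructed.
"""
import re


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def content_length_delta(raw: bytes) -> int:
    """Return declared Content-Length minus the number of body bytes received."""
    _, headers, body = parse_response(raw)
    declared = int(headers.get("content-length", len(body)))
    return declared - len(body)


SCRIPT_TAG = re.compile(rb"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def injected_scripts(origin_body: bytes, client_body: bytes) -> list:
    """Return <script> elements seen by the client that the origin never sent."""
    origin = set(SCRIPT_TAG.findall(origin_body))
    return [s for s in SCRIPT_TAG.findall(client_body) if s not in origin]


# Constructed sample: the origin returns a 38-byte page; the proxy rewrote
# Content-Length to 38 + 40 (the size of the script it intends to add) but
# the body that reached the client is still the original 38 bytes.
ORIGIN_BODY = b"<html><body><p>hello</p></body></html>"
PROMISED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 78\r\n\r\n" + ORIGIN_BODY
)
# Constructed sample: the same page after a script was actually inserted in transit.
INJECTED_BODY = ORIGIN_BODY.replace(b"</body>", b'<script src="/x.js"></script></body>')

if __name__ == "__main__":
    print(content_length_delta(PROMISED_RESPONSE))       # 40
    print(injected_scripts(ORIGIN_BODY, INJECTED_BODY))  # [b'<script src="/x.js"></script>']
```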

Conditions

Security :: reporting : settings : collect-all-dos-statistic is enabled.

Workaround

iRules can be used to control which pages receive the JavaScript injection. For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.

Fix Information

Changed the condition that inserts the JavaScript injection when "collect all dos stats" is enabled.

Behavior Change