Bug ID 848445: Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer

Last Modified: Oct 06, 2020

Affected Product:
BIG-IP Install/Upgrade(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4

Fixed In:
16.0.0, 15.1.0.5, 14.1.2.8

Opened: Nov 11, 2019
Severity: 3-Major
Related AskF5 Article:
K86285055

Symptoms

Global/URL/Flow parameters with the is_sensitive flag set to true are not masked in the Referer header, and their values may be exposed in logs.

Impact

The parameter is not masked in the 'Referer' header value in logs, although it is masked in the 'QS' string.

Conditions

Global/URL/Flow parameters with the is_sensitive flag set to true are defined in the policy. In logs, the value of such a parameter is masked in the QS but exposed in the Referer header.
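
A check for the condition described above, as an added example (not F5 code): it scans log records for sensitive parameters whose values appear unmasked in the Referer URL and reports only the parameter names. The record layout, the parameter names and the asterisk mask format are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: names of the parameters flagged is_sensitive in the policy.
SENSITIVE = {"token", "ssn"}
# Assumption: a masked value is logged as a run of asterisks.
MASK = re.compile(r"^\*+$")

# Constructed records (not real BIG-IP output): the logged query string
# and the logged Referer header of each request.
SAMPLE = [
    {"id": "1", "qs": "user=bob&token=********",
     "referer": "https://app.example/login?token=abc123&x=1"},
    {"id": "2", "qs": "page=2",
     "referer": "https://app.example/list?token=********"},
    {"id": "3", "qs": "ssn=*********",
     "referer": "https://app.example/form?SSN=EXAMPLEVALUE#top"},
    {"id": "4", "qs": "page=3", "referer": ""},
]

def unmasked_in_referer(referer, sensitive=SENSITIVE):
    """Return names of sensitive parameters left unmasked in the Referer URL."""
    query = urlsplit(referer).query
    leaked = set()
    for name, value in parse_qsl(query, keep_blank_values=True):
        # Names are compared case-insensitively so near-matches are reported.
        if name.lower() in sensitive and value and not MASK.match(value):
            leaked.add(name.lower())
    return sorted(leaked)

def audit(records, sensitive=SENSITIVE):
    """Map record id -> leaked parameter names, for records that leak."""
    findings = {}
    for rec in records:
        leaked = unmasked_in_referer(rec.get("referer", ""), sensitive)
        if leaked:
            findings[rec["id"]] = leaked
    return findings

if __name__ == "__main__":
    # Print names only, so the audit output does not repeat the exposed values.
    for rec_id, names in audit(SAMPLE).items():
        print(f"record {rec_id}: unmasked in Referer: {', '.join(names)}")
```
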

Workaround

Define the parameters as global sensitive parameters.

Fix Information

After the fix, such parameters are treated like global sensitive parameters and are also covered in the Referer header.

Behavior Change