Bug ID 858301: HTTP RFC compliance now checks that the authority matches between the URI and Host header

Last Modified: Aug 05, 2020

Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3

Fixed In:
16.0.0, 15.0.1.4, 13.1.3.4, 12.1.5.2

Opened: Dec 06, 2019
Severity: 3-Major
Related AskF5 Article:
K27551003

Symptoms

It is possible to have an absolute URI with an authority different from that in the Host header. The HTTP profile by default does not verify that these are the same.

Impact

HTTP requests with mismatched authority and Host headers are forwarded to back-end servers.

Conditions

HTTP profile is enabled. A request contains an absolute URI with an authority different from that in the Host header.

Workaround

None.

Fix Information

The HTTP RFC compliance option now rejects requests with an absolute URI whose authority differs from that in the Host header. HTTP PSM's "invalid host" option now checks that the authorities match between the URI and the Host header.
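The check described in this fix, written as an added illustration (not F5's code): for an absolute-form request-target, normalize the URI authority and the Host header value (case-insensitive host, scheme default port filled in) and reject the request when they differ. The function names and the sample requests are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_authority(authority: str, scheme: str):
    """Lower-case the host and substitute the scheme's default port when none is given,
    so that 'Example.com:80' and 'example.com' compare equal for an http:// target."""
    parts = urlsplit(f"//{authority}")           # '//' makes urlsplit treat it as a netloc
    return parts.hostname, (parts.port or DEFAULT_PORTS[scheme])


def parse_request_head(raw: bytes):
    """Split an HTTP/1.1 request head into method, request-target and a header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers


def check_host_authority(raw: bytes) -> Optional[str]:
    """Return None when the request passes, otherwise the reason it should be rejected (400)."""
    _method, target, headers = parse_request_head(raw)
    hosts = headers.get("host", [])
    if len(hosts) != 1:
        return "missing or duplicate Host header"
    parts = urlsplit(target)
    if not parts.netloc or parts.scheme not in DEFAULT_PORTS:
        return None                               # origin-form or CONNECT target: nothing to compare
    try:
        uri_auth = normalize_authority(parts.netloc, parts.scheme)
        host_auth = normalize_authority(hosts[0], parts.scheme)
    except ValueError:
        return "malformed port in Host header or request-target"
    if host_auth[0] is None or uri_auth != host_auth:
        return f"authority {parts.netloc!r} does not match Host {hosts[0]!r}"
    return None


# Constructed sample requests: one matching after normalization, one mismatched, one origin-form.
SAMPLES = (
    b"GET http://Example.COM:80/index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"GET http://other.example/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
)

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw.split(b"\r\n", 1)[0].decode(), "->", check_host_authority(raw) or "ok")
```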

Behavior Change