Last Modified: Sep 13, 2023
Known Affected Versions:
14.1.2, 14.1.3, 14.1.4, 15.1.0, 15.1.1, 16.0.0, 16.0.1, 16.1.0
Opened: Feb 17, 2020
Severity: 3-Major
Description:
When a DoS Application profile or a Bot Defense profile is in use, or when a complex LTM policy is in use, the BIG-IP system removes the Accept-Encoding request header, which causes the backend server to respond with an uncompressed payload. A second effect is that the Bot Defense profile and the L7 DoS profile are always, rather than conditionally, treated internally as profiles that modify the response body; this satisfies the HTTP profile's 'sustain' chunking mode (the default) and triggers client-side chunking. As a result, a response that is unchunked on the server side is always chunked on the client side when the mode is set to 'sustain'.
Symptoms:
-- The response payload sent by the backend server is uncompressed.
-- Performance impact caused by response parsing.
Conditions:
One of the following:
-- A Bot Defense profile is associated with the virtual server.
-- A DoS profile with Application (L7) enabled is associated with the virtual server.
-- A complex LTM policy (multiple policies, or additional rules) is associated with the virtual server.
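The first symptom can be confirmed from the client side by comparing a response fetched through the virtual server with one fetched directly from a pool member, since a client cannot see whether Accept-Encoding survived to the backend. The following script is an added example, not F5's code; the two URLs are assumptions supplied on the command line.

```python
"""Client-side check for the symptom described above (added example, not F5 code).

Assumption: the same application is reachable both through the BIG-IP virtual
server and directly at a pool member (hypothetical URLs passed as arguments).
A request advertising Accept-Encoding is sent both ways; if the pool member
answers compressed but the virtual server does not, the header was stripped
in between, which is the first symptom of this issue.
"""
import sys
import urllib.request

# Constructed request headers: advertise compression so a capable server uses it.
REQUEST_HEADERS = {"Accept-Encoding": "gzip, deflate", "User-Agent": "enc-check/1.0"}


def classify(response_headers):
    """Map response headers to the two observable symptoms.

    'uncompressed': no Content-Encoding (or identity) despite our Accept-Encoding.
    'chunked': Transfer-Encoding: chunked, which the client side shows when a
    body-modifying profile meets the 'sustain' chunking mode.
    """
    hdrs = {k.lower(): v for k, v in response_headers.items()}
    encoding = hdrs.get("content-encoding", "identity").strip().lower()
    transfer = hdrs.get("transfer-encoding", "").lower()
    return {"uncompressed": encoding in ("", "identity"),
            "chunked": "chunked" in transfer}


def header_stripped(via_bigip, direct):
    """True only when the pool member compressed and the virtual server did not.

    If the pool member itself never compresses, the comparison is inconclusive.
    """
    return (not direct["uncompressed"]) and via_bigip["uncompressed"]


def fetch_headers(url):
    """GET the URL with REQUEST_HEADERS; urllib does not decode gzip itself."""
    req = urllib.request.Request(url, headers=REQUEST_HEADERS)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.getheaders())


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: enc_check.py <url-via-virtual-server> <url-direct-to-pool-member>")
    via, direct = (classify(fetch_headers(u)) for u in sys.argv[1:3])
    print("via virtual server:", via)
    print("direct to pool member:", direct)
    print("Accept-Encoding stripped:", header_stripped(via, direct))
```

Use a GET for a URL the pool member actually compresses (for example an HTML page); a backend that never compresses makes the comparison inconclusive rather than negative.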
Workaround:
For version 15.1.0 and later, disable modification of the Referer header:
tmsh modify sys db asm.inject_referrer_hook value false
Note: Using this workaround brings back the impact of ID792341 (see https://cdn.f5.com/product/bugtracker/ID792341.html).
For versions earlier than 15.1.0, there is no workaround.
Fix Information:
The system no longer removes the Accept-Encoding header, and no longer parses the response payload when the configuration does not require it.