Bug ID 924857: Logout URL with parameters resets TCP connection

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1

Fixed In:
16.1.0, 16.0.1.2, 15.1.2, 14.1.4.5

Opened: Jul 07, 2020

Severity: 3-Major

Symptoms

TCP connection reset when 'Logout URI Include' configured.

Impact

TCP connection resets, reporting BIG-IP APM error messages. 'Logout URI Include' does not support custom query strings in logout URIs to include. For example, with a 'Logout URI Include' value of /logoff.html, if a user-agent sends a logout URI request in the form of /logoff.html?a=b, logout URI validation resets the connection and reports an error: -- Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type. Note: BIG-IP APM prohibits the configuration of 'Logout URI Include' from containing a query string on the BIG-IP system. For example, attempting to configure 'Logout URI Include' with a URI in the form of /logoff.html?a=b fails and displays error messages: -- Configuration error: Configured URI (/logoff.html?a=b) is not allowed to contain query parameter.

Conditions

-- Access Policy with a valid 'Logout URI Include' string, e.g.: /logoff.html -- Request to 'Logout URI Include' URI from user-agent that includes a query parameter string, e.g.: /logoff.html?a=b

Workaround

None

Fix Information

The system now ignores unsupported query parameters.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips