Bug ID 927617: 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value

Last Modified: Nov 22, 2021

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
16.0.1, 16.0.0, 15.1.1, 15.1.0, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5

Fixed In:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3

Opened: Jul 15, 2020
Severity: 2-Critical

Symptoms

A valid request that should be passed to the backend server is blocked.

Impact

A request is blocked that should not be.

Conditions

-- A cookie name is defined in Security :: Application Security : Headers : Cookies List :: New Cookie, with Base64 Decoding enabled.
-- The cookie header that contains the valid cookie value is encoded in base64.

Workaround

Disable 'Base64 Decoding' for the desired cookie.

Fix Information

Requests with valid base64-encoded cookies are now correctly passed by the enforcer.

Behavior Change