Bug ID 971217: AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations.

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP AFM(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6

Fixed In:
16.1.0, 15.1.6.1, 14.1.5

Opened: Dec 08, 2020
Severity: 3-Major

Symptoms

An HTTP Security profile can be created and enabled within Advanced Firewall Manager's Protocol Security options. The HTTP Security Profile contains various protocol checks that can be enabled and disabled to allow customization of security checks. When the "Unparsable request content" check is selected, BIG-IP will incorrectly indicate that HTTP POST requests with Content-Length:0 are not allowed assuming that these requests are unparsable. POST requests with Content-Length:0 can still be checked by enabling the "POST request with Content-Length: 0" option in the same profile.

Impact

POST requests of Content-Length 0 cannot be disabled separately from general "Unparsable request content".

Conditions

-- HTTP Protocol Security Profile configured with the "Unparsable request content" check. -- Client sends HTTP POST request with Content-Length:0

Workaround

None.

Fix Information

POST requests containing a Content-Length: 0 header are no longer considered as "Unparsable Request Content" violations and will not incorrectly be reported.

Behavior Change

POST requests containing a Content-Length: 0 header are no longer considered as "Unparsable Request Content" violations within the AFM HTTP protocol security profile.