Bug ID 972385: Adjust The SSRF disallowed hosts to new attack vector

Last Modified: Nov 22, 2021


Affected Product:
BIG-IP ASM(all modules)

Fixed In:
16.1.0

Opened: Dec 09, 2020
Severity: 2-Critical

Symptoms

There is only a default 'disallow' action available for the SSRF host configuration API endpoint 'policies/ssrf-disallowed-hosts', whereas it is supposed to have 'allow' and 'resolve' options as well.

Impact

This results in improper configuration of the SSRF hosts, and the feature's functionality is limited from a usability perspective.

Conditions

- AWAF enabled
- SSRF feature enabled

Workaround

None

Fix Information

The REST endpoint 'policies/ssrf-hosts' has the 'allow', 'disallow' and 'resolve' options.

Behavior Change