Bug ID 972385: Adjust The SSRF disallowed hosts to new attack vector

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP ASM (all modules)

Fixed In:
16.1.0

Opened: Dec 09, 2020

Severity: 2-Critical

Symptoms

There is only a default 'disallow' action available for the SSRF host configuration API endpoint 'policies/ssrf-disallowed-hosts', whereas it is supposed to have 'allow' and 'resolve' options as well.

Impact

As a result, SSRF hosts cannot be configured properly, and the feature's functionality is limited from a usability perspective.

Conditions

- AWAF enabled
- SSRF feature enabled

Workaround

None

Fix Information

The REST endpoint 'policies/ssrf-hosts' has the 'allow', 'disallow' and 'resolve' options.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips