F5 Product Development has assigned ID 683241 to this issue. F5 has confirmed that this issue exists in the products listed in the Applies to (see versions) box, located in the upper-right corner of this article. For information about releases, point releases, or hotfixes that resolve this issue, refer to the following table.
Type of fix | Fixes introduced in | Related articles
Release | 14.1.0, 11.5.6 | K2200: Most recent versions of F5 software
Point release/hotfix | 126.96.36.199, 188.8.131.52 | K9502: BIG-IP hotfix and point release matrix
To mitigate this issue, you can enable the Expiration Time setting of the CSRF Protection for the affected security policy. When this setting is enabled, the CSRF token (CSRT) is issued with a default expiration time of 600 seconds, which should be more than sufficient to reduce the feasibility of an attack. You can reduce the expiration time further; however, a shorter CSRT expiration may cause many false positives in some scenarios, such as legitimate forms that remain open longer than the token lifetime. To enable the Expiration Time setting of the CSRF Protection, perform the following procedure:
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
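As an added illustration, not F5's code and not how BIG-IP ASM builds its CSRT, the following Python models the effect of the mitigation above: a token bound to a session and an issue time is accepted only within a lifetime (600 seconds by default here, matching the advisory), so an exposed token stops being usable once it expires, while a much shorter lifetime starts rejecting legitimate requests from forms left open too long (the false positives the advisory warns about). The signing key and session identifiers are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Default lifetime matching the advisory's stated CSRT expiration of 600 seconds.
DEFAULT_EXPIRATION_SECONDS = 600

# Constructed signing key for this example only; an assumption, not an F5 value.
SERVER_KEY = b"example-key-replace-in-real-deployments"


def issue_token(session_id: str, issued_at: int, key: bytes = SERVER_KEY) -> str:
    """Bind a token to the session and its issue time with an HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(8)                      # makes each token unique
    payload = struct.pack(">Q", issued_at) + nonce      # 8-byte timestamp + 8-byte nonce
    tag = hmac.new(key, session_id.encode() + payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_token(session_id: str, token: str, now: int,
                 max_age: int = DEFAULT_EXPIRATION_SECONDS,
                 key: bytes = SERVER_KEY) -> str:
    """Return "ok", "bad-signature" or "expired".

    The signature is checked before the age so that a forged token is rejected
    without revealing anything about the lifetime policy.
    """
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return "bad-signature"
    if len(raw) != 8 + 8 + 32:
        return "bad-signature"
    payload, tag = raw[:16], raw[16:]
    expected = hmac.new(key, session_id.encode() + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return "bad-signature"
    issued_at = struct.unpack(">Q", payload[:8])[0]
    # Reject tokens from the future as well as tokens older than max_age.
    if now < issued_at or now - issued_at > max_age:
        return "expired"
    return "ok"
```

Lowering `max_age` shrinks the window in which a captured token is useful, but it also expires tokens for users who take longer than that to submit a form, which is the trade-off the workaround describes.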
F5 would like to acknowledge Niall Caffrey of Edgescan for bringing this issue to our attention and for following the highest standards of responsible disclosure.