Note: This issue has been addressed in BIG-IP APM 11.3.0 and later through the use of the X-Frame-Options header on the Access Policy pages. Changing the apm.xframeoptions or apm.xframeoptions.allowfrom db variable on a BIG-IP APM 11.3.0 or later system from its default may reopen the system to this vulnerability. For more information, refer to SOL16642: Overview of the apm.xframeoptions db key.
Recommended action
If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.
F5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.
To mitigate this vulnerability, you can modify the logon web page to include additional code to protect against clickjacking. To do so, perform the following procedure:
Impact of action: Performing the following procedure should not have a negative impact on your system.
You will see the following lines just below this title. The last line, the antiClickjack style element, is the addition this mitigation makes: it hides the page body until the script added in the next step confirms the page is not loaded inside a frame.

```html
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<title>%{session.server.network.name}</title>
<link rel="stylesheet" type="text/css" HREF="/public/include/css/apm.css">
<style id="antiClickjack">body{display:none !important;}</style>
```
Locate the function sessionTimedOut() (typically line 113 after completing the previous modification).
After function sessionTimedOut(), add the following lines, starting at line 114:

```javascript
if (self === top) {
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
} else {
    top.location = self.location;
}
```

When the logon page is the top-level window, the script removes the antiClickjack style so the body is displayed. When the page has been loaded inside a frame, it leaves the body hidden and navigates the top-level window to the logon page URL. This frame-busting script is a client-side fallback: a browser can prevent the top.location navigation or the script itself from running (for example, an iframe with the sandbox attribute), in which case the page stays blank and has nothing to click through. Sending the X-Frame-Options header, as BIG-IP APM 11.3.0 and later do, is the stronger control.
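The following is an added example, not F5's code or part of the original article. It restates the anti-clickjacking check from the two steps above as a function over explicit window and document objects, so that both branches can be exercised outside a browser: the unframed case, where the hiding style is removed, and the framed case, where the body stays hidden and the top-level window is redirected. The window and document objects, and the URLs in them, are constructed stand-ins for this example, not real DOM APIs.

```javascript
// Added example (not F5's code): the logon-page anti-clickjacking check,
// written over explicit window/document objects so it can run under Node.
// All objects and URLs below are constructed stand-ins for the browser DOM.

function makeDocument() {
  // Minimal stand-in for the parts of the DOM the mitigation touches:
  // a <head> containing the <style id="antiClickjack"> element.
  const style = { id: "antiClickjack", parentNode: null };
  const head = {
    children: [style],
    removeChild(node) {
      this.children = this.children.filter((c) => c !== node);
      node.parentNode = null;
      return node;
    },
  };
  style.parentNode = head;
  return {
    head,
    getElementById(id) {
      return head.children.find((c) => c.id === id) || null;
    },
  };
}

// The check itself. `self` is the window running the logon page and `top`
// is the outermost window of the browsing context; a browser hands the
// script the same object for both when the page is not framed.
function antiClickjack(self, top, document) {
  if (self === top) {
    // Not framed: remove the style that hides the body so the page renders.
    const el = document.getElementById("antiClickjack");
    if (el) el.parentNode.removeChild(el);
    return "unhide";
  }
  // Framed: leave the body hidden and send the top window to the real page.
  top.location = self.location;
  return "bust";
}

// Run the check in one of the two browser situations and report what a
// user (or an attacker's framing page) would end up with.
function simulate(framed) {
  const document = makeDocument();
  const self = { location: "https://apm.example.com/my.policy" }; // hypothetical URL
  const top = framed ? { location: "https://attacker.example/decoy" } : self; // hypothetical URL
  const action = antiClickjack(self, top, document);
  return {
    action,
    // The body stays hidden for as long as the style element is present.
    bodyHidden: document.getElementById("antiClickjack") !== null,
    topLocation: top.location,
  };
}

module.exports = { antiClickjack, makeDocument, simulate };
```

The framed run shows the property that makes this pattern safer than a bare top.location redirect: even if the navigation were blocked, bodyHidden remains true, so there is no visible logon form for an overlay to trick a user into clicking.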
Acknowledgments
F5 would like to acknowledge Tony Dimichele, with BNP Paribas US, for his efforts in identifying this issue.
Supplemental Information
CPE

| Name | Operator | Version |
|---|---|---|
| big-ip apm | le | 11.2.1 |