CVSS3: 5.3 Medium
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: HIGH
  Availability Impact: NONE
  Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSS2: 4 Medium
  Access Vector: NETWORK
  Access Complexity: HIGH
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N

EPSS: 0.002 Low
  Percentile: 52.2%
Vulnerability Recommended Actions
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
F5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.
To mitigate this vulnerability, you can use an iRule to verify the target URL provided in the request. In the following procedure, the example iRule decodes the base64-encoded value of the SSO_ORIG_URI query parameter and checks its host against a target host that you specify. After you determine an acceptable target host based on your configuration, you must define that host in the WHITELIST section of the iRule. If the host in the request does not exactly match the defined target host, the request is discarded and the connection is closed. To configure the iRule and associate it with a virtual server, perform the following procedure:
Note: The following example is configured to allow requests only when the host portion of the decoded URL matches example.com. You must replace example.com in the WHITELIST section with an acceptable target host, based on your configuration.
Impact of action: The following iRule generates logging that is purely informational. The logging level can be reduced without affecting functionality.
For example:
multi_domain_sso_redirect
when HTTP_REQUEST {
    # Only GET requests carry the SSO_ORIG_URI query parameter that is checked here
    if { [HTTP::method] ne "GET" } { return }
    set QUERY_URI [URI::query [HTTP::uri] SSO_ORIG_URI]
    # No SSO_ORIG_URI parameter: nothing to validate
    if { $QUERY_URI eq "" } { return }
    set FAIL 0
    # SSO_ORIG_URI is base64 encoded; a decode failure or an empty result is rejected
    if { $FAIL == 0 && ([catch {b64decode $QUERY_URI} DECODED_URI] != 0 || $DECODED_URI eq "") } {
        log local0. [concat "Could not decode SSO_ORIG_URI: " $QUERY_URI]
        set FAIL 1
    }
    # Split the decoded URI into scheme and host; both must be present
    if { $FAIL == 0 && [scan $DECODED_URI {%[^:/]://%[^/]} PROTO HOST] != 2 } {
        log local0. [concat "Could not parse decoded URI: " $DECODED_URI]
        set FAIL 1
    }
    # WHITELIST: the host is compared case-insensitively against the allowed target host.
    # Replace example.com with the target host that matches your configuration.
    if { $FAIL == 0 } {
        set HOST [string tolower $HOST]
        if { $HOST ne "example.com" } {
            log local0. [concat "Host did not match whitelist: " $HOST]
            set FAIL 1
        }
    }
    if { $FAIL != 0 } {
        # Discard the request and close the connection
        TCP::close
        return
    }
    log local0. [concat "SSO_ORIG_URI validated for host: " $HOST]
}
Supplemental Information
support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html
support.f5.com/kb/en-us/solutions/public/10000/900/sol10942.html
support.f5.com/kb/en-us/solutions/public/13000/100/sol13123.html
support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html
support.f5.com/kb/en-us/solutions/public/6000/600/sol6664.html
support.f5.com/kb/en-us/solutions/public/9000/500/sol9502.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html