SOL26738102 - BIG-IP APM SSO vulnerability CVE-2016-3687

Published: 2016-06-13 00:00:00
Source: support.f5.com

CVSS3: 5.3 Medium
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
  Attack Vector: NETWORK | Attack Complexity: HIGH | Privileges Required: NONE | User Interaction: REQUIRED
  Scope: UNCHANGED | Confidentiality Impact: NONE | Integrity Impact: HIGH | Availability Impact: NONE

CVSS2: 4 Medium
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N
  Access Vector: NETWORK | Access Complexity: HIGH | Authentication: NONE
  Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: NONE

EPSS: 0.002 Low (Percentile: 52.2%)

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

F5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.

To mitigate this vulnerability, you can use an iRule to verify the target URL provided in the request. In the following procedure, the example iRule verifies the value of the SSO_ORIG_URI parameter based on a target host that you specify. After you determine an acceptable target host that is based on your configuration, you must define the target host in the WHITELIST section of the iRule. If the host in the request does not match the defined target host, the request is discarded and the connection is closed. To configure the iRule and associate it with a virtual server, perform the following procedure:

Note: The following example is configured to allow requests when the host portion matches example.com. You must replace example.com in the WHITELIST section with an acceptable target host, based on your configuration.

Impact of action: The following iRule generates log messages that are purely informational. The logging level can be reduced without affecting functionality.

  1. Log in to the Configuration utility.
  2. Navigate to Local Traffic > iRules > Create.
  3. In the Name box, type a name for the iRule.

For example:

multi_domain_sso_redirect

  4. In the Definition box, enter the following text, replacing example.com with your target host:

when HTTP_REQUEST {

    # Exit this event if the request isn't a GET
    if {[HTTP::method] ne "GET"} { return }

    # Exit this event if the request does not contain the SSO_ORIG_URI query parameter
    set QUERY_URI [URI::query [HTTP::uri] SSO_ORIG_URI]
    if {$QUERY_URI eq ""} { return }

    # Track failures; HOST is initialised so the case-fold below cannot fail on an unparsed URI
    set FAIL 0
    set HOST ""

    # Decode the parameter (parentheses make the intended precedence explicit)
    if {$FAIL == 0 and ([catch {b64decode $QUERY_URI} DECODED_URI] != 0 or $DECODED_URI eq "")} {
        log local0. [concat "Could not decode SSO_ORIG_URI: " $QUERY_URI]
        set FAIL 1
    }

    # Parse and case-fold the host portion (scheme, "://", then everything up to the next "/")
    if {$FAIL == 0 and [scan $DECODED_URI {%[^:/]://%[^/]} PROTO HOST] != 2} {
        log local0. [concat "Could not parse decoded URI: " $DECODED_URI]
        set FAIL 1
    }
    set HOST [string tolower $HOST]

    # WHITELIST: compare HOST to the user-defined target host(s).
    if {$FAIL == 0 and $HOST ne "example.com"} {
        log local0. [concat "Host did not match whitelist: " $HOST]
        set FAIL 1
    }

    # Discard requests that set FAIL
    if {$FAIL != 0} {
        TCP::close
        return
    }

    # Log success
    log local0. [concat "SSO_ORIG_URI validated for host: " $HOST]
}

  5. Click Finished.
  6. Click Virtual Servers.
  7. In the Name box, click the name of the affected virtual server.
  8. Click the Resources tab.
  9. In the iRules section, click Manage.
  10. To move the iRule to the Enabled column, from the Available column, select the iRule you previously created and then click the << button.
  11. Click Finished.
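The checks the iRule performs, reimplemented in Python as an added stand-alone example (not F5's code) so the decision logic can be exercised offline before the iRule is deployed: the GET check, base64 decode, scheme://host parse, case-folding and exact whitelist match, with the same log wording. example.com stands in for the real target host; how the parameter is percent-encoded in the request URI is this example's assumption.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote, urlsplit

# Hypothetical allow-list: the iRule's WHITELIST section, with example.com
# standing in for the real SSO target host (replace it, as the article says).
WHITELIST = {"example.com"}

# Same shape as the iRule's scan pattern {%[^:/]://%[^/]}:
# scheme, literal "://", then the host portion up to the next "/".
_URI_RE = re.compile(r"^([^:/]+)://([^/]+)")


def _query_param(request_uri, name):
    """Return one query parameter, percent-decoded only.
    '+' is left alone because it is part of the base64 alphabet."""
    for pair in urlsplit(request_uri).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return ""


def encode_param(target_uri):
    """Build an SSO_ORIG_URI value: base64 as the iRule expects, then
    percent-encoded for the query string (the encoding is an assumption)."""
    return quote(base64.b64encode(target_uri.encode()).decode(), safe="")


def validate_sso_orig_uri(method, request_uri, whitelist=WHITELIST):
    """Reproduce the iRule's decision for one request.
    Returns ("pass", reason) where the iRule lets the request through
    (not a GET, no parameter, or host allowed) and ("close", reason)
    where it would TCP::close. Reasons mirror the iRule's log lines."""
    if method != "GET":
        return "pass", "not a GET"
    param = _query_param(request_uri, "SSO_ORIG_URI")
    if param == "":
        return "pass", "no SSO_ORIG_URI parameter"
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        decoded = ""
    if decoded == "":
        return "close", "Could not decode SSO_ORIG_URI: " + param
    match = _URI_RE.match(decoded)
    if match is None:
        return "close", "Could not parse decoded URI: " + decoded
    host = match.group(2).lower()      # case-fold before comparing
    if host not in whitelist:          # exact match: a port suffix also fails
        return "close", "Host did not match whitelist: " + host
    return "pass", "SSO_ORIG_URI validated for host: " + host
```

Because the comparison is an exact string match, a target that legitimately carries a port or userinfo in the host portion (for example example.com:8443) is closed as well, so add those forms to the whitelist if your configuration uses them.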

Supplemental Information

  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL167: Downloading software and firmware from F5
  • SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)
  • SOL9502: BIG-IP hotfix matrix
  • SOL6664: Obtaining and installing OPSWAT hotfixes
  • SOL10942: Installing OPSWAT hotfixes on BIG-IP APM systems
