SOL82679059 - BIG-IP APM SSO vulnerability CVE-2016-3686

2016-04-09 00:00:00
support.f5.com

EPSS

0.002

Percentile

61.7%

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

F5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.

To mitigate this vulnerability, you can create and apply an iRule to the affected BIG-IP APM virtual server to obfuscate the session ID in URLs. The iRule replaces the F5SSO_SID value in redirect Location headers with a SHA-512 hash of the value, stores the hash-to-session-ID mapping in a session table, and maps the hash back to the real session ID when the SSO response request arrives. To do so, perform the following procedure:

Impact of action: The impact of the suggested workaround depends on the specific environment. F5 recommends that you test changes during a maintenance window, with consideration to the possible impact on your specific environment.

  1. Log in to the Configuration utility.
  2. Navigate to Local Traffic > iRules > Create.
  3. In the Name box, type a name for the iRule.

For example:

sessionid_obfuscation

  4. In the Definition box, type the following text:

when HTTP_RESPONSE_RELEASE {
    if { [HTTP::is_redirect] } {
        log local0. "Redirect detected with Location header: [HTTP::header Location]"
        set loc [HTTP::header Location]
        if { $loc contains "F5SSO_SID" } {
            # Use a hashed F5SSO_SID value inside the Location header.
            # The +10 skips the "F5SSO_SID=" prefix; the session ID is assumed
            # to be the last parameter in the Location URL.
            set F5_sid [string range $loc [expr {[string last "F5SSO_SID" $loc] + 10}] [string length $loc]]
            log local0. "F5_sid: $F5_sid"

            set shasid [URI::encode [b64encode [sha512 $F5_sid]]]

            # Store the real session ID in the "sha" subtable, keyed by its
            # hash, so the request side can map the hash back to the session ID.
            table add -subtable "sha" $shasid $F5_sid indefinite indefinite
            log local0. "adding sessionID $F5_sid to sha subtable with value $shasid"

            set newloc [string map [list $F5_sid $shasid] $loc]
            log local0. "Location after obfuscation: $newloc"
            HTTP::header replace Location $newloc

            unset loc
            unset newloc
        }
    }
}

when HTTP_REQUEST {
    log local0. "received [HTTP::method] [HTTP::host] [HTTP::uri]"
    if { [HTTP::uri] contains "F5Networks-SSO-Resp" } {
        # Switch the F5SSO_SID value back from the hash to the real value.
        log local0. "[HTTP::uri] contains F5Networks-SSO-Resp"
        set newuri2 [HTTP::uri]
        set F5_hash_b64 [string range $newuri2 [expr {[string first "F5SSO_SID=" $newuri2] + [string length "F5SSO_SID="]}] [string length $newuri2]]
        log local0. "F5SSO_SID value in base64 is: $F5_hash_b64"
        set lookup_sid [table lookup -subtable "sha" $F5_hash_b64]
        log local0. "lookup_sid is: $lookup_sid"
        set newuri2 [string map [list $F5_hash_b64 $lookup_sid] [HTTP::uri]]
        HTTP::uri $newuri2
        log local0. "URI with SID: $newuri2"

        unset newuri2
        unset lookup_sid
        unset F5_hash_b64
    }

    # Route traffic to the internal APM virtual server accordingly.
    if { [HTTP::host] == "www.primaryauth.com" } {
        use virtual VS_internal_primaryauth
    } elseif { [HTTP::host] == "www.site.com" } {
        use virtual VS_internal_site1
    }
}

  5. Click Finished.
  6. Click Virtual Servers.
  7. In the Name box, click the name of the virtual server that is affected by this issue.
  8. Click the Resources tab.
  9. In the iRules section, click Manage.
  10. To move the iRule to the Enabled column, from the Available column, select the iRule you previously created, and click the << button.
  11. Click Finished.
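The following Python model of the iRule's two halves is an added example; it is not F5's code and not part of this advisory. It reproduces the response-side transform (SHA-512, base64, URL-encode, then record the hash-to-session-ID mapping in a table) and the request-side reverse lookup, so the behaviour can be checked offline. Two deliberate generalizations: the session ID parameter is parsed from the query string rather than assumed to be the last parameter, and an unknown hash on the request side is flagged instead of being substituted by an empty lookup result. The host names, paths and session IDs are constructed values; the table is keyed by the base64 digest and URL-encoded only on output, which is equivalent to the iRule keying by the URL-encoded form.

```python
import base64
import hashlib
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SID_PARAM = "F5SSO_SID"                      # parameter name used by the iRule
SSO_RESPONSE_MARKER = "F5Networks-SSO-Resp"  # path marker the iRule matches on

# Stand-in for the iRule's "sha" subtable: opaque token -> real session ID.
# On a BIG-IP this lives in the session table; here it is a plain dict.
sha_table = {}


def obfuscate_sid(sid: str) -> str:
    """Mirror of [b64encode [sha512 $F5_sid]]: SHA-512 of the session ID,
    base64-encoded. URL-encoding (URI::encode) is applied when the token is
    written into the Location header."""
    digest = hashlib.sha512(sid.encode()).digest()
    return base64.b64encode(digest).decode()


def rewrite_location(location: str) -> str:
    """Response side (HTTP_RESPONSE_RELEASE): replace a raw F5SSO_SID value in
    a redirect Location with its hash and remember the mapping. Locations
    without the parameter are returned unchanged."""
    parts = urlsplit(location)
    params = parse_qsl(parts.query, keep_blank_values=True)
    out = []
    for name, value in params:
        if name == SID_PARAM and value:
            token = obfuscate_sid(value)
            sha_table[token] = value   # table add -subtable "sha" $shasid $F5_sid
            value = token
        out.append((name, value))
    # urlencode percent-encodes '+', '/' and '=' from the base64 token
    return urlunsplit(parts._replace(query=urlencode(out)))


def restore_uri(uri: str):
    """Request side (HTTP_REQUEST): on the SSO response URI, map the token back
    to the real session ID. Returns (rewritten_uri, found). A token with no
    table entry is left untouched and reported as not found, so the caller can
    reject the request rather than forward an empty session ID."""
    parts = urlsplit(uri)
    if SSO_RESPONSE_MARKER not in parts.path:
        return uri, True           # not an SSO response: pass through unchanged
    params = parse_qsl(parts.query, keep_blank_values=True)
    out, found = [], True
    for name, value in params:
        if name == SID_PARAM:
            real = sha_table.get(value)   # table lookup -subtable "sha" $F5_hash_b64
            if real is None:
                found = False
            else:
                value = real
        out.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(out))), found


if __name__ == "__main__":
    # Constructed sample redirect; "sid-abc123" stands in for a real APM session ID.
    loc = rewrite_location("https://www.site.com/F5Networks-SSO-Resp?F5SSO_SID=sid-abc123&rc=1")
    print("obfuscated Location:", loc)
    request_uri = loc.split("www.site.com", 1)[1]   # path + query as the browser sends it
    print("restored URI:", restore_uri(request_uri))
    print("forged token:", restore_uri("/F5Networks-SSO-Resp?F5SSO_SID=not-in-table"))
```

The round trip succeeds only for tokens the response side issued; anything else is reported as not found, which is the check to add in front of `HTTP::uri $newuri2` if the iRule is extended beyond the advisory's version.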

Supplemental Information

  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL167: Downloading software and firmware from F5
  • SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)
