Vulnerability Recommended Actions
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
F5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.
To mitigate this vulnerability, you can create and apply an iRule to the affected BIG-IP APM virtual server to obfuscate the sessionid in URLs. To do so, perform the following procedure:
Impact of action: The impact of the suggested workaround depends on the specific environment. F5 recommends that you test changes during a maintenance window, with consideration to the possible impact on your specific environment.
For example:
iRule name: sessionid_obfuscation
when HTTP_RESPONSE_RELEASE {
    if { [HTTP::is_redirect] } {
        log local0. "Redirect detected with Location header: [HTTP::header Location]"
        set loc [HTTP::header Location]
        if { $loc contains "F5SSO_SID" } {
            # Everything after "F5SSO_SID=" (9 characters plus "=") is the clear-text session ID
            set F5_sid [string range $loc [expr {[string last "F5SSO_SID" $loc] + 10}] [string length $loc]]
            log local0. "F5_sid: $F5_sid"
            # Replace the session ID with a URI-safe, base64-encoded SHA-512 hash and remember the mapping
            set shasid [URI::encode [b64encode [sha512 $F5_sid]]]
            table add -subtable "sha" $shasid $F5_sid indefinite indefinite
            log local0. "adding sessionID $F5_sid to sha subtable with value $shasid"
            set newloc [string map [list $F5_sid $shasid] $loc]
            log local0. "Location after obfuscation: $newloc"
            HTTP::header replace Location $newloc
            unset loc
            unset newloc
        }
    }
}
when HTTP_REQUEST {
    log local0. "received [HTTP::method] [HTTP::host] [HTTP::uri]"
    if { [HTTP::uri] contains "F5Networks-SSO-Resp" } {
        log local0. "[HTTP::uri] contains F5Networks-SSO-Resp"
        set newuri2 [HTTP::uri]
        set F5_hash_b64 [string range $newuri2 [expr {[string first "F5SSO_SID=" $newuri2] + [string length "F5SSO_SID="]}] [string length $newuri2]]
        log local0. "F5SSO_SID value in base64 is: $F5_hash_b64"
        set lookup_sid [table lookup -subtable "sha" $F5_hash_b64]
        log local0. "lookup_sid is: $lookup_sid"
        # Only rewrite when the hash is known; an unknown hash would otherwise be replaced with an empty string
        if { $lookup_sid ne "" } {
            set newuri2 [string map [list $F5_hash_b64 $lookup_sid] [HTTP::uri]]
            HTTP::uri $newuri2
            log local0. "URI with SID: $newuri2"
        }
        unset newuri2
        unset lookup_sid
        unset F5_hash_b64
    }
    if { [HTTP::host] == "www.primaryauth.com" } {
        use virtual VS_internal_primaryauth
    } elseif { [HTTP::host] == "www.site.com" } {
        use virtual VS_internal_site1
    }
}
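The following Python script is an added example, not F5's code and not part of this article. It models the two halves of the iRule above outside BIG-IP so the rewrite logic can be tested offline: the response side hashes the clear-text F5SSO_SID value, records the hash-to-ID mapping (standing in for the "sha" subtable), and rewrites the Location header; the request side maps the hash back and refuses to rewrite when the hash is unknown, the failure case the iRule must guard against. The marker strings come from the iRule; the URL and session ID are constructed sample values, and urllib's percent-encoding is used as an approximation of URI::encode.

```python
import base64
import hashlib
import urllib.parse

# Marker strings taken from the iRule on this page
SID_MARKER = "F5SSO_SID="
REQ_MARKER = "F5Networks-SSO-Resp"

# Constructed stand-in for the iRule's "sha" subtable: obfuscated token -> real session ID
sha_table = {}


def obfuscate_sid(sid):
    """Mirror of [URI::encode [b64encode [sha512 $F5_sid]]]: SHA-512, base64, percent-encode."""
    digest = hashlib.sha512(sid.encode("utf-8")).digest()
    b64 = base64.b64encode(digest).decode("ascii")
    # safe="" encodes '+', '/' and '=' as well, so the token survives as one URI query value
    return urllib.parse.quote(b64, safe="")


def rewrite_location(location):
    """HTTP_RESPONSE_RELEASE side: replace the clear session ID in a redirect Location header.

    Returns the header unchanged when it carries no F5SSO_SID parameter.
    """
    if SID_MARKER not in location:
        return location
    # Like the iRule, take everything after the last "F5SSO_SID=" as the session ID
    sid = location[location.rfind(SID_MARKER) + len(SID_MARKER):]
    token = obfuscate_sid(sid)
    sha_table[token] = sid
    return location.replace(sid, token)


def restore_uri(uri):
    """HTTP_REQUEST side: map the obfuscated token back to the real session ID.

    Returns the URI unchanged when it is not an SSO response, and None when the
    token is not in the table (the case where an unguarded rewrite would write an
    empty session ID into the URI).
    """
    if REQ_MARKER not in uri or SID_MARKER not in uri:
        return uri
    token = uri[uri.find(SID_MARKER) + len(SID_MARKER):]
    sid = sha_table.get(token)
    if sid is None:
        return None
    return uri.replace(token, sid)


if __name__ == "__main__":
    # Constructed sample redirect, as the APM virtual server might emit it
    original = "https://www.site.com/F5Networks-SSO-Resp?F5SSO_SID=abc123"
    obfuscated = rewrite_location(original)
    print("outbound Location:", obfuscated)
    # The client follows the redirect; only the URI part reaches HTTP_REQUEST
    uri = obfuscated[len("https://www.site.com"):]
    print("restored URI:     ", restore_uri(uri))
    print("unknown token:    ", restore_uri("/F5Networks-SSO-Resp?F5SSO_SID=bogus"))
```

Running the script shows the clear session ID leaving only in the table, the token being resolved back on the follow-up request, and an unknown token being rejected rather than silently turned into an empty value.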
Supplemental Information
support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html
support.f5.com/kb/en-us/solutions/public/13000/100/sol13123.html
support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html