sol14712: The BIG-IP APM access policy logout page may be vulnerable to XSS cookie tampering
Security Advisory

Original Publication Date: 09/19/2013
Updated Date: 10/08/2013

The vulnerability described in this article has been resolved, or does not affect any F5 products. There will be no further updates, unless new information is discovered.

Description

The BIG-IP APM access policy logout page may be vulnerable to cross-site scripting (XSS).

Impact

XSS protection in the BIG-IP APM access policy logout page may be insufficient.

Status

F5 Product Development tracked this vulnerability as ID 407603 and has evaluated the currently-supported releases for potential vulnerability.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

Product | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature
BIG-IP LTM | None | 10.0.0 - 10.2.4, 11.0.0 - 11.4.1 | None
BIG-IP AAM | None | 11.4.0 - 11.4.1 | None
BIG-IP AFM | None | 11.3.0 - 11.4.1 | None
BIG-IP Analytics | None | 11.0.0 - 11.4.1 | None
BIG-IP APM | 10.1.0 - 10.2.4, 11.1.0 - 11.3.0 | 10.2.4 HF7 and later, 11.1.0 HF9 and later, 11.2.0 HF6 and later, 11.2.1 HF6 and later, 11.3.0 HF5 and later, 11.4.0 - 11.4.1 | Access Policy logout page
BIG-IP ASM | None | 10.0.0 - 10.2.4, 11.0.0 - 11.4.1 | None
BIG-IP Edge Gateway | None | 10.1.0 - 10.2.4, 11.0.0 - 11.4.1 | None
BIG-IP GTM | None | 10.0.0 - 10.2.4, 11.0.0 - 11.4.1 | None
BIG-IP Link Controller | None | 10.0.0 - 10.2.4, 11.0.0 - 11.4.1 | None
BIG-IP PEM | None | 11.3.0 - 11.4.1 | None
BIG-IP PSM | None | 10.0.0 - 10.2.4, 11.0.0 - 11.4.1 | None
BIG-IP WebAccelerator | None | 10.0.0 - 10.2.4, 11.0.0 - 11.3.0 | None
BIG-IP WOM | None | 10.0.0 - 10.2.4, 11.0.0 - 11.3.0 | None
ARX | None | 5.0.0 - 5.3.1, 6.0.0 - 6.4.0 | None
Enterprise Manager | None | 2.0.0 - 2.3.0, 3.0.0 - 3.1.1 | None
FirePass | None | 6.0.0 - 6.1.0, 7.0.0 | None
BIG-IQ Cloud | None | 4.0.0 - 4.1.0 | None
BIG-IQ Security | None | 4.0.0 - 4.1.0 | None

Recommended action

To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the previous table.

To mitigate this vulnerability, you can modify the logout web page to comment out the specific code identified as the issue (the block that writes the LastMRH_Session cookie value into the page with innerHTML). To do so, perform the following procedure:

Impact of action: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the BIG-IP Configuration utility.
  2. Click Access Policy.
  3. Click Customization.
  4. Click Advanced Customization.
  5. From the Edit Mode menu, select Advanced.
  6. Select the resource type folder for Access Profiles.
  7. Select the subfolder that shares the name of the affected access policy.
  8. Select the Logout folder.
  9. Select the logout.inc file.
  10. Locate the following line, which is typically line 40 of an unmodified logout.inc file:

    var display_session = get_cookie("LastMRH_Session");

    The entire JavaScript code appears as follows:

    var display_session = get_cookie("LastMRH_Session");
    if(null != display_session) {
    document.getElementById("sessionDIV").innerHTML = '<BR>The session reference number: ' + display_session + '<BR><BR>';
    document.getElementById("sessionDIV").style.visibility = "visible";
    }

  11. Place the double forward slash characters (//) in front of each line.

    For example:

    // var display_session = get_cookie("LastMRH_Session");
    // if(null != display_session) {
    // document.getElementById("sessionDIV").innerHTML = '<BR>The session reference number: ' + display_session + '<BR><BR>';
    // document.getElementById("sessionDIV").style.visibility = "visible";
    // }

  12. Click Save Draft.
  13. Click Save.
  14. Click Apply Access Policy.
  15. Click Apply Access Policy.
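The root cause of the issue above is that the LastMRH_Session cookie value is concatenated straight into innerHTML, so any markup placed in the cookie is rendered by the browser. The following is an added example, not F5's own logout.inc code: it places the page's concatenation pattern beside an escaping version that still displays the session reference number. The getCookie helper is an assumed stand-in for the page's get_cookie, and the functions return strings rather than touching the DOM so the behaviour can be checked outside a browser.

```javascript
// Added example; the helpers below are assumptions, not F5's logout.inc code.

// Look up one cookie in a "name=value; name2=value2" string (a stand-in for get_cookie).
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return rest.join('=');
  }
  return null;
}

// Turn a value into inert text by escaping the characters that carry meaning in HTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// The pattern used by the original logout.inc: the raw cookie value goes into innerHTML,
// so markup in a tampered cookie is rendered as markup.
function vulnerableSessionMarkup(cookieString) {
  const display_session = getCookie(cookieString, 'LastMRH_Session');
  if (null == display_session) return '';
  return '<BR>The session reference number: ' + display_session + '<BR><BR>';
}

// Hardened variant: same display, but the cookie value is escaped before it is
// inserted, so the browser shows it literally instead of interpreting it.
function safeSessionMarkup(cookieString) {
  const display_session = getCookie(cookieString, 'LastMRH_Session');
  if (null == display_session) return '';
  return '<BR>The session reference number: ' + escapeHtml(display_session) + '<BR><BR>';
}

// Constructed sample: a cookie whose value carries markup, as a tampered cookie would.
const SAMPLE_TAMPERED_COOKIES = 'LastMRH_Session=1234<b>tampered</b>; other=1';
```

In the page itself, the equivalent is to assign the cookie value to a child element's textContent rather than building an innerHTML string, which removes the need for manual escaping.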

Acknowledgments

F5 would like to acknowledge Tony Dimichele of BNP Paribas US for bringing this issue to our attention, and for following the highest standards of responsible disclosure.
