For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

biggaraga's avatar
biggaraga
Icon for Nimbostratus rankNimbostratus
Jun 04, 2021

Authorization Header Defined as Unparsable by F5_ASM

One of our development teams is adding a new OAUTH token feature to an application. Sending the JSON call with the Authorization header creates an error within F5_ASM (ver 15.13): HTTP Validation U...
application delivery
ASM Advanced WAF
F5_ASM
JSON
jwt
AlexBCT's avatar
AlexBCT
Icon for Cumulonimbus rankCumulonimbus
Jun 05, 2021

Hi,

 

Any chance that you've run into this bug? https://support.f5.com/csp/article/K67111200

Version 15.1.3 is one of the affected versions

 

Hope this helps.

 

 

biggaraga's avatar
biggaraga
Icon for Nimbostratus rankNimbostratus
Jun 07, 2021
For clarification, my team has been reading through these: Disable the Unparsable request content violation You may disable the Unparsable request content violation in the affected security policies. Impact of workaround: The BIG-IP will no longer trigger violations for any unparseable content, not specifically limited to Authorization headers. Enable the 'ignore_authorization_header_decode_failure' internal parameter Consider enabling this internal parameter to ignore only failures to decode authorization headers, leaving the Unparsable request content violation enabled in the policy. There’s two options here, and we’re wondering if this is granular to do per policy or if we have to do for all policies. Could you give us clarity? Thanks