Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Cyril_M's avatar
Cyril_M
Icon for Altostratus rankAltostratus
Dec 30, 2019

DELETE method with AS3 is too powerful !

Am I the only one totally freaking out about the fact that with AS3, you just have to send a DELETE method to mgmt/shared/appsvcs/declare and everything is gone ?? All your production system could be...
application delivery
AS3
big-ip
devops
iControlLX
Chase_Abbott's avatar
Chase_Abbott
Icon for Admin rankAdmin
Dec 30, 2019

Using AS3 in conjunction with BIG-IQ does allow RBAC control over REST cmds. You can use prebuilt roles or create granular custom sets and select individual commands or command sets.

 

But yea, since AS3 is declarative and not iterative, it doesn't have the same order of operation that regular DELETE commands would limit damage with. It's up there with sending backups to /dev/null. You CAN do it, but should you? 😃

 

More here: https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/userguide/big-iq.html

 

  Right Jason?

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Dec 30, 2019

    Chase is correct. This is the expected behavior for a declarative interface. With great power comes great responsibility, right? :)

     

    If that's too much power given the access controls that make sense in your environment, the imperative interfaces are still available.