Our security team reported that multiple vulnerabilities has been detected on one of VIP: 1.2.3.4 (on BIG-IP LTM v12.1.2 version.)
Please refer the list as below
1.Cookie Does Not Contain The "secure" Attribute
2.Path-Based Vulnerability
3. Session Cookie Does Not Contain the "Secure" Attribute
4.Slow HTTP POST vulnerability
I also Referred this below article but "I don't find any kind of persistence profile enabled and also no custom http profile exist on this mentioned VIP ".
K30524234: The HTTPOnly and Secure attributes are enabled by default in the Cookie persistence profile
If cookies persistence not enabled on VIP, then is it something need to look at backend server (poolmember). please confirm me
F5 will add it's own cookie in one of the following scenerios
cookie persistence
ASM
APM
custom iRule adding a cookie
If you have confirmed BIGIP is not adding any of the cookie then it must be set by the application. Ask security team for the cookie names which do not have secure/HTTPonly attributes set. If those are not added by BIGIP it can be fixed by the DEV/server team. Alternatively, BIGIP can also fix it by adding custom iRule to set these attributes in the HTTP RESPONSE event.
