F5 BIG-IP Cookie Information Disclosure Vulnerability

Question

I ran into an issue, it says "F5 BIG-IP Cookie Information Disclosure Vulnerability".
I tried out both solutions as follows, the problem still didn't get resolved. 
Did I do something wrong? Is there someone able to help me on this? Thank you. (My f5 version is 9.44)&nbsp;

Configuring cookie encryption by using the BIG-IP Configuration utility
 a..Log in to the Configuration utility.
 b.Click Local Traffic.
 c.Click Profiles.
 d.From the Services drop-down menu, select HTTP.
 e.Click Create.
 f.Enter a name for the HTTP profile.
 g.In the Encrypt Cookies box, enter one or more cookie names.
 h.In the Cookie Encryption Passphrase box, enter a passphrase for the cookie.
 i.To confirm the passphrase for the cookie, in the Confirm Cookie Encryption Passphrase box, re-type the passphrase.
 j.Click Update.
 k.Associate the HTTP profile with the virtual server.&nbsp;

HTTP::cookie encrypt / decrypt
  I added a new iRule as following.
01 when CLIENT_ACCEPTED {&nbsp;
02   set cookiename "MyCookie" 
03   set encryption_passphrase "abcd1234" 
04 }&nbsp;
05 when HTTP_RESPONSE {&nbsp;
06   if { [HTTP::cookie exists $cookiename] } {&nbsp;
07     HTTP::cookie encrypt $cookiename $encryption_passphrase 
08   }&nbsp;
09 }&nbsp;
10 when HTTP_REQUEST {&nbsp;
11   if { [HTTP::cookie exists $cookiename] } {&nbsp;
12     set decrypted [HTTP::cookie decrypt $cookiename $encryption_passphrase]&nbsp;
13     if { ($decrypted eq "") } {&nbsp;
14        Cookie wasn't encrypted, delete it&nbsp;
15       HTTP::cookie remove $cookiename 
16     }&nbsp;
17   }&nbsp;
18 } &nbsp;

nitass · Answer

the problem still didn't get resolved. Did I do something wrong?&nbsp;

did you see unencrypted cookie after applying the solution?&nbsp;

nitass_89166 · Answer

the problem still didn't get resolved. Did I do something wrong?&nbsp;

did you see unencrypted cookie after applying the solution?&nbsp;

jacky_tseng_140 · Answer

Nitass, Thanks for response. 
I use 3rd party tool to scan for vulnerability and it keeps saying the same message as 'title' even though I have tried out these two solutions. I was thinking maybe I did it incorrectly or it might have other solutions.

jacky_tseng_140 · Answer

Nitass, Thanks for response. 
I use 3rd party tool to scan for vulnerability and it keeps saying the same message as 'title' even though I have tried out these two solutions. I was thinking maybe I did it incorrectly or it might have other solutions.

nitass · Answer

have you ever used http analyzer tool such as httpwatch, httpfox? it may be useful to verify if cookie is already encrypted.&nbsp;
HttpFox&nbsp;
https://addons.mozilla.org/en-US/firefox/addon/httpfox/&nbsp;
hope this helps.&nbsp;

Forum Discussion

F5 BIG-IP Cookie Information Disclosure Vulnerability

10 Replies

Recent Discussions

Geo Fence in ASM through irule for URI

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Related Content

F5 BIG-IP Cookie Remote Information Disclosure (20089)

CVE Vulnerability Information

F5 Releases Out of Band Disclosure in Conjunction With Rapid7

OWASP Automated Threats - OAT-014 Vulnerability Scanning

External Monitor Information and Templates