
             AUSCERT External Security Bulletin Redistribution

        The BIG-IP ASM system may fail to mask sensitive parameter
            for an Allowed URL in the Referrer header and logs
                             25 September 2020


        AusCERT Security Bulletin Summary

Product:           BIG-IP ASM
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Read-only Data Access -- Unknown/Unspecified
                   Reduced Security      -- Unknown/Unspecified
Resolution:        Mitigation

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

K86285055:The BIG-IP ASM system may fail to mask sensitive parameter for an Allowed URL in the Referrer header and logs

Security Advisory

Original Publication Date: 25 Sep, 2020

Security Advisory Description

The BIG-IP ASM system may fail to mask a sensitive parameter for an Allowed
URL in the Referrer header and logs.

This issue occurs when all of the following conditions are met:

  o You configured an Allowed HTTP URL enabled with the following settings in a
    security policy:
       Check Flows to this URL
       URL is Entry Point
       URL is Referrer
  o You configured a parameter for this Allowed HTTP URL.
  o You enabled the Mask Value in Logs setting for this parameter. Prior to
    BIG-IP ASM 14.0.0, this setting is known as Sensitive Parameter.
  o The virtual server associated with the security policy receives a request
    matching the configured Allowed HTTP URL, and the request includes the
    configured parameter both in its query string and in its Referrer header.


The BIG-IP ASM system does not mask the sensitive parameter in the request's
Referrer header. As a result, the value of the sensitive parameter is exposed
in logs and may be sent unmasked to remote log systems if configured.


As a result of this issue, you may encounter the following symptom:

  o When the system receives a client request with a configured sensitive
    parameter, for example, param:

    GET /test.php?param=123 HTTP/1.1

    and both the request query string and the Referrer header contain the
    sensitive parameter param, the BIG-IP ASM system masks only the value of
    the sensitive parameter in the request query string but not in the
    Referrer header:

    GET /test.php?param=*** HTTP/1.1
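The masking gap described above, as an added example that is not F5's code: a small Python log scrubber reproduces the advisory's behaviour (masking only the request line) beside a version that also masks the Referer header, with a check a log reviewer can run to spot unmasked values. The sample request, the parameter name and the hostname are constructed.

```python
import re

MASK = "***"

# Constructed sample request; the advisory's example uses /test.php?param=123.
# On the wire the header is spelled "Referer" (the advisory writes "Referrer").
SAMPLE_REQUEST = (
    "GET /test.php?param=123&page=2 HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Referer: https://app.example.com/test.php?param=123\r\n"
)


def mask_query(url: str, sensitive: set) -> str:
    """Replace the value of every sensitive parameter in a URL's query string."""
    for name in sensitive:
        url = re.sub(rf"([?&]{re.escape(name)}=)[^&#\s]*", rf"\g<1>{MASK}", url)
    return url


def mask_request_line_only(raw: str, sensitive: set) -> str:
    """The behaviour the advisory describes: only the request line is masked."""
    lines = raw.split("\r\n")
    method, url, version = lines[0].split(" ", 2)
    lines[0] = f"{method} {mask_query(url, sensitive)} {version}"
    return "\r\n".join(lines)


def mask_request(raw: str, sensitive: set) -> str:
    """Mask the parameter in the request line AND in the Referer header."""
    lines = mask_request_line_only(raw, sensitive).split("\r\n")
    for i, line in enumerate(lines[1:], start=1):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referer":
            lines[i] = f"{name}: {mask_query(value.strip(), sensitive)}"
    return "\r\n".join(lines)


def leaked_values(entry: str, secret_values: set) -> list:
    """Detection check for a log entry: which raw secret values still appear."""
    return sorted(v for v in secret_values if v in entry)
```

Running `leaked_values` over exported ASM request logs with the known secret values is a quick way to confirm whether an installed version or the global-parameter workaround actually closes the gap.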

Security Advisory Status

F5 Product Development has assigned ID 848445 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

|Type of fix          |Fixes introduced in|Related articles                              |
|Release              |16.0.0             |K2200: Most recent versions of F5 software    |
|Point release/hotfix |                   |K9502: BIG-IP hotfix and point release matrix |

Security Advisory Recommended Actions


To work around this issue, you can define the sensitive parameter as a global
sensitive parameter instead of configuring it specifically for an Allowed HTTP
URL. To do so, perform the following procedure:

Impact of workaround: Defining a global sensitive parameter masks the value of
the Referrer header in all requests and all logs, regardless of whether or not
there is sensitive information in it. Depending on your application
environment, this may have an impact, especially when troubleshooting
application issues.

 1. Log in to the Configuration utility.
 2. Go to Security > Application Security > URLs > Allowed URLs > Allowed HTTP
 3. For Current edited policy, select the policy you want to modify.
 4. Select the affected Allowed HTTP URL.
 5. Select URL Parameters.
 6. Check the affected sensitive parameter and select Delete.
 7. Select OK to confirm the deletion.
 8. Go to Security > Application Security > Parameters > Sensitive Parameters.
 9. For Current edited policy, select the policy you want to modify.
10. Select Create.
11. Enter the name of the parameter in the Parameter Name setting.
12. Select Create to save the change.
13. Select Apply Policy to affect the change.

Supplemental Information

  o K51812227: Understanding security advisory versioning
  o K41942608: Overview of AskF5 security advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.