The F5 BIG-IP Cookie Remote Information Disclosure vulnerability can be closed by encrypting the cookies:
- Log in to the Configuration utility.
- Navigate to Local Traffic > Profiles.
- From the Services menu, select HTTP.
- Click Create.
- Enter a name for the HTTP profile.
- In the Encrypt Cookies box, enter one or more cookie names.
  Note: If you want to specify more than one cookie for the BIG-IP LTM system to encrypt, separate the cookie names with a space.
  Note: In BIG-IP 10.x, cookie names must not contain the period ( . ) character due to a known issue. For more information, refer to SOL12472: The Configuration utility returns an error message when the HTTP profile is configured with a period character in the 'Encrypt Cookies' field.
  Note: For BIG-IP persistent cookies, the default cookie name is BIGipServer<pool-name>.
  For example:
  BIGipServerhttp-pool
- In the Cookie Encryption Passphrase box, enter a passphrase for the cookie.
- In the Confirm Cookie Encryption Passphrase box, re-type the passphrase.
- Click Update.
- Associate the HTTP profile with the virtual server.
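
One way to confirm the change took effect, added here as an example and not taken from F5 or the original page: the script checks Set-Cookie headers captured from your own virtual server for BIGipServer cookies that still carry the unencrypted IPv4 pool-member encoding, and shows what such a value discloses. The sample headers are constructed, the function names are this example's own, and only the IPv4 default-route-domain format is handled.

```python
import re
import socket
import struct

# Unencrypted IPv4 persistence value: <ip>.<port>.0000, both fields decimal.
PLAIN = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")

def decode_plain(value):
    """Return (ip, port) if value is an unencrypted IPv4 persistence value, else None."""
    m = PLAIN.match(value)
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # The address is stored with its bytes reversed, the port with its two bytes swapped.
    ip = socket.inet_ntoa(struct.pack("<I", ip_int))
    port = struct.unpack("<H", struct.pack(">H", port_int))[0]
    return ip, port

def audit(set_cookie_headers):
    """Map each BIGipServer* cookie name to its decoded member, or None if not plaintext."""
    findings = {}
    for header in set_cookie_headers:
        pair = header.split(":", 1)[-1].split(";", 1)[0].strip()
        name, _, value = pair.partition("=")
        if name.startswith("BIGipServer"):
            findings[name] = decode_plain(value)
    return findings

# Constructed sample headers. BEFORE uses the default plaintext encoding;
# AFTER uses an opaque placeholder standing in for an encrypted value
# (not real BIG-IP output).
BEFORE = ["Set-Cookie: BIGipServerhttp-pool=1677787402.36895.0000; path=/"]
AFTER = ["Set-Cookie: BIGipServerhttp-pool=kX9vQ2mZ0Xc1k9v7wA==; path=/"]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        for name, member in audit(headers).items():
            state = "PLAINTEXT %s:%d" % member if member else "not plaintext"
            print(label, name, state)
```

Any cookie reported as PLAINTEXT after the profile is attached means its name is missing from the Encrypt Cookies box or the profile is not associated with that virtual server.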