Wednesday, 16 November 2016

F5 BIG-IP Cookie Remote Information Disclosure

The F5 BIG-IP Cookie Remote Information Disclosure vulnerability can be closed by encrypting the cookies in an HTTP profile:

  1. Log in to the Configuration utility.
  2. Navigate to Local Traffic > Profiles.
  3. From the Services menu, select HTTP.
  4. Click Create.
  5. Enter a name for the HTTP profile.
  6. In the Encrypt Cookies box, enter one or more cookie names.
    Note: If you want to specify more than one cookie for the BIG-IP LTM system to encrypt, separate the cookie names with a space.
    Note: In BIG-IP 10.x, cookie names must not contain the period ( . ) character due to a known issue. For more information, refer to SOL12472: The Configuration utility returns an error message when the HTTP profile is configured with a period character in the 'Encrypt Cookies' field.

    Note: For BIG-IP persistent cookies, the default cookie name is BIGipServer<pool-name>.

    For example:

  7. In the Cookie Encryption Passphrase box, enter a passphrase for the cookie.
  8. In the Confirm Cookie Encryption Passphrase box, re-type the passphrase.
  9. Click Update.
  10. Associate the HTTP profile with the virtual server.
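After the profile is attached to the virtual server, a practitioner will want to confirm that the persistence cookie no longer exposes the pool member. The script below is an added example, not code from this post or from F5. It assumes the publicly documented plaintext encoding of the IPv4 persistence cookie (value `<ip>.<port>.0000`, where the IP is the little-endian 32-bit integer of the address and the port is byte-swapped) and the default cookie name BIGipServer<pool-name> from the page; the header lines are constructed samples. A value that does not match the plaintext layout is reported as opaque, which is what you should see once Encrypt Cookies is in effect.

```python
import re
from typing import Dict, List, Optional, Tuple

# Default persistence cookie name is BIGipServer<pool-name> (from the page).
BIGIP_COOKIE_RE = re.compile(r"(?P<name>BIGipServer[^=;\s]*)=(?P<value>[^;\s]*)")

# Plaintext IPv4 persistence value: <ip as little-endian uint32>.<port byte-swapped>.0000
# (IPv6 and route-domain cookies use other plaintext layouts; not handled here.)
PLAINTEXT_V4_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")

# Constructed sample Set-Cookie lines: one unencrypted, one opaque placeholder
# (the second value is NOT a real BIG-IP ciphertext, just a stand-in).
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerhttp_pool=1677787402.36895.0000; path=/",
    "Set-Cookie: BIGipServerhttp_pool=!OpaquePlaceholderNotRealCiphertext==; path=/",
]


def decode_bigip_persistence(value: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) if `value` is a plaintext IPv4 persistence cookie, else None."""
    m = PLAINTEXT_V4_RE.match(value)
    if not m:
        return None
    ip_num, port_num = int(m.group(1)), int(m.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None
    # Address is stored as a little-endian 32-bit integer.
    ip = ".".join(str(b) for b in ip_num.to_bytes(4, "little"))
    # Port is stored with its two bytes swapped (8080 -> 36895).
    port = int.from_bytes(port_num.to_bytes(2, "big"), "little")
    return ip, port


def audit_set_cookie_headers(headers: List[str]) -> List[Dict[str, object]]:
    """Flag every BIGipServer* cookie whose backend address is still recoverable."""
    findings: List[Dict[str, object]] = []
    for line in headers:
        for m in BIGIP_COOKIE_RE.finditer(line):
            decoded = decode_bigip_persistence(m.group("value"))
            findings.append({
                "cookie": m.group("name"),
                "leaks_backend": decoded is not None,
                "backend": f"{decoded[0]}:{decoded[1]}" if decoded else None,
            })
    return findings


if __name__ == "__main__":
    for f in audit_set_cookie_headers(SAMPLE_HEADERS):
        status = f"LEAKS {f['backend']}" if f["leaks_backend"] else "opaque (ok)"
        print(f"{f['cookie']}: {status}")
```

Feed it the Set-Cookie lines from a response captured before and after the profile change; the "leaks" entries should disappear after the change. Remember that encryption only covers the cookie names you listed in the Encrypt Cookies box, so check every pool's cookie, not just one.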