SB2021042921 - Session expiration failure in BIG-IP Advanced WAF and ASM
Published: April 29, 2021
Description
This security bulletin contains information about 1 security vulnerability.
1) Insufficient Session Expiration (CVE-ID: N/A)
The vulnerability allows an attacker to gain unauthorized access to the system.
The vulnerability exists because of an insufficient session expiration issue: BIG-IP Advanced WAF and BIG-IP ASM may not properly support the Post-Redirect-Get (PRG) application flow implemented on a back-end web server. After users log out of an application or site, they may be logged in again by clicking the browser Back button multiple times.
This issue occurs only when all of the following conditions are met:
- You have enabled brute force protection in your security policy.
- You have configured your security policy to use a Client Side Integrity (CSI) or CAPTCHA challenge for brute force protection.
- You have associated the security policy with the virtual server that protects the back-end web server using the PRG application flow.
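The bulletin describes the WAF's side of the problem; the back end can still defend itself. The following is an added example, not F5 code and not part of the bulletin: a toy Post-Redirect-Get login flow in which logout invalidates the session server-side and every served login form carries a one-time token, so a cached POST resubmitted via the Back button is rejected instead of re-establishing a session. All routes, the `USERS` table, the `PrgApp` class and the `replay_after_logout` driver are constructed for illustration; the same app is run with the one-time token check off and on so the two outcomes can be compared.

```python
# Added example (not from the bulletin): a minimal PRG login flow with
# server-side logout and one-time login-form tokens. All names and data
# here are constructed for illustration.
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed user store; plaintext only to keep the example short.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Response:
    status: int
    location: Optional[str] = None   # Location header on 303 redirects
    session: Optional[str] = None    # Set-Cookie value; "" clears the cookie
    body: str = ""


class PrgApp:
    """Toy app: GET /login -> POST /login -> 303 -> GET /home; POST /logout."""

    def __init__(self, one_time_login_tokens: bool):
        self.one_time_login_tokens = one_time_login_tokens
        self.sessions: Dict[str, str] = {}     # session id -> user
        self.pending_tokens: Set[str] = set()  # tokens of unsubmitted forms

    def get_login(self) -> str:
        """Serve the login form; each copy carries a fresh single-use token."""
        token = secrets.token_urlsafe(16)
        self.pending_tokens.add(token)
        return token

    def post_login(self, user: str, password: str, token: str) -> Response:
        if self.one_time_login_tokens:
            if token not in self.pending_tokens:
                # A cached form resubmitted after Back/refresh lands here.
                return Response(403, body="stale login form")
            self.pending_tokens.discard(token)   # consume the token
        expected = USERS.get(user, "")
        if user not in USERS or not hmac.compare_digest(expected, password):
            return Response(401, body="bad credentials")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return Response(303, location="/home", session=sid)

    def get_home(self, sid: Optional[str]) -> Response:
        if sid and sid in self.sessions:
            return Response(200, body=f"hello {self.sessions[sid]}")
        return Response(303, location="/login")

    def post_logout(self, sid: Optional[str]) -> Response:
        self.sessions.pop(sid, None)             # server-side invalidation
        return Response(303, location="/login", session="")


def replay_after_logout(app: PrgApp) -> List[int]:
    """Drive the flow a user would: log in, log out, press Back, resubmit.
    Returns the status codes seen so the two configurations can be compared."""
    token = app.get_login()
    login = app.post_login("alice", USERS["alice"], token)
    cookie = login.session
    home = app.get_home(cookie)
    logout = app.post_logout(cookie)
    cookie = None if logout.session == "" else cookie   # browser drops cookie
    # Back button: the browser resubmits the cached POST with the old token.
    replay = app.post_login("alice", USERS["alice"], token)
    cookie = replay.session or cookie
    after = app.get_home(cookie)
    return [login.status, home.status, logout.status, replay.status, after.status]


if __name__ == "__main__":
    print("no token check:", replay_after_logout(PrgApp(one_time_login_tokens=False)))
    print("one-time tokens:", replay_after_logout(PrgApp(one_time_login_tokens=True)))
```

Without the token check the replayed POST returns 303 and the following GET /home returns 200, which is the behaviour the bulletin describes; with one-time tokens the replay returns 403 and /home redirects back to the login page, regardless of how an upstream WAF challenge handled the flow.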
Remediation
Install the update from the vendor's website.