K33440533 : BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984

Published: 2020-07-01 00:00:00 (source: my.f5.com)

AI Score: 6.7 Medium (Confidence: High); EPSS: 0.003 Low (Percentile: 70.7%)

Security Advisory Description

When receiving an unauthenticated client request with a maliciously crafted URI, a BIG-IP Advanced WAF or ASM virtual server configured with a DoS profile with Proactive Bot Defense (versions prior to 14.1.0), or a Bot Defense profile (versions 14.1.0 and later), may subject clients and web servers to Open Redirection attacks. (CVE-2021-22984)

Impact

When a virtual server that has Bot Defense enabled processes the type of request described in this security advisory, the Bot Defense feature incorrectly generates an HTTP 307 status code (Temporary Redirect). As a result, the client experiences an unexpected HTTP redirection, which can potentially be used for a phishing scam or stealing user credentials. In addition, the site in the client request URI unexpectedly receives the redirected request.
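The observable symptom described above is a 307 redirect whose Location points at a host the virtual server does not serve. The following added example (not part of the F5 advisory or the F5 product) shows how a defender can sweep access logs for that symptom. The log format is a constructed, whitespace-delimited one (client, Host header, request URI, status, Location header) chosen for readability; real BIG-IP or LTM request-log formats differ, so the parser is an assumption to adapt. The set of trusted hosts is likewise a placeholder for the hostnames the virtual server legitimately serves.

```python
from urllib.parse import urlparse

# Constructed sample log lines (not real traffic). Fields, in order:
# client address, Host header, request URI, response status, Location header ("-" if none).
SAMPLE_LOGS = """\
203.0.113.10 www.example.com /login 200 -
203.0.113.11 www.example.com /account 307 https://www.example.com/account/
203.0.113.12 www.example.com /profile 307 /profile/
203.0.113.13 www.example.com /search 307 https://phish.example.net/login
203.0.113.14 www.example.com /api 307 //other.example.org/
"""

# Placeholder: hostnames this virtual server is expected to redirect to (assumption).
TRUSTED_HOSTS = {"www.example.com"}


def parse_line(line):
    """Parse one constructed log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    client, host, uri, status, location = parts
    if not status.isdigit():
        return None
    return {
        "client": client,
        "host": host,
        "uri": uri,
        "status": int(status),
        "location": None if location == "-" else location,
    }


def redirect_target_host(location):
    """Return the hostname a Location header sends the client to.

    Handles absolute URLs (https://host/path) and protocol-relative forms (//host/path).
    A purely relative Location (/path) stays on the current site, so None is returned.
    """
    parsed = urlparse(location)
    return parsed.hostname  # lower-cased, port stripped; None when there is no authority


def find_offsite_307s(log_text, trusted_hosts):
    """Return records for every 307 response whose Location leaves the trusted host set."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 307 or rec["location"] is None:
            continue
        target = redirect_target_host(rec["location"])
        if target is None or target in trusted_hosts:
            continue  # on-site redirect, expected behaviour
        rec["target_host"] = target
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_offsite_307s(SAMPLE_LOGS, TRUSTED_HOSTS):
        print(f"{hit['client']} {hit['uri']} -> 307 to {hit['target_host']} ({hit['location']})")
```

Two of the five constructed lines are flagged: the absolute redirect to phish.example.net and the protocol-relative redirect to other.example.org, which a naive "starts with /" check would wrongly treat as on-site. A burst of such records from a virtual server running an affected Bot Defense or Proactive Bot Defense configuration is the signal to correlate with the fixed versions listed by F5.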
