Last updated on: December 19, 2022
QID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure Vulnerability” will be marked as a PCI Fail as of May 1, 2018 in accordance with its CVSS score.
F5 BIG IP encodes private IP addresses in the persistent cookies, which could be collected by the attacker and decoded back. The encoding and decoding process is documented on the Internet and is fairly simple. The low complexity of the attack gives it a CVSS score such that QID 86725 will be marked a PCI Fail.
F5 provided multiple remediation methods on their support web site.
For reference, please see the PCI-DSS v3.2 documentation in the PCI-DSS Documents Library.