Bug ID 1251061: apmd core caused by accessing null issuer from JWT

Last Modified: Apr 24, 2024

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3

Opened: Feb 23, 2023

Severity: 3-Major

Symptoms

If the JWT configuration has not been added to the OAuth provider, apmd accesses a NULL pointer while attempting to validate the issuer.

Impact

apmd restarts with a core dump.

Conditions

The JWT configuration was not added to the OAuth provider, and the provider is configured as below:

    apm aaa oauth-provider /Common/duo_provider {
        authentication-uri https://api-c30441f1.duosecurity.com/oauth/v1/authorize
        introspect supported
        token-uri https://api-c30441f1.duosecurity.com/oauth/v1/token
        trusted-ca-bundle /Common/ca-bundle.crt
        type custom
    }

Workaround

Add the correct JWT configuration to the provider:

    apm aaa oauth-provider /Common/duo_provider {
        authentication-uri https://api-c30441f1.duosecurity.com/oauth/v1/authorize
        introspect supported
        manual-jwt-config-name /Common/duo_jwt
        token-uri https://api-c30441f1.duosecurity.com/oauth/v1/token
        trusted-ca-bundle /Common/ca-bundle.crt
        type custom
        use-auto-jwt-config false
    }

The fix is to do proper NULL checks for the JWT config before validating the issuer.
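One way to audit a configuration for providers that match the conditions above, as an added example (not F5 code): it parses `apm aaa oauth-provider` stanzas in multi-line form and reports those with no JWT config attached. The function names, the `duo_provider_fixed` stanza and the treatment of a `none` value as unset are assumptions made for this sketch.

```python
import re

# Constructed sample: the affected stanza from this page plus a shortened fixed one.
SAMPLE = """\
apm aaa oauth-provider /Common/duo_provider {
    authentication-uri https://api-c30441f1.duosecurity.com/oauth/v1/authorize
    introspect supported
    token-uri https://api-c30441f1.duosecurity.com/oauth/v1/token
    trusted-ca-bundle /Common/ca-bundle.crt
    type custom
}
apm aaa oauth-provider /Common/duo_provider_fixed {
    manual-jwt-config-name /Common/duo_jwt
    type custom
    use-auto-jwt-config false
}
"""

HEADER = re.compile(r"^apm aaa oauth-provider\s+(\S+)\s*\{$")

def parse_providers(text):
    """Return {provider_name: {attribute: value}} for each oauth-provider stanza."""
    providers, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if current is None:
            m = HEADER.match(line)
            if m:
                current, depth = m.group(1), 1
                providers[current] = {}
            continue
        # Only top-level attributes of the stanza are recorded; nested blocks are skipped.
        if depth == 1 and line and not line.startswith("}"):
            key, _, value = line.partition(" ")
            providers[current][key] = value.strip()
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            current = None
    return providers

def providers_without_jwt_config(text):
    """Names of providers with no JWT config attached (the condition in this bug)."""
    # Assumption: any attribute ending in "jwt-config-name" whose value is not
    # empty or "none" counts as an attached JWT config.
    return [name for name, attrs in parse_providers(text).items()
            if not any(k.endswith("jwt-config-name") and v not in ("", "none")
                       for k, v in attrs.items())]

if __name__ == "__main__":
    print(providers_without_jwt_config(SAMPLE))
```

Feed it saved provider configuration text in place of `SAMPLE`; a flagged provider is one to correct as described in the workaround.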

Fix Information

None

Behavior Change
