Last Modified: May 29, 2024
Affected Product(s):
BIG-IP APM
Known Affected Versions:
17.1.1, 17.1.0.2, 17.1.0.1, 17.1.0, 16.1.4, 15.1.9.1, 15.1.9
Opened: Jul 27, 2023
Severity: 2-Critical
Users are not able to use old OAuth tokens after the vulnerability fix, that is, the removal of hard-coded encryption keys in OAuth.
Old tokens cannot be used.
The OAuth feature is configured with opaque tokens, and the system is upgraded to 15.1.9 from an earlier version.
From 15.1.9 onward, OAuth tokens that were generated and used in earlier versions no longer work. To address the vulnerability (CWE-798, use of hard-coded credentials), the hard-coded key encryption functionality has been removed and token generation is now dynamic, so tokens issued earlier are reported as inactive when a client runs introspection. The suggested workaround is to use the Purge Now option in the UI (Access > Overview > OAuth Reports > Tokens); users have to remove the older tokens from the oauthDB on every reboot.
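The following is an added illustration of the mechanism behind this behaviour, not F5 code and not BIG-IP APM's actual token format: opaque tokens bound to a signing key verify only under that key, so once the fixed key is replaced by one generated at runtime, every previously issued token fails verification and an RFC 7662-style introspection reports it as inactive. The HMAC-based token layout, the key names and the `purge_stale` helper (a stand-in for the Purge Now action) are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, token_id: bytes = b"") -> str:
    """Mint an opaque token: random id || HMAC-SHA256(key, id), base64url-encoded.
    The token carries no claims; the server resolves it via the id (constructed format)."""
    token_id = token_id or secrets.token_bytes(16)
    tag = hmac.new(key, token_id, hashlib.sha256).digest()
    return _b64u(token_id + tag)


def introspect(key: bytes, token: str) -> dict:
    """Minimal RFC 7662-shaped introspection: 'active' only if the tag verifies
    under the key the server currently holds. Malformed input is simply inactive."""
    try:
        raw = _b64u_decode(token)
    except (ValueError, binascii.Error):
        return {"active": False}
    if len(raw) <= TAG_LEN:
        return {"active": False}
    token_id, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, token_id, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return {"active": False}
    return {"active": True, "token_id": _b64u(token_id)}


def purge_stale(key: bytes, token_db: list) -> tuple:
    """Drop every stored token that no longer verifies under the current key
    (the manual cleanup the workaround describes). Returns (kept, removed_count)."""
    kept = [t for t in token_db if introspect(key, t)["active"]]
    return kept, len(token_db) - len(kept)


# Constructed demo key standing in for the pre-fix hard-coded key (CWE-798).
HARDCODED_KEY = b"constructed-demo-fixed-key-do-not-use"


def demo() -> tuple:
    """Tokens minted under the fixed key verify there, fail under a fresh runtime key,
    and are removed by the purge. Returns (active_before, active_after, removed)."""
    old_db = [mint_token(HARDCODED_KEY) for _ in range(3)]
    dynamic_key = secrets.token_bytes(32)  # generated anew after the fix (e.g. per boot)
    before = [introspect(HARDCODED_KEY, t)["active"] for t in old_db]
    after = [introspect(dynamic_key, t)["active"] for t in old_db]
    _, removed = purge_stale(dynamic_key, old_db)
    return before, after, removed


if __name__ == "__main__":
    print(demo())  # ([True, True, True], [False, False, False], 3)
```

Because the runtime key in this model is regenerated on each start, anything minted before a restart becomes dead weight in the store, which is why the purge has to be repeated after every reboot rather than run once; a client should treat `active: false` as a signal to re-authenticate rather than retry.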
None