Last Modified: Dec 05, 2024
Affected Product(s):
BIG-IP LTM, TMOS
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4
Fixed In:
17.1.2, 16.1.5
Opened: Sep 11, 2023 Severity: 3-Major
The sys httpd auth-pam-validate-ip setting is 'on' by default. This setting restricts each client session to a single source IP address: the session is terminated if the client's source IP changes during the session. If browsers connect to the Configuration utility through a proxy, their source IP addresses might change during a session; in this case you might want to set auth-pam-validate-ip to 'off' to avoid session termination when mod_auth_pam detects a client IP change for one of the existing session tokens (see https://my.f5.com/manage/s/article/K13048). When auth-pam-validate-ip is set to 'off', the setting does not work as expected if the client IP address of the browser changes immediately after the HTTP POST that authenticates the user into the Configuration utility. If the client IP address changes only after a few HTTP requests and responses, rather than immediately after the user authenticates, the user is correctly allowed to continue their Configuration utility session.
A user trying to authenticate into the Configuration utility is redirected back to the authentication page immediately after entering their username and password, even though the username and password are accepted by the system.
- The "tmsh /sys httpd auth-pam-validate-ip" configuration setting is set to 'off', OR the same setting in the Configuration utility (the "System > Preferences > Require A Consistent Inbound IP For the Entire Web Session" check box) is cleared.
- The client IP address of the browser changes immediately after the HTTP POST that authenticates the user into the Configuration utility.
If the users of the Configuration utility are behind a proxy that might change their IP address, have the proxy present the same source IP address for each client for as long as possible (configure source address persistence on the proxy).
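The following is an added example, not F5's code and not taken from this article: a small model of the "consistent inbound IP" session check that auth-pam-validate-ip describes, plus a log scan that separates sessions whose source IP changed immediately after the authenticating POST (the trigger condition given above) from sessions whose IP changed only after a few requests (which the article says continue correctly). The model implements the documented expected behaviour of the 'on' and 'off' settings; it does not reproduce the defect itself, whose cause the article does not state. The log lines, session tokens, IP addresses and the `/login` path are constructed for the example; the real Configuration utility URLs are not part of this page.

```python
"""Added example (not F5's code): toy model of the per-session source-IP check
and a log scan for the trigger condition of this bug article.
All log lines, tokens, IPs and the '/login' path are constructed placeholders."""
from dataclasses import dataclass, field


@dataclass
class Session:
    token: str
    bound_ip: str                       # source IP seen on the authenticating POST
    outcomes: list = field(default_factory=list)
    terminated: bool = False


class SessionTable:
    """Models auth-pam-validate-ip: 'on' binds each session to one source IP."""

    def __init__(self, validate_ip: bool):
        self.validate_ip = validate_ip
        self.sessions: dict[str, Session] = {}

    def login(self, token: str, src_ip: str) -> None:
        self.sessions[token] = Session(token, src_ip)

    def request(self, token: str, src_ip: str) -> str:
        s = self.sessions.get(token)
        if s is None or s.terminated:
            return "redirect-to-login"
        if self.validate_ip and src_ip != s.bound_ip:
            # Source IP changed mid-session: terminate it and bounce to the login page.
            s.terminated = True
            s.outcomes.append("redirect-to-login")
            return "redirect-to-login"
        s.outcomes.append("ok")
        return "ok"


# Placeholder login path; the real Configuration utility login URL is not on the page.
LOGIN_PATH = "/login"

# Constructed access-log excerpt: "<timestamp> <src-ip> <method> <path> tok=<session>"
SAMPLE_LOG = """\
2024-12-05T10:00:00Z 203.0.113.10 POST /login tok=A
2024-12-05T10:00:01Z 203.0.113.11 GET /page tok=A
2024-12-05T10:05:00Z 203.0.113.20 POST /login tok=B
2024-12-05T10:05:01Z 203.0.113.20 GET /page tok=B
2024-12-05T10:05:02Z 203.0.113.20 GET /page2 tok=B
2024-12-05T10:05:03Z 203.0.113.21 GET /page3 tok=B
2024-12-05T10:10:00Z 203.0.113.30 POST /login tok=C
2024-12-05T10:10:01Z 203.0.113.30 GET /page tok=C
"""


def parse_log(text: str):
    """Yield (timestamp, src_ip, method, path, token) tuples from the constructed log."""
    rows = []
    for line in text.strip().splitlines():
        ts, ip, method, path, tok = line.split()
        rows.append((ts, ip, method, path, tok.split("=", 1)[1]))
    return rows


def simulate(log_text: str, validate_ip: bool) -> dict:
    """Replay the log through the session model and return per-token outcomes."""
    table = SessionTable(validate_ip)
    for _, ip, method, path, tok in parse_log(log_text):
        if method == "POST" and path == LOGIN_PATH:
            table.login(tok, ip)
        else:
            table.request(tok, ip)
    return {tok: s.outcomes for tok, s in table.sessions.items()}


def classify_ip_changes(log_text: str) -> dict:
    """Per session: 'immediate' if the first request after the login POST came from a
    new IP (the article's trigger condition), 'later' if the IP changed only after
    requests from the bound IP, else 'none'."""
    bound, seen_after, result = {}, {}, {}
    for _, ip, method, path, tok in parse_log(log_text):
        if method == "POST" and path == LOGIN_PATH:
            bound[tok], seen_after[tok], result[tok] = ip, 0, "none"
            continue
        if tok not in bound or result[tok] != "none":
            continue
        if ip != bound[tok]:
            result[tok] = "immediate" if seen_after[tok] == 0 else "later"
        else:
            seen_after[tok] += 1
    return result


if __name__ == "__main__":
    print(classify_ip_changes(SAMPLE_LOG))          # A: immediate, B: later, C: none
    print(simulate(SAMPLE_LOG, validate_ip=True))   # A and B bounced, C continues
    print(simulate(SAMPLE_LOG, validate_ip=False))  # every request allowed
```

Run against an export of your own proxy or web-server access log (after adapting `parse_log` and `LOGIN_PATH` to its format), `classify_ip_changes` tells you whether the sessions that get bounced to the login page are the "immediate" ones this article describes, or whether something else is terminating them.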
None