Bug ID 493740: tmsh allows cipher group creation with non-existent "require" or "exclude" cipher rule.

Last Modified: Dec 18, 2024

Affected Product(s):
BIG-IP LTM, TMOS(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.4.1, 13.1.5, 13.1.5.1, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1

Opened: Dec 01, 2014

Severity: 3-Major

Symptoms

Using tmsh it is possible to create a cipher group referencing a non-existent cipher rule with tmsh even if this configuration is invalid.

Impact

The result is an invalid configuration that can break configuration synchronisation between BIG-IP peers in some cases (after upgrades, or full configuration reload, for example). Also, when navigating to the cipher group the GUI does not show it. The GUI may also show this error: "An error has occurred while trying to process your request. "

Conditions

Use tmsh to create a cipher group referencing a non-existent cipher rule using a command like this, where the 'require' or the 'exclude' directive comes after the 'allow' directive. The non-existent cipher rule is "no-exist" in these examples: tmsh create ltm cipher group test-group { allow add { f5-default } require add { no-exist } } tmsh create ltm cipher group test-group { allow add { f5-default } exclude add { no-exist } }

Workaround

Use the GUI to create a new cipher groups. When using tmsh, don't create a cipher group referencing a non-existent cipher rule.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips