Last Modified: Oct 04, 2024
Affected Product(s):
BIG-IP LTM, TMOS
Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.4.1, 13.1.5, 13.1.5.1, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1
Opened: Dec 01, 2014
Severity: 3-Major
Using tmsh, it is possible to create a cipher group that references a non-existent cipher rule, even though this configuration is invalid.
The result is an invalid configuration that can break configuration synchronisation between BIG-IP peers in some cases (for example, after upgrades or a full configuration reload). Also, when navigating to the cipher group, the GUI does not show it. The GUI may also show this error: "An error has occurred while trying to process your request."
Use tmsh to create a cipher group referencing a non-existent cipher rule with a command like the following, where the 'require' or the 'exclude' directive comes after the 'allow' directive. The non-existent cipher rule is "no-exist" in these examples:
tmsh create ltm cipher group test-group { allow add { f5-default } require add { no-exist } }
tmsh create ltm cipher group test-group { allow add { f5-default } exclude add { no-exist } }
Use the GUI to create new cipher groups. When using tmsh, do not create a cipher group referencing a non-existent cipher rule.
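Because tmsh accepts the invalid configuration silently and the symptom only surfaces later (config-sync failure or a GUI error), an administrator who cannot rely on the GUI alone may want to audit existing cipher groups for dangling rule references before an upgrade or a full configuration load. The script below is an added example, not part of the F5 bug entry or F5's own tooling. It parses text in the shape of `tmsh list ltm cipher rule one-line` and `tmsh list ltm cipher group one-line` output and reports every allow/require/exclude entry whose cipher rule is not defined. The rule and group names in the embedded sample (`f5-secure`, `test-group`, `other-group`, `no-exist`, `also-missing`) and the sample lines themselves are constructed for offline use and only approximate real tmsh output.

```shell
#!/bin/sh
# Added example: find BIG-IP cipher groups that reference undefined cipher rules.
# Input format assumed: one-line tmsh list output, e.g.
#   ltm cipher rule NAME { ... }
#   ltm cipher group NAME { allow { RULE { } } require { RULE { } } exclude { RULE { } } }

# Constructed sample (not captured from a real system): two defined rules, three groups,
# two of which reference rules that do not exist ("no-exist", "also-missing").
SAMPLE_RULES='ltm cipher rule f5-default { cipher DEFAULT description "constructed sample" }
ltm cipher rule f5-secure { cipher ECDHE+AES-GCM description "constructed sample" }'

SAMPLE_GROUPS='ltm cipher group f5-default { allow { f5-default { } } }
ltm cipher group test-group { allow { f5-default { } } require { no-exist { } } }
ltm cipher group other-group { allow { f5-secure { } } exclude { also-missing { } } }'

# Print one defined cipher-rule name per line.
rule_names() {
    printf '%s\n' "$1" | awk '$1 == "ltm" && $2 == "cipher" && $3 == "rule" { print $4 }'
}

# Print "GROUP RULE" for every rule referenced inside an allow/require/exclude block.
# Tokens are whitespace separated; brace depth tells us which names are rule entries.
group_refs() {
    printf '%s\n' "$1" | awk '
        $1 == "ltm" && $2 == "cipher" && $3 == "group" {
            group = $4; section = ""; depth = 0
            for (i = 5; i <= NF; i++) {
                if ($i == "allow" || $i == "require" || $i == "exclude") { section = $i; depth = 0 }
                else if (section != "" && $i == "{") depth++
                else if (section != "" && $i == "}") { depth--; if (depth == 0) section = "" }
                else if (section != "" && depth == 1) print group, $i
            }
        }'
}

# Print "GROUP RULE" for each reference whose rule is not defined (nothing if clean).
dangling_refs() {
    rules=$1
    groups=$2
    group_refs "$groups" | while read -r group ref; do
        if ! rule_names "$rules" | grep -qx -- "$ref"; then
            printf '%s %s\n' "$group" "$ref"
        fi
    done
}

# Stand-alone run against the constructed sample.
report=$(dangling_refs "$SAMPLE_RULES" "$SAMPLE_GROUPS")
if [ -n "$report" ]; then
    printf 'cipher groups referencing undefined cipher rules (group rule):\n%s\n' "$report"
else
    echo "all cipher group references resolve to defined cipher rules"
fi
```

On a live unit, feed `dangling_refs` the actual output of `tmsh list ltm cipher rule one-line` and `tmsh list ltm cipher group one-line` instead of the samples; a non-empty report identifies the groups to correct (or recreate through the GUI, per the workaround) before the next config-sync or upgrade.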
None