Bug ID 667353: Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5

Fixed In:
14.0.0, 13.1.0.6

Opened: May 31, 2017

Severity: 2-Critical

Symptoms

Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table - issue is due to TMM (self) abort due to memory corruption in one of the TMSTAT tables AFM uses for correlating dynamic signatures.

Impact

Traffic disrupted while tmm restarts.

Conditions

Following conditions suffice to trigger the TMM crash due to self abort in one of the TMSTAT tables: a) Generate a set of N dynamic signatures (few context). b) When attack stops, the current set of signatures are moved to 'past' attack state. c) If in between, TMM restarts (or receives MCP config again e.g via load), these past attack signatures are incorrectly created in tmstat table which is used only for the current attack signatures - this is the *cause* of the issue! d) New attack appears that somewhat overlap with the 'past' signatures and this causes the following TMSTAT table to be corrupted over period of time.

Workaround

There is no workaround at this time.

Fix Information

This issue is fixed, the past attack signatures are never created in the correlation stats table (even for conditions explicitly described above)

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips