Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5
Fixed In:
14.0.0, 13.1.0.6
Opened: May 31, 2017 Severity: 2-Critical
Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table - issue is due to TMM (self) abort due to memory corruption in one of the TMSTAT tables AFM uses for correlating dynamic signatures.
Traffic disrupted while tmm restarts.
Following conditions suffice to trigger the TMM crash due to self abort in one of the TMSTAT tables: a) Generate a set of N dynamic signatures (few context). b) When attack stops, the current set of signatures are moved to 'past' attack state. c) If in between, TMM restarts (or receives MCP config again e.g via load), these past attack signatures are incorrectly created in tmstat table which is used only for the current attack signatures - this is the *cause* of the issue! d) New attack appears that somewhat overlap with the 'past' signatures and this causes the following TMSTAT table to be corrupted over period of time.
There is no workaround at this time.
This issue is fixed, the past attack signatures are never created in the correlation stats table (even for conditions explicitly described above)