Last Modified: May 29, 2024
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 16.0.0, 16.0.0.1
Fixed In:
16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5
Opened: Apr 17, 2020 Severity: 3-Major
Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP address and username. There is a separate hash table for each virtual server. When the hash table is full and a new entry needs to be added, the least recently used (LRU) entry is evicted, regardless of whether that entry is a mitigated one. Under sustained new traffic, mitigated entries may therefore keep getting evicted from the hash table by new entries.
Impact:
Mitigated entries that keep getting removed from the hash table by new entries may result in attacks not being mitigated: once the counter for a blocked source is evicted, that source is no longer recognized as mitigated and its failed-login count starts over.
Conditions:
BFP is enabled on multiple virtual servers that receive traffic. There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter. When the parameter is set to 0, the size is determined automatically based on system memory. Otherwise, the value is the maximum combined size of all the hash tables, which is divided among the virtual servers that have traffic and BFP enabled. In the latter case, with too many virtual servers the per-virtual-server hash table may reach its maximum capacity.
Workaround:
N/A
Fix Information:
Mitigated entries are now kept in the hash table rather than being evicted as LRU entries when new entries are added.
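The following is an added illustration of the failure mode described above, not F5 code and not a representation of how BIG-IP ASM implements BFP internally. It models a per-virtual-server LRU counter table in two modes: plain LRU eviction (the behaviour in this bug, where a mitigated entry can be pushed out by a flood of new sources) and a variant that pins mitigated entries (the behaviour the fix describes). The capacity split across virtual servers follows the Conditions text: a non-zero external_entity_hash_size is divided by the number of virtual servers with traffic and BFP enabled. The threshold, table size, IP addresses and the exact pinning policy are assumptions chosen for the example.

```python
from collections import OrderedDict
from typing import Optional


def per_vs_capacity(external_entity_hash_size: int, active_vs_count: int) -> Optional[int]:
    """Per-virtual-server table size as the Conditions section describes it.

    A value of 0 means "sized automatically from system memory", which this
    model does not reproduce, so None is returned. Otherwise the parameter is
    the combined maximum, divided among the virtual servers that have traffic
    and BFP enabled. Division here (integer, floor) is an assumption.
    """
    if external_entity_hash_size == 0:
        return None
    if active_vs_count < 1:
        raise ValueError("need at least one active virtual server")
    return external_entity_hash_size // active_vs_count


class BfpCounterTable:
    """Toy per-virtual-server table of failed-login counters keyed by source.

    pin_mitigated=False: the least recently used entry is evicted when the
    table is full, whether or not it is mitigated (the behaviour in the bug).
    pin_mitigated=True: only unmitigated entries are eligible for eviction; if
    every entry is mitigated the insert is refused (assumed policy, chosen so
    that mitigated entries are never lost).
    """

    def __init__(self, capacity: int, threshold: int, pin_mitigated: bool):
        self.capacity = capacity
        self.threshold = threshold
        self.pin_mitigated = pin_mitigated
        # key -> failure count; first item is the least recently used
        self._entries: "OrderedDict[str, int]" = OrderedDict()

    def is_mitigated(self, key: str) -> bool:
        return self._entries.get(key, 0) >= self.threshold

    def record_failure(self, key: str) -> bool:
        """Count one failed login for key. Returns False if it could not be stored."""
        if key in self._entries:
            self._entries.move_to_end(key)  # touched: becomes most recently used
            self._entries[key] += 1
            return True
        if len(self._entries) >= self.capacity and not self._evict_one():
            return False
        self._entries[key] = 1
        return True

    def _evict_one(self) -> bool:
        if not self.pin_mitigated:
            self._entries.popitem(last=False)  # drop the LRU entry, mitigated or not
            return True
        for key, count in self._entries.items():  # LRU order, oldest first
            if count < self.threshold:
                del self._entries[key]
                return True
        return False  # every entry is mitigated; nothing is evicted


def simulate_churn(pin_mitigated: bool) -> bool:
    """Return whether a mitigated attacker is still mitigated after a flood of new sources.

    Constructed scenario: one source exceeds the threshold, then more distinct
    new sources than the table can hold each fail once.
    """
    table = BfpCounterTable(capacity=4, threshold=3, pin_mitigated=pin_mitigated)
    attacker = "198.51.100.7"  # constructed, documentation range
    for _ in range(3):
        table.record_failure(attacker)
    assert table.is_mitigated(attacker)
    for i in range(1, 9):  # eight new sources against a capacity of four
        table.record_failure(f"10.0.0.{i}")  # constructed addresses
    return table.is_mitigated(attacker)


if __name__ == "__main__":
    print("capacity per VS for 100000 split 8 ways:", per_vs_capacity(100000, 8))
    print("attacker still mitigated, plain LRU:", simulate_churn(pin_mitigated=False))
    print("attacker still mitigated, pinned:   ", simulate_churn(pin_mitigated=True))
```

With plain LRU the attacker's counter is the oldest entry once the new sources arrive, so it is the first one evicted and the attacker is unblocked after four new sources; with mitigated entries pinned the churn evicts only the single-failure entries. Note that pinning trades one failure mode for another: a table whose entries are all mitigated refuses new inserts, which is why the real parameter that matters operationally is the per-virtual-server capacity computed above.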