Last Modified: Feb 28, 2025
Affected Product(s):
BIG-IP GTM, LTM
Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 17.0.0, 17.0.0.1, 17.0.0.2, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4
Fixed In:
17.5.0, 17.1.2
Opened: Jul 17, 2020
Severity: 1-Blocking
Related Article:
K40226145
The BIG-IP Oracle health monitor marks pool members down. As a result, you may observe an error message similar to the following example in the /var/log/DBDaemon-0.log file:

java.sql.SQLException: ORA-28040: No matching authentication protocol

This occurs because the existing JDBC library ojdbc6.jar on the BIG-IP system used for Oracle database monitoring is not compatible with Oracle database version 12.2 or later. According to Oracle's documentation, Oracle database version 12.2 or later requires ojdbc8.jar.

For more information, refer to the "Oracle JDBC FAQ" document at: https://www.oracle.com/database/technologies/faq-jdbc.html
You are unable to use the BIG-IP provided Oracle monitor to monitor the health of Oracle database server pool members.
-- You have Oracle monitor configured
-- You have Oracle database running version 12.2 or later configured as your pool member.
F5 recommends that you use an alternative health monitor, such as the TCP health monitor, to continue monitoring your Oracle database pool members.

Depending on your application environment, you may want to consider removing the profile parameter SQLNET.ALLOWED_LOGON_VERSION = 12 from the affected Oracle database pool member to allow legacy Oracle clients to connect to the Oracle database.

SQLNET.ALLOWED_LOGON_VERSION is deprecated since 18c and is replaced by SQLNET.ALLOWED_LOGON_VERSION_SERVER. To allow legacy Oracle clients to connect to an Oracle database on a DB server running version 18c or higher, add the following line to sqlnet.ora:

SQLNET.ALLOWED_LOGON_VERSION_SERVER=11

Then restart the service:

lsnrctl stop && lsnrctl start

Important: Doing so would expose the Oracle database to a potential security vulnerability known as the Stealth Password Cracking Vulnerability. This vulnerability affects Oracle 10g/11g clients including 11.2.0.3, which is why the client version needs to be 11.2.0.4 or higher. See the following bulletin from NIST’s National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2012-3137

For more information, refer to the "Check for the SQLNET.ALLOWED_LOGON_VERSION Parameter Behavior" document at: https://docs.oracle.com/en/database/oracle/oracle-database/18/spmsu/check-for-sqlnet-allowed-logon-version-parameter-behavior.html
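Because the workaround above lowers the logon version on the database server, it helps to be able to find where that setting is still in place once the monitor is fixed. The following is an added example, not code from F5 or Oracle: a small audit of sqlnet.ora text that reports the two parameters named above. The function name audit_sqlnet, the threshold of 12 (taken from the values in this article) and the sample file contents are assumptions made for illustration.

```python
import re

SERVER = "SQLNET.ALLOWED_LOGON_VERSION_SERVER"
DEPRECATED = "SQLNET.ALLOWED_LOGON_VERSION"  # replaced by SERVER since 18c (per the article)
MIN_VERSION = 12  # assumed threshold: the article's workaround value 11 re-admits legacy clients

# sqlnet.ora assignments have the form NAME = value; names are case-insensitive.
ASSIGN = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(\S+)")


def audit_sqlnet(text):
    """Return one finding per logon-version setting found in sqlnet.ora text."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments, including commented-out settings
        match = ASSIGN.match(line)
        if not match:
            continue
        name, value = match.group(1).upper(), match.group(2).strip("\"'")
        if name not in (SERVER, DEPRECATED):
            continue
        issues = []
        if name == DEPRECATED:
            issues.append("deprecated-parameter")
        digits = re.match(r"\d+", value)  # "12a" is read as 12
        if digits is None:
            issues.append("unparseable-value")
        elif int(digits.group()) < MIN_VERSION:
            issues.append("legacy-clients-allowed")
        findings.append({"line": line_no, "parameter": name,
                         "value": value, "issues": issues})
    return findings


# Constructed sample file contents, not taken from a real system.
SAMPLE = """\
# constructed sample sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES = (NONE)
sqlnet.allowed_logon_version_server = 11   # lowered for the BIG-IP Oracle monitor
SQLNET.ALLOWED_LOGON_VERSION = 12
"""

if __name__ == "__main__":
    for finding in audit_sqlnet(SAMPLE):
        print(finding)
```

A file with neither parameter returns an empty list, in which case the database release's default applies and should be checked separately.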
None