Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5
Fixed In:
17.5.0, 17.1.1, 16.1.4
Opened: Dec 05, 2022 Severity: 3-Major
In some cases of WEBSSO same token is sent to different sessions in the backend.
Situations where JWTs (via WEBSSO / OAuth Bearer profile) are being sent downstream for requests which belong to a different user. The problem seems to be related to when these requests share the same client IP address. This is a big problem when clients are using NAT themselves to mask different users/sessions behind the same IP address.
WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application
None
BIG-IP now clears the cache tokens when sessions are different so that new tokens are generated for different sessions.