Last Modified: Jun 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
17.5.0
Fixed In:
17.5.1
Opened: Apr 19, 2025
Severity: 3-Major
Symptoms:
The PKCS11d daemon did not properly initialize the login state for each partition. It previously assumed that a user was effectively “logged in” at startup, even though the daemon never recorded an explicit CKR_USER_NOT_LOGGED_IN state. This worked with older HSMs and the earlier AWS CloudHSM SDK3 mainly because those libraries did not strictly require an explicit CKR_USER_NOT_LOGGED_IN state; in most cases they would either auto-login or return CKR_USER_ALREADY_LOGGED_IN. Newer AWS CloudHSM libraries (SDK5) and other current HSM vendors, however, require a proper indication that the user is not logged in so that re-login flows are handled correctly.
Impact:
Key creation fails.
Conditions:
Use SDK version 5 with BIG-IP.
Workaround:
None
Fix Information:
- This fix is applied to all HSMs, not just AWS CloudHSM. Each partition starts in a well-defined “not logged in” state. It only transitions to CKR_OK or CKR_USER_ALREADY_LOGGED_IN when the device confirms the user is authenticated.
- The change sets hsm_partitions.array[slot].login_status = CKR_USER_NOT_LOGGED_IN during session/partition initialization.
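The following C program is an added illustration of the behaviour described in the symptoms and fix information above; it is not F5's PKCS11d code. It models the daemon-side per-partition login state (the `hsm_partitions.array[slot].login_status` field named on the page) against a stand-in HSM library that can behave either like the lenient SDK3-style libraries (auto-login on first key operation) or like the strict SDK5-style libraries (key operations return CKR_USER_NOT_LOGGED_IN until an explicit C_Login). The `fake_C_Login`, `fake_C_GenerateKey`, `run_scenario` and `run_relogin_scenario` functions, and the `strict` flag, are constructed for this example; the CKR_* values are the standard PKCS#11 constants.

```c
/* Added example (not F5's code): per-partition login-state tracking, with
 * the old "assumed logged in" initialization beside the corrected one. */
#include <stdio.h>
#include <stdbool.h>

typedef unsigned long CK_RV;          /* PKCS#11 return-value type */
#define CKR_OK                     0x00000000UL
#define CKR_USER_ALREADY_LOGGED_IN 0x00000100UL
#define CKR_USER_NOT_LOGGED_IN     0x00000101UL

#define NUM_SLOTS 2

/* Stand-in for the vendor library (constructed for this example).
 * strict=true behaves like SDK5: key operations need an explicit C_Login.
 * strict=false behaves like SDK3: the library auto-logs in on first use. */
typedef struct {
    bool strict;
    bool logged_in;   /* library-side session state */
} fake_hsm_t;

static CK_RV fake_C_Login(fake_hsm_t *hsm) {
    if (hsm->logged_in) return CKR_USER_ALREADY_LOGGED_IN;
    hsm->logged_in = true;
    return CKR_OK;
}

static CK_RV fake_C_GenerateKey(fake_hsm_t *hsm) {
    if (!hsm->logged_in) {
        if (hsm->strict) return CKR_USER_NOT_LOGGED_IN;
        hsm->logged_in = true;            /* lenient library auto-logs in */
    }
    return CKR_OK;
}

/* Daemon-side state: one entry per partition, as on the page. */
typedef struct { CK_RV login_status; } partition_t;
static struct { partition_t array[NUM_SLOTS]; } hsm_partitions;

/* Partition initialization. fixed=false reproduces the old assumption
 * (logged in at startup); fixed=true is the corrected well-defined state. */
static void init_partitions(bool fixed) {
    for (int slot = 0; slot < NUM_SLOTS; slot++)
        hsm_partitions.array[slot].login_status =
            fixed ? CKR_USER_NOT_LOGGED_IN : CKR_OK;
}

/* Log in only when the tracked state says we are not; the state moves to
 * CKR_OK / CKR_USER_ALREADY_LOGGED_IN only when the device confirms it. */
static CK_RV ensure_logged_in(fake_hsm_t *hsm, int slot) {
    partition_t *p = &hsm_partitions.array[slot];
    if (p->login_status == CKR_OK || p->login_status == CKR_USER_ALREADY_LOGGED_IN)
        return CKR_OK;
    CK_RV rv = fake_C_Login(hsm);
    if (rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN) {
        p->login_status = rv;
        return CKR_OK;
    }
    p->login_status = CKR_USER_NOT_LOGGED_IN;
    return rv;
}

/* Create a key in a slot; returns the PKCS#11 status of the operation. */
static CK_RV create_key(fake_hsm_t *hsm, int slot) {
    CK_RV rv = ensure_logged_in(hsm, slot);
    if (rv != CKR_OK) return rv;
    return fake_C_GenerateKey(hsm);
}

/* Key creation on a freshly started daemon against the chosen HSM style. */
CK_RV run_scenario(bool strict_hsm, bool fixed_daemon) {
    fake_hsm_t hsm = { .strict = strict_hsm, .logged_in = false };
    init_partitions(fixed_daemon);
    return create_key(&hsm, 0);
}

/* Re-login flow on a strict HSM with the fixed daemon: after the device-side
 * session is lost, the partition is reset to the well-defined state and the
 * next key operation logs in again instead of failing. */
CK_RV run_relogin_scenario(void) {
    fake_hsm_t hsm = { .strict = true, .logged_in = false };
    init_partitions(true);
    if (create_key(&hsm, 0) != CKR_OK) return CKR_USER_NOT_LOGGED_IN;
    hsm.logged_in = false;                                   /* session lost */
    hsm_partitions.array[0].login_status = CKR_USER_NOT_LOGGED_IN;
    return create_key(&hsm, 0);
}

int main(void) {
    printf("SDK3-style HSM, old daemon:   0x%lx\n", run_scenario(false, false));
    printf("SDK5-style HSM, old daemon:   0x%lx\n", run_scenario(true, false));
    printf("SDK5-style HSM, fixed daemon: 0x%lx\n", run_scenario(true, true));
    printf("Re-login after session loss:  0x%lx\n", run_relogin_scenario());
    return 0;
}
```

The second scenario reproduces the reported impact: with the partition assumed logged in, the daemon skips C_Login and the strict library rejects key generation with CKR_USER_NOT_LOGGED_IN (0x101). Starting from the not-logged-in state makes the daemon log in first, which both the lenient and strict library accept.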