Last Modified: Jul 12, 2023
Known Affected Versions:
11.2.1, 11.3.0, 11.4.0, 11.4.1
11.5.0, 11.4.1 HF9, 11.2.1 HF16
Opened: Aug 23, 2013
Severity: 1-Blocking
Related Article: K14677
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure): httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files]. This can eventually lead to lack of access to the BIG-IP system from all but the root account.
If the leak is allowed to accumulate to the point that no file descriptors are available, administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.
Remote system authentication is configured to use TACACS+. Administrative access to the BIG-IP system using any HTTP-based method results in leaked file descriptors. Relevant access methods include Web UI, iControl and iControl-REST. Repeated automated access using iControl is the fastest route.
Several workaround options:
1. Use a system auth method other than TACACS+.
2. Use only SSH for administrative access.
3. Restart httpd as needed.
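One way to tell when workaround 3 is due, as an added example that is not F5 code: it counts the PAM error quoted above in a log file and compares each httpd process's open descriptors with its soft limit. The function names, the 80% threshold in the usage comment and the sample log lines are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not F5 code. Function names and sample data are assumptions.

# Error text quoted on this page, matched as a fixed string.
SIG='pam_bigip_authz.so: cannot open shared object file: Too many open files'

# count_pam_fd_errors FILE: print how many httpd lines in FILE carry the signature.
count_pam_fd_errors() {
    awk -v sig="$SIG" 'index($0, sig) && /httpd\[[0-9]+\]:/ { n++ } END { print n + 0 }' "$1"
}

# fd_usage PID [PROC_ROOT]: print "open soft_limit percent" for one process.
# PROC_ROOT defaults to /proc; it is a parameter so the check can run on a copy.
fd_usage() (
    dir="${2:-/proc}/$1"
    [ -d "$dir/fd" ] && [ -r "$dir/limits" ] || exit 1
    open=$(( $(ls -1 "$dir/fd" | wc -l) ))
    limit=$(awk '/^Max open files/ { print $4 }' "$dir/limits")
    case "$limit" in ''|*[!0-9]*) exit 1 ;; esac   # "unlimited" or unparsable
    [ "$limit" -gt 0 ] || exit 1
    echo "$open $limit $(( open * 100 / limit ))"
)

# httpd_needs_restart THRESHOLD_PCT LOG PROC_ROOT PID...
# Exits 0 if LOG shows the PAM error, or if any PID is at or above
# THRESHOLD_PCT of its soft fd limit; otherwise exits 1.
httpd_needs_restart() (
    pct=$1; log=$2; proc=$3; shift 3
    [ "$(count_pam_fd_errors "$log")" -gt 0 ] && exit 0
    for pid in "$@"; do
        usage=$(fd_usage "$pid" "$proc") || continue
        [ "${usage##* }" -ge "$pct" ] && exit 0
    done
    exit 1
)

# Demo on constructed data (not real logs): one matching line, one unrelated.
demo_log=$(mktemp)
printf '%s\n' \
  "Jul  1 10:00:01 bigip1 httpd[4321]: PAM [error: /lib/security/$SIG]" \
  'Jul  1 10:00:05 bigip1 sshd[999]: Accepted password for root' > "$demo_log"
echo "PAM fd errors in sample: $(count_pam_fd_errors "$demo_log")"
rm -f "$demo_log"

# On a live system, as root (reading another process's fd directory needs it):
#   httpd_needs_restart 80 /var/log/secure /proc $(pgrep -x httpd) && echo "restart httpd"
```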
A TACACS+ system auth and file descriptors leak has been corrected.