Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0
Opened: Sep 10, 2013 Severity: 2-Critical
The VE versions of BIG-IP running on certain versions of the VMWare Broadcom drivers incorrectly report no error for IP packets that do have an IP checksum error. As a result, some IP checksum errors are not reported in those scenarios. The workaround is to enable software-based checking, with the db-variable tm.tcpudpiprxchecksum, though this will have some performance impact.
BIG-IP will not detect Bad IP checksum DOS attacks is the underlying hypervisor has
BIG-IP Virtual Edition, running on any VMware hypervisor that has Broadcom BCM5709 and BCM5716 physical interfaces. There may be other hypervisors or physical interfaces that may cause this behavior.
"modify sys db tm.tcpudpiprxchecksum value software-reverify"
None