Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP All
Known Affected Versions:
11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3
Fixed In:
12.0.0
Opened: Apr 17, 2014
Severity: 3-Major
Related Article:
K17459
In previous versions of iControl SOAP, access to the iControl portal could not be restricted to specific addresses or subnets.
This is a slight security risk. iControl SOAP users would still have needed to supply credentials, but the IP address of the user could not be restricted.
iControl SOAP access is not whitelisted to IP addresses or subnets.
In order to whitelist IP addresses or subnets, the following command has been added to tmsh:
tmsh modify sys icontrol-soap allow add {<list of IP addresses or perl compatible regular expressions (PCRE) indicating specific subnets>}
An IP address may be specified exactly (example: 1.1.1.1). An allowed subnet may be specified as well (example: 10.10.* to restrict iControl SOAP users to the 10.10.0.0/24 subnet).
Access to the iControl portal can now be restricted to specific addresses or subnets.
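The following is an added example, not F5 code: a small audit helper that lists which address blocks a pattern-style allow entry such as 10.10.* would accept beyond the subnet it is meant to cover. It assumes the entry is evaluated as a regular expression over the dotted-decimal client address (the page says PCRE but does not describe anchoring, so both cases are shown); Python's `re` stands in for PCRE, and the function name and probe addresses are constructed for illustration.

```python
import ipaddress
import re

# Probe hosts tried inside every a.b.0.0/16 block (constructed sample values).
PROBE_TAILS = ("0.1", "1.1", "255.254")


def accepted_outside(entry, intended_cidr, anchored=True):
    """Return the /16 blocks holding a probe address that `entry` accepts
    but that lies outside `intended_cidr`.

    Assumption: the allow entry is matched as a regular expression against
    the client address text. anchored=True models a whole-string match,
    anchored=False models a match anywhere in the string.
    """
    intended = ipaddress.ip_network(intended_cidr)
    rx = re.compile(entry)
    match = rx.fullmatch if anchored else rx.search
    blocks = set()
    for a in range(256):
        for b in range(256):
            for tail in PROBE_TAILS:
                text = f"{a}.{b}.{tail}"
                # Only build the address object when the pattern accepts it.
                if match(text) and ipaddress.ip_address(text) not in intended:
                    blocks.add(f"{a}.{b}.0.0/16")
    return sorted(blocks, key=ipaddress.ip_network)


if __name__ == "__main__":
    # Audit the page's example entry against two candidate intended scopes.
    for cidr in ("10.10.0.0/24", "10.10.0.0/16"):
        for anchored in (True, False):
            extra = accepted_outside("10.10.*", cidr, anchored)
            mode = "anchored" if anchored else "unanchored"
            print(f"{cidr} {mode}: {len(extra)} extra /16 blocks, e.g. {extra[:3]}")
```

Under these assumptions the unescaped dots and the trailing `.*` are what widen the match, so an exact address entry is the tighter choice wherever the client set is small.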