Last Modified: Oct 16, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
12.0.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.1.0, 12.0.0 HF1
Opened: Dec 01, 2014
Severity: 2-Critical
Related Article:
K36717289
Symptoms:
The TCP4 filter allows a non-SYN packet to create a new connflow after sending a RST.
Impact:
A new connflow might be created after a RST is sent. Data is possibly being treated as a valid SYN cookie by the FPGA.
Conditions:
BIG-IP series 5000, 7000, 10000, and 12000 platforms and VIPRION B2100, B2200, and B4300 blades, which have hardware SYN cookie protection enabled by default.
Workaround:
Change the sys db variable connection.syncookies.algorithm to 'software'.
Fix Information:
BIG-IP series 5000, 7000, 10000, and 12000 platforms and VIPRION B2100, B2200, and B4300 blades with hardware SYN cookie protection enabled by default no longer allow a new connflow to be created after a RST is sent.