Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
11.6.2 HF1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.5.2 HF1
Opened: Feb 12, 2015 Severity: 3-Major
Sometime the firewall rule matching result is wrong if there are firewall rules configured with source or destination IPv6 address whose most significant bit is 1. Below are some examples of those IPv6 address: dfdf::/128, bbbb://64.
The firewall rule with those IPv6 addresses may accept or deny packets that do not match the rule.
Firewall rules are configured with source or destination IPv6 address whose most significant bit is 1.
None
Fixed the firewall rule compilation module to properly handle the processing of those IPv6 addresses whose most significant bit is 1.