Last Modified: Nov 07, 2022
Affected Product(s):
BIG-IP APM
Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3
Fixed In:
13.1.0, 13.0.1
Opened: Jun 01, 2017
Severity: 3-Major
Symptoms:
After APM end users establish a session from one client IP address, if they roam and obtain a different client IP address, the DTLS tunnel can still be established, because the system does not enforce 'Restrict to Single Client IP'.
Impact:
The DTLS tunnel is established, which allows the client to access internal network resources from a forbidden subnet.
Conditions:
The client IP address used to establish the session differs from the client IP address used to establish the DTLS tunnel, and the 'Restrict to Single Client IP' setting is enabled.
Workaround:
Disable use of the DTLS tunnel.
Fix Information:
The 'Restrict to Single Client IP' setting is enforced correctly for the DTLS tunnel.
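For systems still running an affected version, the mismatch described above (session established from one client IP address, DTLS tunnel from another) can be audited after the fact. The following is an added example, not F5 code: the event names, tuple layout and sample records are constructed assumptions, and real APM log data would have to be mapped into this shape first.

```python
import ipaddress

# Constructed sample events (NOT real APM log output):
# (event_type, session_id, client_ip). Event names are hypothetical.
SAMPLE_EVENTS = [
    ("session_start", "a1f3", "198.51.100.10"),
    ("dtls_tunnel",   "a1f3", "198.51.100.10"),          # same IP: expected
    ("session_start", "b7c2", "198.51.100.23"),
    ("dtls_tunnel",   "b7c2", "203.0.113.77"),           # client roamed
    ("dtls_tunnel",   "zz99", "203.0.113.5"),            # no session on record
    ("session_start", "c0de", "2001:db8::1"),
    ("dtls_tunnel",   "c0de", "2001:0db8:0:0:0:0:0:1"),  # same address, other spelling
    ("session_start", "d4d4", "198.51.100.40"),
    ("dtls_tunnel",   "d4d4", "::ffff:198.51.100.40"),   # IPv4-mapped form of same IP
]


def normalize(ip_text):
    """Parse an address so textual variants of one address compare equal."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def find_ip_mismatches(events):
    """Return (session_id, session_ip, tunnel_ip, reason) for every DTLS
    tunnel whose client IP differs from the IP that opened the session."""
    session_ip = {}
    findings = []
    for event, sid, ip_text in events:
        ip = normalize(ip_text)
        if event == "session_start":
            session_ip[sid] = ip
        elif event == "dtls_tunnel":
            bound = session_ip.get(sid)
            if bound is None:
                findings.append((sid, None, str(ip), "unknown-session"))
            elif bound != ip:
                findings.append((sid, str(bound), str(ip), "ip-mismatch"))
    return findings


if __name__ == "__main__":
    for finding in find_ip_mismatches(SAMPLE_EVENTS):
        print(finding)
```

Addresses are compared as parsed values rather than strings, so alternate spellings of the same IPv6 address or an IPv4-mapped form do not produce false mismatches.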