Last Modified: Nov 01, 2022
Known Affected Versions:
12.1.3, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.2, 11.6.1, 11.6.0, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1, 11.5.0
Opened: Oct 02, 2017
BIG-IP systems configured to perform OCSP Stapling may connect to an OCSP server using an unexpected source IP address. The source IP address picked by the BIG-IP system may be something that doesn't exist at all in its configuration. Additionally, the source IP address picked by the BIG-IP system may appear corrupted or invalid to an Administrator (for example: 0.0.0.112).
The BIG-IP system fails to perform OCSP Stapling, and the unusual traffic may trigger alarms on your network. The actual impact is limited, as clients who request validation of the certificate status and do not get it should be able to perform it on their own.
Required configuration:
1) The BIG-IP system is running a version prior to 13.0.0.
2) The BIG-IP system is deployed as an IPv4/IPv6 multihoming device.
3) The DNS Resolver used by the OCSP Stapling configuration belongs to a non-0 route domain.
4) The virtual servers performing OCSP Stapling belong to a non-0 route domain different from the one used by the DNS Resolver.
5) Virtual servers using OCSP Stapling include both IPv4 and IPv6 destinations.
6) The OCSP server FQDN resolves to an A record.
With these conditions in place, the issue occurs when a client connects to one of the OCSP Stapling-enabled IPv6 virtual servers and the BIG-IP system in turn needs to connect to an IPv4 OCSP server. The source IP address used by the BIG-IP system will be an IPv4 address formed from the last 4 bytes of an IPv6 Self-IP address configured on the BIG-IP system.
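When the unexpected source address trips a network alarm, the mapping described above can be checked directly: take each configured IPv6 Self-IP, keep its last 4 bytes, and compare the resulting IPv4 address with the source seen on the wire. The following is an added example (not F5 code); the Self-IP values in it are constructed samples.

```python
"""Map an anomalous OCSP source IPv4 address back to a BIG-IP IPv6 Self-IP.

Added example, not F5 code. Per the bug description, the bogus source is an
IPv4 address formed from the last 4 bytes of an IPv6 Self-IP. All addresses
below are constructed sample values, not taken from any real configuration.
"""
import ipaddress
from typing import Dict, List

# Constructed sample Self-IPs as they might appear in a BIG-IP config.
SELF_IPS: List[str] = [
    "2001:db8::70/64",          # tail 00:00:00:70 -> 0.0.0.112
    "2001:db8:1::c0a8:a01/64",  # tail c0:a8:0a:01 -> 192.168.10.1
    "fe80::1",                  # tail 00:00:00:01 -> 0.0.0.1
]


def ipv6_tail_as_ipv4(self_ip: str) -> ipaddress.IPv4Address:
    """Return the IPv4 address formed by the last 4 bytes of an IPv6 address.

    Accepts a bare address or one with a prefix length ("2001:db8::70/64").
    """
    addr = ipaddress.IPv6Interface(self_ip).ip
    return ipaddress.IPv4Address(addr.packed[-4:])


def explain_source(observed: str, self_ips: List[str]) -> Dict[str, str]:
    """Find every Self-IP whose tail bytes equal the observed IPv4 source.

    Returns {self_ip: derived_ipv4}; an empty dict means the observed source
    is not explained by this bug and should be investigated on its own.
    """
    target = ipaddress.IPv4Address(observed)
    matches: Dict[str, str] = {}
    for ip in self_ips:
        derived = ipv6_tail_as_ipv4(ip)
        if derived == target:
            matches[ip] = str(derived)
    return matches


if __name__ == "__main__":
    # A source of 0.0.0.112 looks corrupt, but maps cleanly to a Self-IP tail.
    for src in ("0.0.0.112", "192.168.10.1", "10.1.1.1"):
        print(src, "->", explain_source(src, SELF_IPS) or "no Self-IP match")
```

Note that the derived address is not always obviously bogus: a Self-IP whose low 32 bits happen to form a routable-looking IPv4 address produces a source that can pass a casual inspection.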
Where possible, you can work around this issue by re-configuring the BIG-IP system so that some of the conditions required for this issue to occur no longer apply.