Last Modified: Apr 29, 2023
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4
Fixed In:
15.0.0, 13.1.1.5
Opened: Dec 21, 2018 Severity: 3-Major
Inconsistent validation for firewall address-list's nested address-lists causes load failure. The operation validates 'addresses' in the address-list but misses the case of modifying the address-list nested in the address-list. The system posts a message similar to the following: 01071a5a:3: Cannot configure mix of IPv4 and IPv6 address(es) in this object. Unexpected Error: Loading configuration process failed.
Missing validation for nested address-list modification allows an invalid configuration to be specified and saved into bigip*.conf, which causes load failure. Note: This might cause upgrade from v12.1.x to fail when the configuration contains a mix of IPv4 and IPv6 within an address-list.
-- Modify an address-list's address-lists to contain mixed IPv4 and IPv6 addresses. -- Save the configuration. -- Load the configuration.
Edit the bigip*.conf file to remove the mix of IPv4 and IPv6 addresses in the nested address-lists.
This release contains validation to nested address-lists to check for overlapping IP addresses in the same address family.
