Supplemental Document : BIG-IP 11.5.10 Fixes and Known Issues

Applies To:

  • BIG-IP AAM 11.5.10
  • BIG-IP APM 11.5.10
  • BIG-IP GTM 11.5.10
  • BIG-IP Analytics 11.5.10
  • BIG-IP Link Controller 11.5.10
  • BIG-IP LTM 11.5.10
  • BIG-IP AFM 11.5.10
  • BIG-IP PEM 11.5.10
  • BIG-IP ASM 11.5.10

Updated Date: 09/19/2019

BIG-IP Release Information

Version: 11.5.10
Build: 13.0

Cumulative fixes from BIG-IP v11.5.9 that are included in this release
Cumulative fixes from BIG-IP v11.5.8 that are included in this release
Cumulative fixes from BIG-IP v11.5.7 that are included in this release
Cumulative fixes from BIG-IP v11.5.6 that are included in this release
Cumulative fixes from BIG-IP v11.5.5 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 Hotfix 4 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 Hotfix 3 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 that are included in this release
Cumulative fixes from BIG-IP v11.5.3 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.5.3 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v11.5.3 that are included in this release
Cumulative fixes from BIG-IP v11.5.2 Hotfix 1 that are included in this release
Known Issues in BIG-IP v11.5.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
794413-7 CVE-2019-6471 K10092301 BIND vulnerability CVE-2019-6471
796469-8 CVE-2019-6649 K05123525 ConfigSync Hardening
797885-8 CVE-2019-6649 K05123525 ConfigSync Hardening
799589-7 CVE-2019-6649 K05123525 ConfigSync Hardening
799617-7 CVE-2019-6649 K05123525 ConfigSync Hardening
807477-7 CVE-2019-6650 K04280042 ConfigSync Hardening
810557-7 CVE-2019-6649 K05123525 ASM ConfigSync Hardening
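
The fix tables on this page are flattened to one row per line (ID, CVE column, K-article column, description), and the extraction sometimes wraps a long CVE column onto continuation lines. The following is an added example, not part of the F5 release note, that parses such a table into records and answers the question a practitioner usually brings to this page: which fix IDs address a given CVE. The sample rows are copied from this page's Vulnerability Fixes tables; the rule that a line starting with a six-digit fix ID begins a new row and any other line continues the previous one is an assumption about the extraction, not an F5 format guarantee.

```python
import re
from dataclasses import dataclass

# Token patterns for the flattened "Vulnerability Fixes" tables: a fix ID such
# as 643554-13, zero or more CVE IDs (sometimes comma-separated), zero or more
# K-numbered solution articles, then a free-text description.
ID_RE = re.compile(r"\d{6}(?:-\d+)?")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
ARTICLE_RE = re.compile(r"K\d+")


@dataclass
class Fix:
    fix_id: str
    cves: list
    articles: list
    description: str


# Constructed sample: rows copied from the Vulnerability Fixes tables on this
# page, including the column header, a row with several CVEs and articles, a
# row with comma-separated CVEs, and a row whose CVE column wrapped onto
# continuation lines in the page extraction.
SAMPLE_TABLE = """\
ID Number CVE Solution Article(s) Description
794413-7 CVE-2019-6471 K10092301 BIND vulnerability CVE-2019-6471
643554-13 CVE-2017-3731 CVE-2017-3732 CVE-2016-7055 K37526132 K44512851 K43570545 OpenSSL vulnerabilities - OpenSSL 1.0.2k library update
645101-3 CVE-2017-3731, CVE-2017-3732 K44512851 OpenSSL vulnerability CVE-2017-3732
710148-6 CVE-2017-1000111
CVE-2017-1000112
K60250153 CVE-2017-1000111 & CVE-2017-1000112
"""


def _logical_rows(text):
    """Return one string per table row, re-joining rows that were wrapped.

    A line whose first token is a fix ID starts a new row; any other line
    (once a row exists) is a continuation of the previous row. Lines before
    the first fix ID, such as the column header, are skipped. This is an
    assumption about how the page was extracted, not an F5 format rule.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ID_RE.fullmatch(line.split(None, 1)[0]):
            rows.append(line)
        elif rows:
            rows[-1] += " " + line
    return rows


def parse_fix_table(text):
    """Parse a flattened Vulnerability Fixes table into Fix records."""
    fixes = []
    for row in _logical_rows(text):
        tokens = row.split()
        fix_id, rest = tokens[0], tokens[1:]
        cves = []
        # CVE column: consume leading CVE tokens, tolerating trailing commas.
        while rest and CVE_RE.fullmatch(rest[0].rstrip(",")):
            cves.append(rest.pop(0).rstrip(","))
        articles = []
        # Solution Article column: consume leading K-numbers.
        while rest and ARTICLE_RE.fullmatch(rest[0]):
            articles.append(rest.pop(0))
        # Everything left is the description. It often repeats a CVE, which
        # is safe here because the CVE column is read before the K-articles;
        # a row with no K-article whose description opens with a bare CVE
        # token would be misread (no row on this page does that).
        fixes.append(Fix(fix_id, cves, articles, " ".join(rest)))
    return fixes


def cve_index(fixes):
    """Map each CVE to the fix IDs that cite it, in table order."""
    index = {}
    for fix in fixes:
        for cve in fix.cves:
            index.setdefault(cve, []).append(fix.fix_id)
    return index


def fixes_for(text, cve):
    """Fix IDs in the table that cite the given CVE (empty list if none)."""
    return cve_index(parse_fix_table(text)).get(cve.upper(), [])


if __name__ == "__main__":
    for fix in parse_fix_table(SAMPLE_TABLE):
        print(fix.fix_id, fix.cves, fix.articles, "-", fix.description)
    print("CVE-2017-3732 fixed by:", fixes_for(SAMPLE_TABLE, "CVE-2017-3732"))
```

Feeding the whole page's tables through `parse_fix_table` and then `cve_index` gives a CVE-to-fix map that can be diffed against a vulnerability scanner's findings for a device running this build; the TMOS/LTM tables further down use a severity column instead of a CVE column and would need their own pattern.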


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
679861-4 1-Blocking   Weak Access Restrictions on the AVR Reporting Interface



Cumulative fixes from BIG-IP v11.5.9 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
757025-6 CVE-2018-5744 K00040234 BIND Update
749879-5 CVE-2019-6611 K47527163 Possible interruption while processing VPN traffic
739970-5 CVE-2018-5390 K95343321 Linux kernel vulnerability: CVE-2018-5390
739947-5 CVE-2019-6610 K42465020 TMM may crash while processing APM traffic
739094-2 CVE-2018-5546 K54431371 APM Client Vulnerability: CVE-2018-5546
737574-5 CVE-2019-6621 K20541896 iControl REST input sanitization
737441-3 CVE-2018-5546 K54431371 Disallow hard links to svpn log files
722677-1 CVE-2019-6604 K26455071 High-Speed Bridge may lock up
722387-5 CVE-2019-6596 K97241515 TMM may crash when processing APM DTLS traffic
714181-2 CVE-2019-6603 K14632915 TMM may crash while processing TCP traffic
704184-5 CVE-2018-5529 K52171282 APM Mac client creates files with owner-only read/write permissions
693810-5 CVE-2018-5529 K52171282 CVE-2018-5529: APM Linux Client Vulnerability
671813 CVE-2016-10142 K57211290 CVE-2016-10142: IPv6 fragmentation attack
511589-1 CVE-2019-6602 K11818407 TMUI hardening
757027-6 CVE-2019-6465 K01713115 BIND Update
753796-5 CVE-2019-6640 K40443301 SNMP does not follow best security practices
750460-6 CVE-2019-6639 K61002104 Subscriber management configuration GUI
745358-6 CVE-2019-6607 K14812883 ASM GUI does not follow best practices
745165-6 CVE-2019-6617 K38941195 Users without Advanced Shell Access are not allowed SFTP access
742226-5 CVE-2019-6635 K11330536 TMSH platform_check utility does not follow best security practices
721924-5 CVE-2018-17539 K17264695 bgpd may crash processing extended ASNs
719554-5 CVE-2018-8897 K17403481 Linux Kernel Vulnerability: CVE-2018-8897
710827-6 CVE-2019-6598 K44603900 TMUI dashboard daemon stability issue
703835-6 CVE-2019-6616 K82814400 When using SCP into BIG-IP systems, you must specify the target filename
702472-6 CVE-2019-6615 K87659521 Appliance Mode Security Hardening
699452-1 CVE-2019-6597 K29280193 Web UI does not follow current best coding practices
643554-13 CVE-2017-3731 CVE-2017-3732 CVE-2016-7055 K37526132 K44512851 K43570545 OpenSSL vulnerabilities - OpenSSL 1.0.2k library update
606710-5 CVE-2016-2834 CVE-2016-5285 CVE-2016-8635 K15479471 Mozilla NSS vulnerability CVE-2016-2834
540186-2 CVE-2019-6605 K45353544 TMM may crash while processing SSL traffic
603658-4 CVE-2019-6601 K25359902 AAM security hardening
530775-6 CVE-2019-6600 K23734425 Login page may generate unexpected HTML output
701785-5 CVE-2017-18017 K18352029 Linux kernel vulnerability: CVE-2017-18017


Functional Change Fixes

ID Number Severity Solution Article(s) Description
745387-6 3-Major   Resource-admin user roles can no longer get bash access
587107-1 3-Major   Allow iQuery to negotiate up to version TLS1.2
581840-2 3-Major K46576869 Cannot use Administrator account other than 'admin' to manage BIG-IP systems through BIG-IQ.
246726-3 3-Major K8940 System continues to process virtual server traffic after disabling virtual address
643034-4 4-Minor K52510343 Turn off TCP Proxy ICMP forwarding by default


TMOS Fixes

ID Number Severity Solution Article(s) Description
724680-1 2-Critical   OpenSSL Vulnerability: CVE-2018-0732
716391-5 2-Critical K76031538 High priority for MySQL on 2 core vCMP may lead to control plane process starvation
693996-1 2-Critical K42285625 MCPD sync errors and restart after multiple modifications to file object in chassis
689437-4 2-Critical K49554067 icrd_child cores due to infinite recursion caused by incorrect group name handling
652877-1 2-Critical   Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
587698-1 2-Critical   bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
581851-5 2-Critical K16234725 mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands
555464-1 2-Critical   HA channel flapping will cause SessionDB memory leak on standby due to unexpired entries
505323-3 2-Critical K17349 NSM hangs in a loop, utilizing 100% CPU
481974-1 2-Critical K16338 Using an SCF to modify a self IP address might cause problems
457252-2 2-Critical   tmm crash when using sip_info persistence without a sip profile
757026-6 3-Major   BIND Update
726409-1 3-Major   Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
707740-1 3-Major   Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination
707445-5 3-Major K47025244 Nitrox 3 compression hangs/unable to recover
674145-5 3-Major   chmand error log message missing data
651155-5 3-Major   HSB continually logs 'loopback ring 0 tx not active'
601893-4 3-Major K89212666 TMM crash in bwc_ctb_instance_recharge because pkts_avg_size is zero.
581921-6 3-Major K22327083 Required files under /etc/ssh are not moved during a UCS restore
561444-2 3-Major   LCD might display incorrect output.
527206-4 3-Major   Management interface may flap due to LOP sync error
485164-3 3-Major K40794733 MCPD cores when the Check Service Date in the license is not current.
465555-1 3-Major K53914592 GUI unable to open and configure iApp Application.
575176-4 4-Minor K58275035 SYN cookie cache statistics on ePVA-enabled devices are incremented by UDP traffic


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
739927-6 2-Critical   Bigd crashes after a specific combination of logging operations
726239-1 2-Critical   interruption of traffic handling as sod daemon restarts TMM
686228-4 2-Critical K23243525 TMM may crash in some circumstances with VLAN failsafe
648037-4 2-Critical   LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash
571651-2 2-Critical   Reset Nitrox3 crypto accelerator queue if it becomes stuck.
513310-4 2-Critical   TMM might core when a profile is changed.
468204-1 2-Critical   TMM can crash with SIGFPE assertion 'valid ctx crule_cnt' when a firewall iRule and OneConnect are used together.
756270-5 3-Major   SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
710028-6 3-Major   LTM SQL monitors may stop monitoring if multiple monitors querying same database
705112 3-Major   DHCP server flows are not re-established after expiration
688586-1 3-Major   DTLS does not retransmit ServerHello message if it is lost
662816-4 3-Major K61902543 Monitor node log fd leak for certain monitor types
657883-4 3-Major K34442339 tmm cache resolver should not cache response with TTL=0
655432-3 3-Major K85522235 SSL renegotiation failed intermittently with AES-GCM cipher
654368-4 3-Major K15732489 ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require
610138-5 3-Major K23284054 STARTTLS in SMTPS filter does not properly restrict I/O buffering
601178-4 3-Major   HTTP cookie persistence 'preferred' encryption
593530-3 3-Major K26430211 In rare cases, connections may fail to expire
578971-4 3-Major   When mcpd is restarted on a blade, cluster members may be temporarily marked as failed
553521-2 3-Major   TMM crash when executing route lookup in tmsh for multicast destination
534890-3 3-Major K73310443 When using session tickets, the session id sent might be incorrect
499615-14 3-Major K49031780 RAM cache serves zero length documents.
684319-1 4-Minor   iRule execution logging
618024-4 4-Minor   Software-switched platforms accept traffic on LACP trunks even when the trunk is down
530877-6 4-Minor K13887095 TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.
222034-5 4-Minor   HTTP::respond in LB_FAILED with large header/body might result in truncated response


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
756774-1 2-Critical   Aborted DNS queries to a cache may cause a TMM crash
739846-6 2-Critical   Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
692941-5 2-Critical   GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
649564-4 2-Critical   Crash related to GTM monitors with long RECV strings
726255-5 3-Major   dns_path lingering in memory with last_access 0 causing high memory usage
648286-3 3-Major   GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.
629421-3 3-Major   Big3d memory leak when adding/removing Wide IPs in a GTM sync pair.
620215-2 3-Major   TMM out of memory causes core in DNS cache


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
625602-1 2-Critical   ASM Auto-Sync Device Group Does Not Sync
576123-1 2-Critical K23221623 ASM policies are created as inactive policies on the peer device


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
706642-5 2-Critical   wamd may leak memory during configuration changes and cluster events


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
546877-2 2-Critical K10934171 tmm assert 'tcp_set_persist: retransmit pending'
442884-2 3-Major   TMM assert 'spdy pcb initialized' in spdy_process()



Cumulative fixes from BIG-IP v11.5.8 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
723130-4 2-Critical K13996 Invalid-certificate warning displayed when deploying BIG-IP VE OVA file


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
750488-1 3-Major   Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750484-1 3-Major   Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750472-1 3-Major   Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750457-1 3-Major   Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
749774-6 3-Major   EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
749675-6 3-Major   DNS cache resolver may return a malformed truncated response with multiple OPT records



Cumulative fixes from BIG-IP v11.5.7 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
716992-5 CVE-2018-5539 K75432956 The ASM bd process may crash
693744-1 CVE-2018-5531 K64721111 CVE-2018-5531: vCMP vulnerability
687193-2 CVE-2018-5533 K45325728 TMM may leak memory when processing SSL Forward Proxy traffic
686305-4 CVE-2018-5534 K64552448 TMM may crash while processing SSL forward proxy traffic
630446-3 CVE-2016-0718 K52320548 Expat vulnerability CVE-2016-0718
710314-4 CVE-2018-5537 K94105051 TMM may crash while processing HTML traffic
710148-6 CVE-2017-1000111 CVE-2017-1000112 K60250153 CVE-2017-1000111 & CVE-2017-1000112
705476-6 CVE-2018-15322 K28003839 Appliance Mode does not follow design best practices
694901 CVE-2015-8710 K45439210 CVE-2015-8710: Libxml2 Vulnerability
688625-4 CVE-2017-11628 K75543432 PHP Vulnerability CVE-2017-11628
677088-6 CVE-2018-15321 K01067037 BIG-IP tmsh vulnerability CVE-2018-15321
674486-2 CVE-2017-9233 K03244804 Expat Vulnerability: CVE-2017-9233
662850-4 CVE-2015-2716 K50459349 Expat XML library vulnerability CVE-2015-2716
617273-4 CVE-2016-5300 K70938105 Expat XML library vulnerability CVE-2016-5300
582773-3 CVE-2018-5532 K48224824 DNS server for child zone can continue to resolve domain names after revoked from parent
708653-5 CVE-2018-15311 K07550539 TMM may crash while processing TCP traffic
605579-9 CVE-2012-6702 K65460334 iControl-SOAP expat client library is subjected to entropy attack
603758-4 CVE-2018-5540 K82038789 Big3D security hardening
597652-1 CVE-2015-3217 K20225390 CVE-2015-3217 pcre: stack overflow caused by mishandled group empty match
591438-3 CVE-2015-8865 K54924436 PHP vulnerability CVE-2015-8865
673165-3 CVE-2017-7895 K15004519 CVE-2017-7895: Linux Kernel Vulnerability


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
674320-4 3-Major K11357182 Syncing a large number of folders can prevent the configuration getting saved on the peer systems
672988-4 3-Major K03433341 MCP memory leak when performing incremental ConfigSync
663924-4 3-Major   Qkview archives include Kerberos keytab files
639575-3 3-Major   Using libtar with files larger than 2 GB will create an unusable tarball
633465-1 3-Major K09748643 Curl cannot be forced to use TLSv1.0 or TLSv1.1
631172-2 3-Major K54071336 GUI user logged off when idle for 30 minutes, even when longer timeout is set
605270-3 3-Major   On some platforms the SYN-Cookie status report is not accurate
600558-10 3-Major   Errors logged after deleting user in GUI
598039-8 3-Major   MCP memory may leak when performing a wildcard query
589856 3-Major   iControl REST: possible to get duplicate transaction IDs when transactions are created by multiple clients
589338-2 3-Major   Linux host may lose dynamic routes on secondary blades
585547-4 3-Major   NTP configuration items are no longer collected by qkview
583502-3 3-Major K58243048 Considerations for transferring files from F5 devices
539832-2 3-Major   Zebos: extended community attributes are exchanged incorrectly in BGP updates.
522304-1 3-Major   Some password policy changes are not reflected in /etc/shadow when synced in a CMI device group
516540-2 3-Major K17501 devmgmtd file object leak
508556-2 3-Major K17035 CSR missing SAN when renewing cert in GUI
457149-1 3-Major K15397 Remotely authenticated users may still obey local password policy
424542-2 3-Major   tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
660239-4 4-Minor   When accessing the dashboard, invalid HTTP headers may be present
645589 4-Minor   Password-less ssh access lost for non-admin users after tmsh load sys ucs
530530-4 4-Minor K07298903 tmsh sys log filter is displayed in UTC time
477700-2 4-Minor K04116117 Detail missing from power supply 'Bad' status log messages
464650-2 4-Minor   Failure of mcpd with invalid authentication context.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
618905-2 1-Blocking   tmm core while installing Safenet 6.2 client
682682-4 2-Critical   tmm asserts on a virtual server-to-virtual server connection
646643-4 2-Critical K43005132 HA standby virtual server with non-default lasthop settings may crash.
625198-4 2-Critical   TMM might crash when TCP DSACK is enabled
581746-4 2-Critical K42175594 MPTCP or SSL traffic handling may cause a BIG-IP outage
488908-3 2-Critical K16808 When a client-ssl profile serves as the server side, BIG-IP SSL does not initialize in its initialization function.
474797-1 2-Critical   Nitrox crypto hardware may attempt soft reset while currently resetting
450765-1 2-Critical K17332 tmm segfault: hud_mptcp_handler HUDCTL_PERFORM_METHOD
713951-1 3-Major   tmm core files produced by nitrox_diag may be missing data
711281-1 3-Major   nitrox_diag may run out of space on /shared
691806-5 3-Major K61815412 RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
680755-3 3-Major K27015502 max-request enforcement no longer works outside of OneConnect
676355-4 3-Major   DTLS retransmission does not comply with RFC in certain resumed SSL session
641512-2 3-Major K51064420 DNSSEC key generations fail with lots of invalid SSL traffic
619849-1 3-Major   In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
603609-5 3-Major   Policy unable to match initial path segment when request-URI starts with "//"
603550-4 3-Major K63164073 Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
596433-1 3-Major   Virtual with lasthop configured rejects request with no route to client.
593390-1 3-Major   Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
591666-1 3-Major   TMM crash in DNS processing on TCP virtual with no available pool members
589400-5 3-Major K33191529 With Nagle disabled, TCP does not send all xfrags with size greater than MSS.
568743-2 3-Major   TMM core when dnssec queries to dns-express zone exceed nethsm capacity
466875-3 3-Major K15586 SNAT automap may select source address that is not attached to egress VLAN/interface
393647-1 3-Major K17287 Objects configured with a connection rate-limit and yellow status
716922-6 4-Minor   Reduction in PUSH flags when Nagle Enabled
708249-6 4-Minor   nitrox_diag utility generates QKView files with 5 MB maximum file size limit
629033-1 4-Minor   BIG-IP should send SHA1 in supported signature hash algorithm last (clientside / Server Hello).
604272-3 4-Minor   SMTPS profile connections_current stat does not reflect actual connection count.
589039-3 4-Minor   Clearing masquerade MAC results in unexpected link-local self IP addresses.
481820-2 4-Minor   Internal misbehavior of the SPDY filter


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
645615-4 2-Critical K70543226 zxfrd may fail and restart after multiple failovers between blades in a chassis.
642039-4 2-Critical K20140595 TMM core when persist is enabled for wideip with certain iRule commands triggered.
587617-4 2-Critical   While adding GTM server, failure to configure new IP on existing server leads to gtmd core
721895-3 3-Major   Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)
632423-1 3-Major K40256229 DNS::query can cause tmm crash if AXFR/IXFR types specified.
629530-8 3-Major K53675033 Under certain conditions, monitors do not time out.
625671-1 3-Major   The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
619398-3 3-Major   TMM out of memory causes core in DNS cache
657961 4-Minor K44031930 The edit button on the GSLB Wide IP create page does not place the pool name back into the select dropdown


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
672480-1 2-Critical   WebSSO plugin process may become unresponsive in rare situations for Kerberos SSO
632798-3 2-Critical K30710317 Double-free may occur if Access initialization fails


Service Provider Fixes

ID Number Severity Solution Article(s) Description
559953-3 2-Critical   tmm core on long DIAMETER::host value


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
591828-3 3-Major K52750813 For unmatched connection, TCP RST may not be sent for data packet


Device Management Fixes

ID Number Severity Solution Article(s) Description
468710-3 3-Major K32093584 Using non-standard lettercasing for header name results in misleading error during commit of transaction



Cumulative fixes from BIG-IP v11.5.6 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
699803 CVE-2018-5510 K77671456 TMM may crash while processing IPv6 traffic
695901-4 CVE-2018-5513 K46940010 TMM may crash when processing ProxySSL data
681710-6 CVE-2017-6155 K10930474 Malformed HTTP/2 requests may cause TMM to crash
674189-5 CVE-2016-0718 K52320548 iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0
670822-5 CVE-2017-6148 K55225440 TMM may crash when processing SOCKS data
649907-4 CVE-2017-3137 K30164784 BIND vulnerability CVE-2017-3137
649904-4 CVE-2017-3136 K23598445 BIND vulnerability CVE-2017-3136
644904-3 CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985, CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486 K55129614 tcpdump 4.9
643187-4 CVE-2017-3135 K80533167 BIND vulnerability CVE-2017-3135
612128-2 CVE-2016-6515 K31510510 OpenSSH vulnerability CVE-2016-6515
704490-2 CVE-2017-5754 K91229003 CVE-2017-5754 (Meltdown)
704483-2 CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176 K91229003 CVE-2017-5753 (Spectre Variant 1)
699455-1 CVE-2018-5523 K50254952 SAML export does not follow best practices
676457-1 CVE-2017-6153 K52167636 TMM may consume excessive resource when processing compressed data
672124-5 CVE-2018-5541 K12403422 Excessive resource usage when BD is processing requests
671497-3 CVE-2017-3142 K59448931 TSIG authentication bypass in AXFR requests
662663-5 CVE-2018-5507 K52521791 Decryption failure on Nitrox platforms in vCMP mode
645101-3 CVE-2017-3731, CVE-2017-3732 K44512851 OpenSSL vulnerability CVE-2017-3732
643375-3 CVE-2018-5508 K10329515 TMM may crash when processing compressed data
635314-3 CVE-2016-1248 K22183127 vim Vulnerability: CVE-2016-1248
631688-3 CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433 K55405388 K87922456 K63326092 K51444934 K80996302 Multiple NTP vulnerabilities
631204-3 CVE-2018-5521 K23124150 GeoIP lookups incorrectly parse IP addresses
627907-4 CVE-2017-6143 K11464209 Improve cURL usage
625372-1 CVE-2016-2179 K23512141 OpenSSL vulnerability CVE-2016-2179
622178-4 CVE-2017-6158 K19361245 Improve flow handling when Autolasthop is disabled
621337-4 CVE-2016-7469 K97285349 XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469
618261-4 CVE-2016-2182 K01276005 OpenSSL vulnerability CVE-2016-2182
618258-4 CVE-2016-2182 K01276005 OpenSSL vulnerability CVE-2016-2182
613225-4 CVE-2016-2180, CVE-2016-6306, CVE-2016-6302 K90492697 OpenSSL vulnerability CVE-2016-6306
605039-1 CVE-2016-2775 K92991044 lwresd and bind vulnerability CVE-2016-2775
600248-5 CVE-2016-2177 K23873366 OpenSSL vulnerability CVE-2016-2177
600232-5 CVE-2016-2177 K23873366 OpenSSL vulnerability CVE-2016-2177
600223-5 CVE-2016-2177 K23873366 OpenSSL vulnerability CVE-2016-2177
599536-5 CVE-2017-6156 K05263202 IPsec peer with wildcard selector brings up wrong phase2 SAs
585424-4 CVE-2016-1979 K20145801 Mozilla NSS vulnerability CVE-2016-1979
572272-3 CVE-2018-5506 K65355492 BIG-IP - Anonymous Certificate ID Enumeration
353229-4 CVE-2018-5522 K54130510 Buffer overflows in DIAMETER
622662-4 CVE-2016-6306 K90492697 OpenSSL vulnerability CVE-2016-6306
617901-4 CVE-2018-5525 K00363258 GUI to handle file path manipulation to prevent GUI instability.
609691-5 CVE-2014-4617 K21284031 GnuPG vulnerability CVE-2014-4617
600205-5 CVE-2016-2178 K53084033 OpenSSL Vulnerability: CVE-2016-2178
600198-5 CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 CVE-2016-2216 K53084033 OpenSSL vulnerability CVE-2016-2178
598002-4 CVE-2016-2178 K53084033 OpenSSL vulnerability CVE-2016-2178
655021-4 CVE-2017-3138 K23598445 BIND vulnerability CVE-2017-3138
621935-4 CVE-2016-6304 K54211024 OpenSSL vulnerability CVE-2016-6304
601268-2 CVE-2015-8874 CVE-2016-5770 CVE-2016-5772 CVE-2016-5768 CVE-2016-5773 CVE-2016-5769 CVE-2016-5766 CVE-2016-5771 CVE-2016-5767 CVE-2016-5093 CVE-2016-5094 K43267483 PHP vulnerability CVE-2016-5766


Functional Change Fixes

ID Number Severity Solution Article(s) Description
570570-2 3-Major   Default crypto failure action is now 'go-offline-downlinks'.


TMOS Fixes

ID Number Severity Solution Article(s) Description
707226-4 1-Blocking   DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
534824-2 1-Blocking K02954921 Incorrect key/certificate when creating clientSSL profile and modifying key/cert in the same transaction.
475599-3 1-Blocking   full "/shared" filesystem prevents tmsh from running
470945-1 2-Critical K16891 Memory leak in Export Policy operation
655649-5 3-Major K88627152 BGP last update timer incorrectly resets to 0
645179-4 3-Major   Traffic group becomes active on more than one BIG-IP after a long uptime
644184-6 3-Major K36427438 ZebOS daemons hang while AgentX SNMP daemon is waiting.
624692-1 3-Major   Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying
621314-1 3-Major K55358710 SCTP virtual server with mirroring may cause excessive memory use on standby device
610417-4 3-Major K54511423 Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
584583-2 3-Major K18410170 Timeout error when using the REST API to retrieve large amount of data
563905 3-Major   Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.
423928-1 3-Major K42630383 syslog messages over 8 KB in length cause logstatd to exit
524606-2 4-Minor   SElinux violations prevent cpcfg from touching /service/mcpd/forceload


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
621452-4 1-Blocking K58146172 Connections can stall with TCP::collect iRule
670804 2-Critical K03163260 Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP
646604-4 2-Critical K21005334 Client connection may hang when NTLM and OneConnect profiles used together
622856-2 2-Critical   BIG-IP may enter SYN cookie mode later than expected
613524-1 2-Critical   TMM crash when HTTP::respond is called twice in LB_FAILED
600982-7 2-Critical   TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"
341928-6 2-Critical   CMP enabled virtual servers which target CMP disabled virtual servers can crash TMM.
685615-1 3-Major K24447043 Incorrect source mac for TCP Reset with vlangroup for host traffic
677525-4 3-Major   Translucent VLAN group may use unexpected source MAC address
664769-3 3-Major   TMM may restart when using SOCKS profile and an iRule
662881-4 3-Major K10443875 L7 mirrored packets from standby to active might cause tmm core when it goes active.
633691-2 3-Major   HTTP transaction may not finish gracefully because the TCP connection is closed by RST
604880-1 3-Major   tmm assert "valid pcb" in tcp.c
572234-4 3-Major   When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
517456-2 3-Major K00254480 Resetting virtual server stat increments cur_conns stat in clientssl profile
507554-2 3-Major K13741128 Uneven egress traffic distribution on trunk with odd number of members
496950-2 3-Major   Flows may not be mirrored successfully when static routes and gateways are defined.
494333-1 3-Major   In specific cases, persist cookie insert fails to insert a session cookie when using an iRule
435055-2 3-Major K17291 ECDHE-ECDSA ciphers with hybrid certificate (RSA signed EC cert)
248914-5 3-Major K00612197 ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address
554774-3 4-Minor   Persist lookup across services might fail to return a matching record when multiple records exist.
511985-2 4-Minor   Large numbers of ERR_UNKNOWN appearing in the logs
495242 4-Minor   mcpd log messages: Failed to unpublish LOIPC object


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
562921-2 2-Critical   Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
663310-1 3-Major   named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files
654599-3 3-Major K74132601 The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
644220-1 4-Minor   Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
691670-1 2-Critical   Rare BD crash in a specific scenario
679603-4 2-Critical K15460886 bd core upon request, when profile has sensitive element configured.
706304-1 3-Major   ASU and other Update Check services overload F5 download server
697303-5 3-Major   BD crash
696265-1 3-Major K60985582 BD crash
695878-1 3-Major   Signature enforcement issue on specific requests
694922-1 3-Major   ASM Auto-Sync Device Group Does Not Sync
685207-4 3-Major   DoS client side challenge does not encode the Referer header.
683241-5 3-Major K70517410 Improve CSRF token handling
504917-2 3-Major   In ASM Manual Sync Only group, policies do not stay deleted or inactive on secondary after sync is pushed


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
693739-4 2-Critical   VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled
499800-2 2-Critical   Customized logout page is not displayed after logon failure
702490-6 3-Major   Windows Credential Reuse feature may not work
692369-1 3-Major   TMM crash caused by SSOv2 form based due to null config
689826-4 3-Major K95422068 Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)
684937-4 3-Major K26451305 [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
683113-4 3-Major K22904904 [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
678976-4 3-Major K24756214 Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
610582-8 3-Major   Device Guard prevents Edge Client connections
590345-4 3-Major   ACCESS policy running iRule event agent intermittently hangs
563135-2 3-Major   SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt
541622-3 3-Major   APD/APMD Crashes While Verifying CAPTCHA
436489-3 3-Major   Session variables defined within the "Relay State" parameter of an SP initiated SSO session may fail.


Service Provider Fixes

ID Number Severity Solution Article(s) Description
696049-5 3-Major   High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
447570-1 2-Critical   tmm sigsegv



Cumulative fixes from BIG-IP v11.5.5 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
684879-4 CVE-2017-6164 K02714910 TMM may crash while processing TLS traffic
653993-1 CVE-2017-6132 K12044607 A specific sequence of packets to the HA listener may cause tmm to produce a core file
653880-2 CVE-2017-6214 K81211720 Kernel Vulnerability: CVE-2017-6214
652516-2 CVE-2016-10088 CVE-2016-10142 CVE-2016-2069 CVE-2016-2384 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-8399 CVE-2016-9576 K31603170 Multiple Linux Kernel Vulnerabilities
648865-3 CVE-2017-6074 K82508682 Linux kernel vulnerability: CVE-2017-6074
644693-6 CVE-2016-2183 CVE-2017-3272 CVE-2017-3289 CVE-2017-3253 CVE-2017-3261 CVE-2017-3231 CVE-2016-5547 CVE-2016-5552 CVE-2017-3252 CVE-2016-5546 CVE-2016-5548 CVE-2017-3241 K15518610 Fix for multiple CVEs for openjdk-1.7.0
641360-4 CVE-2017-0303 K30201296 SOCKS proxy protocol error
630475-3 CVE-2017-6162 K13421245 TMM Crash
626360-4 CVE-2017-6163 K22541983 TMM may crash when processing HTTP2 traffic
624903-2 CVE-2017-6140 K55102452 Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.
610255-3 CVE-2017-6161 K62279530 CMI improvement
580026-4 CVE-2017-6165 K74759095 HSM logging error
573778-5 CVE-2016-1714 K75248350 QEMU vulnerability CVE-2016-1714
563154-3 CVE-2015-2925 CVE-2015-5307 CVE-2015-7613 CVE-2015-7872 CVE-2015-8104 K31026324 K94105604 K90230486 Multiple Linux Kernel vulnerabilities
560109-4 CVE-2017-6160 K19430431 Client capabilities failure
540174-2 CVE-2015-5364 CVE-2015-5366 K17307 K17309 CVE updates from https://rhn.redhat.com/errata/RHSA-2015-1623.html
655059-1 CVE-2017-6134 K37404773 TMM Crash
648217-2 CVE-2017-6074 K82508682 CVE-2017-6074: Linux Kernel Vulnerability
638137-3 CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 K51201255 CVE-2016-7117 CVE-2016-4998 CVE-2016-6828
614147-4 CVE-2017-6157 K02692210 SOCKS proxy defect resolution
614097-4 CVE-2017-6157 K02692210 HTTP Explicit proxy defect resolution
613127-5 CVE-2016-5696 K46514822 Linux TCP Stack vulnerability CVE-2016-5696
600069-4 CVE-2017-0301 K54358225 Portal Access: Requests handled incorrectly
592485-1 CVE-2015-5157 CVE-2015-8767 K17326 Linux kernel vulnerability CVE-2015-5157
582813-4 CVE-2016-0774 K08440897 Linux Kernel CVE-2016-0774
540018-3 CVE-2014-3940 CVE-2014-3184 CVE-2015-0239 K16429 K15685 K15912 Multiple Linux Kernel Vulnerabilities
533413-3 CVE-2011-5321 CVE-2015-3636 CVE-2015-1593 CVE-2015-2830 CVE-2015-2922 K51518670 CVE updates from https://rhn.redhat.com/errata/RHSA-2015-1221.html
527563-5 CVE-2015-1805 CVE-2015-3331 CVE-2014-9419 CVE-2014-9420 CVE-2014-9585 K17458 K16819 K17551 K17543 K17241 Kernel Vulnerabilities
492732-1 CVE-2014-3184 K15912 Linux kernel driver vulnerabilities CVE-2014-3184, CVE-2014-3185, CVE-2014-3611, CVE-2014-3645, and CVE-2014-3646


Functional Change Fixes

ID Number Severity Solution Article(s) Description
651772-6 3-Major   IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
545263-2 3-Major   Add SSL maximum aggregate active handshakes per profile and per global
441079-4 3-Major K55242686 BIG-IP 2000/4000: Source port on NAT connections is modified when it should be preserved
225634-6 3-Major   The rate class feature does not honor the Burst Size setting.


TMOS Fixes

ID Number Severity Solution Article(s) Description
641013-4 2-Critical   GRE tunnel traffic pinned to one TMM
625824-4 2-Critical   iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
542097-6 2-Critical   Update to RHEL6 kernel
448409-5 2-Critical K15491 'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle
667278-6 3-Major   DSC connections between BIG-IP units may fail to establish
623930-1 3-Major   vCMP guests with vlangroups may loop packets internally
621273-5 3-Major   DSR tunnels with transparent monitors may cause TMM crash.
617628-3 3-Major   SNMP reports incorrect value for sysBladeTempTemperature OID
612721 3-Major   FIPS: .exp keys cannot be imported when the local source directory contains .key file
601709-4 3-Major K02314881 I2C error recovery for BIG-IP 4340N/4300 blades
467195-1 3-Major   Allow special characters importing SSL Key and Certificate except backslash.
460176-3 3-Major   Hardwired failover asserts active even when standalone


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
659899-4 2-Critical K10589537 Rare, intermittent system instability observed in dynamic load-balancing modes
597978-5 2-Critical   GARPs may be transmitted by active going offline
515915-3 2-Critical K47804233 Server side timewait close state causes long establishment under port reuse
503125-2 2-Critical   Excessive MPI net traffic can cause tmm panics on chassis systems
658214-4 3-Major K20228504 TCP connections fail intermittently for mirrored FastL4 virtual server
613369-5 3-Major   Half-Open TCP Connections Not Discoverable
611278-1 3-Major   Connections to a BIG-IP system's Self-IP address may fail when the VLAN cmp-hash is altered
587705-6 3-Major K98547701 Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
554295-5 3-Major   CMP disabled flows are not properly mirrored
542009-3 3-Major K01162427 tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message.
536563-4 3-Major   Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.
528198-1 3-Major   reject in iRule event FLOW_INIT may not respond with a RST
520604-6 3-Major K52431550 Route domain creation may fail if simultaneously creating and modifying a route domain
494977-1 3-Major   Rare outages possible when using config sync and node-based load balancing
488921-3 3-Major   BIG-IP system sends unnecessary gratuitous ARPs
452443-3 3-Major   DNS cache resolver cannot send egress traffic on a VLAN with src-ip or dst-ip cmp hash configured


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
568347-3 2-Critical   BD Memory corruption
669394-1 3-Major K23432927 CS redirects to incorrect URL
520038-2 3-Major   Added/updated signatures are added to certain corrupted Manual user-defined sets.
441075-6 3-Major   Newly added or updated signatures are erroneously added to Manual user-defined signature sets.


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
679235-3 2-Critical   Inspection Host NPAPI Plugin for Safari cannot be installed
666454-4 2-Critical K05520115 Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update
620829-5 3-Major K34213161 Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
597214-6 3-Major   Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
445483-2 3-Major   SSO does not work with Password with '+' character for Citrix Storefront integration mode



Cumulative fixes from BIG-IP v11.5.4 Hotfix 4 that are included in this release


Functional Change Fixes

None


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
656902 2-Critical   Upgrade to 11.5.4 HF3 may remove valid cipher suite configuration from SSL profile
655756 2-Critical   TMM might crash while using SSL profiles on BIG-IP 2000/4000 platforms.
587691-2 2-Critical K41679973 TMM crashes upon SSL handshake cancellation.



Cumulative fixes from BIG-IP v11.5.4 Hotfix 3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
616772-3 CVE-2014-3568 K15724 CVE-2014-3568 : OpenSSL Vulnerability (Oracle Access Manager)
616765-3 CVE-2013-6449 K15147 CVE-2013-6449 : OpenSSL Vulnerability (Oracle Access Manager)
636702-1 CVE-2016-9444 K40181790 BIND vulnerability CVE-2016-9444
636700-2 CVE-2016-9147 K02138183 BIND vulnerability CVE-2016-9147
636699-3 CVE-2016-9131 K86272821 BIND vulnerability CVE-2016-9131
632618 CVE-2016-3717 K29154575 ImageMagick vulnerability CVE-2016-3717
631582-3 CVE-2016-9250 K55792317 Administrative interface enhancement
624570-4 CVE-2016-8864 K35322517 BIND vulnerability CVE-2016-8864
624457-2 CVE-2016-5195 K10558632 Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
616864-4 CVE-2016-2776 K18829561 BIND vulnerability CVE-2016-2776
616498-3 CVE-2009-3245 K15404 CVE-2009-3245 : OpenSSL Vulnerability (Oracle Access Manager)
616491-3 CVE-2006-3738 K6734 CVE-2006-3738 : OpenSSL Vulnerability (Oracle Access Manager)
611830 CVE-2016-7468 K13053402 TMM may crash when processing TCP traffic
611469-6 CVE-2016-7467 K95444512 Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
597394-5 CVE-2016-9252 K46535047 Improper handling of IP options
596340-4 CVE-2016-9244 K05121675 F5 TLS vulnerability CVE-2016-9244
591328-3 CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 K36488941 OpenSSL vulnerability CVE-2016-2106
591327-3 CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 K36488941 OpenSSL vulnerability CVE-2016-2106
591325-3 CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 K75152412 OpenSSL (May 2016) CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109
591042-6 CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 K23230229 OpenSSL vulnerabilities
508057-2 CVE-2015-0411 K44611310 MySQL Vulnerability CVE-2015-0411
635412-1 CVE-2017-6137 K82851041 Invalid mss with fast flow forwarding and software syn cookies
623119-3 CVE-2016-4470 K55672042 Linux kernel vulnerability CVE-2016-4470
622496-3 CVE-2016-5829 K28056114 Linux kernel vulnerability CVE-2016-5829
604442-3 CVE-2016-6249 K12685114 iControl log
601938-5 CVE-2016-7474 K52180214 MCPD stores certain data incorrectly
597023-5 CVE-2016-4954 K82644737 NTP vulnerability CVE-2016-4954
594496-4 CVE-2016-4539 K35240323 PHP Vulnerability CVE-2016-4539
593447-3 CVE-2016-5024 K92859602 BIG-IP TMM iRules vulnerability CVE-2016-5024
591455-3 CVE-2016-1550 CVE-2016-1548 CVE-2016-2516 CVE-2016-2518 K24613253 NTP vulnerability CVE-2016-2516
591447-4 CVE-2016-4070 K42065024 PHP vulnerability CVE-2016-4070
587077-4 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118 K37603172 Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
526514-2 CVE-2016-3687 K26738102 Open redirect via SSO_ORIG_URI parameter in multi-domain SSO
524279-4 CVE-2015-4000 K16674 CVE-2015-4000: TLS vulnerability
520924-3 CVE-2016-5020 K00265182 Restricted roles for custom monitor creation
475743-2 CVE-2017-6128 K92140924 Improve administrative login efficiency
416734-2 CVE-2012-5195 CVE-2012-5526 CVE-2012-6329 CVE-2013-1667 K15867 Multiple Perl Vulnerabilities
635933-2 CVE-2004-0790 K23440942 The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
599285-5 CVE-2016-5094 CVE-2016-5095 CVE-2016-5096 K51390683 PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
597010-5 CVE-2016-4955 K03331206 NTP vulnerability CVE-2016-4955
596997-5 CVE-2016-4956 K64505405 NTP vulnerability CVE-2016-4956
591767-4 CVE-2016-1547 K11251130 NTP vulnerability CVE-2016-1547
573343-4 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 K01324833 NTP vulnerability CVE-2015-8158


Functional Change Fixes

ID Number Severity Solution Article(s) Description
633723-1 3-Major   New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
620712 3-Major   Added better search capabilities on the Pool Members Manage & Pool Create page.
561348-2 3-Major   krb5.conf file is not synchronized between blades and not backed up
541549-3 3-Major   AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.
530109-1 3-Major   OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
511818-5 3-Major   Support RSASSA-PSS signature algorithm in server SSL certificate
454492-2 3-Major   Improved handling of signature_algorithms extension to avoid using SHA1 in TLS handshake signatures


TMOS Fixes

ID Number Severity Solution Article(s) Description
638935-1 2-Critical   Monitor with send/receive string containing double-quote may cause upgrade to fail.
624263-1 2-Critical   iControl REST API sets a profile's non-default property value to "none"; properties missing from iControl REST API response
614865 2-Critical   Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
610354-3 2-Critical   TMM crash on invalid memory access to loopback interface stats object
605476 2-Critical   statsd can core when reading corrupt stats files.
601527-1 2-Critical   mcpd memory leak and core
600396-1 2-Critical   iControl REST may return 404 for all requests in AWS
570663-2 2-Critical   Using iControl get_certificate_bundle_v2 causes a memory leak
562959-3 2-Critical   In some error scenarios, IPsec might send packets not intended for IPsec over the tunnel.
559980 2-Critical   Change console baud rate requires reboot to take effect
551661-3 2-Critical   Monitor with send/receive string containing double-quote may fail to load.
483373-1 2-Critical   Incorrect bash prompt for created admin role users
467847-1 2-Critical   passphrase visible in audit log
440752-2 2-Critical   qkview might loop writing output file if MCPD fails during execution
355806-2 2-Critical   Starting mcpd manually at the command line interferes with running mcpd
631627-3 3-Major   Applying BWC over route domain sometimes results in tmm not becoming ready on system start
631530 3-Major K32246335 TAI offset not adjusted immediately during leap second
628164-1 3-Major K20766432 OSPF with multiple processes may incorrectly redistribute routes
624931 3-Major   getLopSensorData "sensor data reply too short" errors with FND300 DC PSU
621417-2 3-Major   sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS.
621242-2 3-Major   Reserve enough space in the image for future upgrades.
620659-1 3-Major   The BIG-IP system may unnecessarily run provisioning on successive reboots
616242-1 3-Major K39944245 basic_string::compare error in encrypted SSL key file if the first line of the file is blank
615934 3-Major   Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
614675 3-Major   GUI or iControl SOAP API call 'LocalLB::ProfileClientSSL::create_v2' creates invalid profile
608320-2 3-Major   iControl REST API sets a persistence profile's non-default property value to "none"; properties missing from iControl REST API response
604237-1 3-Major   Vlan allowed mismatch found error in VCMP guest
596814-2 3-Major   HA Failover fails in certain valid AWS configurations
595773-6 3-Major   Cancellation requests for chunked stats queries do not propagate to secondary blades
560510-4 3-Major   Invalid /etc/resolv.conf when more than one DNS server is set and MCPD is down.
558858-1 3-Major K80079953 Unexpected loss of communication between slots of a vCMP Guest
556277-4 3-Major   Config Sync error after hotfix installation (chroot failed rsync error)
534021-1 3-Major   HA on AWS uses default AWS endpoint (EC2_URL).
533813-2 3-Major   Internal Virtual Server in partition fails to load from saved config
502714-6 3-Major K75031635 Deleting files and file object references in a single transaction might cause validation errors
502049-3 3-Major   Qkview may store information in the wrong format
502048-3 3-Major   Qkview may store information in the wrong format
499537-2 3-Major K58243048 Qkview may store information in the wrong format
491406-2 3-Major   TMM SIGSEGV in sctp_output due to NULL snd_dst
460833-2 3-Major   MCPD sync errors and restart after multiple modifications to file object in chassis
420438-2 3-Major   Default routes from standby system when HA is configured in NSSA
393270-3 3-Major   Configuration utility may become non-responsive or fail to load.
605661-1 4-Minor   Update TZ data
601927-4 4-Minor K52180214 Security hardening of control plane
599191-1 4-Minor   One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card
589379-1 4-Minor K20937139 ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
551208-3 4-Minor   Nokia alarms are not deleted due to the outdated alert_nokia.conf.
516841-3 4-Minor   Unable to log out of the GUI in IE8
500452-3 4-Minor K28520025 PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware
471827-2 4-Minor   Firstboot early syslog-ng log: /var/run/httpd.pipe does not exist
457951-3 4-Minor K19305339 openldap/ldap.conf file is not part of ucs backup archive.
442231-1 5-Cosmetic   Pendsect log entries have an unexpected severity


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
637181-2 2-Critical   VIP-on-VIP traffic may stall after routing updates
622166-1 2-Critical K75571433 HTTP GET requests with HTTP::cookie iRule command receive no response
619071-1 2-Critical   OneConnect with verified accept issues
616215-1 2-Critical   TMM can core when using LB::detach and TCP::notify commands in an iRule
611704-1 2-Critical   tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event
605865-1 2-Critical   Debug TMM produces core on certain ICMP PMTUD packets
603667-1 2-Critical   TMM may leak or corrupt memory when configuration changes occur with plugins in use
597966-1 2-Critical   ARP/neighbor cache nexthop object can be freed while still referenced by another structure
588351-3 2-Critical   IPv6 fragments are dropped when packet filtering is enabled.
578045-5 2-Critical   The HTTP_PROXY_REQUEST iRule event can cause the TMM to crash if pipelined ingress occurs when the iRule parks
576897-2 2-Critical   Using snat/snatpool in related-rule results in crash
575011-9 2-Critical K21137299 Memory leak. Nitrox3 Hang Detected.
574153-3 2-Critical   If an SSL client disconnects while data is being sent to SSL client, the connection may stall until TCP timeout.
565409-3 2-Critical   Invalid MSS with HW syncookies and flow forwarding
559973-5 2-Critical   Nitrox can hang on RSA verification
526367-2 2-Critical   tmm crash
488686-4 2-Critical K24980114 Large file transfer hangs when HTTP is in passthrough mode
484214-3 2-Critical   Nitrox got stuck when processed certain SSL records
477195-1 2-Critical   OSPFv3 session gets stuck in loading state
469770-3 2-Critical   System outage can occur with MPTCP traffic.
411233-2 2-Critical   New pool members take all requests until lb_value catches up.
629771 3-Major   The TCP::unused_port command erroneously accepts IPV4_COMPAT addresses
621465 3-Major   The minimum IP packet fragment size is now 1 and not 24
617862-3 3-Major   Fastl4 handshake timeout is absolute instead of relative
617824-1 3-Major   "SSL::disable/enable serverside" + oneconnect reuse is broken
610609-4 3-Major   Total connections in bigtop, SNMP are incorrect
610429-2 3-Major   X509::cert_fields iRule command may memory with subpubkey argument
608551-2 3-Major   Half-closed congested SSL connections with unclean shutdown might stall.
608024-2 3-Major   Unnecessary DTLS retransmissions occur during handshake.
607304-1 3-Major   TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
606575-2 3-Major   Request-oriented OneConnect load balancing ends when the server returns an error status code.
604977-4 3-Major K08905542 Wrong alert when DTLS cookie size is 32
604496-1 3-Major   SQL (Oracle) monitor daemon might hang.
603723-1 3-Major   TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
603606-1 3-Major   tmm core
600827-3 3-Major K21220807 Stuck Nitrox crypto queue can erroneously be reported
598874-1 3-Major   GTM Resolver sends FIN after SYN retransmission timeout
597089-3 3-Major   Connections are terminated after 5 seconds when using ePVA full acceleration
592871-1 3-Major   Cavium Nitrox PX/III stuck queue diagnostics missing.
592784 3-Major   Compression stalls, does not recover, and compression facilities cease.
591789 3-Major   IPv4 fragments are dropped when packet filtering is enabled.
591659-2 3-Major K47203554 Server shutdown is propagated to client after X-Cnection: close transformation.
591476-6 3-Major K53220379 Stuck crypto queue can erroneously be reported
588572-2 3-Major   Unnecessary re-transmission of packets on higher ICMP PMTU.
588569-2 3-Major   Don't include maximum TCP options length in calculating MSS on ICMP PMTU.
588115-4 3-Major   TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
587892 3-Major   Multiple iRule proc names might clash, causing the wrong rule to be executed.
586738-3 3-Major   The tmm might crash with a segfault.
584310 3-Major K83393638 TCP:Collect ignores the 'skip' parameter when used in serverside events
584029-7 3-Major   Fragmented packets may cause tmm to core under heavy load
583957-3 3-Major   The TMM may hang handling pipelined HTTP requests with certain iRule commands.
579926-2 3-Major   HTTP starts dropping traffic for a half-closed connection when in passthrough mode
579843-4 3-Major   tmrouted may not re-announce routes after a specific succession of failover states
572281-3 3-Major   Variable value in the nested script of a foreach command gets reset when there is a parking command in the script
568543-2 3-Major   Syncookie mode is activated on wildcard virtuals
556117-1 3-Major   client-ssl profile is case-sensitive when checking server_name extension
555432-2 3-Major   Large configuration files may go missing on secondary blades
554761-4 3-Major   Unexpected handling of TCP timestamps under syncookie protection.
549329-2 3-Major K02020031 L7 mirrored ACK from standby to active box can cause tmm core on active
545450-2 3-Major   Log activation/deactivation of TM.TCPMemoryPressure
537326-4 3-Major   NAT available in DNS section but config load fails with standalone license
528734-1 3-Major K04711825 TCP keeps retransmitting when ICMP Destination Unreachable-Fragmentation Required messages are received.
519746-2 3-Major   ICMP errors may reset FastL4 connections unexpectedly
512119-3 3-Major   Improved UDP DNS packet truncation
508486-1 3-Major   TCP connections might stall if initialization fails
503214-11 3-Major   Under heavy load, hardware crypto queues may become unavailable.
500003-3 3-Major   Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP
499478-3 3-Major K16850453 Bug 464651 introduced change-in-behavior for SSL server cert chains by not including the root certificate
483257-2 3-Major K17051 Cannot delete keys without extension .key (and certificates without .crt) using iControl SOAP
468820-2 3-Major   MPTCP flows may hang when an MTU mismatch occurs on the network.
468300-3 3-Major   Filters may not work correctly with websockets or CONNECT
464801-1 3-Major   Intermittent tmm core
455553-8 3-Major   ICMP PMTU handling causes multiple retransmissions
442539-3 3-Major   OneConnect security improvements.
442455-4 3-Major   Hardware Security Module (HSM) CSR and certificate fields constraints: 15 characters and no spaces.
437256-1 3-Major   clientssl profile has no key/cert pair
423392-7 3-Major   tcl_platform is no longer in the static:: namespace
598860-5 4-Minor   IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address
587966-5 4-Minor K77283304 LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
538708-2 4-Minor   TMM may apply SYN cookie validation to packets before generating any SYN cookies
536868-2 4-Minor   Packet Sizing Issues after Receipt of PMTU
486485-2 4-Minor   TCP MSS is incorrect after ICMP PMTU message.
356841-2 5-Cosmetic   Don't unilaterally set Connection: Keep-Alive when compressing


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
603598-1 2-Critical   big3d memory under extreme load conditions
642330-4 3-Major   GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.
624193 3-Major   Topology load balancing not working as expected
613576-9 3-Major   QOS load balancing links display as gray
589256-4 3-Major K71283501 DNSSEC NSEC3 records with different type bitmap for same name.
487144-1 3-Major   tmm intermittently reports that it cannot find FIPS key
615187 4-Minor   Missing hyperlink to GSLB virtual servers and servers on the pool member page.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
614441-1 1-Blocking K04950182 False Positive for illegal method (GET)
602749 2-Critical   Memory exhaustion when asking for missing page of learning suggestion occurrences
577668-2 2-Critical   ASM Remote logger doesn't log 64 KB request.
499347 2-Critical   JSON UTF16 content could be blocked by ASM as Malformed JSON
616169-1 3-Major   ASM Policy Export returns HTML error file
615695 3-Major   Fixes to bd and iprepd components not included in BIG-IP v11.5.4-HF2
603945-3 3-Major   BD config update should be considered as config addition in case of update failure
576591-3 3-Major   Support for some future credit card number ranges
562775-3 3-Major   Memory leak in iprepd
366605-2 3-Major   response_log_size_limit does not limit the log size.
463314-1 4-Minor   Enabling ASM AJAX blocking response page feature causing cross domain AJAX requests to fail


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
565085-4 3-Major   Analytics profile allows invalid combination of entities for Alerts setup
560114-2 3-Major   Monpd is being affected by an I/O issue which makes some of its threads freeze
491185-3 3-Major   URL Latencies page: pagination limited to 180 pages


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
618324-3 2-Critical   Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor
592868-1 2-Critical   Rewrite may crash processing HTML tag with HTML entity in attribute value
591117-2 2-Critical   APM ACL construction may cause TMM to core if TMM is out of memory
536683-1 2-Critical   tmm crashes on "ACCESS::session data set -secure" in iRule
511478-1 2-Critical   Possible TMM crash when evaluating expression for per-request policy agents.
428068-2 2-Critical   Insufficiently detailed causes for session deletion.
625376-2 3-Major   In some cases, download of PAC file by edge client may fail
613613 3-Major   Incorrect handling of form that contains a tag with id=action
612419-3 3-Major   APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))
610243-1 3-Major   HTML5 access fails for Citrix Storefront integration mode with gateway pass through authentication
610180-5 3-Major   A misconfigured SAML Single Logout can cause a minor memory leak in the SSO plugin.
604767-6 3-Major   Importing a SAML IdP's metadata on BIG-IP as SP may result in an incomplete configuration of the IdP connector object.
601407 3-Major   Legacy PNAgent access does not work from Citrix Receiver 4.3 onwards
600116 3-Major   DNS resolution request may take a long time in some cases
598981-1 3-Major K06913155 APM ACL does not get enforced all the time under certain conditions
598211-3 3-Major   Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
597431-6 3-Major   VPN establishment may fail when computer wakes up from sleep
597429 3-Major   eam maintains lock on /var/log/apm.1 after logrotate
592869 3-Major   Syntax Error when reimporting exported content containing acl-order 0
592414-3 3-Major   IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
590820-5 3-Major   Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
586718-5 3-Major   Session variable substitutions are logged
586006-5 3-Major   Failed to retrieve CRLDP list from client certificate if DirName type is present
582440-1 3-Major   Linux client does not restore route to the default GW on Ubuntu 15.10
568445-7 3-Major   User cannot perform endpoint check or launch VPN from Firefox on Windows 10
565167-3 3-Major   Additional garbage data being logged on user name and domain name for NTLM authentication
563349-2 3-Major   On Mac, Network Access proxy settings are not applied to the tun adapter after VPN is established
561798-3 3-Major   Windows edge client may show scripting error on certain 3rd party authentication sites
556088-2 3-Major   In a chassis system with APM provisioned, the mcpd daemon on the secondary blade will restart.
553063-4 3-Major   Epsec version rolls back to previous version on a reboot
553037 3-Major   iOS Citrix Receiver web interface mode cannot launch the apps
551260-3 3-Major   When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated
525429-13 3-Major   DTLS renegotiation sequence number compatibility
508337-5 3-Major   In Chrome, parent.document.write() from frame may cause errors on pages accessed through Portal Access
451301-2 3-Major   HTTP iRules break Citrix HTML5 functionality
450314-1 3-Major   Portal Access / JavaScript code which uses reserved keywords for object field names may not work correctly
447565-4 3-Major K33692321 Renewing machine-account password does not update the serviceId for associated ntlm-auth.
424368-3 3-Major   parent.document.write(some_html_with_script) hangs up parent frame for IE browsers
389484-5 3-Major   OAM reporting Access Server down with JDK version 1.6.0_27 or later
584373-1 4-Minor   AD/LDAP resource group mapping table controls are not accessible sometimes


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
467542-1 2-Critical   TMM core in AAM assembly code during high memory utilization
474445-3 3-Major   TMM crash when processing unexpected HTTP response in WAM


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
619757-4 2-Critical   iSession causes routing entry to be prematurely freed


Service Provider Fixes

ID Number Severity Solution Article(s) Description
649933-5 3-Major   Fragmented RADIUS messages may be dropped
550434-4 3-Major   Diameter connection may stall if server closes connection before CER/CEA handshake completes
489957-8 3-Major   RADIUS::avp command fails when AVP contains multiple attributes (VSA).


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
596134-1 2-Critical   TMM core with PEM virtual server
472106-1 2-Critical   TMM crash in a rare case of flow optimization



Cumulative fixes from BIG-IP v11.5.4 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
600662-5 CVE-2016-5745 K64743453 NAT64 vulnerability CVE-2016-5745
599168-5 CVE-2016-5700 K35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
598983-5 CVE-2016-5700 K35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
596488-5 CVE-2016-5118 K82747025 GraphicsMagick vulnerability CVE-2016-5118.
570716-1 CVE-2016-5736 K10133477 BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736
569467-2 CVE-2016-2084 K11772107 BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
565169-1 CVE-2013-5825 CVE-2013-5830 K48802597 Multiple Java Vulnerabilities
591806-4 CVE-2016-3714 K03151140 ImageMagick vulnerability CVE-2016-3714
579955-4 CVE-2016-7475 K01587042 BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475
577826-3 CVE-2016-1286 K62012529 BIND vulnerability CVE-2016-1286
573124-5 CVE-2016-5022 K06045217 TMM vulnerability CVE-2016-5022
572495-4 CVE-2016-5023 K19784568 TMM may crash if it receives a malformed packet CVE-2016-5023
563670-5 CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 K86772626 OpenSSL vulnerabilities
539923-2 CVE-2016-1497 K31925518 BIG-IP APM access logs vulnerability CVE-2016-1497
457811-1 CVE-2013-6438 CVE-2014-0098 K15300 CVE-2013-6438 : HTTPD Vulnerability
452318-2 CVE-2014-0050 K15189 Apache Commons FileUpload vulnerability CVE-2014-0050
591918-6 CVE-2016-3718 K61974123 ImageMagick vulnerability CVE-2016-3718
591908-6 CVE-2016-3717 K29154575 ImageMagick vulnerability CVE-2016-3717
591894-6 CVE-2016-3715 K10550253 ImageMagick vulnerability CVE-2016-3715
591881-5 CVE-2016-3716 K25102203 ImageMagick vulnerability CVE-2016-3716
582952 CVE-2011-5321 CVE-2012-6647 CVE-2012-6657 CVE-2013-0190 CVE-2013-0228 CVE-2013-1860 CVE-2013-2596 CVE-2013-2851 CVE-2013-4483 CVE-2013-4591 CVE-2013-6367 CVE-2013-6381 CVE-2013-6383 CVE-2013-7339 CVE-2014-0055 CVE-2014-0077 K31300371 Linux kernel vulnerability CVE-2013-4483
580596-5 CVE-2013-0169 CVE-2016-6907 CVE-2019-6593 K14190 K39508724 K10065173 TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907
579220-2 CVE-2016-1950 K91100352 Mozilla NSS vulnerability CVE-2016-1950
564111-2 CVE-2015-8395 CVE-2015-8384 CVE-2015-8392 CVE-2015-8394 CVE-2015-8391 CVE-2015-8390 CVE-2015-8389 CVE-2015-8388 CVE-2015-8387 CVE-2015-8386 CVE-2015-8385 CVE-2015-8383 CVE-2015-8382 CVE-2015-8381 CVE-2015-8380 CVE-2015-2328 CVE-2015-2327 CVE-2015-8393 K05428062 Multiple PCRE vulnerabilities
550596-2 CVE-2016-6876 K52638558 RESOLV::lookup iRule command vulnerability CVE-2016-6876
541231-1 CVE-2014-3613 CVE-2014-3707 CVE-2014-8150 CVE-2015-3143 CVE-2015-3148 K16704 K16707 Resolution of multiple curl vulnerabilities
486791-3 CVE-2014-6421 CVE-2014-6422 CVE-2014-6423 CVE-2014-6424 CVE-2014-6425 CVE-2014-6426 CVE-2014-6427 CVE-2014-6428 CVE-2014-6429 CVE-2014-6430 CVE-2014-6431 CVE-2014-6432 K16939 Resolution of multiple wireshark vulnerabilities
616382 CVE-2016-0705 K93122894 OpenSSL Vulnerability (TMM)
580340-4 CVE-2016-2842 K52349521 OpenSSL vulnerability CVE-2016-2842
580313-4 CVE-2016-0799 K22334603 OpenSSL vulnerability CVE-2016-0799
579975-4 CVE-2016-0702 K79215841 OpenSSL vulnerability
579829-4 CVE-2016-0702 K79215841 OpenSSL vulnerability CVE-2016-0702
579237-4 CVE-2016-0705 K93122894 OpenSSL Vulnerability CVE-2016-0705
579085-3 CVE-2016-0797 K40524634 OpenSSL vulnerability CVE-2016-0797
578570-3 CVE-2016-0705 K93122894 OpenSSL Vulnerability CVE-2016-0705
577828-4 CVE-2016-2088 K59692558 BIND vulnerability CVE-2016-2088
577823-3 CVE-2016-1285 K46264120 BIND vulnerability CVE-2016-1285
567379-2 CVE-2013-4397 K16015326 libtar vulnerability CVE-2013-4397
565895-3 CVE-2015-8389 CVE-2015-8388 CVE-2015-5073 CVE-2015-8395 CVE-2015-8393 CVE-2015-8390 CVE-2015-8387 CVE-2015-8391 CVE-2015-8383 CVE-2015-8392 CVE-2015-8386 CVE-2015-3217 CVE-2015-8381 CVE-2015-8380 CVE-2015-8384 CVE-2015-8394 CVE-2015-3210 K17235 Multiple PCRE Vulnerabilities
551287-3 CVE-2010-2596 CVE-2013-1960 CVE-2013-1961 CVE-2013-4231 CVE-2013-4232 CVE-2013-4243 CVE-2013-4244 K16715 Multiple LibTIFF vulnerabilities
481806-4 CVE-2013-4002 K16872 Java Runtime Environment vulnerability CVE-2013-4002
437285-4 CVE-2013-3571 CVE-2012-0219 CVE-2010-2799 K14919 Multiple socat vulnerabilities
416372-3 CVE-2012-2677 K16946 Boost memory allocator vulnerability CVE-2012-2677
570667-10 CVE-2016-0701 CVE-2015-3197 K64009378 OpenSSL vulnerabilities


Functional Change Fixes

ID Number Severity Solution Article(s) Description
583631-1 1-Blocking   ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.
445633-2 2-Critical   Config sync of SecurID config file fails on secondary blades
560405-5 3-Major   Optional target IP address and port in the 'virtual' iRule API is not supported.
532685-5 3-Major   PAC file download errors disconnect the tunnel
490936-1 3-Major   SSLv2 based handshake causing handshake failures
544325-2 4-Minor K83161025 BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable).
483508-2 4-Minor K70333230 Large values may display as negative numbers for 32-bit integer variables in the MIB


TMOS Fixes

ID Number Severity Solution Article(s) Description
572600 1-Blocking   mcpd can run out of file descriptors
538761-1 1-Blocking   scriptd may core when MCP connection is lost
596603-5 2-Critical   AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.
583936-1 2-Critical   Removing ECMP route from BGP does not clear route from NSM
582295 2-Critical K62302950 ospfd core dump when redistributing NSSA routes in a HA failover
574116-3 2-Critical   MCP may crash when syncing configuration between device groups
568889-5 2-Critical K22989000 Some ZebOS daemons do not start on blade transition secondary to primary.
564427-1 2-Critical   Use of iControl call get_certificate_list_v2() causes a memory leak.
563064-5 2-Critical   Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory
561814-4 2-Critical   TMM Core on Multi-Blade Chassis
559034-3 2-Critical   Mcpd core dump in the sync secondary during config sync
557144-1 2-Critical   Dynamic route flapping may lead to tmm crash
556380-3 2-Critical   mcpd can assert on active connection deletion
539784-2 2-Critical   HA daemon_heartbeat mcpd fails on load sys config
529141-4 2-Critical K95285012 Upgrade from 10.x fails on valid clientssl profile with BIGpipe parsing error
510979-2 2-Critical   Password-less SSH access after tmsh load of UCS may require password after install.
507499-2 2-Critical   TMM can watchdog under extreme memory pressure.
506199-8 2-Critical   VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles
505071-2 2-Critical   Delete and create of the same object can cause secondary blades' mcpd processes to restart.
490801-3 2-Critical   mod_ssl: missing support for TLSv1.1 and TLSv1.2
595874-3 3-Major   Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.
586878-1 3-Major   During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.
583285-2 3-Major K24331010 BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
579284-5 3-Major   Potential memory corruption in MCPd
579047 3-Major   Unable to update the default http-explicit profile using the GUI.
576305-1 3-Major   Potential MCPd leak in IPSEC SPD stats query code
575735-1 3-Major   Potential MCPd leak in global CPU info stats code
575726-1 3-Major   MCPd might leak memory in vCMP interface stats.
575716-1 3-Major   MCPd might leak memory in VCMP base stats.
575708-1 3-Major   MCPd might leak memory in CPU info stats.
575671-1 3-Major   MCPd might leak memory in host info stats.
575619-1 3-Major   Potential MCPd leak in pool member stats query code
575608-1 3-Major   MCPd might leak memory in virtual server stats query.
575587-1 3-Major   Potential MCPd leak in BWC policy class stats query code
575027-3 3-Major   Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
574045-3 3-Major   BGP may not accept attributes using extended length
573529 3-Major   F-bit is not set in IPv6 OSPF Type-7 LSAs
571344-2 3-Major   SSL Certificate with special characters might cause exception when GUI retrieves items list page.
571210-3 3-Major   Upgrade, load config, or sync might fail on large configs with large objects.
571019-2 3-Major   Topology records can be ordered incorrectly.
570053-1 3-Major K78448635 HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.
569356-5 3-Major K91428939 BGP ECMP learned routes may use incorrect VLAN for nexthop
569236-2 3-Major K24331010 BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
565534-3 3-Major K40254066 Some failover configuration items may fail to take effect
563475-1 3-Major K00301400 ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.
562044-1 3-Major   Statistics slow_merge option does not work
560975-1 3-Major   iControl can remove hardware SSL keys while in use
559939-3 3-Major K30040319 Changing hostname on host sometimes causes blade to go RED / HA TABLE offline
558779-5 3-Major   SNMP dot3 stats occasionally unavailable
558573-3 3-Major K65352421 MCPD restart on secondary blade after updating Pool via GUI
557281-3 3-Major   The audit_forwarder process fails to exit normally causing the process to consume CPU to near 100%
556252 3-Major   sysGlobalTmmStatTmUsageRatio5s and sysGlobalTmmStatNpus in chassis
555905-1 3-Major   sod health logging inconsistent when device removed from failover group or device trust
555039-1 3-Major K24458124 VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
554563-2 3-Major   Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics.
554340-2 3-Major   IPsec tunnels fail when connection.vlankeyed db variable is disabled
553795-3 3-Major   Differing cert/key after successful config-sync
553649 3-Major   The SNMP daemon might lock up and fail to respond to SNMP requests.
551927-3 3-Major   ePVA snoop header's transform vlan should be set properly under asymmetric routing condition
551742-1 3-Major   Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades
549971-3 3-Major   Some changes to virtual servers' profile lists may cause secondary blades to restart
549543-2 3-Major K37436054 DSR rejects return traffic for monitoring the server
548385-1 3-Major K25231211 iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results
547942 3-Major   SNMP ipAdEntAddr indicates floating vlan IP rather than local IP
547532-6 3-Major   Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades
542742-3 3-Major K07038540 SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).
541316-5 3-Major K41175594 Unexpected transition from Forced Offline to Standby to Active
540996-4 3-Major   Monitors with a send attribute set to 'none' are lost on save
539125-1 3-Major   SNMP: ifXTable walk should produce the available counter values instead of zero
530242-4 3-Major K08654415 SPDAG on VIPRION B2250 blades might cause traffic imbalance among TMMs
529484-3 3-Major   Virtual Edition Kernel Panic under load
527168-3 3-Major   In GUI System :: Users : Authentication TACACS+ ports have max value of 32768 instead of 65535
527145-3 3-Major K53232218 On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.
520408-1 3-Major   TMM ASSERTs due to subkey_record field corruption in the SessionDB.
517209-6 3-Major K81807474 tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable
517020-4 3-Major   SNMP requests fail and subsnmpd reports that it has been terminated.
515667-6 3-Major   Unique truncated SNMP OIDs.
512954-1 3-Major   ospf6d might leak memory when distribute-list is used
510580-3 3-Major   Interfaces might be re-enabled unexpectedly when loading a partition
508076-1 3-Major   Cannot successfully create a key/cert via tmsh or the GUI of the form name.key1, where extension is in the name.
496679-3 3-Major   Configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.
491716-3 3-Major   SNMP attribute type incorrect for certain OIDs
487625-4 3-Major   Qkview might hang
486725-1 3-Major   GUI creating key files with .key extensions in the name causing errors
486512-8 3-Major   audit_forwarder sending invalid NAS IP Address attributes
483228-8 3-Major   The icrd_child process generates core when terminating
478215-5 3-Major   The command 'show ltm pool detail' returns duplicate members in some cases
474194-4 3-Major   iControl GlobalLB::PoolMember get_all_statistics and get_monitor_association cause memory leaks
453949-3 3-Major   small memory leak observed in audit_forwarder
451494-1 3-Major   SSL Key/Certificate in different partition with Subject Alternative Name (SAN)
446493-3 3-Major   foreign key index error on local traffic-only group
425980-2 3-Major   Blade number not displayed in CPU status alerts
421971-7 3-Major   Renewing certificates with SAN input in the GUI leads to error.
418664-3 3-Major K21485342 Configuration utility CSRF vulnerability
405635-5 3-Major   Using the restart cm trust-domain command to recreate certificates required by device trust.
405611-2 3-Major K61045143 Configuration utility CSRF vulnerability
400456-2 3-Major   HTTP monitors with long send or receive strings may not save or update
372118-1 3-Major   import_all_from_archive_file and import_all_from_archive_stream does not create file objects.
339825-2 3-Major   Management.KeyCertificate.install_certificate_from_file failing silently
553174-2 4-Minor   Unable to query admin IP via SNMP on VCMP guest
551481-4 4-Minor   'tmsh show net cmetrics' reports bandwidth = 0
551349-1 4-Minor K80203854 Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade
548053-1 4-Minor K33462128 User with 'Application Editor' role set cannot modify 'Description' field using the GUI.
536746-2 4-Minor K88051173 LTM : Virtual Address List page uses LTM : Nodes List search filter.
535544-7 4-Minor   Enhancement: ltm virtual translate-port, translate-address are not listed if they are enabled
533480-4 4-Minor K43353404 qkview crash
519216-3 4-Minor   Abnormally high CPU utilization from external SSL/OpenSSL monitors
511332-1 4-Minor K35266322 Cannot view Pools list by Address
481003-1 4-Minor   'General database error' trying to view Local Traffic :: Pools :: Pool List.
468949-1 4-Minor   audit_forwarder started error message
466612-2 4-Minor   Missing sys DeviceModel OID for VIPRION C2200 chassis
452487-5 4-Minor   Incremental sync causes incorrect accounting of member count of pools
447364-2 4-Minor   BIG-IP may report getLopSensorData warnings at boot time or when changing a PSU
401893-2 4-Minor   Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies
572133-3 5-Cosmetic   tmsh save /sys ucs command sends status messages to stderr
524281-1 5-Cosmetic   Error updating daemon ha heartbeat
470627-4 5-Cosmetic   Incorrect and benign log message of bandwidth utilization exceeded when licensed with rate limit in VE
458563-3 5-Cosmetic   A 'status down' message is logged when enabling a pool member that was previously disabled
388274-2 5-Cosmetic   LTM pool member link in a route domain is wrong in Network Map.
291469-3 5-Cosmetic K10643 SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
555549-2 1-Blocking   'tmsh modify ltm node <ip_addr> state user-down' fails to bring pool member state offline.
579919 2-Critical   TMM may core when LSN translation is enabled
565810-5 2-Critical K93065637 OneConnect profile with an idle or strict limit-type might lead to tmm core.
562566-3 2-Critical K39483533 Mirrored persistence entries retained after expiration
558612-3 2-Critical   System may fail when syncookie mode is activated
554967-2 2-Critical   Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets
552937-2 2-Critical   HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.
552151-1 2-Critical   Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected
549868-2 2-Critical K48629034 10G interoperability issues reported following Cisco Nexus switch version upgrade.
544375-2 2-Critical   Unable to load certificate/key pair
540568-4 2-Critical   TMM core due to SIGSEGV
534795-6 2-Critical   Swapping VLAN names in config results in switch daemon core and restart.
517613-2 2-Critical   ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps
483665-3 2-Critical   Restrict the permissions for private keys
478812-4 2-Critical   DNSX Zone Transfer functionality preserved after power loss
468791-3 2-Critical   Crash when using FIX tag maps and a FIX message arrives without a SenderCompID.
466007-3 2-Critical K02683895 DNS Express daemon, zxfrd, can not start if its binary cache has filled /var
459671-1 2-Critical   iRules source different procs from different partitions and execute the incorrect proc.
454583-4 2-Critical   SPDY may cause the TMM to crash if it aborts while there are stalled streams.
592854-2 3-Major   Protocol version set incorrectly on serverssl renegotiation
585412-1 3-Major   SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
584717 3-Major   TCP window scaling is not applied when SYN cookies are active
580303-2 3-Major   When going from active to offline, tmm might send a GARP for a floating address.
579371-1 3-Major K70126130 BIG-IP may generate ARPs after transition to standby
576296-1 3-Major   MCPd might leak memory in SCTP profile stats query.
575626-6 3-Major K04672803 Minor memory leak in DNS Express stats error conditions
575612-4 3-Major   Potential MCPd leak in policy action stats query code
571573-3 3-Major K20320811 Persistence may override node/pmbr connection limit
571183-3 3-Major   Bundle-certificates Not Accessible via iControl REST.
570617-5 3-Major   HTTP parses fragmented response versions incorrectly
569642-3 3-Major   Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core
569349-3 3-Major   Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled
569288-4 3-Major   Different LACP key may be used in different blades in a chassis system causing trunking failures
566361-2 3-Major K11543589 RAM Cache Key Collision
563591-3 3-Major   reference to freed loop_nexthop may cause tmm crash.
563419-3 3-Major   IPv6 packets containing extended trailer are dropped
563227-4 3-Major K31104342 When a pool member goes down, persistence entries may vary among tmms
558602-2 3-Major   Active mode FTP data channel issue when using lasthop pool
557783-3 3-Major K14147369 TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr
557645-1 3-Major   Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.
556560-1 3-Major K80741043 DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records.
556103-2 3-Major   Abnormally high CPU utilization for external monitors
554977-1 3-Major K64401960 TMM might crash on failed SSL handshake
553688-3 3-Major   TMM can core due to memory corruption when using SPDY profile.
552931-2 3-Major   Configuration fails to load if DNS Express Zone name contains an underscore
552865-5 3-Major K34035224 SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'.
551189-2 3-Major   Modifying an HTTP cookie value via the HTTP::cookie iRule API may yield to incorrect HTTP header data
550782-2 3-Major   Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit
550689-3 3-Major   Resolver H.ROOT-SERVERS.NET Address Change
549406-3 3-Major K63010180 Destination route-domain specified in the SOCKS profile
548680-3 3-Major   TMM may core when reconfiguring iApps that make use of iRules with procedures.
548583-5 3-Major   TMM crashes on standby device with re-mirrored SIP monitor flows.
548563-3 3-Major   Transparent Cache Messages Only Updated with DO-bit True
547732-3 3-Major   TMM may core on using SSL::disable on an already established serverside connection
542654 3-Major K52195938 bigd may experience a heartbeat failure when tcp-half-open monitors are used
541126-1 3-Major   Safenet connection may fail on restarting pkcs11d or HSM reboot or if the connection to HSM is lost and then resumed
540893-3 3-Major   Unevenly loaded tmms while using syncookies may cause occasional spurious connection resets.
540213-4 3-Major   mcpd will continually restart on newly inserted secondary blades when certain configuration exists on the primary
536191-3 3-Major   Transparent inherited TCP monitors may fail on loading configuration
534111-2 3-Major   [SSL] Config sync problems when modifying cert in default client-ssl profile
533820-3 3-Major   DNS Cache response missing additional section
531979-4 3-Major   SSL version in the record layer of ClientHello is not set to be the lowest supported version.
530812-5 3-Major   Legacy DAG algorithm reuses high source port numbers frequently
529899-3 3-Major   Installation may fail with the error "(Storage modification process conflict.)".
527742-1 3-Major K15550890 The inherit-certkeychain field of a clientSSL profile is not synchronized correctly on a standby BIG-IP system
524641-4 3-Major K11504283 Wildcard NAPTR record after deleting the NAPTR records
523471-3 3-Major   pkcs11d core when connecting to SafeNet HSM
521711-3 3-Major K14555354 HTTP closes connection if client sends non-keepalive request and server responds with 200 OK on One-Connect enabled virtual
519217-2 3-Major K89004553 tmm crash: valid proxy
516816-2 3-Major   RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.
515322-2 3-Major   Intermittent TMM core when using DNS cache with forward zones
513530-3 3-Major   Connections might be reset when using SSL::disable and enable command
513213-4 3-Major   FastL4 connection may get RSTs in case of hardware syncookie enabled.
509416-4 3-Major   Suspended 'after' commands may result in unexpected behaviors
505089-3 3-Major   Spurious ACKs result in SYN cookie rejected stat increment.
500786-4 3-Major   Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile
490174-3 3-Major   Improved TLS protocol negotiation with clients supporting TLS1.3
469627-2 3-Major   When persistence is overridden from cookie to some other persistence method, the cookie should not be sent.
468471-1 3-Major   The output of DNS::edns0 subnet address command is not stored properly in a variable
463202-6 3-Major   BIG-IP system drops non-zero version EDNS requests
458348-3 3-Major   RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing.
457109-3 3-Major   Traffic misclassified and matching wrong rule in CPM policy.
452900-3 3-Major   IP iRules may cause TMM to segfault in low memory scenarios
452659-1 3-Major   DNS Express zone creation, deletion or updates can slow down or stop other DNS services.
445471-1 3-Major   DNS Express zone creation, deletion or updates can slow down or stop other DNS services.
419217-1 3-Major   LTM policy fails to decompress compressed http requests
417006-5 3-Major   Thales HSM support on Chassis cluster-mode.
406001-5 3-Major   Host-originated traffic cannot use a nexthop in a different route domain
372473-3 3-Major   mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes
336255-8 3-Major K52011109 OneConnect Connection Limits with Narrow Source Address Masks
546747-4 4-Minor K72042050 SSL connections may fail with a handshake failure when the ClientHello is sent in multiple packets
541134-3 4-Minor K51114681 HTTP/HTTPS monitors transmit unexpected data to monitored node.
499795-3 4-Minor   "persist add" in server-side iRule event can result in "Client Addr" being pool member address
492780-3 4-Minor K37345003 Elliptic Curves Extension in ServerHello might cause failed SSL connection.
458872-1 4-Minor   Check SACK report before treating as dupack


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
569972-3 2-Critical   Unable to create gtm topology records using iControl REST
569521-2 2-Critical   Invalid WideIP name without dots crashes gtmd.
561539-1 2-Critical   [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3.
539466-3 2-Critical   Cannot use self-link URI in iControl REST calls with gtm topology
533658-3 2-Critical   DNS decision logging can trigger TMM crash
471467-1 2-Critical   gtmparse segfaults when loading wideip.conf because of duplicate virtual server names
569472-3 3-Major   TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled
559975-4 3-Major   Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth
551767-2 3-Major K03432500 GTM server 'Virtual Server Score' not showing correctly in TMSH stats
546640-1 3-Major   tmsh show gtm persist <filter option> does not filter correctly
540576-2 3-Major K29095826 big3d may fail to install on systems configured with an SSH banner
552352-3 4-Minor K18701002 tmsh list display incorrectly for default values of gtm listener translate-address/translate-port


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
560748 2-Critical   BIG-IQ discovery fails
451089-1 2-Critical   ASM REST: Incorrect/Duplicate REST id for policy after a copy is made
449231-1 2-Critical   ASM REST: Updating multiple items in a list only makes one change
589298 3-Major   TMM crash with a core dump
585045 3-Major   ASM REST: Missing 'gwt' support for urlContentProfiles
582683-1 3-Major   xpath parser doesn't reset a namespace hash value between each and every scan
574214-2 3-Major   Content Based Routing daemon (cbrd) logging control
573406-2 3-Major   ASU cannot be completed if license was last activated more than 18 months before
572922-3 3-Major   Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.
566758-3 3-Major   Manual changes to policy imported as XML may introduce corruption for Login Pages
559541-3 3-Major   ICAP anti virus tests are not initiated on XML with when should
559055 3-Major   Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All"
531809-1 3-Major   FTP/SMTP traffic related bd crash


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
578353-1 2-Critical   Statistics data aggregation process is not optimized
529900-4 2-Critical K88373692 AVR missing some configuration changes in multiblade system
472969-3 2-Critical   If you try to create more than 264 AVR profiles, avrd might crash.
569958-3 3-Major   Upgrade for application security anomalies
557062-3 3-Major   The BIG-IP ASM configuration fails to load after an upgrade.
488989-4 3-Major   AVRD does not print out an error message when the external logging fails
454071-1 5-Cosmetic   'Show all' button has no effect or becomes hidden for short period of time


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
581770-1 1-Blocking   Network Access traffic does not pass IPv6 traffic if a Network Access resource contains IPv4&IPv6
580817-4 2-Critical   Edge Client may crash after upgrade
579909-3 2-Critical   Secondary MCPD exits for APM Sandbox warning improperly treated as configuration error
579559-4 2-Critical   DTLS Networks Access may not work with some hardware platforms with Nitrox hardware acceleration
578844-3 2-Critical   tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.
575609-4 2-Critical   Zlib accelerated compression can result in a dropped flow.
574318-4 2-Critical   Unable to resume session when switching to Protected Workspace
572563-4 2-Critical   PWS session does not launch on Internet Explorer after upgrade
571090-1 2-Critical   When BIG-IP is used as SAML IdP, tmm may restart under certain conditions
569306-5 2-Critical   Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected
565056-5 2-Critical K87617654 Fail to update VPN correctly for non-admin user.
562919-1 2-Critical   TMM cores in renew lease timer handler
559138-4 2-Critical   Linux CLI VPN client fails to establish VPN connection on Ubuntu
556774-1 2-Critical   EdgeClient cannot connect through captive portal
555272-3 2-Critical   Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade
513083-2 2-Critical   d10200: tmm core when using ASM-FPS-AVR-APM-DOS on virtual server.
586056 3-Major   Machine cert checker doesn't work as expected if issuer or AltName is specified
581834-3 3-Major   Firefox signed plugin for VPN, Endpoint Check, etc
580421-4 3-Major   Edge Client may not register DLLs correctly
576069-1 3-Major   Rewrite can crash in some rare corner cases
575499-3 3-Major   VPN filter may leave renew_lease timer active after teardown
575292-2 3-Major   DNS Relay proxy service does not respond to SCM commands in timely manner
574781-3 3-Major   APM Network Access IPV4/IPV6 virtual may leak memory
573581-2 3-Major   DNS search suffixes are not restored properly in some cases after VPN establishment
573429-2 3-Major   APM Network Access IPv4/IPv6 virtual may leak memory
572893-5 3-Major   error "The modem (or other connecting device) is already in use or is not configured properly"
571003-4 3-Major   TMM Restarts After Failover
570640-4 3-Major   APM Cannot create symbolic link to sandbox. Error: No such file or directory
570064-4 3-Major   IE gives a security warning asking: "Do you want to run ... InstallerControll.cab"
569255-5 3-Major K81130213 Network Access incorrectly manipulates routing table when second adapter is being connected if "Allow Local subnet access" is set to ON
566908-3 3-Major K54435973 Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file
566646-2 3-Major   Portal Access could respond very slowly for large text files when using IE < 11
565231-1 3-Major   Importing a previously exported policy which had two object names may fail
564521-2 3-Major   JavaScript passed to ExternalInterface.call() may be erroneously unescaped
564496-2 3-Major   Applying APM Add-on License Does Not Change Effective License Limit
564482-3 3-Major   Kerberos SSO does not support AES256 encryption
564262-3 3-Major K21518043 Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code
564253-6 3-Major   Firefox signed plugin for VPN, Endpoint Check, etc
563443-3 3-Major   WebSSO plugin core dumps under very rare conditions.
558946-3 3-Major   TMM may core when APM is provisioned and access profile is attached to the virtual
558870-4 3-Major K12012384 Protected workspace does not work correctly with third party products
558631-6 3-Major K81306414 APM Network Access VPN feature may leak memory
556597-3 3-Major   CertHelper may crash when performing Machine Cert Inspection
555457-4 3-Major K16415235 Reboot is required, but not prompted after F5 Networks components have been uninstalled
554993-1 3-Major   Profile Stats Not Updated After Standby Upgrade Followed By Failover
554626 3-Major K14263316 Database logging truncates log values greater than 1024
554228-4 3-Major   OneConnect does not work when WEBSSO is enabled/configured.
554074-3 3-Major   If the user cancels a connection attempt, there may be a delay in establishing the next connection.
554041-4 3-Major   No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled
553925-3 3-Major   Manual upgrade of Edge Client fails in some cases on Windows
552498-2 3-Major   APMD basic authentication cookie domains are not processed correctly
550536-4 3-Major   Incorrect information/text (in French) is displayed when the Edge Client is launched
549086-3 3-Major   Windows 10 is not detected when Firefox is used
536575-2 3-Major   Session variable report can be blank in many cases
531983-4 3-Major   [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added
528548-1 3-Major   @import "url" is not recognized by client-side CSS patcher
528139-4 3-Major   Windows 8 client may not be able to renew DHCP lease
520088-1 3-Major   Citrix HTML5 Receiver does not properly display initial tour and icons
519059-2 3-Major   [PA] Portal Access fails to patch a web app link correctly, leaving the link non-functional
518550-5 3-Major   Incorrect value of form action attribute inside 'onsubmit' event handler in some cases
516219-2 3-Major   User failed to get profile license in VIPRION 4800 chassis if slot 1 is not enabled
492122-4 3-Major K42635442 Windows Logon Integration no longer recreates the temporary user for logon execution each time
488811-4 3-Major   F5-prelogon user profile folders are not fully cleaned up
487859-2 3-Major K42022001 Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI.
473344-7 3-Major   Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.
472446-4 3-Major   Customization group template file might cause mcpd to restart
464687-1 3-Major   Copying Access Profile with Machine Cert Agent check fails
462268-1 3-Major   Long session variable processing in the variable assignment agent
461084-2 3-Major K48281763 Kerberos Auth might fail if client request contains Authorization header
458737-1 3-Major   Non-printable characters are escaped before hex encoding
409323-2 3-Major   OnDemand cert auth redirect omits port information
404141-3 3-Major   Standby system offers option to Apply Access Policy even though it has been synced
399732-2 3-Major   SAML Error: Invalid request received from remote client is too big
580429-3 4-Minor   CTU does not show second Class ID for InstallerControll.dll
572543-4 4-Minor   User is prompted to install components repeatedly after client components are updated.
541156-3 4-Minor   Network Access clients experience delays when resolving a host


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
575631-2 3-Major   Potential MCPd leak in WAM stats query code
551010-3 3-Major   Crash on unexpected WAM storage queue state


WAN Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
552198-3 3-Major K27590443 APM App Tunnel/AM iSession Connection Memory Leak
547537-4 3-Major   TMM core due to iSession tunnel assertion failure


Service Provider Fixes

ID Number Severity Solution Article(s) Description
572224 3-Major   Buffer error due to RADIUS::avp command when vendor IDs do not match


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
575582-1 3-Major   MCPd might leak memory in FW network attack stats.
575571-1 3-Major   MCPd might leak memory in FW DOS SIP attack stats query.
575569-1 3-Major   MCPd might leak memory in FW DOS DNS stats query.
575565-1 3-Major   MCPd might leak memory in FW policy rule stats query.
575564-1 3-Major   MCPd might leak memory in FW rule stats query.
575557-2 3-Major   MCPd might leak memory in FW rule stats.
575321-1 3-Major   MCPd might leak memory in firewall stats.
569337-4 3-Major   TCP events are logged twice in an HA setup
561433-6 3-Major   TMM Packets can be dropped indiscriminately while under DoS attack
556694-6 3-Major   DoS Whitelist IPv6 addresses may "overmatch"


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
577814 3-Major   MCPd might leak memory in PEM stats queries.


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
540571-4 2-Critical   TMM cores when multicast address is set as destination IP via iRules and LSN is configured
482202-2 2-Critical   Very long FTP command may be ignored.
515736-5 3-Major   LSN pool with small port range may not use all ports


Device Management Fixes

ID Number Severity Solution Article(s) Description
453640-2 2-Critical   Java core when modifying global-settings



Cumulative fixes from BIG-IP v11.5.4 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
518275-3 CVE-2016-4545 K48042976 The BIG-IP system may stop the normal processing of SSL traffic and dump a TMM core file


Functional Change Fixes

ID Number Severity Solution Article(s) Description
577811 3-Major   SNMP sysObjectID OID reports ID of blade on VIPRION 2xxx-series platforms


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
576314 2-Critical   SNMP traps for FIPS device fault inconsistent among versions.
574262 3-Major   Rarely encountered lockup for N3FIPS module when processing key management requests.
574073 3-Major   Support for New Platform: BIG-IP 10350 FIPS with NEBS support



Cumulative fixes from BIG-IP v11.5.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
542314-7 CVE-2015-8099 K35358312 TCP vulnerability - CVE-2015-8099
536481-8 CVE-2015-8240 K06223540 F5 TCP vulnerability CVE-2015-8240
567475-4 CVE-2015-8704 K53445000 BIND vulnerability CVE-2015-8704
560910-3 CVE-2015-3194 K86772626 OpenSSL Vulnerability fix
560180-3 CVE-2015-8000 K34250741 BIND Vulnerability CVE-2015-8000
554624-1 CVE-2015-5300 CVE-2015-7704 K10600056 K17566 NTP CVE-2015-5300 CVE-2015-7704
553902-3 CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196 K17516 Multiple NTP Vulnerabilities
546080-4 CVE-2016-5021 K99998454 Path sanitization for iControl REST worker
545786-2 CVE-2015-7393 K75136237 Privilege escalation vulnerability CVE-2015-7393
545762-1 CVE-2015-7394 K17407 CVE-2015-7394
540849-4 CVE-2015-5986 K17227 BIND vulnerability CVE-2015-5986
540846-4 CVE-2015-5722 K17181 BIND vulnerability CVE-2015-5722
540767-1 CVE-2015-5621 K17378 SNMP vulnerability CVE-2015-5621
533156-2 CVE-2015-6546 K17386 CVE-2015-6546
472093-2 CVE-2015-8022 K12401251 APM TMUI Vulnerability CVE-2015-8022
445327-1 CVE-2013-5878 CVE-2013-5884 CVE-2013-5893 CVE-2013-5896 CVE-2013-5907 CVE-2013-5910 CVE-2014-0368 CVE-2014-0373 CVE-2014-0376 CVE-2014-0411 CVE-2014-0416 CVE-2014-0422 CVE-2014-0423 CVE-2014-0428 K53146535 OpenJDK 1.7 vulnerabilities
556383-2 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 K31372672 Multiple NSS Vulnerabilities
534633-1 CVE-2015-5600 K17113 OpenSSH vulnerability CVE-2015-5600
525232-10 CVE-2015-4024 CVE-2014-8142 K16826 PHP vulnerability CVE-2015-4024
485917-5 CVE-2004-1060 K15792 BIG-IP is vulnerable to Path MTU discovery attack (CVE-2004-1060)
427174-6 CVE-2013-1620 CVE-2013-0791 K15630 TLS in Mozilla NSS vulnerability CVE-2013-1620
560948-3 CVE-2015-3195 K12824341 OpenSSL vulnerability CVE-2015-3195
553454-3 CVE-2015-2730 K15955144 Mozilla NSS vulnerability CVE-2015-2730
515345-4 CVE-2015-1798 K16505 NTP Vulnerability
430799-5 CVE-2010-5107 K14741 CVE-2010-5107 openssh vulnerability
567484-4 CVE-2015-8705 K86533083 BIND Vulnerability CVE-2015-8705
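
The Vulnerability Fixes tables on this page map a bug ID to one or more CVE identifiers and one or more K-numbered solution articles, with the description following. When reconciling a scanner's findings against a release, the operation that matters is extracting the set of CVEs the release actually fixes. The parser below is an added example, not F5's code: it tokenises rows in the column layout used on this page, collects every CVE and K-article on a row, and reports which CVEs from a constructed scanner list are covered. The sample rows are copied verbatim from the table above; the scanner finding list is constructed for illustration. One caveat the format imposes: a row with no K-article whose description begins with a CVE identifier would have that identifier absorbed into the CVE column, so the parser deduplicates rather than guessing where the description starts.

```python
import re
from dataclasses import dataclass

# Token shapes seen in the release-note tables on this page.
ID_RE = re.compile(r"^\d{6}(?:-\d+)?$")        # e.g. 542314-7 or 577811
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")     # e.g. CVE-2015-8099
ARTICLE_RE = re.compile(r"^K\d+$")             # e.g. K35358312


@dataclass
class FixRow:
    bug_id: str
    cves: list
    articles: list
    description: str


def parse_fix_row(line):
    """Parse one 'ID Number CVE Solution Article(s) Description' row.

    Returns None for header lines, blank lines and anything whose first
    token is not a bug ID, so a whole table can be fed in unfiltered.
    """
    tokens = line.split()
    if not tokens or not ID_RE.match(tokens[0]):
        return None
    bug_id = tokens[0]
    i = 1
    cves = []
    # The CVE column may hold several identifiers (see the NTP rows).
    while i < len(tokens) and CVE_RE.match(tokens[i]):
        if tokens[i] not in cves:          # dedupe in case the description repeats it
            cves.append(tokens[i])
        i += 1
    articles = []
    # The solution column may also hold several K-articles (K10600056 K17566).
    while i < len(tokens) and ARTICLE_RE.match(tokens[i]):
        articles.append(tokens[i])
        i += 1
    description = " ".join(tokens[i:])
    return FixRow(bug_id, cves, articles, description)


def parse_fix_table(text):
    """Parse every row of a flattened vulnerability-fix table."""
    rows = []
    for line in text.splitlines():
        row = parse_fix_row(line.strip())
        if row is not None:
            rows.append(row)
    return rows


def fixed_cves(rows):
    """The set of CVE identifiers addressed by any row in the table."""
    return {cve for row in rows for cve in row.cves}


def triage(rows, scanner_findings):
    """Map each CVE a scanner reported to whether this release fixes it."""
    fixed = fixed_cves(rows)
    return {cve: (cve in fixed) for cve in scanner_findings}


# Rows copied from the 11.5.4 Vulnerability Fixes table above.
SAMPLE_ROWS = """\
ID Number CVE Solution Article(s) Description
542314-7 CVE-2015-8099 K35358312 TCP vulnerability - CVE-2015-8099
554624-1 CVE-2015-5300 CVE-2015-7704 K10600056 K17566 NTP CVE-2015-5300 CVE-2015-7704
545762-1 CVE-2015-7394 K17407 CVE-2015-7394
427174-6 CVE-2013-1620 CVE-2013-0791 K15630 SOL15630: TLS in Mozilla NSS vulnerability CVE-2013-1620
"""

# Constructed scanner output: one CVE the release fixes, one it does not list.
SCANNER_FINDINGS = ["CVE-2015-7704", "CVE-2015-9999"]

if __name__ == "__main__":
    rows = parse_fix_table(SAMPLE_ROWS)
    for row in rows:
        print(row.bug_id, row.cves, row.articles, "->", row.description)
    for cve, covered in triage(rows, SCANNER_FINDINGS).items():
        print(cve, "fixed in this release" if covered else "NOT listed as fixed")
```

The bug ID column is the stable key: the same CVE can appear on several rows (one per component or branch), so a cross-reference should be keyed by CVE and keep every matching bug ID and K-article rather than the first one found.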


Functional Change Fixes

ID Number Severity Solution Article(s) Description
557221 2-Critical K36385016 Inbound ISP link load balancing will use pool members for only one ISP link per data center
539130-7 3-Major K70695033 bigd may crash due to a heartbeat timeout
530133 3-Major   Support for New Platform: BIG-IP 10350 FIPS
498992-9 3-Major   Troubleshooting enhancement: improve logging details for AWS failover failure.
439013-5 3-Major K15162 IPv6 link-local vlan tag handling incorrect
425331-1 3-Major   On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports Chassis ID not Blade ID
226043-5 3-Major   Add support for multiple addresses for audit-forwarder.
479147-5 4-Minor   Cannot create VXLAN tunnels with the same local-address and different multicast addresses.


TMOS Fixes

ID Number Severity Solution Article(s) Description
546260-1 1-Blocking   TMM can crash if using the v6rd profile
544980-1 1-Blocking   BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.
510393-2 1-Blocking   TMM may occasionally restart with a core file when deployed VCMP guests are stopped
465142-5 1-Blocking K16633 iControl LocalLB::ProfileClientSSL::create and create_v2 methods result in crash when not in /Common
397431-8 1-Blocking   Improved security for Apache.
562427 2-Critical   Trust domain changes do not persist on reboot.
555686-2 2-Critical   Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers
544913-2 2-Critical K17322 tmm core while logging from TMM during failover
544481-4 2-Critical   IPsec tunnel fails randomly for more than one minute.
530903-5 2-Critical   HA pair in a typical Active/Standby configuration becomes Active/Active after a software upgrade
523434-5 2-Critical K85242410 mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object
520380-4 2-Critical K41313442 save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory
513151-7 2-Critical   VIPRION B2150 blades show up as unknown when SNMP queries the OID sysObjectID.
511559-6 2-Critical   Virtual Address advertised while unavailable
510559-5 2-Critical   Add logging to indicate that compression engine is stalled.
507602-4 2-Critical K17166 Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled
504508-4 2-Critical K16773 IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled
503600-3 2-Critical K17149 TMM core logging from TMM while attempting to connect to remote logging server
482373-5 2-Critical   Cannot delete and re-create a new virtual server that uses the same virtual address in the same transaction
468473-5 2-Critical K16193 Monitors with domain username do not save/load correctly
460165-5 2-Critical   General Database Error when accessing Clusters or Templates page
365219-3 2-Critical   Trust upgrade fails when upgrading from version 10.x to version 11.x.
355199-5 2-Critical   ePVA flow not removed when connection closed
556284-3 3-Major K55622762 iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found
553576-2 3-Major K17356 Intermittent 'zero millivolt' reading from FND-850 PSU
550694 3-Major K60222549 LCD display stops updating and Status LED turns/blinks Amber
547047-1 3-Major K31076445 Older cli-tools unsupported by AWS
545745-3 3-Major   Enabling tmm.verbose mode produces messages that can be mistaken for errors.
542860-5 3-Major   TMM crashes when IPsec SA are deleted during HA Active to Standby or vice versa event
542320 3-Major   No login name may appear when running SSH commands through the management port
539822-1 3-Major   tmm may leak connflow and memory on vCMP guest.
538133-1 3-Major   Only one action per sensor is displayed in sensor_limit_table and system_check
536939-1 3-Major   Secondary blade may restart services if configuration elements are deleted using a * wildcard.
534582-3 3-Major K10397582 HA configuration may fail over when standby has only base configuration loaded.
533826-4 3-Major   SNMP Memory Leak on a VIPRION system.
532559-2 3-Major   Upgrade fails to 11.5.0 and later if 'defaults-from none' is under profile '/Common/clientssl'.
531986-2 3-Major   Hourly AWS VE license breaks after reboot with default tmm route/gateway.
529524-5 3-Major K15345631 IPsec IKEv1 connectivity issues
528881-5 3-Major   NAT names with spaces in them do not upgrade properly
528498-2 3-Major   Recently-manufactured hardware may not be identified with the correct model name and SNMP OID
528276-6 3-Major K39167163 The device management daemon can crash with a malloc error
527431-2 3-Major   Db variable to specify audit forwarder port
526974-5 3-Major   Data-group member records map empty strings to 'none'.
526817-6 3-Major   snmpd core due to mcpd message timer thread not exiting
524490-7 3-Major K17364 Excessive output for tmsh show running-config
524333-5 3-Major K55005622 iControl command pkcs12_import_from_file_v2 may fail if httpd is restarted or session times out.
524300-1 3-Major K71003856 The MOS boot process appears to hang.
523922-6 3-Major   Session entries may timeout prematurely on some TMMs
523867-2 3-Major   'warning: Failed to find EUDs' message during formatting installation
523642-4 3-Major   Power Supply status reported incorrectly after LBH reset
523527-10 3-Major K43121346 Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.
522871-4 3-Major K13764703 [TMSH] nested wildcard deletion will delete all the objects (matched or not matched)
522837-3 3-Major   MCPD can core as a result of another component shutting down prematurely
521144-7 3-Major K16799 Network failover packets on the management interface sometimes have an incorrect source-IP
519510-4 3-Major K17164 Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware
519081-6 3-Major   Cannot use tmsh to load valid configuration created using the GUI.
518283-4 3-Major K16524 Cookie rewrite mangles 'Set-Cookie' headers
517714-2 3-Major   logd core near end of its life cycle
517388-6 3-Major   Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs.
516995-8 3-Major   NAT traffic group inheritance does not sync across devices
516322-5 3-Major   The BIG-IP system may erroneously remove an iApp association from the virtual server.
514844-3 3-Major K17099 Fluctuating/inconsistent number of health monitors for pool member
514726-5 3-Major K17144 Server-side DSR tunnel flow never expires
514724-4 3-Major   crypto-failsafe fail condition not cleared when crypto device restored
512618-2 3-Major   Continuous "Invalid sadb message" upon issuing "racoonctl -l show-sa esp"
511145-2 3-Major   IPsec Policy Link not functional.
510425-7 3-Major K28822214 DNS Express zone RR type-count statistics are missing in some cases
510381-5 3-Major   bcm56xxd might core when restarting due to bundling config change.
509600-5 3-Major   Global rule association to policy is lost after loading config.
507853-10 3-Major   MCP may crash while performing a very large chunked query and CPU is highly loaded
504803-4 3-Major   GUI Local Traffic Pool list does not show certain Pools with name containing 'mam'.
504494-4 3-Major K43624250 Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.
501437-6 3-Major   rsync daemon does not stop listening after configsync-ip set to none
497304-10 3-Major   Unable to delete reconfigured HTTP iApp when auto-sync is enabled
495865-4 3-Major K15116582 iApps/tmsh cannot reconfigure pools that have monitors associated with them.
495862-7 3-Major   Virtual status becomes yellow and gets connection limit alert when all pool members forced down
493246-1 3-Major K17414 SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot
491556-10 3-Major K16573 tmsh show sys connection output is corrected
489113-7 3-Major K16375 PVA status, statistics not shown correctly in UI
485939-8 3-Major K16822 OSPF redistributes connected subnets that are configured in the network element with an infinity metric in an HA pair.
485702-7 3-Major   Default SNMP community 'public' is re-added after the upgrade
484861-10 3-Major K16919 A standby-standby state can be created when auto failback acts in a CRC disagreement scenario
484534-5 3-Major   interface STP state stays in blocked when added to STP as disabled
483699-5 3-Major K16888 No Access error when trying to access iFile object in Local Traffic :: iRules : iFile list
483104-6 3-Major K17365 vCMP guests report platform type as 'unknown'
481089-6 3-Major   Request group incorrectly deleted prior to being processed
479553-6 3-Major   Sync may fail after deleting a persistence profile
479543-8 3-Major   Transaction will fail when deleting pool member and related node
476288-5 3-Major   Tmrouted restarted after a series of creating/deleting route domains and adding/deleting protocols due to seg fault
473037-7 3-Major K16896 BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP
470788-4 3-Major K34193654 Creating static ARP entry with unreachable IP address causes BIG-IP to be unreachable after reboot
470756-8 3-Major   snmpd cores or crashes with no logging when restarted by sod
464225-6 3-Major K16541 'tmsh list ltm message-routing' and 'tmsh show ltm message-routing' fail for non-admin users
463468-9 3-Major   Failed tmsh commands generate duplicate log entries
462187-6 3-Major K16379 'tmsh list net tunnels' and GUI tunnel access fail for non-admin users
458104-6 3-Major K16795 LTM UCS load merge trunk config issue
455980-6 3-Major K17210 Home directory is purged when the admin changes user password.
455651-6 3-Major K40300934 Improper regex/glob validation in web-acceleration and http-compression profiles
454392-1 3-Major   Added support for BIG-IP 10350N NEBS platform.
439299-5 3-Major   iApp creation fails with non-admin users
433466-5 3-Major   Disabling bundled interfaces affects first member of associated unbundled interfaces
410101-4 3-Major   HSBe2 falls off the PCI bus
375246-11 3-Major   Clarification of pool member session enabling versus pool member monitor enabling
549023 4-Minor   warning: Failed to find EUDs
548268-3 4-Minor   Disabling an interface on a blade does not change media to NONE
503841-4 4-Minor   Slow performance with delete_string_class_member in iControl-SOAP
492163-6 4-Minor K12400 Applying a monitor to pool and pool member may cause an issue.
473163-9 4-Minor   RAID disk failure and alert.conf log message mismatch results in no trap
465675-5 4-Minor K07816405 Invalid MAX-ACCESS clause for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.
434096-5 4-Minor   TACACS log forwarder truncates logs to 1 KB
413708-7 5-Cosmetic K31302478 BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
536690-1 1-Blocking K82591051 Occasional host-tmm connections within a chassis will fail (affects APM processes trying to connect to a tmm)
540473-5 2-Critical   peer/clientside/serverside script with parking command may cause tmm to core.
538255-2 2-Critical   SSL handshakes on 4200/2200 can cause TMM cores.
537988-3 2-Critical K76135297 Buffer overflow for large session messages
534804-3 2-Critical   TMM may core with rate limiting enabled and service-down-action reselect on poolmembers
534052-5 2-Critical K17150 VLAN failsafe triggering on standby leaks memory
533388-8 2-Critical   tmm crash with assert "resume on different script"
530505-2 2-Critical   IP fragments can cause TMM to crash when packet filtering is enabled
529920-6 2-Critical   Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit
528739-5 2-Critical K47320953 DNS Cache might use cached data from ADDITIONAL sections in ANSWER responses.
527011-4 2-Critical   Intermittent lost connections with no errors on external interfaces
520413-12 2-Critical   TMM may crash when using woodside congestion control
517590-1 2-Critical   Pool member not turning 'blue' when monitor removed from pool
517465-3 2-Critical   tmm crash with ssl
514108-7 2-Critical   TSO packet initialization failure due to out-of-memory condition.
509646-6 2-Critical   Occasional connections reset when using persistence
503343-9 2-Critical   TMM crashes when cloned packet incorrectly marked for TSO
497299-7 2-Critical   Thales install fails if the BIG-IP system is also configured as the RFS
489451-2 2-Critical K17278 TMM might panic due to OpenSSL failure during handshake generation
483719-4 2-Critical K16260 vlan-groups configured with a single member VLAN result in memory leak
481677-5 2-Critical   A possible TMM crash in some circumstances.
481162-6 2-Critical K16458 vs-index is set differently on each blade in a chassis
477064-5 2-Critical K17268 TMM may crash in SSL
472585-5 2-Critical   tmrouted crashes after a series configuration changes
470235-1 2-Critical   The HTTP explicit proxy may leak memory in some cases
459100-6 2-Critical K16452 TMM may crash when offloading one-way UDP FastL4 flow
456766-2 2-Critical K17351 SSL Session resumption with hybrid handshake might fail
456175-3 2-Critical   Memory issues possible with really long interface names
451059-8 2-Critical   SSL server does not check and validate Change Cipher Spec payload.
569718-3 3-Major   Traffic not sent to default pool after pool selection from rule
553311-1 3-Major K13710973 Route pool configuration may cause TMM to produce a core file
552532-3 3-Major K73453525 Oracle monitor fails with certain time zones.
552385 3-Major   Virtual servers using an SSL profile and two UDP profiles may not be accepted
547815-2 3-Major K57983796 Potential DNS Transparent Cache Memory Leak
545704-3 3-Major   TMM might core when using HTTP::header in a serverside event
544028-3 3-Major K21131221 Verified Accept counter 'verified_accept_connections' might underflow.
543993-4 3-Major   Serverside connections may fail to detach when using the HTTP and OneConnect profiles
543220-3 3-Major K12153351 Global traffic statistics do not include PVA statistics
538603-3 3-Major K03383492 TMM core file on pool member down with rate limit configured
537964-3 3-Major K17388 Monitor instances may not get deleted during configuration merge load
537553-3 3-Major   tmm might crash after modifying virtual server SSL profiles in SNI configuration
533966-4 3-Major   Double loopback nexthop release might cause TMM core.
532107-5 3-Major K16716213 [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted
530761-4 3-Major   TMM crash in DNS processing on a TCP virtual
528407-6 3-Major K72235143 TMM may core with invalid lasthop pool configuration
528188-4 3-Major   Packet filters are by-passed for some fragmented ICMP echo requests to a virtual address
528007-5 3-Major   Memory leak in ssl
527027-3 3-Major   DNSSEC Unsigned Delegations Respond with Parent Zone Information
527024-2 3-Major   DNSSEC Unsigned Delegations Respond with Parent Zone Information
526810-8 3-Major   Crypto accelerator queue timeout is now adjustable
525958-10 3-Major   TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.
525322-6 3-Major   Executing tmsh clientssl-proxy cached-certs crashes tmm
524960-5 3-Major K17434 'forward' command does not work if virtual server has attached pool
523513-5 3-Major   COMPRESS::enable keeps compression enabled for a subsequent HTTP request.
521036-4 3-Major   Dynamic ARP entry may replace a static entry in non-primary TMM instances.
520405-2 3-Major   tmm restart due to oversubscribed DNS resolver
517790-11 3-Major   When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped
517510-5 3-Major   HTTP monitor might add extra CR/LF pairs to HTTP body when supplied
517282-6 3-Major K63316585 The DNS monitor may delay marking an object down or never mark it down
517124-6 3-Major   HTTP::retry incorrectly converts its input
516598-6 3-Major K82721850 Multiple TCP keepalive timers for same Fast L4 flow
516432-4 3-Major K21467711 DTLS may send corrupted records when the DB variable tmm.ssl.dtlsmaxcrs is not the default value 1.
516320-5 3-Major   TMM may have a CPU spike if match cross persist is used.
515482-6 3-Major K93258439 Multiple teardown conditions can cause crash
515072-7 3-Major K17101 Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased
514419-7 3-Major   TMM core when viewing connection table
514246-6 3-Major   connflow_precise_check_begin does not check for NULL
513319-7 3-Major   Incorrect or failing sideband connections from within an iRule may leak memory
513243-5 3-Major K17561 Improper processing of crypto error condition might cause memory issues.
512490-10 3-Major   Increased latency during connection setup when using FastL4 profile and connection mirroring.
512148-7 3-Major K17154 Self IP address cannot be deleted when its VLAN is associated with static route
511517-8 3-Major K17111 Request Logging profile cannot be configured with HTTP transparent profile
511057-7 3-Major K60014038 Config sync fails after changing monitor in iApp
510921-6 3-Major K23548911 Database monitors do not support IPv6 nodes
510164-4 3-Major K53351133 DNS Express zone RR statistics are correctly reset after zxfrd restart
507109-6 3-Major   inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade
505705-6 3-Major   Expired mirrored persistence entries not always freed using intra-chassis mirroring
504827-3 3-Major   Use of DHCP relay virtual server might result in tmm crash 'top filter'.
503257-13 3-Major   Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST
502747-13 3-Major   Incoming SYN generates unexpected ACK when connection cannot be recycled
498334-6 3-Major K16867 DNS express doesn't send zone notify response
495588-4 3-Major   Configuration fails with Syntax Error after upgrading from pre-11.5.0 releases
493140-6 3-Major K16969 Incorrect persistence entries are created when invoking cookie hash persistence within an iRule using offset and length parameters.
493117-12 3-Major K16986 Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted
490740-9 3-Major   TMM may assert if HTTP is disabled by another filter while it is parked
490429-4 3-Major K17206 The dynamic routes for the default route might be flushed during operations on non-default route domains.
475649-6 3-Major K17430 HTTP::respond in explicit proxy scenarios may cause TMM crash due to assert
475125-2 3-Major K17428 Use of HTTP::retry may cause TMM crash
472748-4 3-Major   SNAT pool stats are reflected in global SNAT stats
471059-7 3-Major   Malformed cookies can break persistence
467551-5 3-Major K17011 TCP syncookie and Selective NACK (profile option) causes traffic to be dropped
464651-7 3-Major K16636 Multiple root certificates with same 'subject' and 'issuer' may cause the tmm to core.
458822-5 3-Major   Cluster status may be incorrect on secondary blades
453720-6 3-Major   clientssl profile validation fails to detect config with no cert/key name and no cert/key
452246-4 3-Major K17075 The correct cipher may not be chosen on session resumption.
447043-11 3-Major K17095 Cannot have 2 distinct 'contains' conditions on the same LTM policy operand
442869-7 3-Major   GUI inaccessible on chassis when var/log/audit log is full
441638-9 3-Major K14972 CACHE::header insert fails with 'Out of bounds' error for 301 Cache response
441058-5 3-Major K17366 TMM can crash when a large number of SSL objects are created
429011-8 3-Major K15554 No support for external link down time on network failover
424831-4 3-Major K14573 State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover
418890-5 3-Major K92193116 OpenSSL bug can prevent RSA keys from rolling forward
364994-14 3-Major K16456 TMM may restart, or disabled connections may be reused, when a OneConnect profile is configured and OneConnect reuse is disabled by an iRule.
348000-16 3-Major   HTTP response status 408 request timeout results in error being logged.
534458-4 4-Minor K17196 SIP monitor marks down member if response has different whitespace in header fields.
532799-4 4-Minor K14551525 Static link route to a /32 pool member can end up using the destination broadcast MAC
513288-2 4-Minor   Management traffic from nodes being health monitored might cause health monitors to fail.
503560-5 4-Minor   Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server.
446830-2 4-Minor   Current Sessions stat does not increment/decrement correctly.
446755-5 4-Minor K70440102 Connections with ramcache and clientssl profile allowing non-SSL traffic may stall


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
469033-15 2-Critical   Large big3d memory footprint.
437025-5 2-Critical K15698 big3d might exit during loading of large configs or when a connection to mcpd is dropped.
529460-5 3-Major K17209 Short HTTP monitor responses can incorrectly mark virtual servers down.
517582-5 3-Major   [GUI] [GTM] Cannot delete Region if attempting to delete another region referenced by a record.
514731-4 3-Major K17100 GTM fails to change GTM server with IPv4 'Address Translation' enabled
510888-8 3-Major   [LC] snmp_link monitor is not listed as available when creating link objects
494305-6 4-Minor K36360597 [GUI] [GTM] Cannot remove the first listed dependent virtual server from dependency list.
494070-4 4-Minor K59225090 BIG-IP DNS cannot use a loopback address with fallback IP load balancing
451211-3 4-Minor   Error using GUI when setting debug option on GTM SIP monitor.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
555057-1 2-Critical   ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.
555006-1 2-Critical   ASM REST: lastUpdateMicros is not updated when changing a Custom Signature
552139-3 2-Critical K61834804 ASM limitation in the pattern matching matrix build-up
540424-1 2-Critical   ASM REST: DESC modifier for $orderby option does not affect results
515728-4 2-Critical   Repeated BD cores.
478351-2 2-Critical K17319 Changing management IP can lead to bd crash
475551-5 2-Critical   Flaw in CSRF protection mechanism
547000-3 3-Major K47219203 Enforcer application might crash on XML traffic when out of memory
544831 3-Major   ASM REST: PATCH to a custom signature set's attackTypeReference is ignored
542511-1 3-Major K97242554 'Unhandled keyword ()' error message in GUI and/or various ASM logs
540390-1 3-Major   ASM REST: Attack Signature Update cannot roll back to older attack signatures
538195-5 3-Major   Incremental Manual sync does not allow overwrite of 'newer' ASM config
535188-5 3-Major   Response Pages custom content with \n instead of \r\n on policy import.
534246-4 3-Major   rest_uuid should be calculated from the actual values inserted to the entity
530598-2 3-Major   Some Session Tracking data points are lost on TMM restart
529610-4 3-Major K32565535 On HA setups the ASM session tracking page displays an empty list when in fact there are ASM entries in the session db
528071-2 3-Major   ASM periodic updates (cron) write errors to log
526162-6 3-Major K52335623 TMM crashes with SIGABRT
521183-3 3-Major   Upgrade from 11.2.x (or earlier) to 11.5.x/11.6.x can fail when an active DoS profile exists with 'Prevention Duration' set to a value less than 5
519053-4 3-Major   Request is forwarded truncated to the server after answering challenge on a big request
514313-3 3-Major K00884154 Logging profile configuration is updated unnecessarily
502852-4 3-Major   Deleting an in-use custom policy template
498189-6 3-Major   ASM Request log does not show log messages.
491371-4 3-Major K17285 CMI: Manual sync does not allow overwrite of 'newer' ASM config
491352-4 3-Major   Added ASM internal parameter to add more XML memory
484079-5 3-Major K90502502 Change to signature list of manual Signature Sets does not take effect.
478674-10 3-Major K08359230 ASM internal parameters for high availability timeout were not handled correctly
471766-3 3-Major   Number of decoding passes configuration
470779-3 3-Major   The Enforcer should exclude session awareness violations when counting illegal requests.
466423-1 3-Major   ASM REST: Partial PATCH to User-Defined Signature-Set Filter Resets Other Fields to Defaults
442313-6 3-Major   Content length header leading whitespaces should not be counted as digits
440913-2 3-Major   Apply Policy Fails After Policy Diff and Merge
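Fix 442313-6 above concerns how a Content-Length value with leading whitespace is counted. RFC 7230 defines the field as 1*DIGIT, so anything other than a run of ASCII digits should be rejected rather than silently normalised: two hops that disagree on the body length are the precondition for request smuggling. The following is an added illustration, not F5 code, contrasting a lenient parser (Python's int(), which accepts leading whitespace, a sign and even underscores) with a strict one; the sample header values are constructed for the example.

```python
import re
from typing import Optional, Tuple

# RFC 7230 section 3.3.2: Content-Length = 1*DIGIT (no whitespace, sign or separators)
_STRICT_CONTENT_LENGTH = re.compile(r"^[0-9]+$")


def lenient_content_length(value: str) -> Optional[int]:
    """Parser that hands the raw field value to int().

    int() tolerates surrounding whitespace, a leading '+' and digit-group
    underscores, so ' 12', '+12' and '1_2' all become 12. A proxy doing this
    may disagree with a back end that rejects the same header.
    """
    try:
        return int(value)
    except ValueError:
        return None


def strict_content_length(value: str) -> Optional[int]:
    """Accept only 1*DIGIT; return None for anything else."""
    if not _STRICT_CONTENT_LENGTH.match(value):
        return None
    return int(value)


def compare(value: str) -> Tuple[Optional[int], Optional[int]]:
    """Return (lenient, strict) results so disagreements are easy to spot."""
    return lenient_content_length(value), strict_content_length(value)


def disagreeing_values(values) -> list:
    """Constructed header values on which the two parsers disagree.

    A value that the lenient parser accepts but the strict one rejects is the
    kind of input a front end and back end may interpret differently.
    """
    return [v for v in values if compare(v)[0] is not None and compare(v)[1] is None]


if __name__ == "__main__":
    # Constructed sample Content-Length field values (hypothetical inputs)
    samples = ["12", " 12", "+12", "1_2", "0x10", ""]
    for v in samples:
        print(repr(v), "->", compare(v))
    print("disagreements:", disagreeing_values(samples))
```

The strict parser is the one to run on every hop; if a device must accept a sloppy client, it should rewrite the header to the canonical digit string before forwarding so that the next hop sees exactly the value that was counted.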


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
458823-2 2-Critical   TMM Crash can lead to crash of other processes
535246 3-Major K17493 Table values are not correctly cleaned and can occupy entire disk space.
530952-4 3-Major   MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'
530356-1 3-Major   Some AVR tables that hold ASM statistics are not being backed up in upgrade process.
529903-2 3-Major   Incorrect reports on multi-bladed systems
519252-1 3-Major   SIP statistics upgrade
474613-2 3-Major   Upgrading from previous versions
472125-3 3-Major   IP Intelligence report data is not roll-forwarded between installations as it should
537435-4 4-Minor   Monpd might core if asking for export report by email while monpd is terminating


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
553330-2 1-Blocking   Unable to create a new document with SharePoint 2010
555507-3 2-Critical K88973987 Under certain conditions, SSO plugin can overrun memory not owned by the plugin.
537227-6 2-Critical   EdgeClient may crash if special Network Access configuration is used
532340-2 2-Critical   When FormBased SSO or SAML SSO are configured, tmm may restart at startup
530622-2 2-Critical   EAM plugin uses high memory when serving very high concurrent user load
502269-2 2-Critical   Large post requests may fail using form based SSO.
480272-8 2-Critical K17117 During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID
459584-2 2-Critical K11596702 TMM crashes if request URI is empty or longer than 4096 bytes.
437611-3 2-Critical K16104 ERR_NOT_FOUND. File: ../modules/hudfilter/access/access_license.c, Function: access_read_license_settings, Line: 204
558859 3-Major   Control insertion to log_session_details table by Access policy logging level.
551764-1 3-Major K14954742 [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform
549588-3 3-Major   EAM memory leak when cookiemap is destroyed without deleting Cookie object in it
544992-2 3-Major   Virtual server profile changes are ignored if it has /Common/remotedesktop and /Common/vdi assigned (Citrix/Vmware View iApp)
539270-2 3-Major   A specific NTLM client fails to authenticate with BIG-IP
539229-4 3-Major   EAM core while using Oracle Access Manager
537614-2 3-Major   Machine certificate checker fails to use Machine cert check service if Windows has certain display languages
532761-1 3-Major   APM fails to handle compressed ICA file in integration mode
528808-2 3-Major   Source NAT translation doesn't work when APM is disabled using iRule
526637-1 3-Major   tmm crash with APM clientless mode
522791-1 3-Major K45123459 HTML rewriting on client might leave 'style' attribute unrewritten.
482177-2 3-Major K16777 Accessing Sharepoint web application portal interferes with IdP initiated SAML SSO
467256-1 3-Major K25633150 Deleting OPSWAT/Epsec packages from GUI does not delete files from disk causing UCS packages to bloat
462598-3 3-Major K17184 Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members.
446860-6 3-Major   APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348
533723-7 4-Minor   [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.
491080-2 4-Minor K92821195 Memory leak in access framework
473685-2 4-Minor   Websso truncates cookie domain value


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
525478-3 3-Major K80413728 Requests for deflate encoding of gzip documents may crash TMM
517013-2 3-Major   CSS minification can on occasion remove necessary whitespace
506557-5 3-Major K45240941 IBR tags might occasionally be all zeroes.
506315-10 3-Major   WAM/AAM is honoring OWS age header when not honoring OWS maxage.
501714-4 3-Major   System does not prevent low-quality JPEGs from being optimized to a higher quality (and becoming larger) when AAM image optimization is enabled and the JPEG quality set in the policy is higher than that of the JPEGs on the OWS.
476476-9 3-Major   Occasional inability to cache optimized PDFs and images
384072-5 3-Major K10442159 Authorization requests not being cached when allowed.


Service Provider Fixes

ID Number Severity Solution Article(s) Description
528955-2 3-Major   TMM may core when using Request Adapt profile
523854-4 3-Major K35305250 TCP reset with RTSP Too Big error when streaming interleaved data


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
540484-4 2-Critical K04005785 "show sys pptp-call-info" command can cause tmm crash
533562-5 2-Critical K15320373 Memory leak in CGNAT can result in crash
515646-9 2-Critical K17339 TMM core when multiple PPTP calls from the same client
494743-8 2-Critical K17389 Port exhaustion errors on VIPRION 4800 when using CGNAT
494122-6 2-Critical K02533962 Deterministic NAT state information from HSL is not usable on VIPRION B4300 blades
490893-9 2-Critical K16762 Deterministic NAT state information incomplete for HSL log format
500424-5 3-Major   dnatutil exits when reverse mapping one of the snippet results in "No tmms on the blade" error
486762-2 3-Major K05172346 lsn-pool connection limits may be invalid when mirroring is enabled
480119-5 3-Major K16112 Vague error - Error ERR_BOUNDS connflow ... processing pullup of control message.



Cumulative fixes from BIG-IP v11.5.3 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
534630-3 CVE-2015-5477 K16909 Upgrade BIND to address CVE-2015-5477
530829-2 CVE-2015-5516 K00032124 UDP traffic sent to the host may leak memory under certain conditions.
529509-4 CVE-2015-4620 K16912 BIND Vulnerability CVE-2015-4620
527799-10 CVE-2015-4000 CVE-2015-1792 CVE-2015-1791 CVE-2015-1790 CVE-2015-1789 CVE-2015-1788 CVE-2014-8176 K16674 K16915 K16914 OpenSSL library in APM clients updated to resolve multiple vulnerabilities
527630-2 CVE-2015-1788 K16938 CVE-2015-1788 : OpenSSL Vulnerability
523032-5 CVE-2015-3456 K16620 qemu-kvm VENOM vulnerability CVE-2015-3456
506034-5 CVE-2014-9297 CVE-2014-9298 CVE-2014-9750 CVE-2014-9751 K16393 NTP vulnerabilities (CVE-2014-9297,CVE-2014-9298)
532522-4 CVE-2015-1793 K16937 CVE-2015-1793
531576-2 CVE-2016-7476 K87416818 TMM vulnerability CVE-2016-7476
520466-3 CVE-2015-3628 K16728 Ability to edit iCall scripts is removed from resource administrator role
516618-4 CVE-2013-7424 K16472 glibc vulnerability CVE-2013-7424
513382-2 CVE-2015-0286 CVE-2015-0287 CVE-2015-0289 CVE-2015-0293 CVE-2015-0209 CVE-2015-0288 K16317 Resolution of multiple OpenSSL vulnerabilities
527639-5 CVE-2015-1791 K16914 CVE-2015-1791 : OpenSSL Vulnerability
527638-5 CVE-2015-1792 K16915 OpenSSL vulnerability CVE-2015-1792
527637-5 CVE-2015-1790 K16898 PKCS #7 vulnerability CVE-2015-1790
527633-5 CVE-2015-1789 K16913 OpenSSL vulnerability CVE-2015-1789
500091-3 CVE-2015-0204 K16139 CVE-2015-0204 : OpenSSL Vulnerability


Functional Change Fixes

ID Number Severity Solution Article(s) Description
503652-1 2-Critical K17162 Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit.
502443-9 2-Critical K16457 After enabling a blade/HA member, pool members are marked down because monitoring starts too soon.
520705-4 3-Major   Edge client contains multiple duplicate entries in server list
490537-4 3-Major   Persistence Records display in GUI might cause system crash with large number of records
374067-2 3-Major K14098 Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections


TMOS Fixes

ID Number Severity Solution Article(s) Description
516184 1-Blocking   IKEv1 for IPsec does not work when VLAN cmp-hash is set to non-default values
542898 2-Critical   Virtual Edition: Disk partition /var shows 100% after live install to 12.0.0
513454-2 2-Critical   An snmpwalk with a large configuration can take too long, causing snmpd or mcpd restarts
509503-3 2-Critical   tmsh load sys config merge file 'filename' takes significant time for firewall rule-list configuration
507327-2 2-Critical   Programs that read stats can leak memory on errors reading files
495335-4 2-Critical K17436 BWC related tmm core
479460-4 2-Critical   SessionDb may be trapped in wrong HA state during initialization
420107-3 2-Critical   TMM could crash when modifying HTML profile configuration
364978-2 2-Critical   Active/standby system configured with unit 2 failover objects
546410-1 3-Major K02151433 Configuration may fail to load when upgrading from version 10.x.
540638 3-Major   GUI Device Management Overview to display device_trust_group
535806-4 3-Major   Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE
533458-2 3-Major   Insufficient data for determining cause of HSB lockup.
533257-1 3-Major   tmsh config file merge may fail when AFM security log profile is present in merged file
530122 3-Major   Improvements in building hotfix images for hypervisors.
527021-2 3-Major   BIG-IQ iApp statistics corrected for empty pool use cases
526419-2 3-Major   Deleting an iApp service may fail
524326-3 3-Major   Can delete last ip address on a gtm server but cannot load a config with a gtm server with no ips
524126-3 3-Major K02142351 The DB variable provision.tomcat.extramb is cleared on first boot.
523125-1 3-Major K17350 Disabling/enabling blades in cluster can result in inconsistent failover state
520640-1 3-Major K31002924 The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method.
519877-3 3-Major   External pluggable module interfaces not disabled correctly.
519068-2 3-Major   device trust setup can require restart of devmgmtd
518039-2 3-Major   BIG-IQ iApp statistics corrected for partition use cases
517580-2 3-Major K16787 OPT-0015 on 10000-series appliance may cause bcm56xxd restarts
516669-2 3-Major K34602919 Rarely occurring SOD core causes failover.
513974-4 3-Major K16691 Transaction validation errors on object references
513916-4 3-Major K80955340 String iStat rollup not consistent with multiple blades
513649-3 3-Major   Transaction validation errors on object references
510119-3 3-Major   HSB performance can be suboptimal when transmitting TSO packets.
509782-2 3-Major K16780 TSO packets can be dropped with low MTU
509504-4 3-Major K17500 Excessive time to save/list a firewall rule-list configuration
507575-3 3-Major   An incorrectly formatted NAPTR creation via iControl can cause an error.
507331-6 3-Major   Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled.
506041-5 3-Major K01256304 Folders belonging to a device group can show up on devices not in the group
502238-2 3-Major K16736 Connectivity and traffic interruption issues caused by a stuck HSB transmit ring
501517-5 3-Major   Very large configuration can cause transaction timeouts on secondary blades
499260-2 3-Major   Deleting trust-domain fails when standby IP is in ha-order
497564-5 3-Major   Improve High Speed Bridge diagnostic logging on transmit/receive failures
483683-7 3-Major K16210 MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error
481696-5 3-Major   Failover error message 'sod out of shmem' in /var/log/ltm
473348-5 3-Major K16654 SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later
472365-5 3-Major   The vCMP worker-lite system occasionally stops due to timeouts
470184-1 3-Major K17284 In Configuration Utility, unable to view or edit objects in Local Traffic :: iRules :: Data Group List
455264-2 3-Major K54105052 Error messages are not clear when adding member to device trust fails
451602-6 3-Major   DPD packet drops with keyed VLAN connections
441100-1 3-Major   Partition behavior of iApps corrected
436682-6 3-Major   Optical SFP modules shows a higher optical power output for disabled switch ports
410398-8 3-Major   sys db tmrouted.rhifailoverdelay does not seem to work
405752-2 3-Major   TCP Half Open monitors sourced from specific source ports can fail
362267-2 3-Major K17488 Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors
359774-5 3-Major   Pools in HA groups other than Common
355661-2 3-Major K85476133 sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address
523863-1 4-Minor   istats help not clear for negative increment
475647-3 4-Minor   VIPRION Host PIC firmware version 7.02 update
465009-2 4-Minor   VIPRION B2100-series LOP firmware version 2.10 update
464043-4 4-Minor   Integration of Firmware for the 2000 Series Blades
460456-3 4-Minor   FW RELEASE: Incorporate 5000, 5050, 5250 BIOS 2.06.214.0
460444-3 4-Minor   VIPRION B4300 BIOS version 2.03.052.0 update
460428-3 4-Minor   BIG-IP 2000-/4000-series BIOS version 2.02.171.0 update
460422-3 4-Minor   BIOS 4.01.006.0 for BIG-IP 10000, 10250, 10350 platforms.
460406-3 4-Minor   VIPRION B2100-series BIOS version 1.06.043.0 update
460397-3 4-Minor   FW RELEASE: Incorporate B2250 BIOS 1.26.012.0
447075-3 4-Minor   CuSFP module plugged in during links-down state will cause remote link-up
443298-3 4-Minor   FW Release: Incorporate VIPRION 2250 LOP firmware v1.20


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
522784-3 1-Blocking   After restart, system remains in the INOPERATIVE state
420341-5 1-Blocking K17082 Connection Rate Limit Mode when limit is exceeded by one client also throttles others
419458-3 1-Blocking   HTTP is more efficient in buffering data
530963-3 2-Critical   BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms
530769 2-Critical   F5 SFP+ module becomes unpopulated after mcpd is restarted in a clustered environment.
528432-1 2-Critical   Control plane CPU usage reported too high
527826-1 2-Critical K31622556 IP Intelligence update failed: Missing SSL certificate
527649-1 2-Critical   Upgrade sets client/server SSL profiles Ciphers field to DEFAULT if upgraded cipherstring effectively contains no ciphersuites.
523079-1 2-Critical   Merged may crash when file descriptors exhausted
521548-5 2-Critical   Possible crash in SPDY
521336-1 2-Critical   pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core
499422-2 2-Critical K31310380 An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet result in a FIN/ACK storm.
478592-5 2-Critical K16798 When using the SSL forward proxy feature, clients might be presented with expired certificates.
474601-4 2-Critical   FTP connections are being offloaded to ePVA
468375-2 2-Critical K16779 TMM crash when MPTCP JOIN arrives in the middle of a flow
450814-9 2-Critical   Early HTTP response might cause rare 'server drained' assertion
443157-1 2-Critical   zxfrd might crash when the zone file (zxfrd.bin) is deleted from the directory /var/db
431283-3 2-Critical   iRule binary scan may core TMM when the offset is large
402412-10 2-Critical   FastL4 tcp handshake timeout is not honored, connection lives for idle timeout.
545821 3-Major   Idle timeout changes to five seconds when using PVA full or Assisted acceleration.
530795-1 3-Major   In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number.
524666-2 3-Major   DNS licensed rate limits might be unintentionally activated.
522147-1 3-Major   'tmsh load sys config' fails after key conversion to FIPS using web GUI
521813-3 3-Major   Cluster is removed from HA group on restart
521774-2 3-Major K17420 Traceroute and ICMP errors may be blocked by AFM policy
521538-3 3-Major K08025400 Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known
521522-2 3-Major K21981142 Traceroute through BIG-IP may display destination IP address at BIG-IP hop
521408-2 3-Major   Incorrect configuration in BigTCP Virtual servers can lead to TMM core
520540-2 3-Major   Specific iRule commands may generate a core file
518086-1 3-Major   Safenet HSM Traffic failure after system reboot/switchover
518020-10 3-Major K16672 Improved handling of certain HTTP types.
517556-2 3-Major   DNSSEC unsigned referral response is improperly formatted
515759-2 3-Major K92401129 Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time
515139-4 3-Major K17067 Active FTP session with inherit profile and address translation disabled may not decrement pool member current connections statistics
514604-2 3-Major   Nexthop object can be freed while still referenced by another structure
512383-4 3-Major K68275911 Hardware flow stats are not consistently cleared during fastl4 flow teardown.
512062 3-Major K21528300 A db variable to disable verification of SCTP checksum when ingress packet checksum is zero
510638-2 3-Major K37513511 [DNS] Config change in dns cache resolver does not take effect until tmm restart
507529 3-Major   Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow
507127-1 3-Major   DNS cache resolver is inserted to a wrong list on creation.
504899-1 3-Major   Duplicated snat-translation addresses are possible (a named and an anonymous (created by snatpool) one)
504105-3 3-Major   RR-DAG enabled UDP ports may be used as source ports for locally originated traffic
501516-4 3-Major   If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.
497584-5 3-Major   The RA bit on DNS response may not be set
496758-4 3-Major K16465 Monitor Parameters saved to config in a certain order may not construct parameters correctly
488600-1 3-Major   iRule compilation fails on upgrade
479682-5 3-Major K16862 TMM generates hundreds of ICMP packets in response to a single packet
478617-7 3-Major K16451 Don't include maximum TCP options length in calculating MSS on ICMP PMTU.
478439-5 3-Major K16651 Unnecessary re-transmission of packets on higher ICMP PMTU.
478257-6 3-Major   Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed
476097-3 3-Major K15274113 TCP Server MSS option is ignored in verified accept mode
468472-6 3-Major   Unexpected ordering of internal events can lead to TMM core.
465590-4 3-Major K17531 Mirrored persistence information is not retained while flows are active
462714-3 3-Major K66236389 Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server
460627-5 3-Major K17059 SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists
455762-3 3-Major K17094 DNS cache statistics incorrect
454018-6 3-Major K16540 Nexthop to tmm0 ref-count leakage could cause TMM core
452439-4 3-Major K15574 TMM may crash when enabling DOS sweep/flood if a TMM process has multiple threads
451960-3 3-Major   HTTPS monitors do not work with FIPS keys
449848-5 3-Major   Diameter Monitor not waiting for all fragments
442686-1 3-Major   DNSX Transfers Occur on DNSX authoritative server change
422107-7 3-Major K17415 Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set
422087-4 3-Major K16326 Low memory condition caused by Ram Cache may result in TMM core
375887-5 3-Major K17282 Cluster member disable or reboot can leak a few cross blade trunk packets
374339-5 3-Major   HTTP::respond/redirect might crash TMM under low-memory conditions
352925-4 3-Major K16288 Updating a suspended iRule and TMM process restart
342013-5 3-Major K27445955 TCP filter doesn't send keepalives in FIN_WAIT_2
514729-1 4-Minor   10.2.1 system with SSL profile specifying ciphers 'DEFAULT:!HIGH:!MEDIUM' fails to upgrade to 11.5.1, 11.5.2, 11.5.3, or 11.6.0.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
515797-2 2-Critical   Using qos_score command in RULE_INIT event causes TMM crash
526699-5 3-Major K40555016 TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port.
516685-1 3-Major   ZoneRunner might fail to load valid zone files.
516680-1 3-Major   ZoneRunner might fail when loading valid zone files.
515033-1 3-Major   [ZRD] A memory leak in zrd
515030-2 3-Major K74820030 [ZRD] A memory leak in Zrd
514236-2 3-Major   [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses
496775-6 3-Major K16194 [GTM] [big3d] Unable to mark an LTM virtual server up if another virtual server has the same ltm_name for the bigip monitor
471819-1 3-Major   The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system and Common Criteria mode is enabled.
465951-1 3-Major K12562945 If net self description size =65K, gtmd restarts continuously
225443-6 3-Major   gtmparse fails to load if you add unsupported SIP monitor parameters to the config
479084-3 4-Minor   ZoneRunner can fail to respond to commands after a VE resume.
353556-2 4-Minor   big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
524428-2 2-Critical   Adding multiple signature sets concurrently via REST
524004-2 2-Critical   Adding multiple signatures concurrently via REST
520280-2 2-Critical   Perl Core After Apply Policy Action
516523-1 2-Critical   Full ASM Config Sync was happening too often in a Full Sync Auto-Sync Device Group
487420-3 2-Critical   BD crash upon stress on session tracking
532030-2 3-Major   ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI
526856-2 3-Major   "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency
523261-2 3-Major   ASM REST: MCP Persistence is not triggered via REST actions
523260-2 3-Major K52028045 Apply Policy finishes with coapi_query failure displayed
523201-1 3-Major   Expired files are not cleaned up after receiving an ASM Manual Synchronization
520796-2 3-Major   High ASCII characters availability for policy encoding
520585-1 3-Major   Changing Security Policy Application Language Is Not Validated or Propagated Properly
516522-2 3-Major K04420402 After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.
514061-1 3-Major K17562 False positive scenario causes SMTP transactions to hang and eventually reset.
512668-2 3-Major   ASM REST: Unable to Configure Clickjacking Protection via REST
510499-1 3-Major K17544 System Crashes after Sync in an ASM-only Device Group.
506407-1 3-Major K04420402 Certain upgrade paths to 11.6.x lose the redirect URL configuration for Alternate Response Pages


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
533098 3-Major K68715215 Traffic capture filter not catching all relevant transactions
531526-1 3-Major K17560 Missing entry in SQL table leads to misleading ASM reports
525708-2 3-Major K17555 AVR reports of last year are missing the last month data
519022-1 3-Major K01334306 Upgrade process fails to convert ASM predefined scheduled-reports.


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
525920 1-Blocking   VPE fails to display access policy
492149-2 1-Blocking   Inline JavaScript with HTML entities may be handled incorrectly
488736-6 1-Blocking   Fixed problem with iNotes 9 Instant Messaging
482266-1 1-Blocking   Windows 10 support for Network Access / BIG-IP Edge Client
482241-5 1-Blocking   Windows 10 cannot be properly detected
437670-2 1-Blocking   Race condition in APM windows client on modifying DNS search suffix
526833 2-Critical   Reverse Proxy produces JS error: 'is_firefox' is undefined
526754-3 2-Critical   F5unistaller.exe crashes during uninstall
525562-2 2-Critical   Debug TMM Crashes During Initialization
520298-1 2-Critical   Java applet does not work
520145-2 2-Critical   [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy
519864-2 2-Critical   Memory leak on L7 Dynamic ACL
518260-4 2-Critical   Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message
517988-1 2-Critical   TMM may crash if access profile is updated while connections are active
517146-2 2-Critical   Log ID 01490538 may be truncated
516075-5 2-Critical   Linux command line client fails with on-demand cert
514220-2 2-Critical   New iOS-based VPN client may fail to create IPv6 VPN tunnels
513581 2-Critical   Occasional TMM crash when HTTP payload is scanned through SWG
509490-1 2-Critical   [IE10]: attachEvent does not work
507681-9 2-Critical   Window.postMessage() does not send objects in IE11
506223-1 2-Critical   A URI in request to cab-archive in iNotes is rewritten incorrectly
497118-6 2-Critical   Tmm may restart when SAML SLO is triggered
487399-3 2-Critical   VDI plugin crashes when View client disconnects prematurely
474058-7 2-Critical K16689 When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions
471874-6 2-Critical K16850 VDI plugin crashes when trying to respond to client after client has disconnected
452163-1 2-Critical   Cross-domain functionality is broken in AD Query
451469-3 2-Critical   APM User Identity daemon doesn't generate core
540778 3-Major   Multiple SIGSEGV with core and failover with no logged indicator
539013-2 3-Major   DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases
537000-3 3-Major   Installation of Edge Client can cause Windows 10 crash in some cases
534755-2 3-Major   Deleting APM virtual server produces ERR_NOT_FOUND error
532096-3 3-Major   Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used
531883-3 3-Major   Windows 10 App Store VPN Client must be detected by BIG-IP APM
531483-1 3-Major   Copy profile might end up with error
530697-3 3-Major   Windows Phone 10 platform detection
529392-3 3-Major   Windows 10 and IE11 are not detected when the proxy autoconfig script returns a DIRECT rule
528726-2 3-Major   AD/LDAP cache size reduced
528675-3 3-Major   BIG-IP Edge Client can stay in the "disconnecting..." state indefinitely when the captive portal session has expired
526617-2 3-Major   TMM crash when logging a matched ACL entry with IP protocol set to 255
526578-2 3-Major   Network Access client proxy settings are not applied on German Windows
526492-3 3-Major   DNS resolution fails for Static and Optimized Tunnels on Windows 10
526275-2 3-Major   VMware View RSA/RADIUS two factor authentication fails
526084-1 3-Major   Windows 10 platform detection for BIG-IP EDGE Client
525384-3 3-Major   Network Access PAC file can now be located on an SMB share
524909-3 3-Major   Windows info agent could not be passed from Windows 10
523431-1 3-Major   Windows Cache and Session Control cannot support a period in the access profile name
523390-1 3-Major   Minor memory leak on IdP when SLO is configured on bound SP connectors.
523329 3-Major   When BIG-IP is used as SAML Identity Provider(IdP), TMM may restart under certain conditions.
523327-3 3-Major   In very rare cases Machine Certificate service may fail to find private key
523222-7 3-Major   Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.
521835-1 3-Major   [Policy Sync] Connectivity profile with a customized logo fails
521773-1 3-Major K10105099 Memory leak in Portal Access
521506-3 3-Major   Network Access doesn't restore loopback route on multi-homed machine
520642-2 3-Major   Rewrite plugin should check length of Flash files and tags
520390-2 3-Major   Reuse existing option is ignored for smtp servers
520205-2 3-Major   Rewrite plugin could crash on malformed ActionScript 3 block in Flash file
520118-3 3-Major   Duplicate server entries in Server List.
519966-1 3-Major   APM "Session Variables" report shows user passwords in plain text
519415-4 3-Major   apm network access tunnel ephemeral listeners ignore irules (related-rules from main virtual )
519198-2 3-Major   [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user
518981-1 3-Major   RADIUS accounting STOP message may not include long class attributes
518583-3 3-Major   Network Access on disconnect restores redundant default route after looped network roaming for Windows clients
517564-2 3-Major   APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port
517441-4 3-Major   apd may crash when RADIUS accounting message is greater than 2K
516839-7 3-Major   Add client type detection for Microsoft Edge browser
516462-3 3-Major   Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines
515943-1 3-Major   "Session variables" report may show empty if session variable value contains non-English characters
514912-2 3-Major   Portal Access scripts are not inserted into the HTML page in some cases
513969-2 3-Major   UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running
513953-2 3-Major K17122 RADIUS Auth/Acct might fail if server response size is more than 2K
513706-3 3-Major K16958 Incorrect metric restoration on Network Access on disconnect (Windows)
513283 3-Major   Mac Edge Client doesn't send client data if access policy has expired
513165-1 3-Major   SAML Service Provider generated SLO requests do not contain 'SessionIndex' attribute
513098-2 3-Major K17180 localdb_mysql_restore.sh failed with exit code
512345-6 3-Major K17380 Dynamic user record removed from memcache but remains in MySQL
512245 3-Major   Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname
511961-2 3-Major   BIG-IP Edge Client does not display logon page for FirePass
511854-3 3-Major K85408112 Rewriting URLs at client side does not rewrite multi-line URLs
511648-3 3-Major K16959 On standby TMM can core when active system sends leasepool HA commands to standby device
511441-2 3-Major K17564 Memory leak on request Cookie header longer than 1024 bytes
510709-3 3-Major   Websso start URI match fails if there are more than 2 start URIs in SSO configuration.
507116-3 3-Major K17030 Web-application issues and/or unexpected exceptions.
505755-4 3-Major K11043155 Some scripts on dynamically loaded html page could be not executed.
500938-4 3-Major   Network Access can be interrupted if second NIC is disconnected
500450-2 3-Major   ASM and APM on same virtual server caused Set-Cookie header modification done by ASM not honored by APM websso.
498782-5 3-Major K17104 Config snapshots are deleted when failover happens
495702-3 3-Major K40419383 Mac Edge Client cannot be downloaded sometimes from management UI
495336-5 3-Major K39768154 Logon page is not displayed correctly when 'force password change' is on for local users.
494565-3 3-Major K65181614 CSS patcher crashes when a quoted value consists of spaces only
494189-3 3-Major   Poor performance in clipboard channel when copying
493006 3-Major   Export of huge policies might end up with 'too many pipes opened' error
492701-2 3-Major   Resolved LSOs are overwritten by source device in new Policy Sync with new LSO
492305-2 3-Major   Recurring file checker doesn't interrupt session if client machine has missing file
490830-3 3-Major   Protected Workspace is not supported on Windows 10
488105-2 3-Major   TMM may generate core during certain config change.
483792-6 3-Major   When iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources
483286-2 3-Major   APM MySQL database full as log_session_details table keeps growing
482699-2 3-Major   VPE displaying "Uncaught TypeError"
482269-2 3-Major   APM support for Windows 10 out-of-the-box detection
482251-2 3-Major K95824957 Portal Access. Location.href(url) support.
480761-2 3-Major   Fixed issue causing TunnelServer to crash during reconnect
479451-2 3-Major K16737 Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth
478492-5 3-Major K17476 Incorrect handling of HTML entities in attribute values
478333-4 3-Major   Edge Client shows an error about corrupted config file when the user's profile and temp folders are located on different partitions
474779-2 3-Major   EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.
474698-5 3-Major   BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions.
473255-2 3-Major K41869058 JavaScript submit() method could be rewritten incorrectly inside of 'with' statement.
472256-4 3-Major K17259 tmsh and tmctl report unusually high counter values
472062-2 3-Major K17480 Unmangled requests when form.submit with arguments is called in the page
471117-3 3-Major K17546 iframe with JavaScript in 'src' attribute not handled correctly in IE11
468441-2 3-Major   OWA2013 may work incorrectly via Portal Access in IE10/11
468433-2 3-Major K16860 OWA2013 may work incorrectly via Portal Access in IE10/11
468137-12 3-Major   Network Access logs missing session ID
466745-2 3-Major   Cannot set the value of a session variable with a leading hyphen.
457902-5 3-Major   No EAM- log stacktrace in /var/log/apm on EAM crash event.
457760-6 3-Major   EAM not redirecting stdout/stderr from standard libraries to /var/log/apm
457603-3 3-Major K25117932 Cookies handling issue with Safari on iOS6, iOS7
457525-3 3-Major K17359 When DNS resolution for AppTunnel resource fails, the resource is removed
454086-4 3-Major K15832 Portal Access issues with Firefox version 26.0.0 or later
452527-2 3-Major K17178 Machine Certificate Checker Agent always works in "Match Subject CN to FQDN" mode
442528-5 3-Major   Demangle filter crash
440841-4 3-Major   sso and apm split tunnelling log message is at notice level
438969-2 3-Major   HTML5 VMware View Client does not work with APM when Virtual Server is on non-default route domain
437744-7 3-Major K15186 SAML SP service metadata exported from APM may fail to import.
425882-4 3-Major   Windows EdgeClient's configuration file could be corrupted on system reboot/sleep
424936-1 3-Major   apm_mobile_ppc.css has duplicate 1st line
423282-7 3-Major K17116 BIG-IP JavaScript includes can be improperly injected in case of conditional comment presence
420512-1 3-Major   All Messages report does not display any data when the Log Levels are selected to filter data based on Log levels
416115-13 3-Major   Edge client continues to use old IP address even when server IP address changed
408851-3 3-Major   Some Java applications do not work through BIG-IP server
402793-13 3-Major   APM Network Access tunnel slows down and loses data in secure renegotiation on Linux and Mac clients
532394-1 4-Minor   Client to log value of "SearchList" registry key.
524756-1 4-Minor   APM Log is filled with errors about failing to add/delete session entry
517872-2 4-Minor   Include proxy hostname in logs in case of name resolution failure
513201-5 4-Minor   Edge client is missing localization of some English text in Japanese locale
510596-5 4-Minor   Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty
510459-2 4-Minor   In some cases Access does not redirect client requests
507321-2 4-Minor   JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields
504461-3 4-Minor   Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it.
497627-2 4-Minor K58125050 Tmm cores while using APM network access and no leasepool is created on the BIG-IP system.
482145-4 4-Minor   Text in buttons not centered correctly for higher DPI settings
464547-5 4-Minor   Show proper error message when VMware View client sends invalid credentials to APM
454784-2 4-Minor   In VPE, %xx symbols such as those in the variable assign agent might be invalidly decoded.


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
514785-3 1-Blocking   TMM crash when processing AAM-optimized video URLs
522231-2 3-Major   TMM may crash when a client resets a connection
521455-5 3-Major K16963 Images transcoded to WebP format delivered to Edge browser
511534-2 3-Major K44288136 A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load,
476460-4 3-Major   WAM Range HTTP header limited to 8 ranges
421791-4 3-Major K15559 Out of Memory Error


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
461216-2 2-Critical   Cannot rename some files using CIFS optimization of the BIG-IP system.
497389-2 3-Major   Extraneous dedup_admin core
457568-1 3-Major K16966 Loading of configuration fails intermittently due to WOC Plug-in-related issues.


Service Provider Fixes

ID Number Severity Solution Article(s) Description
521556-2 2-Critical   Assertion "valid pcb" in TCP4 with ICAP adaptation
516057-5 2-Critical   Assertion 'valid proxy' can occur after a configuration change with active IVS flows.
512054-4 3-Major K17135 CGNAT SIP ALG - RTP connection not created after INVITE
511326-3 3-Major K24410405 SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation.
499701-6 3-Major   SIP Filter drops UDP flow when ingressq len limit is reached.
480311-4 3-Major K47143123 ADAPT should be able to work with OneConnect
448493-11 3-Major   SIP response from the server to the client get dropped


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
524748 2-Critical   PCCD optimization for IP address range
468688-1 2-Critical   Initial sync fails for upgraded pair (11.5.x to 11.6)
530865-1 3-Major   AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)
523465-1 3-Major   Log an error message when firewall rule serialization fails due to maximum blob limit being hit.
515187 3-Major   Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules.
515112-2 3-Major   Delayed ehash initialization causes crash when memory is fragmented.
513565-3 3-Major   AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept.
509919-1 3-Major   Incorrect counter for SelfIP traffic on cluster
497671 3-Major   iApp GUI: Unable to add FW Policy/Rule to context via iApp
485880-3 3-Major   Unable to apply ASM policy with forwarding CPM policy via GUI, generic error
459024-1 3-Major   Error L4 packets encounter configured whitelist entries that do not match the protocol
533808-2 4-Minor   Unable to create new rule for virtual server if order is set to "before"/"after"
533336-1 4-Minor   Display 'description' for port list members
510226-1 4-Minor   All descriptions for ports-list's members are flushed after the port-list was updated
495432-1 5-Cosmetic   Add new log messages for AFM rule message load/activation in datapath.


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
491771-1 2-Critical   Parking command called from inside catch statement
450779-1 2-Critical   PEM source or destination flow filter attempts match against both source and destination IPs of a flow
439249-1 2-Critical   PEM: Initial quota request in the rating group request is not as configured.
526295-4 3-Major   BIG-IP crashes in debug mode when using PEM iRule to create session with calling-station-id and called-station-id
511064-2 3-Major K17108 Repeated install/uninstall of policy with usage monitoring stops after second time
495913-3 3-Major   TMM core with CCA-I policy received with uninstall
478399-6 3-Major   PEM subscriber sessions are created without PEM licensed, if "radiusLB-subscriber-aware" profile is configured.
464273-1 3-Major   PEM: CCR-I for the Gx session has only one subscriber ID type even if session created has more than one type
438608-1 3-Major   PEM: CCR-U triggered during Gy session may not have Request Service Unit (RSU)
438092-2 3-Major   PEM: CCR-U triggered by RAR during Gy session will not have Requested Service Unit (RSU)
449643-2 4-Minor   Error message 'Gx uninit failed!' and 'Gy unint failed!' received during boot of the system


Device Management Fixes

ID Number Severity Solution Article(s) Description
525595-1 1-Blocking K38134424 Memory leak of inbound sockets in restjavad.
509273-3 2-Critical   hostagentd consumes memory over time
509120-1 2-Critical   BIG-IQ 4.5.0 cannot discover version pre-11.5.4 BIG-IP versions due to /tmp removal



Cumulative fixes from BIG-IP v11.5.3 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
511651-2 CVE-2015-5058 K17047 CVE-2015-5058: Performance improvement in packet processing.


Functional Change Fixes

None



Cumulative fixes from BIG-IP v11.5.3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
513034-2 CVE-2015-4638 K17155 TMM may crash if Fast L4 virtual server has fragmented packets
492368-10 CVE-2014-8602 K15931 Unbound vulnerability CVE-2014-8602
489323-6 CVE-2015-8098 K43552605 Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server.
507842-4 CVE-2015-1349 K16356 Patch for BIND Vulnerability CVE-2015-1349
500088-10 CVE-2014-3571 K16123 OpenSSL Vulnerability (January 2015) - OpenSSL 1.0.1l update
497719-12 CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 K15934 NTP vulnerability CVE-2014-9293, NTP vulnerability CVE-2014-9294, NTP vulnerability CVE-2014-9295, and NTP vulnerability CVE-2014-9296
477281-9 CVE-2014-6032 K15605 Improved XML Parsing
441613-8 CVE-2015-8022 K12401251 APM TMUI Vulnerability CVE-2015-8022
447483-7 CVE-2014-3959 K15296 CVE-2014-3959


Functional Change Fixes

ID Number Severity Solution Article(s) Description
500303-11 1-Blocking K17302 Virtual Address status may not be reliably communicated with route daemon
499947-3 2-Critical   Improved performance loading thousands of Virtual Servers
502770-3 3-Major   clientside and serverside command crashes TMM
451433-2 3-Major   HA group combined with other failover (e.g., VLAN Failsafe or Gateway Failsafe)
368824-1 3-Major K24050031 There is no indication that a failed standby cannot go active.


TMOS Fixes

ID Number Severity Solution Article(s) Description
477218-6 1-Blocking   Simultaneous stats query and pool configuration change results in process exit on secondary.
452656-4 1-Blocking   NVGRE tunnel traffic might stall if the sys db variable tm.tcplargereceiveoffload is set to 'enable'
425729-1 1-Blocking   mcpd debug logging hardening
509276-3 2-Critical   VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device
507487-3 2-Critical   ZebOS Route not withdrawn when VAddr/VIP down and no default pool
504496-4 2-Critical   AAA Local User Database may sync across failover groups
501343-2 2-Critical   In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle
484733-5 2-Critical   aws-failover-tgactive.sh doesn't skip network forwarding virtuals
471860-2 2-Critical K16209 Disabling interface keeps DISABLED state even after enabling
467196-4 2-Critical K16015 Log files limited to 24 hours
466266-3 2-Critical   In rare cases, an upgrade (or a restart) can result in an Active/Active state
438674-4 2-Critical K14873 When log filters include tamd, tamd process may leak descriptors
430323-3 2-Critical   VXLAN daemon may restart when 8000 VXLAN tunnels are configured
412160-4 2-Critical K90882247 vCMP provisioning may cause continual tmm crash.
394236-4 2-Critical   MCP unexpectedly exits, "failure has occurred, There is no active database transaction, status: 0 -
514450-2 3-Major   VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs.
513294-1 3-Major   LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances
512485-2 3-Major   Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding
503604-2 3-Major   Tmm core when switching from interface tunnel to policy based tunnel
501953-1 3-Major   HA failsafe triggering on standby device does not clear next active for that device.
501371-2 3-Major K39672730 mcpd sometimes exits while doing a file sync operation
500234-3 3-Major   TMM may core during failover due to invalid memory access in IPsec components
495526-2 3-Major   IPsec tunnel interface causes TMM core at times
494367-4 3-Major   HSB lockup after HiGig MAC reset
491791-2 3-Major   GET on non-existent pool members does not show error
489750-2 3-Major K16696 Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config
488374-3 3-Major K17019 Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation
484706-7 3-Major K16460 Incremental sync of iApp changes may fail
477789-2 3-Major   SSL Certificate can accommodate & (ampersand) in the Common Name, Organization Name, Division and SAN.
468235-3 3-Major   The worldwide City database (City2) does not contain all of the appropriate Proxy strings.
456573-5 3-Major   Sensor read faults with DC power supply
453489-3 3-Major   userauth_hostbased mismatch: warnings from VIPRION for localhost or slotN
439343-9 3-Major   Client certificate SSL authentication unable to bind to LDAP server
420204-2 3-Major   FIPS key deletion by-handle does not post an error if corresponding key object exists but the keyname is more than 32 characters long
509063-1 4-Minor K17015 Creating or loading guest on cluster with empty slot 1 can result in error
493223-2 4-Minor   syscalld core dumps now keep more debugging information
441642-4 4-Minor K16107 /etc/monitors/monitors_logrotate.conf contains an error
437637-2 4-Minor   Sensor critical alarm: Main board +0.9V_CN35XX
492422-3 5-Cosmetic K24508323 HTTP request logging reports incorrect response code
456263 5-Cosmetic   Platform marketing name for B4300 is incorrectly shown as A108
440605-4 5-Cosmetic   Unknown BigDB variable type 'port_list'


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
445329-2 1-Blocking K17273 DNS cache resolver connections can be slow to terminate
507611-1 2-Critical K17151 On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.
506304-3 2-Critical   UDP connections may stall if initialization fails
505222-3 2-Critical   DTLS drops egress packets when traffic is sufficiently heavy.
504225-1 2-Critical   Virtual creation with the multicast IPv6 address returns error message
503620-2 2-Critical   ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later
495030-3 2-Critical   Segfault originating from flow_lookup_nexthop.
493558-3 2-Critical K16206 TMM core due to SACK hole value mismatch
486450-5 2-Critical   iApp re-deployment causes mcpd on secondaries to restart
480370-7 2-Critical K17147 Connections to virtual servers with port-preserve property will cause connections to leak in TMM
475460-6 2-Critical K16581 tmm can crash if a client-ssl profile is in use without a CRL
474974-2 2-Critical   Fix ssl_profile nref counter problem.
474388-4 2-Critical K16957 TMM restart, SIGSEGV messages, and core
456853-2 2-Critical   DTLS cannot handle client certificate when client does not send CertVerify message.
511130-2 3-Major   TMM core due to invalid memory access while handling CMP acknowledgement
510720-2 3-Major K81614705 iRule table command resumption can clear the header buffer before the HTTP command completes
510264-2 3-Major   TMM core associated with smtps profile.
508716-3 3-Major   DNS cache resolver drops chunked TCP responses
506702-2 3-Major   TSO can cause rare TMM crash.
506282-5 3-Major K16168 GTM DNSSEC keys generation is not synchronized upon key creation
505964-3 3-Major   Invalid http cookie handling can lead to TMM core
504633-7 3-Major   DTLS should not update 'expected next sequence number' when the record is bad.
504396-3 3-Major   When a virtual's ARP or ICMP is disabled, the wrong mac address is used
504306-7 3-Major   https monitors might fail to re-use SSL sessions.
503979-3 3-Major   High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server.
503741-14 3-Major K16662 DTLS session should not be closed when it receives a bad record.
503118-1 3-Major   clientside and serverside command crashes TMM
502959-3 3-Major   Unable to get response from virtual server after node flapping
502683-6 3-Major   Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on
502174-6 3-Major   DTLS fragments do not work for ClientHello message.
502149-2 3-Major K06334742 Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.'
501690-7 3-Major   TMM crash in RESOLV::lookup for multi-RR TXT record
499950-6 3-Major   In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs
499946-2 3-Major K16801 Nitrox might report bad records on highly fragmented SSL records
499430-6 3-Major K16623 Standby unit might bridge network ingress packets when bridge_in_standby is disabled
499150-2 3-Major K16721 OneConnect does not reuse existing connections in VIP targeting VIP configuration
497742-5 3-Major   Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address
495574-6 3-Major K16111 DB monitor functionality might cause memory issues
495443-3 3-Major K16621 ECDH negotiation failures logged as critical errors.
495253-5 3-Major K16603 TMM may core in low memory situations during SSL egress handling
494322-5 3-Major   The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used
493673-5 3-Major K12352524 DNS record data may have domain names compressed when using iRules
491518-5 3-Major   SSL persistence can prematurely terminate TCP connection
491454-8 3-Major   SSL negotiation may fail when SPDY profile is enabled
490713-5 3-Major   FTP port might occasionally be reused faster than expected
485472-4 3-Major   iRule virtual command allows for protocol mismatch, resulting in crash
485176-5 3-Major K07324064 RADIUS::avp replace command cores TMM when only two arguments are passed to it
484305-5 3-Major K16733 Clientside or serverside command with parking command crashes TMM
483539-6 3-Major   With fastL4, incorrect MSS value might be used if SYN has options without MSS specified
481844-4 3-Major   tmm can crash and/or use the wrong CRL in certain conditions
481216-5 3-Major   Fallback may be attempted incorrectly in an abort after an Early Server Response
478734-4 3-Major   Incorrect 'FIPS import for failed for key' failure when operation actually succeeds
471625-7 3-Major   After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM
471535-6 3-Major   TMM cores via assert during EPSV command
461587-6 3-Major   TCP connection can become stuck if client closes early
456763-2 3-Major   L4 forwarding and TSO can cause rare TMM outages
456413-4 3-Major   Persistence record marked expired though related connection is still active
455840-5 3-Major   EM analytic does not build SSL connection with discovered BIG-IP system
447272-4 3-Major K17288 Chassis with MCPD audit logging enabled will sync updates to device group state
444710-8 3-Major   Out-of-order TCP packets may be dropped
438792-10 3-Major   Node flapping may, in rare cases, lead to inconsistent persistence behavior
435335-6 3-Major K16038 SSL proxy session ID cache does not respect limit set by tmm.proxyssl.cachesize
428163-2 3-Major   Removing a DNS cache from configuration can cause TMM crash
415358-6 3-Major   Remote login shell hardening
384451-8 3-Major   Duplicated cert/keys/chain might cause SIGABRTs and low-memory conditions
498597-8 4-Minor K16761 SSL profile fails to initialize and might cause SSL operation issues
459884-5 4-Minor   Large POST requests are not handled well by APM.
451224-2 4-Minor   IP packets that are fragmented by TMM, the fragments will have their DF bit
436468-2 4-Minor   DNS cache resolver TCP current connection stats not always decremented properly
442647-4 5-Cosmetic K04311130 IP::stats iRule command reports incorrect information past 2**31 bits
435044-4 5-Cosmetic K22006218 Erroneous 'FIPS open failed' error on platforms without FIPS hardware


Performance Fixes

ID Number Severity Solution Article(s) Description
497619-7 3-Major K16183 TMM performance may be impacted when server node is flapping and persist is used


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
479142-8 3-Major K16173 Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD)
475549-2 3-Major   Input handling error in GTM GUI
468519-6 3-Major   BIG-IP DNS configuration load failure from invalid bigip_gtm.conf file.
420440-7 3-Major K14413 Multi-line TXT records truncated by ZoneRunner file import
491554-5 4-Minor K54162409 [big3d] Possible memory leakage for auto-discovery error events.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
464735-1 2-Critical   Errors and unavailable virtual server upon deactivation of ASM policy that is assigned to a non-default rule of L7 policy
509968 3-Major   BD crash when a specific configuration change happens
501612-5 3-Major   Spurious Configuration Synchronizations
485764-4 3-Major K17401 WhiteHat vulnerability assessment tool is configured but integration does not work correctly
482915-7 3-Major K17510 Learning suggestion for the maximum headers check violation appears only for blocked requests
475819-6 3-Major K17325 BD crash when trying to report attack signatures
442157-2 3-Major   Incorrect assignment of ASM policy to virtual server
512687-2 4-Minor   Policy parameter fields minimumValue and maximumValue do not accept decimal values through REST but accept decimal through GUI


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
441214-3 2-Critical K17353 monpd core dumps in case of MySQL crash
497681-3 3-Major   Tuning of Application DoS URL qualification criteria
479334-4 3-Major   monpd/ltm log errors after Hotfix is applied
439514-6 4-Minor   Different time-stamps are translated to the same time (due to DST clock change) and causes database errors


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
488986-13 1-Blocking K16582 Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and edge client.
507782-6 2-Critical   TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data
506235-4 2-Critical   TMM Crash
505101-4 2-Critical   tmm may panic due to accessing uninitialized memory
495901-4 2-Critical   Tunnel Server crash if probed on loopback listener.
494098-9 2-Critical K16857 PAC file download mechanism race condition
493360-4 2-Critical   Fixed possible issue causing Edge Client to crash during reconnect
489328-8 2-Critical   Accessing a BIG-IP virtual server from multiple tabs with long initial URLs before session creation can cause a TMM crash.
484454-7 2-Critical K16669 Users not able to log on after failover
441790 2-Critical   Logd core formed, while executing provisioning run script(mod_combo_7000_12721.py) on 5000 and 7000 series platforms
511893 3-Major   Client connection timeout after clicking Log In to Access Policy Manager on a Chassis
509956-5 3-Major   Improved handling of cookie values inside SWG blocked page.
509758-3 3-Major   EdgeClient shows incorrect warning message about session expiration
508719-7 3-Major K22391125 APM logon page missing title
508630-3 3-Major   The APM client does not clean up DNS search suffixes correctly in some cases
507318-2 3-Major   JS error when sending message from DWA new message form using Chrome
506349-5 3-Major   BIG-IP Edge Client for Mac identified as browser by APM in some cases
504606-6 3-Major   Session check interval now has minimum value
503319-5 3-Major K16901 After network access is established browser sometimes receives truncated proxy.pac file
502441-7 3-Major   Network Access connection might reset for large proxy.pac files.
501498-4 3-Major   APM CTU doesn't pick up logs for Machine Certificate Service
499620-8 3-Major   BIG-IP Edge Client for MAC shows wrong SSL protocol version; does not display the protocol version that was negotiated.
499427-4 3-Major   Windows File Check does not work if the filename starts with an ampersand
498469-8 3-Major   Mac Edge Client fails intermittently with machine certificate inspection
497436-3 3-Major   Mac Edge Client behaves erratically while establishing network access connection
497325-5 3-Major K16643 New users cannot log in to Windows-based systems after installing BIG-IP EDGE client in certain deployment
496817-7 3-Major   Big-IP Edge client for Windows fails to connect to Firepass server if tunnel is established through a proxy
495319-9 3-Major   Connecting to FP with APM edge client is causing corporate network to be inaccessible
495265-6 3-Major   SAML IdP and SP configured in same access profile not supported
494637-6 3-Major K80550446 localdbmgr process in constant restart/core loop
494284-10 3-Major K16624 Mac Edge Client, with primary language of German, shows unneeded text under disconnected status.
494176-1 3-Major   Network access to FP does not work on Yosemite using APM Mac Edge Client.
494088-5 3-Major   APD or APMD should not assert when it can do more by logging error message before exiting.
494008-4 3-Major   tmm crash while initializing the URL filter context for SWG.
493487-5 3-Major K45558362 Function::call() and Function::apply() wrapping does not work as expected
493164-4 3-Major K62553244 flash.net.NetConnection::connect() has an erroneous security check
492238-9 3-Major K16848 When logging out of Office 365 TMM may restart
492153-7 3-Major K17055 Edge clients shuts down the DTLS channel if the state of IP address on the adapter that was used to build the tunnel, changes to deprecated.
491233-9 3-Major K16105 Rare deadlock in CustomDialer component
490844-2 3-Major K50522620 Some controls on a web page might stop working.
490681-5 3-Major K17470 Memcache entry for dynamic user leaks
490675-5 3-Major K16855 User name with leading or trailing spaces creates problems.
489382-8 3-Major   Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert
488892-4 3-Major   JavaRDP client disconnects
486597-7 3-Major   Fixed Network Access renegotiation procedure
486268-7 3-Major   APM logon page missing title
485355-4 3-Major   Click-to-Run version of Office 2013 does not work inside PWS (Protected WorkSpace)
484847-13 3-Major   DTLS cannot be disabled on Edge Client for troubleshooting purposes
484582-3 3-Major   APM Portal Access is inaccessible.
483601-4 3-Major K16895 APM sends a logout Bookmarked Access whitelist URL when session is expired.
480817-4 3-Major   Added options to troubleshoot client by disabling specific features
480242-7 3-Major   APD, APMD, MCPD communication error failure now reported with error code
477898-2 3-Major   Some strings on BIG-IP APM EDGE Client User Interface were not localized
477795-4 3-Major   SSL profile passphrase may be displayed in clear text on the Dashboard
476038-9 3-Major   Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name
476032-6 3-Major   BIG-IP Edge Client may hang for some time when disconnecting from Firepass server
475735-2 3-Major K30145457 Failed to load config after removing peer from sync-only group
475505-8 3-Major   Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system.
474582-2 3-Major   Add timestamps to logstatd logs for Policy Sync
473386-13 3-Major K17540 Improved Machine Certificate Checker matching criteria for FQDN case
473129-6 3-Major K15943 httpd_apm access_log remains empty after log rotation
470205-4 3-Major   /config/.../policy_sync_d Directory Is 100% Full
469824-9 3-Major   Mac Edge client on Mac mini receives settings for iOS Edge Client
468395-2 3-Major K63044556 IPv4 Allocation failure ... is out of addresses
458770-4 3-Major   [Mac][Edge] Edge client doesn't handle ending redirects to the same box if second access policy assumes interaction
456608-5 3-Major   Direct links for frame content, with 'Frame.src = url'
453455-9 3-Major   Added support of SAML Single Logout to Edgeclient.
452464-6 3-Major K28271912 iClient does not handle multiple messages in one payload.
452416-6 3-Major   tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values
452010-4 3-Major K16609 RADIUS Authentication fails when username or password contain non-ASCII characters
442698-9 3-Major   APD Active Directory module memory leak in exception
437743-8 3-Major   Import of Access Profile config that contains ssl-cert is failing
436201-15 3-Major   JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11
432900-12 3-Major   APM configurations can fail to load on newly-installed systems
431149-8 3-Major K17217 APM config snapshot disappears and users see "Access Policy configuration has changed on gateway"
428387-9 3-Major   SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",')
403991-9 3-Major   Proxy.pac file larger than 32 KB is not supported
489364-6 4-Minor   Now web VPN client correctly minimizes IE window to tray
482134-6 4-Minor   APD and APMD cores during shutdown.
465012-5 4-Minor   Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access
464992-8 4-Minor   Mac Edge fails to pass machine certificate inspection if domain component is included in search criteria
461597-10 4-Minor   MAC edge client doesn't follow HTTP 302 redirect if new site has untrusted self-signed certificate
461560-6 4-Minor   Edge client CTU report does not contain interface MTU value
460427-6 3-Major   Address collision reported when the Primary blade goes down or its TMM crashes in a Chassis IntraCluster environment.
451118-8 4-Minor   Fixed mistakes in French localization
449525-1 4-Minor   apd and apmd constantly restarting
432423-8 4-Minor   Need proactive alerts for APM license usage
493385-9 5-Cosmetic   BIG-IP Edge Client uses generic icon set even if F5 icon set is configured
486344-4 5-Cosmetic   French translation does not properly fit buttons in BIG-IP Edge client on Windows


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
486346-2 2-Critical   Prevent wamd shutdown cores
488917-1 4-Minor   Potentially confusing wamd shutdown error messages


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
485182-4 3-Major K19303084 wom_verify_config does not recognize iSession profile in /Common sub-partition


Service Provider Fixes

ID Number Severity Solution Article(s) Description
503676-5 2-Critical   SIP REFER, INFO, and UPDATE request do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events
500365-5 2-Critical   TMM Core as SIP hudnode leaks
482436-9 2-Critical K16973 BIG-IP processing of invalid SIP request may result in high CPU utilization
466761-5 2-Critical   Heartbeat, UDP packet with only double CRLF, on existing SIP flow results in connection loss.
455006-6 2-Critical K50532341 Invalid data is merged with next valid SIP message causing SIP connection failures
507143-2 3-Major K17071 Diameter filter may process HUDCTL_ABORT message before processing previously queued events leading to tmm assertion
472092-6 3-Major   ICAP loses payload at start of request in response to long execution time of iRule
464116-5 3-Major   HTTP responses are not cached when response-adapt is applied


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
512609-2 2-Critical   Firewall rules specifying wildcard IPv6 addresses match IPv4 addresses
478470 4-Minor   AFM Online Help updated: DoS Detection Threshold Percentage


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
484278-3 2-Critical K16734 BIG-IP crash when processing packet and running iRule at the same time


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
493807-4 2-Critical K15989 TMM might crash when using PPTP with profile logging enabled
487660-1 3-Major K16268 LSN translation failures when persistence is enabled, cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN and using a small port range


Device Management Fixes

ID Number Severity Solution Article(s) Description
462827-8 1-Blocking K16634 Headers starting with X-F5 may cause problems if not X-F5-REST-Coordination-Id
463380-4 3-Major K16693 URIs with space characters may not work properly in ODATA query



Cumulative fixes from BIG-IP v11.5.2 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
496849-2 CVE-2014-9326 K16090 F5 website update retrievals vulnerability
477274-12 CVE-2014-6031 K16196 Buffer Overflow in MCPQ
496845-2 CVE-2014-9342 K15933 NTP vulnerability CVE-2014-9296
477278-11 CVE-2014-6032 K15605 XML Entity Injection vulnerabilities CVE-2014-6032 and CVE-2014-6033
468345-2 CVE-2015-1050 K16081 Blocking page with harmful JavaScript can be run by system administrator


Functional Change Fixes

ID Number Severity Solution Article(s) Description
382157-2 3-Major K17163 Stats presented by the MIB sysVlanStatTable do not match sflow vlan stats


TMOS Fixes

ID Number Severity Solution Article(s) Description
498704-1 2-Critical   Module provisioning doesn't properly account for disk space
487567-3 2-Critical   Addition of a DoS Profile Along with a Required Profile May Fail
472202-2 2-Critical   Potential false positive report of DMA RX lockup failure
507461-2 3-Major   Net cos config may not persist on HA unit following staggered restart of both HA pairs.
504572-3 3-Major K30038035 PVA accelerated 3WHS packets are sent in wrong hardware COS queue


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
509310-1 2-Critical   Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances
498005-1 2-Critical   The HTTP:payload command could cause the TMM to crash if invoked in a non-HTTP event
506290-3 3-Major   MPI redirected traffic should be sent to HSB ring1
505452-1 3-Major   New db variable to control packet priority for TMM generated packets
505056-3 3-Major   BIG-IP system might send an egress packet with a priority different from that of ingress packet on the same flow.
496588-2 3-Major   HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash


Performance Fixes

ID Number Severity Solution Article(s) Description
489259-2 2-Critical   [AFM] packets from good ip's are being dropped by DoS Sweep & Flood logic
496998-2 3-Major   Update offenders more aggressively. Increase batch size for Dwbld processing.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
510287 1-Blocking   Create ASM security policy by BIG-IQ
509663 1-Blocking   ASM restarts periodically with errors in asm_config_server.log: ASM Config server died unexpectedly
508908-2 2-Critical   Enforcer crash
507919-2 2-Critical   Updating ASM through iControl REST does not affect CMI sync state
504182-2 2-Critical   Enforcer cores after upgrade upon the first request
498361 2-Critical   Manage ASM security policies from BIG-IQ
493401-3 2-Critical   Concurrent REST calls on a single endpoint may fail
489705-3 2-Critical K16245 Running out of memory while parsing large XML SOAP requests
481476-10 2-Critical   MySQL performance
468387-2 2-Critical   Enforcer core related to specific error condition in the session db
511477 3-Major   Manage ASM security policies from BIG-IQ
511029 3-Major   "selfLink" for ASM Policy was incorrect for iControl REST
510818 3-Major   Manage ASM security policies from BIG-IQ
508519-1 3-Major   Performance of Policy List screen
508338-2 3-Major   Under rare conditions cookies are enforced as base64 instead of clear text
507905-1 3-Major   Saving Policy History during UCS load causes db deadlock/timeout
507289-1 3-Major   User interface performance of Web Application Security Editor users
506386-1 3-Major   Automatic ASM sync group remains stuck in init state when configured from tmsh
506355-2 3-Major   Importing an XML file without defined entity sections
505624-2 3-Major   Remote logger will continue to get DoS L7 messages after it was removed from the virtual server configuration
504973-2 3-Major   Configuring a route domain with a 32 bit subnet mask saves a 128 bit mask instead
497769-2 3-Major   Policy Export: BIG-IP does not export redirect URL for 'Login Response Page'
496565-2 3-Major   Secondary Blades Request a Sync
496011-2 3-Major K17385 Resets when session awareness enabled
490284-6 3-Major K17383 ASM user interface extremely slow to respond (e.g., longer than 2 minutes to render policy list)
469786-2 3-Major K04393808 Web Scraping Mitigation: Display of request status when configuration includes an ASM iRule
465181-4 3-Major   Unhandled connection error in iprepd causes memory leak in iprepd or merged
510828 5-Cosmetic   Manage ASM security policies from BIG-IQ


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
461715-2 2-Critical   AVR: Collecting geolocation IDs
503471-2 3-Major K17395 Memory leak can occur when there is a compressed response, and abnormal termination of the connection
500034-2 3-Major   [SMTP Configuration] Encrypted password not shown in GUI
489682-4 3-Major K40339022 Configuration upgrade failure due to change in an ASM predefined report name
468874-1 3-Major K17456 Monpd errors appear when AVR loads data to MySQL
467945-4 3-Major   Error messages in AVR monpd log


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
497662-4 1-Blocking   BIG-IP DoS via buffer overflow in rrdstats
431980-2 2-Critical K17310 SWG Reports: Overview and Reports do not show correct data.


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
514651 2-Critical   db variable to disable rate-tracker
514266 2-Critical   Change firewall rules with ip-protocol ICMP and ICMP type 0, code 0 cause pccd crash
513403-3 2-Critical K16490 TMM asserts when certain ICMP packets (e.g., multicast echo) are classified by AFM and match rules at Global and Route Domain context with logging enabled for these rules and also log-translations is enabled in AFM Logging configuration.
510162 2-Critical   potential TMM crash when AFM DoS Sweep & Flood is configured
503541-3 2-Critical   Use 64 bit instead of 10 bit for Rate Tracker library hashing.
501480-2 2-Critical   AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic.
500925-2 2-Critical   Introduce a new sys db variable to control number of merges per second of Rate Tracker library.
498227 2-Critical   Incorrect AFM firewall rule counter update after pktclass-daemon restarts.
497342-2 2-Critical   TMM crash while executing FLOW_INIT event (with multiple commands that abort the connection) in an iRule attached to an AFM firewall rule.
489845-1 2-Critical   Sometimes auto-blacklisting will not function after the provisioning of AFM and APM modules
511406 3-Major K16421 Pagination issue on firewall policy rules page
510224-1 3-Major   All descriptions for address-list members are flushed after the address-list was updated
506452-1 3-Major   Issues with firewall rules configured with a source or destination IPv6 address whose most significant bit is 1
504384-3 3-Major   ICMP attack thresholds
503085-2 3-Major   Make the RateTracker threshold a constant
502414-3 3-Major   Make the RateTracker tier3 initialization number less variant.
501986-2 3-Major   Add a sys db tunable to make Sweep and Flood vectors be rate-limited per-TMM process
500640-2 3-Major K21264026 TMM core might occur if FLOW_INIT iRule attached to Virtual server
497732 3-Major   Enabling specific logging may trigger other unrelated events to be logged.
497667 3-Major   Configuring ICMPv4/ICMPv6 ip-protocol in mgmt port ACL Rules generates an error
497263-2 3-Major   Global whitelist count exhausted prematurely
496278 3-Major K16294 Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name
495928-4 3-Major   APM RDP connection gets dropped on AFM firewall policy change
495698 3-Major   iRule can be deleted even though it exists in a rule-list
495390-2 3-Major   An error occurs on Active Rules page after attempting to reorder Rules in a Policy
485771-2 3-Major   TMM crashes while executing multiple FLOW_INIT events and one of the event triggers an abort.
469297-2 3-Major   Address list summary page does not display the description for individual address list entries.
465229-1 3-Major   Fix for Policy Rule Names Displaying Distorted in Rare Conditions
464972-2 3-Major   Wrong parsing of Country Code (Geo) from address region list if Country name contains parentheses.
464966-1 3-Major   Active Rule page may display incorrectly if showing multiple rules and at least one rule list
464762-1 3-Major   Rule lists may not display schedules for rules that have them
464222-1 3-Major   Policy Rule Missing from TMSH Overlapping Status Output
458810-1 3-Major   Time field may not display correctly in log search function
445984-1 3-Major   Wrong overlapping status is shown if there are firewall rules with source or destination port range that begins with "1"
438773-1 3-Major   Network Firewall event logs page pops up date/time picker automatically during drag-and-drop
506470 4-Minor   Reduce pccd OOM probability with port expansion change
497311-1 4-Minor   Can't add an ICMPv6 type and code to a FW rule.
473589-1 4-Minor   Error at attempt to add GeoIP with parentheses.

 

Cumulative fix details for BIG-IP v11.5.10 that are included in this release

810557-7 : ASM ConfigSync Hardening

Solution Article: K05123525


807477-7 : ConfigSync Hardening

Solution Article: K04280042


799617-7 : ConfigSync Hardening

Solution Article: K05123525


799589-7 : ConfigSync Hardening

Solution Article: K05123525


797885-8 : ConfigSync Hardening

Solution Article: K05123525


796469-8 : ConfigSync Hardening

Solution Article: K05123525


794413-7 : BIND vulnerability CVE-2019-6471

Solution Article: K10092301


757027-6 : BIND Update

Solution Article: K01713115


757026-6 : BIND Update

Component: TMOS

Symptoms:
Upgrade BIND to 9.11.5-P4 per recommendation from ISC

Conditions:
GTM provisioned.

Impact:
BIND not up-to-date

Workaround:
None.

Fix:
Upgrade to BIND 9.11.5-P4


757025-6 : BIND Update

Solution Article: K00040234


756774-1 : Aborted DNS queries to a cache may cause a TMM crash

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash if an attempt is made to send a response to a TCP connection that has already been torn down.

Conditions:
TCP connections that are aborted before receiving a RESPONSE from a cache.

Impact:
Loss of service until TMM is restarted. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Aborted DNS queries to a cache no longer cause a TMM crash.


756270-5 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle

Component: Local Traffic Manager

Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.

Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.

Impact:
Handshake failure.

Workaround:
None.

Fix:
This has been fixed to check for the issuer among all certificates that have the same subject name as the CRL issuer.


753796-5 : SNMP does not follow best security practices

Solution Article: K40443301


750488-1 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.

Conditions:
Queries that carry an EDNS0 OPT record are sent to DNS Cache, and the responses do not contain the RFC-required EDNS0 record.

Impact:
Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
Corrected EDNS OPT record handling in DNS Cache.

Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:

example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa

These types of responses are expected when running the validation tool against DNS Cache.


750484-1 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache drops a DNS query that contains an EDNS OPT Record that it does not understand.

Conditions:
If a client (such as a DNS Flag Day compliance tool) or upstream DNS Server sends an invalid EDNS OPT record.

Impact:
DNS Cache drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
When a query with an invalid EDNS OPT version is received by DNS Cache, the system now sends a response with the BADVERS error code, as stipulated by the RFC.

Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:

example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa

These types of responses are expected when running the validation tool against DNS Cache.


750472-1 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express drops a DNS query that contains an EDNS OPT Record that it does not understand.

Conditions:
If a client (such as a DNS Flag Day compliance tool) or upstream DNS Server sends an invalid EDNS OPT record.

Impact:
DNS Express drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
When a query with an invalid EDNS OPT version is received by DNS Express, the system now sends a response with the BADVERS error code, as stipulated by the RFC.

Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:

example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok


750460-6 : Subscriber management configuration GUI

Solution Article: K61002104


750457-1 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.

Conditions:
Queries to DNS Express containing an EDNS0 record it does not understand.

Impact:
DNS Express responses might not contain the RFC-required EDNS0 record. Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
Corrected EDNS OPT record handling in DNS Express.

Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:

example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok


749879-5 : Possible interruption while processing VPN traffic

Solution Article: K47527163


749774-6 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled

Component: Global Traffic Manager (DNS)

Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.

Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.

Impact:
Inconsistent behavior.

Workaround:
None.

Fix:
In this release, responses are now consistent when caching is enabled.


749675-6 : DNS cache resolver may return a malformed truncated response with multiple OPT records

Component: Global Traffic Manager (DNS)

Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.

Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).

Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.

Workaround:
A second query will return the cached record, which will only have one OPT record.

Fix:
DNS cache resolver now returns the correct response under these conditions.
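
As an added example (not F5 code and not BIG-IP behaviour), a small stdlib-only DNS wire-format parser that applies the EDNS rules behind 750484/750472 (an unsupported OPT version must be answered with BADVERS), 750457/750488 (a query that carries an OPT record must be answered with exactly one OPT record) and 749675 (a second OPT record makes the message malformed). The query and the replies are constructed inline; the sample name example1.com. is the one the page's tester output uses.

```python
import struct

OPT_TYPE = 41        # EDNS(0) OPT pseudo-RR type (RFC 6891)
RCODE_BADVERS = 16   # extended RCODE for an unsupported EDNS version


def _skip_name(msg, off):
    """Return the offset just past the wire-format name at 'off' (handles compression pointers)."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2           # a pointer is 2 bytes and terminates the name
        off += 1 + length


def parse_message(msg):
    """Parse the header, find the end of the question section and collect every OPT record."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    question_end = off
    opts = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == OPT_TYPE:
            # OPT reuses CLASS as the UDP payload size and packs ext-RCODE/version/flags into TTL
            opts.append({"udp_size": rclass, "ext_rcode": ttl >> 24,
                         "version": (ttl >> 16) & 0xFF, "flags": ttl & 0xFFFF, "rdata": rdata})
    return {"id": msg_id, "flags": flags, "rcode": flags & 0xF,
            "question_end": question_end, "opts": opts}


def extended_rcode(parsed):
    """Full 12-bit RCODE: the OPT extended bits (high) combined with the 4 header bits (low)."""
    high = parsed["opts"][0]["ext_rcode"] if parsed["opts"] else 0
    return (high << 4) | parsed["rcode"]


def _opt_record(version=0, ext_rcode=0, udp_size=4096):
    """Wire-format OPT RR: root owner name, TYPE 41, CLASS = UDP size, packed TTL, empty RDATA."""
    ttl = (ext_rcode << 24) | (version << 16)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)


def build_query(qname, edns_version=0, with_opt=True):
    """Constructed sample query (type A, class IN, RD set); not captured traffic."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if with_opt else 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)
    return header + question + (_opt_record(edns_version) if with_opt else b"")


def classify_query(query):
    """What an EDNS-aware responder must do with a query (RFC 6891 sections 6.1.1, 6.1.3 and 7)."""
    q = parse_message(query)
    if not q["opts"]:
        return "answer-without-opt"     # non-EDNS client: the reply must not carry an OPT
    if len(q["opts"]) > 1:
        return "formerr"                # more than one OPT in a message is a format error
    if q["opts"][0]["version"] != 0:
        return "badvers"                # the case fixed by 750484 / 750472
    return "answer-with-opt"


def build_response(query, rcode=0, opt_count=1, truncated=False):
    """Minimal reply that echoes the question, has no answer RRs and 'opt_count' OPT records.
    rcode=RCODE_BADVERS yields the RFC 6891 BADVERS reply (header RCODE 0, OPT ext-RCODE 1)."""
    q = parse_message(query)
    flags = 0x8000 | (q["flags"] & 0x0100) | (0x0200 if truncated else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, opt_count)
    opts = b"".join(_opt_record(ext_rcode=rcode >> 4) for _ in range(opt_count))
    return header + query[12:q["question_end"]] + opts


def check_response(query, response):
    """List the EDNS compliance problems a DNS Flag Day style checker would report for 'response'."""
    q, r = parse_message(query), parse_message(response)
    problems = []
    if len(r["opts"]) > 1:
        problems.append("multiple OPT records: malformed, clients drop it (749675)")
    if q["opts"] and not r["opts"]:
        problems.append("EDNS query answered without an OPT record (750457 / 750488)")
    if not q["opts"] and r["opts"]:
        problems.append("OPT record sent to a non-EDNS client")
    if q["opts"] and q["opts"][0]["version"] != 0 and extended_rcode(r) != RCODE_BADVERS:
        problems.append("unsupported EDNS version not answered with BADVERS (750484 / 750472)")
    return problems
```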


745387-6 : Resource-admin user roles can no longer get bash access

Component: TMOS

Symptoms:
Resource-admin users with bash access may write to system files beyond the scope of their assigned access.

Conditions:
Resource-admin users configured with bash shell access.

Impact:
Resource-admin users with bash access may write to system files causing security risks.

Workaround:
Do not assign bash access for resource-admin users.

Fix:
Resource-admin users are now restricted to tmsh access. If a resource-admin user had bash access in a prior version and upgrades to this version, that user is converted to tmsh access automatically after the upgrade process.

Behavior Change:
Resource-admin roles can no longer have bash shell access. Upon upgrade, resource-admin users with bash access are converted to tmsh shell access.


745358-6 : ASM GUI does not follow best practices

Solution Article: K14812883


745165-6 : Users without Advanced Shell Access are not allowed SFTP access

Solution Article: K38941195


742226-5 : TMSH platform_check utility does not follow best security practices

Solution Article: K11330536


739970-5 : Linux kernel vulnerability: CVE-2018-5390

Solution Article: K95343321


739947-5 : TMM may crash while processing APM traffic

Solution Article: K42465020


739927-6 : Bigd crashes after a specific combination of logging operations

Component: Local Traffic Manager

Symptoms:
Bigd crashes. Bigd core will be generated.

Conditions:
1. Boot the system and set up any monitor.
2. Enable and disable bigd.debug:
-- tmsh modify sys db bigd.debug value enable
-- tmsh modify sys db bigd.debug value disable
3. Enable monitor logging.

Impact:
Bigd crashes.

Workaround:
None.

Fix:
Bigd no longer crashes under these conditions.


739846-6 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection

Component: Global Traffic Manager (DNS)

Symptoms:
When the big3d runs out of memory for iQuery connections, a segmentation fault might occur.

Conditions:
-- Not enough memory to create additional iQuery connections.
-- A new iQuery connection is received.

Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.

Workaround:
None.

Fix:
The big3d process no longer gets a segmentation fault when reaching the limits of the memory footprint while trying to establish iQuery connections.


739094-2 : APM Client Vulnerability: CVE-2018-5546

Solution Article: K54431371


737574-5 : iControl REST input sanitization

Solution Article: K20541896


737441-3 : Disallow hard links to svpn log files

Solution Article: K54431371


726409-1 : Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077

Component: TMOS

Symptoms:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

Conditions:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439

Impact:
Denial of service.

Workaround:
Do not allow login.

Fix:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439


726255-5 : dns_path lingering in memory with last_access 0 causing high memory usage

Component: Global Traffic Manager (DNS)

Symptoms:
dns_path not released after exceeding the inactive path ttl.

Conditions:
1. Multiple TMMs in a sync group.
2. Multiple dns paths per GTM needed for load balancing.

Impact:
High memory usage.

Workaround:
There is no workaround at this time.

Fix:
dns_path memory is now released after the inactive path TTL expires.


726239-1 : interruption of traffic handling as sod daemon restarts TMM

Component: Local Traffic Manager

Symptoms:
When the receiving host in a TCP connection has set its send window to zero (stopping the flow of data), following certain unusual protocol sequences, the logic in the TMM that persists in probing the zero window may enter an endless loop.

Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.

Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This fix handles a rare TMM crash when TCP persist timer is active.


724680-1 : OpenSSL Vulnerability: CVE-2018-0732

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K21665601

Conditions:
For more information see: https://support.f5.com/csp/article/K21665601

Impact:
For more information see: https://support.f5.com/csp/article/K21665601

Workaround:
None.

Fix:
For more information see: https://support.f5.com/csp/article/K21665601


723130-4 : Invalid-certificate warning displayed when deploying BIG-IP VE OVA file

Solution Article: K13996

Component: TMOS

Symptoms:
The OVA signing certificate that signs BIG-IP Virtual Edition (VE) OVA files expired. When deploying a BIG-IP VE from an OVA file, an invalid-certificate warning might be displayed due to the expired OVA signing certificate.

Conditions:
This issue may be encountered during the creation of new instances of BIG-IP VE in clients that check the validity of the OVA signing certificate (e.g., VMware).

Note: Existing BIG-IP VE instances are not subject to this issue.

Impact:
There might be questions about the integrity of the OVA file, and in some cases it might not be possible to deploy a new instance from an OVA file.

Workaround:
None.

Fix:
The expired OVA signing certificate has been replaced with a valid signing certificate.


722677-1 : High-Speed Bridge may lock up

Solution Article: K26455071


722387-5 : TMM may crash when processing APM DTLS traffic

Solution Article: K97241515


721924-5 : bgpd may crash processing extended ASNs

Solution Article: K17264695

Component: TMOS

Symptoms:
Under certain conditions bgpd may crash while processing extended ASNs.

Conditions:
Dynamic routing enabled.
Extended ASN capabilities enabled: bgp extended-asn-cap enabled

Impact:
Dynamic routing disrupted while bgpd restarts.

Fix:
bgpd now processes extended ASNs as expected.


721895-3 : Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)

Component: Global Traffic Manager (DNS)

Symptoms:
big3d advertises a TLSv1.0 version. Even though big3d requires previously exchanged certificates to validate a connection request, the TLSv1.0 advertisement triggers various vulnerability scanners and is flagged.

Conditions:
Running a vulnerability scanner or other SSL test tool.

Impact:
The scanner or tool reports that big3d might potentially accept a TLSv1.0 connection request (which is considered insecure). Vulnerability scanners then flag the BIG-IP system as vulnerable.

Workaround:
Although there is no workaround, because big3d accepts connections only from clients that match the certificates on the BIG-IP system, the risk is minimal.

In addition, you can deploy firewall rules to accept connections on port 4353 only from known BIG-IP systems.

Fix:
This version adds a db variable for big3d, big3d.minimum.tls.version. By default the value is 'TLSv1'. You can also specify TLSV1.1 or TLSV1.2 (the setting is case insensitive).

After changing the DB variable, restart big3d. Change the value on all BIG-IP systems that are subject to scans. This includes GTM as well as LTM configurations.


719554-5 : Linux Kernel Vulnerability: CVE-2018-8897

Solution Article: K17403481


716992-5 : The ASM bd process may crash

Solution Article: K75432956


716922-6 : Reduction in PUSH flags when Nagle Enabled

Component: Local Traffic Manager

Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.

Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.

Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.

Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.

Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.

Note: To take advantage of some of the Nagle benefits, use 'Auto'.

Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.


716391-5 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation

Solution Article: K76031538

Component: TMOS

Symptoms:
vCMP guest with only 2 cores (or 2 cores per blade for multi-blade guests) may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.

Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores (or 2 cores per blade for multi-blade vCMP guests).
-- A module using MySQL is provisioned, for example BIG-IP ASM or BIG-IP Analytics (AVR). These other modules also implicitly provision AVR: ASM, AFM, DOS, APM, PEM, and vCMP.

Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.

Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
 
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.


714181-2 : TMM may crash while processing TCP traffic

Solution Article: K14632915


713951-1 : tmm core files produced by nitrox_diag may be missing data

Component: Local Traffic Manager

Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.

Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.

Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.


711281-1 : nitrox_diag may run out of space on /shared

Component: Local Traffic Manager

Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.

Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.

Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.

Workaround:
The only workaround is to ensure there is enough free space for the files to be created.

In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte, though more might be needed for systems with a large amount of RAM.

Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.


710827-6 : TMUI dashboard daemon stability issue

Solution Article: K44603900


710314-4 : TMM may crash while processing HTML traffic

Solution Article: K94105051


710148-6 : CVE-2017-1000111 & CVE-2017-1000112

Solution Article: K60250153


710028-6 : LTM SQL monitors may stop monitoring if multiple monitors querying same database

Component: Local Traffic Manager

Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.

When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:

[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'

then multiple, periodic instances of the following message, referencing the same connection string:

Abandoning hung SQL query: '<query string>' for: '<connection string>'

or:

<connection string>(<thread-number>): Hung SQL query; abandoning

Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.

And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.

Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.

Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.

To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.

Fix:
LTM SQL monitors continue monitoring when multiple monitors query the same server and database.


708653-5 : TMM may crash while processing TCP traffic

Solution Article: K07550539


708249-6 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit

Component: Local Traffic Manager

Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.

Conditions:
Run the nitrox_diag command.

Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.

Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0

Fix:
The nitrox_diag utility now passes the -s0 flag to qkview when generating QKView files, so there is no longer a 5 MB maximum file size limit, and the full QKView file is created.


707740-1 : Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination

Component: TMOS

Symptoms:
When attempting to delete a GTM monitor, the system indicates that it is in use, even after removing that monitor from all GTM virtual servers. The system posts a message similar to the following:
01070083:3: Monitor /Common/mon-A is in use.

Conditions:
1. Attach a GTM monitor to multiple GTM virtual servers in the same transaction, where both of the virtual servers are monitoring the same ip:port.
2. Remove the monitor from all virtual servers.
3. Attempt to delete the monitor from the configuration.

Impact:
Cannot delete the unused monitor.

Workaround:
After removing the monitor from all virtual servers, reload the GTM configuration using the following command:
tmsh load sys config gtm-only

You can now delete the monitor.

Fix:
You can now delete an unused GTM monitor, if that monitor was attached to multiple GTM virtual servers of the same ip+port combination.


707445-5 : Nitrox 3 compression hangs/unable to recover

Solution Article: K47025244

Component: TMOS

Symptoms:
LTM logs show the following message:

    Nitrox 3, Hang Detected: compression device was reset

When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.

Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.

Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.

Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.

Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.

There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:

A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).

Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.

Fix:
Compression device reset recovery made more robust for some compression failures.


707226-4 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations

Component: TMOS

Symptoms:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.

Impact:
Meltdown/PTI mitigations may negatively impact performance.

Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.

To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:

tmsh modify sys db kernel.pti value disable

Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; but in order to take advantage of this vulnerability, an attacker must already possess the ability to run arbitrary code on the system. Good access controls and keeping your system up-to-date with regard to security fixes will mitigate this risk on non-vCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.


706642-5 : wamd may leak memory during configuration changes and cluster events

Component: WebAccelerator

Symptoms:
wamd memory consumption increases over time.

Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.

Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.

Workaround:
No workaround available.

Fix:
wamd no longer leaks memory during configuration changes and cluster events.


706304-1 : ASU and other Update Check services overload F5 download server

Component: Application Security Manager

Symptoms:
ASM Signature Update (ASU) and other Update Check services may fail due to an overload on the F5 download server.

Conditions:
-- Automatic update attempt is initiated during specified schedule.
-- F5 download server is overloaded by Update attempts.

Impact:
ASU and other Update Check services fail.

Workaround:
To work around this issue, run manual updates instead.

To prevent this issue, change the time of the daily job run. To do so, follow these steps:

1. Open the cron job text file.
   # vi /etc/crontab

2. Change this line as follows:
   From: 02 4 * * * root run-parts /etc/cron.daily
   To: 10 4 * * * root run-parts /etc/cron.daily

3. Save the changes, and quit vi.

This will change the automatic updates to run at 4:10 rather than 4:02.

Fix:
ASU and other Update Check services now stagger download attempts to prevent F5 download server overload.


705476-6 : Appliance Mode does not follow design best practices

Solution Article: K28003839


705112 : DHCP server flows are not re-established after expiration

Component: Local Traffic Manager

Symptoms:
DHCP relay agent does not have server flows connecting to all active DHCP servers after a while.

Conditions:
- More than one DHCP server is configured for a DHCP virtual server.
- Server flows time out after 60 seconds.

Impact:
DHCP server traffic not load balanced.

Workaround:
None.

Fix:
New logic to re-establish server flows is introduced to ensure that the relay agent keeps flows to all DHCP servers.


704490-2 : CVE-2017-5754 (Meltdown)

Solution Article: K91229003


704483-2 : CVE-2017-5753 (Spectre Variant 1)

Solution Article: K91229003


704184-5 : APM MAC Client creates files with owner-only read/write permissions

Solution Article: K52171282


703835-6 : When using SCP into BIG-IP systems, you must specify the target filename

Solution Article: K82814400


702490-6 : Windows Credential Reuse feature may not work

Component: Access Policy Manager

Symptoms:
The Windows Credential Reuse feature may not work, requiring that the EdgeClient end user enter credentials in the EdgeClient login window as well as at the Microsoft Windows logon screen, instead of getting Single Sign-On (SSO).

The logterminal.txt file contains messages similar to the following:

<Date and time>, 1312,1320,, 48, \certinfo.cpp, 926, CCertInfo::IsSignerTrusted(), the file is signed by 3rd party certificate
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1004, CCertInfo::IsSignerTrusted(), EXCEPTION - CertFindCertificateInStore() failed, -2146885628 (0x80092004) Cannot find object or property.
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1009, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 256, IsTrustedClient, EXCEPTION - File signed by untrusted certificate
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 264, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 360, GetCredentials, EXCEPTION - Access Denied - client not trusted

Conditions:
-- Using a specific combination of versions of F5 Credential Manager Service and EdgeClient on Windows systems.
-- The Reuse Credential option is enabled in the Connectivity Profile.

Impact:
The EdgeClient end user must retype credentials in EdgeClient login windows instead of having the login occur without requiring credentials, as SSO supports.

Workaround:
There is no workaround at this time.

Fix:
Previously, in some situations, Windows Credential Reuse did not work, requiring the EdgeClient end user to log in separately. This issue has been fixed.


702472-6 : Appliance Mode Security Hardening

Solution Article: K87659521


701785-5 : Linux kernel vulnerability: CVE-2017-18017

Solution Article: K18352029


699803 : TMM may crash while processing IPv6 traffic

Solution Article: K77671456


699455-1 : SAML export does not follow best practices

Solution Article: K50254952


699452-1 : Web UI does not follow current best coding practices

Solution Article: K29280193


697303-5 : BD crash

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.

Impact:
BD crash, failover, and traffic disturbance.

Workaround:
Turn off the internal parameter relax_unicode_in_json.

Fix:
BD no longer crashes under these conditions.


696265-1 : BD crash

Solution Article: K60985582

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.

Impact:
Potential traffic disturbance and failover.

Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.

Fix:
Fixed a BD crash scenario.


696049-5 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running

Component: Service Provider

Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.

Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.

Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.

Workaround:
None.

Fix:
Request_sequence_numbers are not assigned to response messages until the Tcl event is executed for that message. This avoids assigning the same number to multiple events.


695901-4 : TMM may crash when processing ProxySSL data

Solution Article: K46940010


695878-1 : Signature enforcement issue on specific requests

Component: Application Security Manager

Symptoms:
Request payload does not get enforced by attack signatures on a certain policy configuration with specific traffic.

Conditions:
-- The violation 'Request exceeds max buffer size' is turned off.

-- The request is longer than the max buffer size (i.e., a request is larger than the internal long_request_buffer_size).

Impact:
Attack signatures are not enforced on the payload of this request at all.

Workaround:
Turn on blocking for the 'Request exceeds max buffer size' violation.

Fix:
The system now inspects part of the payload for attack signature enforcement.


694922-1 : ASM Auto-Sync Device Group Does Not Sync

Component: Application Security Manager

Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.

Conditions:
1) ASM sync is enabled on an autosync device group.
2) A new ASM entity is created on a device.

Impact:
ASM configuration is not correctly synchronized between devices.

Workaround:
1) Remove ASM sync from the device group (under Security ›› Options : Application Security : Synchronization : Application Security Synchronization).
2) Restart asm_config_server.pl on both devices and wait until they come back up.
3) Change the device group to a manual sync group.
4) On the device with the good configuration, re-enable ASM sync for the device group.
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic.

Fix:
Devices no longer spuriously enter an untrusted state.


694901 : CVE-2015-8710: Libxml2 Vulnerability

Solution Article: K45439210


693996-1 : MCPD sync errors and restart after multiple modifications to file object in chassis

Solution Article: K42285625

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
Making multiple changes to the same file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.


693810-5 : CVE-2018-5529: APM Linux Client Vulnerability

Solution Article: K52171282


693744-1 : CVE-2018-5531: vCMP vulnerability

Solution Article: K64721111


693739-4 : VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled

Component: Access Policy Manager

Symptoms:
For some Network Access configurations, VPN cannot establish a connection with client systems running macOS High Sierra 10.13.1 using F5 Edge client or Browser helper apps.

Conditions:
The following conditions must be true:
-- The Network Access resource Traffic Options setting is configured for Force all Traffic Through Tunnel.
-- The Network Access resource Allow Local Subnet setting is disabled.
(Both of these options are defaults.)
-- Client running macOS High Sierra 10.13.1.

Impact:
The Edge Client unsuccessfully tries to connect, resulting in a loop. The client cannot establish VPN.

Workaround:
1. Navigate to the Network Access resource.
2. Set the Network Access resource Allow Local Subnet checkbox to Enabled.
3. Save the setting, and apply the Access Policy.

Fix:
Edge Client operation does not go into a reconnect loop and is able to establish and maintain connection successfully on macOS High Sierra 10.13.1.


692941-5 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD

Component: Global Traffic Manager (DNS)

Symptoms:
Changing a wide IP causes gtmd and tmm to core under certain conditions.

Conditions:
-- GTM pool is removed when it is referenced by a persist record.
-- That record is accessed before it is purged.

Impact:
gtmd and/or tmm core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Changing a wide IP no longer causes gtmd and tmm to core when a GTM pool that is referenced by a persist record is removed and that record is accessed before it is purged.


692369-1 : TMM crash caused by SSOv2 form-based SSO with a null config

Component: Access Policy Manager

Symptoms:
Service outage because of tmm restart.

Conditions:
-- SSOv2 client initiated is configured.
-- Sending a small POST request with a small payload (smaller than 4 KB).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
TMM no longer crashes when executing with an invalid client-initiated forms SSO configuration.


691806-5 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state

Solution Article: K61815412

Component: Local Traffic Manager

Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.

Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.

Impact:
The BIG-IP system resets connection with RST.

Workaround:
None.

Fix:
The BIG-IP system now responds with FIN/ACK to early FIN/ACK.


691670-1 : Rare BD crash in a specific scenario

Component: Application Security Manager

Symptoms:
BD crash, or false reporting of signature ID 200023003.

Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).

Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.

Workaround:
Removing attack signature 200023003 from the security policy stops the issue.

Fix:
Fixed a bug in the signatures engine that caused a false positive report of a signature. In some rare cases, this false report could cause a crash.

A newly released attack signature update changes the signature in a way that it no longer causes the issue to happen.


689826-4 : Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)

Solution Article: K95422068

Component: Access Policy Manager

Symptoms:
On a Microsoft Windows 10 system configured for a Unicode language (Japanese, Korean, or Chinese, for example) the client proxy autoconfig file is not assigned in the Microsoft Internet Explorer browser after the VPN connection is established.

Conditions:
- Client proxy settings provided in Network Access settings, or client is configured with proxy prior to establishing VPN tunnel.
- Windows 10 configured for a unicode-language (Japanese/Korean/Chinese/etc.).
- VPN tunnel is established using either a browser or the Edge Client.

Impact:
Proxy settings are not applied on client side after VPN is established.

Workaround:
There are two possible workarounds:
Workaround A
============
-- Change the language to English from Control panel :: Region :: Administrative :: Language for non-Unicode programs :: Change System locale.
 
Workaround B
============
-- Add a variable assign agent in the access policy, after the logon item and before the resource is assigned. To do so, follow this procedure:

 1. Set the custom variable name to the following value:
    config.connectivity_resource_network_access./Common/<network_access_resource_name>.client.ConnectionTrayIcon
    Note: <network access resource name> is the name of the network access resource.

 2. Set the value to be of the type 'custom expression' and populate it with the following value (including the quotation marks):
    return "</ConnectionTrayIcon><connection_name_txt>F5VPN</connection_name_txt><ConnectionTrayIcon>"
    Note: The <connection_name_txt> tag contains the name of the adapter that the client will create.

 3. After making these two changes, apply the access policy. The next time the VPN is established, a new virtual adapter entry will be created with the name provided in <connection_name_txt> tag.

Fix:
Previously, on a Windows 10 system configured for a Unicode language (for example, Japanese, Korean, or Chinese) the client proxy autoconfig file was not assigned with Internet Explorer after the VPN connection was established. This issue has been fixed.


689437-4 : icrd_child cores due to infinite recursion caused by incorrect group name handling

Solution Article: K49554067

Component: TMOS

Symptoms:
Every time the virtual server stats are requested via REST, icrd_child consumes high CPU, grows rapidly toward the 4 GB max process size (32-bit process), and might eventually core.

Conditions:
Virtual server stats are requested via iControl REST with a special string that includes the dotted group names.

Impact:
icrd_child consumes high CPU, grows rapidly, and might eventually core.

Workaround:
Clear the virtual server stats using reset-stats; icrd_child then no longer cores.

Fix:
The icrd_child parsing logic has been updated so that it no longer enters infinite recursion.


688625-4 : PHP Vulnerability CVE-2017-11628

Solution Article: K75543432


688586-1 : DTLS does not retransmit ServerHello message if it is lost

Component: Local Traffic Manager

Symptoms:
DTLS does not retransmit the ServerHello message if it is lost.

Conditions:
The first DTLS ServerHello message is lost.

Impact:
The ServerHello is not retransmitted, and the handshake fails.

Fix:
The ServerHello message is now retransmitted when it is lost.


687193-2 : TMM may leak memory when processing SSL Forward Proxy traffic

Solution Article: K45325728


686305-4 : TMM may crash while processing SSL forward proxy traffic

Solution Article: K64552448


686228-4 : TMM may crash in some circumstances with VLAN failsafe

Solution Article: K23243525

Component: Local Traffic Manager

Symptoms:
TMM may crash when managing traffic in response to the VLAN failsafe traffic-generating mechanisms.

Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered and multiple responses to the generated traffic are received in fast succession.

Impact:
A TMM core file may be produced. Traffic disrupted while tmm restarts.

Workaround:
Relax the timer to the default VLAN failsafe timer setting.

Fix:
TMM no longer crashes in some circumstances with VLAN failsafe.


685615-1 : Incorrect source mac for TCP Reset with vlangroup for host traffic

Solution Article: K24447043

Component: Local Traffic Manager

Symptoms:
BIG-IP outbound host TCP RST packets have incorrect source-mac-address.

Conditions:
BIG-IP host traffic is exiting via VLANs in a VLAN group.

Impact:
TCP Reset for traffic exiting the BIG-IP system with incorrect source-mac-address, which could include monitor traffic.

Workaround:
Use transparent mode on the VLAN group.

Fix:
The source-mac-address for host traffic is now set correctly.


685207-4 : DoS client side challenge does not encode the Referer header.

Component: Application Security Manager

Symptoms:
XSS reflection when DoS client side is enabled as a mitigation, or a proactive bot defense is enabled.

Conditions:
1. Log in to the client IP address and send the ab request.
2. Once the DoS attack starts, send the curl request
hl=en&q=drpdrp'-alert(1)-'drpdrp".
3. The unencoded Referer header is visible.

Impact:
The XSS reflection occurs after triggering the DoS attack.

Workaround:
None.

Fix:
DoS client side challenge now encodes the Referer header.


684937-4 : [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users

Solution Article: K26451305

Component: Access Policy Manager

Symptoms:
APM performance in handling HTTP requests drops gradually when Kerberos SSO is used over a period of time.
The websso process CPU usage is very high during this time. The latency can vary between APM end users.

Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.

Impact:
Increased latency of HTTP request processing.

Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.

Fix:
LRU cache performance no longer drops linearly with the number of cached Kerberos tickets, so the latency of HTTP request processing has been significantly improved.


684879-4 : TMM may crash while processing TLS traffic

Solution Article: K02714910


684319-1 : iRule execution logging

Component: Local Traffic Manager

Symptoms:
iRule execution can block tmm from getting CPU cycles.

Conditions:
When executing iRule Tcl code with, for example, a tight while loop, tmm fails to send its heartbeat. This change adds additional logging around this condition.

Impact:
Logging now identifies the offending iRule.

Workaround:
No workaround.

Fix:
tmm now logs messages like the following when the configurable execution limit is exceeded:

 notice tmm9[20262]: 01010338:5: Virtual /Common/http_respond iRule /Common/responder <HTTP_REQUEST> execution ran for 631 ticks (192.168.24.24:38169 -> 10.209.31.20:80 TCP)
 notice tmm9[20262]: 01010029:5: Clock advanced by 632 ticks
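One way to turn these messages into a detection, added here as an example rather than F5 code: the parser below extracts the 01010338 reports from /var/log/ltm-style lines, aggregates runs above an assumed operator-chosen tick threshold per virtual server, iRule and event, and collects the matching 01010029 clock-advance counts. The sample lines are constructed, modelled on the two messages above; tmm numbers, object names, addresses and tick counts are made up.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample /var/log/ltm lines modelled on the two messages quoted in
# the release note. Hostnames are omitted; tmm numbers, virtual/iRule names,
# addresses and tick counts are made up for illustration.
SAMPLE_LOG = """\
notice tmm9[20262]: 01010338:5: Virtual /Common/http_respond iRule /Common/responder <HTTP_REQUEST> execution ran for 631 ticks (192.168.24.24:38169 -> 10.209.31.20:80 TCP)
notice tmm9[20262]: 01010029:5: Clock advanced by 632 ticks
notice tmm3[20256]: 01010338:5: Virtual /Common/api_vs iRule /Common/json_parse <HTTP_REQUEST_DATA> execution ran for 45 ticks (10.1.1.5:51000 -> 10.2.2.2:443 TCP)
notice tmm9[20262]: 01010338:5: Virtual /Common/http_respond iRule /Common/responder <HTTP_REQUEST> execution ran for 1203 ticks (192.168.24.30:40001 -> 10.209.31.20:80 TCP)
notice tmm9[20262]: 01010029:5: Clock advanced by 1204 ticks
"""

# Message 01010338 is the iRule execution report; 01010029 is the clock-advance
# notice that follows it. The field layout follows the quoted messages.
IRULE_EXEC_RE = re.compile(
    r"tmm(?P<tmm>\d+)\[\d+\]: 01010338:\d+: "
    r"Virtual (?P<virtual>\S+) iRule (?P<irule>\S+) <(?P<event>[A-Z_]+)> "
    r"execution ran for (?P<ticks>\d+) ticks "
    r"\((?P<src>\S+) -> (?P<dst>\S+) (?P<proto>\w+)\)"
)
CLOCK_ADVANCE_RE = re.compile(r"01010029:\d+: Clock advanced by (?P<ticks>\d+) ticks")


@dataclass
class IRuleExecEvent:
    tmm: int
    virtual: str
    irule: str
    event: str
    ticks: int  # relative measure as logged; the note does not define the unit
    src: str
    dst: str
    proto: str


def parse_line(line: str) -> Optional[IRuleExecEvent]:
    """Return the parsed 01010338 event, or None for any other log line."""
    m = IRULE_EXEC_RE.search(line)
    if m is None:
        return None
    return IRuleExecEvent(
        tmm=int(m["tmm"]), virtual=m["virtual"], irule=m["irule"],
        event=m["event"], ticks=int(m["ticks"]),
        src=m["src"], dst=m["dst"], proto=m["proto"],
    )


def parse_log(text: str) -> List[IRuleExecEvent]:
    """Parse every 01010338 line in a block of log text, skipping the rest."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def clock_advances(text: str) -> List[int]:
    """Tick counts from 01010029 messages, i.e. how far tmm's clock jumped."""
    return [int(m["ticks"]) for m in CLOCK_ADVANCE_RE.finditer(text)]


Key = Tuple[str, str, str]  # (virtual, irule, event)


def slow_irules(events: List[IRuleExecEvent], threshold_ticks: int) -> Dict[Key, Dict[str, int]]:
    """Aggregate executions at or above threshold_ticks per (virtual, iRule, event).

    threshold_ticks is an assumed operator-chosen value, not a BIG-IP setting.
    """
    summary: Dict[Key, Dict[str, int]] = defaultdict(
        lambda: {"count": 0, "max_ticks": 0, "total_ticks": 0}
    )
    for ev in events:
        if ev.ticks < threshold_ticks:
            continue
        s = summary[(ev.virtual, ev.irule, ev.event)]
        s["count"] += 1
        s["total_ticks"] += ev.ticks
        s["max_ticks"] = max(s["max_ticks"], ev.ticks)
    return dict(summary)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    ranked = sorted(slow_irules(evs, 500).items(), key=lambda kv: -kv[1]["max_ticks"])
    for (virtual, irule, event), s in ranked:
        print(f"{virtual} {irule} <{event}>: {s['count']} slow run(s), max {s['max_ticks']} ticks")
    print("clock advances:", clock_advances(SAMPLE_LOG))
```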


683241-5 : Improve CSRF token handling

Solution Article: K70517410

Component: Application Security Manager

Symptoms:
Under certain conditions, CSRF token handling does not follow current best practices.

Conditions:
CSRF is configured.

Impact:
CSRF token handling does not follow current best practices.

Workaround:
None.

Fix:
CSRF token handling now follows current best practices.


683113-4 : [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users

Solution Article: K22904904

Component: Access Policy Manager

Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over a period of time.

Websso CPU usage is very high.

The BIG-IP system response rate can drop to the point that clients disconnect after waiting for a response. The system logs error messages similar to the following: Failure occurred when processing the work item.

Conditions:
-- Running APM.
-- A large number of APM end users (~20 KB) have logged on and are using Kerberos SSO.

Impact:
Increased latency of HTTP request processing.

Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.

Fix:
Improvements to the krb5 library have been implemented for better scalability, so the latency of HTTP request processing has been significantly improved.


682682-4 : tmm asserts on a virtual server-to-virtual server connection

Component: Local Traffic Manager

Symptoms:
tmm might crash when using a virtual server-to-virtual server connection, and that connection has a TCP profile with keepalive configured.

Conditions:
-- L7 virtual server-to-virtual server connection (virtual command, CPM rule, etc.).
-- TCP profile with keepalive configured.
-- Deflate (compression) profile.
-- At the beginning of the connection, there is a stall for longer than the specified keepalive timer interval.
-- The received response decompresses to a size that is greater than the advertised window size on the first virtual server's TCP stack.

Impact:
Shortly after the keepalive packet is received and decompressed, the assert is triggered and tmm restarts. Traffic is disrupted while tmm restarts.

Workaround:
Remove keepalive from the TCP profiles of the two virtual servers involved.

Fix:
The system now honors the current receive window size when sending keepalives, so the tmm crash no longer occurs.


681710-6 : Malformed HTTP/2 requests may cause TMM to crash

Solution Article: K10930474


680755-3 : max-request enforcement no longer works outside of OneConnect

Solution Article: K27015502

Component: Local Traffic Manager

Symptoms:
max-request enforcement does not work when OneConnect is not configured.

Conditions:
-- The max-request enforcement option is configured.
-- OneConnect is not configured.

Impact:
max-request enforcement does not work.

Workaround:
Always use OneConnect.

Fix:
max-request enforcement now works when OneConnect is not configured.


679861-4 : Weak Access Restrictions on the AVR Reporting Interface

Component: Application Visibility and Reporting

Symptoms:
The AVR reporting interface does not follow best practices for access restrictions.

Conditions:
AVR provisioned

Impact:
If accessed, the AVR reporting interface may disclose:
 - Client and server IP addresses
 - URIs from client requests
 - Metadata about attacks detected by BIG-IP

Workaround:
Ensure that network access to the management port is restricted and that the Port Lockdown setting for Self-IPs is not set to "Allow All". The default port lockdown of "Allow Default" provides mitigation against access via Self-IP.

Fix:
Stronger access restrictions enforced on the AVR reporting interface.


679603-4 : bd core upon request, when profile has sensitive element configured.

Solution Article: K15460886

Component: Application Security Manager

Symptoms:
bd crash, system goes offline.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- JSON profile configured with a sensitive element.

Impact:
System goes offline/fails over.

Workaround:
Remove sensitive elements from the json profile in the ASM policy.

Fix:
ASM now handles this condition so the crash no longer occurs.


679235-3 : Inspection Host NPAPI Plugin for Safari cannot be installed

Component: Access Policy Manager

Symptoms:
Inspection Host NPAPI Plugin for Safari on macOS High Sierra cannot be installed.

Conditions:
macOS High Sierra, Inspection Host Plugin package installation triggered.

Impact:
Inspection Host plugin cannot be installed; therefore, endpoint checks do not work.

Workaround:
There is no workaround at this time.

Fix:
Previously, the Inspection Host NPAPI Plugin for Safari on macOS High Sierra could not be successfully installed. This plugin can now be successfully installed.


678976-4 : Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.

Solution Article: K24756214

Component: Access Policy Manager

Symptoms:
VDI debug logs print user credentials to /var/log/apm.

Conditions:
VDI debug logs are enabled and VDI functionality is used on the virtual server.

Impact:
User credentials are written to /var/log/apm.

Workaround:
Set VDI debug level to Notice.

Fix:
The system no longer prints user credentials to VDI debug logs.


677525-4 : Translucent VLAN group may use unexpected source MAC address

Component: Local Traffic Manager

Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally unique bit flipped in the source MAC address.

Conditions:
VLAN group in translucent mode.

Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.

Workaround:
No workaround at this time.

Fix:
Translucent VLAN groups no longer send neighbor discovery packets whose source MAC has the locally unique bit flipped.
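The symptom in this entry is a source MAC whose locally administered (U/L) bit, bit 0x02 of the first octet, has been toggled. The following helper is an added example, not BIG-IP code: it shows the bit in question and flags neighbor-discovery records whose source MAC is one of the unit's own MACs with that bit flipped; the MAC addresses and capture records are constructed.

```python
# Added example (not BIG-IP code): detect neighbor-discovery frames whose
# source MAC is a unit's real MAC with the locally administered bit toggled.
from typing import Iterable, List, Tuple

LOCALLY_ADMINISTERED_BIT = 0x02  # U/L bit: bit 1 of the first octet

def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into six bytes, rejecting malformed input."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)

def format_mac(raw: bytes) -> str:
    """Render six bytes as lower-case colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)

def flip_local_bit(mac: str) -> str:
    """Return the MAC with the U/L bit toggled (self-inverse)."""
    raw = bytearray(parse_mac(mac))
    raw[0] ^= LOCALLY_ADMINISTERED_BIT
    return format_mac(raw)

def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit is set in the first octet."""
    return bool(parse_mac(mac)[0] & LOCALLY_ADMINISTERED_BIT)

# Constructed neighbor-discovery records, as a capture tool might summarise
# them: (source MAC, VLAN name, ICMPv6 message type).
SAMPLE_ND = [
    ("00:11:22:33:44:55", "v1542", "neighbor-solicitation"),   # burned-in MAC, expected
    ("02:11:22:33:44:55", "v1542", "neighbor-advertisement"),  # U/L bit flipped: the symptom
    ("00:aa:bb:cc:dd:ee", "v1542", "neighbor-solicitation"),   # unrelated host on the VLAN
]

def find_flipped_source_macs(
    records: Iterable[Tuple[str, str, str]], own_macs: Iterable[str]
) -> List[Tuple[str, str, str]]:
    """Return the records whose source MAC equals one of the unit's own MACs
    with the U/L bit toggled, i.e. the frames this entry describes. Switches
    seeing such frames may learn the wrong MAC on the unit's port."""
    flipped = {flip_local_bit(m) for m in own_macs}
    return [r for r in records if r[0] in flipped]

if __name__ == "__main__":
    for rec in find_flipped_source_macs(SAMPLE_ND, ["00:11:22:33:44:55"]):
        print("flipped source MAC in ND frame:", rec)
```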


677088-6 : BIG-IP tmsh vulnerability CVE-2018-15321

Solution Article: K01067037


676457-1 : TMM may consume excessive resource when processing compressed data

Solution Article: K52167636


676355-4 : DTLS retransmission does not comply with RFC in certain resumed SSL session

Component: Local Traffic Manager

Symptoms:
The DTLS FINISHED message is not retransmitted if it is lost in the Cavium SSL offloading platform. Specifically, it is the CCS plus FINISHED messages that are not retransmitted.

Conditions:
-- In the Cavium SSL offloading platform.
-- DTLS FINISHED Message is lost.

Impact:
When the DTLS FINISHED Message is lost in the Cavium SSL offloading platform, the CCS and FINISHED messages do not get retransmitted.

Workaround:
None.

Fix:
The CCS and FINISHED messages are now saved before the Cavium-encrypted FINISHED message is transmitted and the DTLS retransmit timer is started. When the retransmit timer expires, the CCS plus FINISHED messages are retransmitted.


674486-2 : Expat Vulnerability: CVE-2017-9233

Solution Article: K03244804


674320-4 : Syncing a large number of folders can prevent the configuration from being saved on the peer systems

Solution Article: K11357182

Component: TMOS

Symptoms:
When syncing a large number of folders (more than 56), the configuration on the peer systems fails to save. An error similar to the following appears in the audit log, possibly followed by garbage characters:

 notice tmsh[15819]: 01420002:5: AUDIT - pid=15819 user=root folder=/Common module=(tmos)# status=[Syntax Error: "}" is missing] cmd_data=save / sys config partitions { tf01 tf02 tf03 tf04 tf05 tf06 tf07 tf08 tf09 tf10 tf11 tf12 tf13 tf14 tf15 tf16 tf17 tf18 tf19 tf20 tf21 tf22 tf23 tf24 tf25 tf26 tf27 tf28 tf29 tf30 tf31 tf32 tf33 tf34 tf35 tf36 tf37 tf38 tf39 tf40 tf41 tf42 tf43 tf44 tf45 tf46 tf47 tf48 tf49 tf50 tf51 tf52 tf53 tf54 tf55 tf56 tf57 tf58 tf59

Note: These 'tfnn' folder names are examples. The audit log will contain a list of the actual folder names. (Folders are also called 'partitions'.)

Conditions:
-- System is in a device group.
-- Sync operation occurs on the device group.
-- There are a large number of folders (more than 56).

Impact:
Configuration on peer systems in a device group does not get saved after a sync.

Workaround:
Manually save the configuration on peer systems after a sync.

Fix:
The configuration on peer systems is now saved when a large number of folders are involved in the sync.


674189-5 : iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0

Solution Article: K52320548


674145-5 : chmand error log message missing data

Component: TMOS

Symptoms:
When there is an error with communication between chmand and lopd, a message is logged giving information about the problem. That message is missing data useful to F5 for determining the cause of the communications error.

Messages similar to:
Jul 11 11:10:19 localhost warning chmand[7815]: 012a0004:4: getLopReg: lop response data does not match request, u16DataLen=0xb expected=0xb, u8Length=0x8 expected=0x, u8Page=0x28 expected=0x$, u8Register=0x50 expected=0xP

The expected data values are missing in this message, making it more difficult for F5 engineers to determine what caused the original communications problem.

Conditions:
This issue only occurs when there is some problem with the communication channel between chmand and lopd.

Impact:
Added difficulty for F5 to determine what problem caused the error message to be logged.

Fix:
The expected data values are properly printed in the log message.


673165-3 : CVE-2017-7895: Linux Kernel Vulnerability

Solution Article: K15004519


672988-4 : MCP memory leak when performing incremental ConfigSync

Solution Article: K03433341

Component: TMOS

Symptoms:
MCP leaks memory when performing incremental ConfigSync operations to peers in its device group. The memory leak can be seen by using the tmctl utility to watch the umem_alloc_80 cache over time.

This leak occurs on the device that is sending the configuration.

Conditions:
A device group that has incremental sync enabled. In versions prior to BIG-IP v13.0.0, this is controlled by the 'Full Sync' checkbox. When unchecked, the system attempts to perform incremental sync operations.

Impact:
MCP leaks a small amount of memory during each sync operation, and after an extended period of time, might eventually crash.

Workaround:
None.

Fix:
MCPD no longer leaks when performing incremental ConfigSync operations.


672480-1 : WebSSO plugin process may become unresponsive in rare situations for Kerberos SSO

Component: Access Policy Manager

Symptoms:
HTTP requests that are being processed by Kerberos SSO never leave APM, and connections simply time out.

Conditions:
There is an issue in the MIT krb5 library's calculation of the wait time for responses from the KDC, which can produce a negative value. The poll() syscall treats a negative timeout as an infinite timeout. If at the same time all Kerberos requests to the KDC are dropped (e.g., by a misconfigured firewall), Kerberos SSO never receives the responses and never gives up waiting for them (this is an issue in the library).

Impact:
A deadlock occurs within the Kerberos SSO. Eventually there will be a global deadlock, which causes this particular WebSSO process to be completely unresponsive for Kerberos SSO functionality. APM end users cannot access the backend.

Workaround:
For this issue to have a real impact, there must be a Kerberos request that never receives a response. To eliminate this possibility, make sure there is no firewall blockage, incorrect routing, etc., so that WebSSO always receives a response, even a negative one.

Note: WebSSO no longer uses an infinite timeout when waiting for Kerberos responses. Even if a firewall blocks the Kerberos request, Kerberos SSO does not function, but the WebSSO process no longer becomes globally unresponsive.
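The failure mode above comes down to a remaining-time calculation that can go negative and a poll() call that reads any negative timeout as "wait forever". The following is an added example, not MIT krb5 or APM code: it shows the defective and the clamped calculation side by side and a poll loop that gives up at the deadline, exercised against a loopback UDP socket that simulates a KDC whose replies are dropped.

```python
# Added example (not krb5/APM code): negative poll() timeout vs. clamped timeout.
import select
import socket
import time
from typing import Optional

def remaining_ms_unclamped(deadline: float, now: float) -> int:
    """Defective calculation: once 'now' is past 'deadline' the result is
    negative, and select.poll().poll(<negative>) blocks indefinitely."""
    return int((deadline - now) * 1000)

def remaining_ms_clamped(deadline: float, now: float) -> int:
    """Corrected calculation: never below zero, so poll() returns at once when
    the deadline has passed and the caller can give up on the KDC."""
    return max(0, int((deadline - now) * 1000))

def wait_for_kdc_reply(sock: socket.socket, deadline: float) -> Optional[bytes]:
    """Wait for one UDP datagram until 'deadline' (time.monotonic() seconds).
    Returns the datagram, or None if the deadline passes without a reply."""
    poller = select.poll()
    poller.register(sock, select.POLLIN)
    while True:
        timeout_ms = remaining_ms_clamped(deadline, time.monotonic())
        events = poller.poll(timeout_ms)
        if events:
            data, _addr = sock.recvfrom(4096)
            return data
        if timeout_ms == 0:
            return None  # deadline already passed: give up instead of blocking
        # poll() waited the full interval with no event; re-check the deadline

def simulate_dropped_kdc_request(timeout_s: float) -> Optional[bytes]:
    """Constructed scenario: a loopback socket that nothing ever answers,
    the 'firewall drops every KDC request' case from the entry."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        client.bind(("127.0.0.1", 0))
        return wait_for_kdc_reply(client, time.monotonic() + timeout_s)

def simulate_answered_kdc_request(reply: bytes) -> Optional[bytes]:
    """Constructed scenario: a loopback 'KDC' that answers (even negatively)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as kdc, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        kdc.bind(("127.0.0.1", 0))
        client.bind(("127.0.0.1", 0))
        kdc.sendto(reply, client.getsockname())
        return wait_for_kdc_reply(client, time.monotonic() + 1.0)

if __name__ == "__main__":
    now = time.monotonic()
    print("unclamped, 1.5 s past deadline:", remaining_ms_unclamped(now - 1.5, now))
    print("clamped,   1.5 s past deadline:", remaining_ms_clamped(now - 1.5, now))
    print("dropped request ->", simulate_dropped_kdc_request(0.05))
    print("answered request ->", simulate_answered_kdc_request(b"KRB-ERROR"))
```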


672124-5 : Excessive resource usage when BD is processing requests

Solution Article: K12403422


671813 : CVE-2016-10142: IPv6 fragmentation attack

Solution Article: K57211290


671497-3 : TSIG authentication bypass in AXFR requests

Solution Article: K59448931


670822-5 : TMM may crash when processing SOCKS data

Solution Article: K55225440


670804 : Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP

Solution Article: K03163260

Component: Local Traffic Manager

Symptoms:
The system experiences a 'verify_accept' assert in server-side TCP.

Conditions:
-- Verified Accept enabled in TCP profile.
-- Hardware syncookies enabled.
-- OneConnect profile on virtual servers.
-- Syncookie threshold crossed.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Disable verified accept when used with OneConnect on a virtual server.

Fix:
Verified accept, OneConnect, and hardware syncookies now work together correctly.


669394-1 : CS redirects to incorrect URL

Solution Article: K23432927

Component: Application Security Manager

Symptoms:
The BIG-IP ASM system may redirect a client request to an incorrect URL after the client browser passes the client-side integrity defense JavaScript challenge.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have enabled the Client Side Integrity Defense feature in a DoS profile associated with a virtual server.
-- A client request containing a certain structured URL is processed by the virtual server with the DoS profile.
-- The client browser passes the client-side integrity defense JavaScript challenge issued by the BIG-IP ASM system.

Impact:
The client browser is redirected to an incorrect URL. If a malicious attacker triggers the DoS profile and then sends a maliciously crafted structured URL to unsuspecting users as part of a phishing attack, the users may be redirected to a malicious website.

Workaround:
None.

Fix:
Client side code no longer redirects to an incorrect URL under these conditions.


667278-6 : DSC connections between BIG-IP units may fail to establish

Component: TMOS

Symptoms:
The device service clustering (DSC) connection between two BIG-IP units may fail to establish. One unit will log messages similar to the following example:

-- err mcpd[7912]: 01071af4:3: Inbound CMI connection from IP (192.168.100.1) denied because it came from VLAN (v1542), not from expected VLAN (tmm).

While the unit at the other end of the connection will log messages similar to the following example:

-- notice mcpd[5730]: 01071432:5: CMI peer connection established to 192.168.200.1 port 6699 after 0 retries
May 31 20:58:04 BIG-IP-c-sea notice mcpd[5730]: 0107143c:5: Connection to CMI peer 192.168.200.1 has been removed

Conditions:
This issue occurs when the Self-IP addresses used for Config-Sync by the two BIG-IP units are not in the same IP subnet, and special routing is configured between the BIG-IP units. Examples of special routing include a gateway pool or dynamic routing configurations with multiple routes to the same destination (i.e., ECMP routing).

Impact:
Config-Sync and device discovery operations will fail between affected units.

Workaround:
You can work around this issue by using Self-IP addresses for Config-Sync that are on the same IP subnet or rely on simpler routing to achieve connectivity (i.e., a single route).

Fix:
Config-Sync and device discovery operations no longer fail.


666454-4 : Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update

Solution Article: K05520115

Component: Access Policy Manager

Symptoms:
Edge client running on Macbook Pro 2016 with a touch bar interface cannot connect to VPN in a full tunneling configuration with 'Prohibit routing table modification' option selected.

Edge client's svpn.log shows an error entry similar to:
2017-05-18,13:55:17:000, 16637,16638,svpn, 1, , 870, CMacOSXRouteTable::UpdateIpForwardEntry2(), EXCEPTION - write failed, 22, Invalid argument.

Conditions:
This occurs when all of the following conditions are met:
1) Edge client is running on a Macbook Pro that has the iBridge interface (e.g., one with the touch bar).
2) VPN is configured in a full tunneling configuration.
3) Mac OS X version is v10.12.5.

Note: You can find the interface on the Macbook Pro in the Network Utility under the Info tab.

Impact:
VPN connection will fail.

Workaround:
Use one of the following workarounds:
- Disable 'Prohibit Routing table change' in the network access configuration.
- Enable 'Allow access to local subnets'.
- Enable a split tunneling configuration.


664769-3 : TMM may restart when using SOCKS profile and an iRule

Component: Local Traffic Manager

Symptoms:
TMM restarts when sending traffic through a SOCKS virtual server that has an attached iRule that uses certain blocking commands.

Conditions:
Virtual server has a SOCKS profile, and an iRule which triggers on the SERVER_CONNECTED event. If the iRule uses commands that block, tmm might restart.

Impact:
Unexpected tmm restart. Traffic disrupted while tmm restarts.

Workaround:
Avoid attaching an iRule to the SERVER_CONNECTED event, or avoid using iRule commands that do not complete immediately, such as 'after', 'table', 'session', and others.

Fix:
TMM no longer crashes when using a SOCKS profile and server-side iRule parks.


663924-4 : Qkview archives include Kerberos keytab files

Component: TMOS

Symptoms:
Qkview captures Kerberos keytab files used for APM dataplane services.

Conditions:
APM provisioned with Kerberos authentication.

Impact:
Private security key exposure.

Workaround:
There is no workaround.

Fix:
Qkview no longer collects the 'kerberos_keytab_file_d' directory containing keytab files when creating a qkview archive.


663310-1 : named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files

Component: Global Traffic Manager (DNS)

Symptoms:
named reports "file format mismatch", zone files are renamed randomly to db-XXXX files, and zone cannot be loaded.

Conditions:
-- Upgrade from a BIG-IP version containing a pre-9.9.x version of BIND to a BIG-IP version with a BIND version later than 9.9.x.
-- Slave zone files are in text format.
-- No options set for masterfile-format text.

Impact:
Zones cannot be loaded.

Workaround:
Before upgrading, add the following line to the named.conf options:
masterfile-format text;

Fix:
BIND 9.9.x changes the default storage format of slave zone files from "text" to "raw".

On upgrade, the configuration is now parsed for slave zones that do not specify masterfile-format, and those zones are set to "text".


662881-4 : L7 mirrored packets from standby to active might cause tmm core when it goes active.

Solution Article: K10443875

Component: Local Traffic Manager

Symptoms:
L7 mirrored packets from standby to active might cause tmm core when it goes active.

Conditions:
-- Spurious ACK sent to the standby unit that is mirrored over to the active unit for processing.
-- Matching connection on the active has not been fully initialized.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
A spurious ACK no longer causes an outage; the packet is dropped instead.


662850-4 : Expat XML library vulnerability CVE-2015-2716

Solution Article: K50459349


662816-4 : Monitor node log fd leak for certain monitor types

Solution Article: K61902543

Component: Local Traffic Manager

Symptoms:
When certain types of LTM health monitors are configured with node logging enabled, the bigd daemon may leak file descriptors for the node logs when the monitor is removed from the LTM node, pool or pool member configuration.

Conditions:
This may occur when:
1. One of the below-listed LTM health monitor types is assigned to an LTM node, pool, or pool member with node logging enabled ('logging' value set to 'enabled' in the LTM node or pool member configuration).
2. The LTM health monitor is removed from the LTM node, pool, or pool member configuration while logging is still enabled ('monitor' value set to 'none').

Affected LTM health monitor types include:
diameter, external, firepass, ftp, gateway_icmp, icmp, imap, ldap, module_score, mssql, mysql, nntp, oracle, pop3, postgresql, radius, radius_accounting, real_server, rpc, sasp, scripted, sip, smb, smtp, snmp_dca, snmp_dca_base, soap, virtual_location, wap, wmi.

This problem does not occur if node logging is disabled in the LTM node or pool member configuration ('logging' value set to 'disabled' in the LTM node or pool member configuration) prior to removing the monitor from the LTM node, pool, or pool member configuration.

The following LTM health monitor types are not affected:
dns, http, https, inband, mqtt, tcp, tcp_echo, tcp_half_open

Impact:
When this problem occurs, each instance of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis leaks one file descriptor for each node or pool member with monitor logging enabled.

File descriptors that are opened by the bigd daemon and not closed count against bigd's internal file descriptor limit. This can result in file descriptor exhaustion and failure of LTM health monitoring.

Workaround:
Disable node logging (set 'logging' value to 'disabled') in the LTM node or pool member configuration prior to removing the monitor from the LTM node, pool, or pool member configuration.

Fix:
The bigd daemon does not leak file descriptors for monitor node logs when certain types of LTM health monitors are configured with node logging enabled and the monitor is then removed from the LTM node, pool, or pool member configuration.


662663-5 : Decryption failure Nitrox platforms in vCMP mode

Solution Article: K52521791


660239-4 : When accessing the dashboard, invalid HTTP headers may be present

Component: TMOS

Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.

Conditions:
Access the dashboard via Statistics :: Dashboard.

Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.

You may see errors such as the following in the httpd error log:

Feb 20 08:47:58 myBIG-IP err httpd[13777]: [error] [client 10.20.30.40] Response header name '<PostData><![CDATA[table=log%5Fstat]]></PostData>Cache-Control' contains invalid characters, aborting request, referer: https://mybigip.com/tmui/dashboard/MonitorDashboardModule.swf

Workaround:
There is no workaround at this time.

Fix:
Eliminated invalid header data.


659899-4 : Rare, intermittent system instability observed in dynamic load-balancing modes

Solution Article: K10589537

Component: Local Traffic Manager

Symptoms:
The dynamic pool member load-balancing modes require a precision measurement of active connection counts and/or rates. Rare, intermittent system instability has been observed in dynamic pool member selection when a new connection arrives. TMM may restart, leaving a core file.

Conditions:
LTM pool configured to use a dynamic load-balancing mode ('ltm pool NAME load-balancing-mode MODE' where MODE is one of the dynamic load-balancing modes, such as dynamic-ratio-member, least-connections-node, predictive-node, etc.). The dynamic modes use the session database to share data among all TMM instances, and under extremely rare conditions, the session database may become unreliable.

Impact:
TMM restarts and leaves a core file. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The dynamic load-balancing modes are now more tolerant of errors from the underlying session database.


658214-4 : TCP connection fail intermittently for mirrored fastl4 virtual server

Solution Article: K20228504

Component: Local Traffic Manager

Symptoms:
In some cases, a mirrored FastL4 virtual server may fail to forward the SYN on the server-side after receiving the context-ack from the peer. Note: This is a connection-failure through the active system, not simply a failure to mirror to the peer.

Symptoms include:
-- TCP connection failures.
-- Possibly other packets lost.

Conditions:
-- FastL4 virtual server.
-- Mirroring is enabled.
-- Certain traffic interleaving might be necessary for this intermittent problem to occur.

Impact:
FastL4 mirroring does not always forward SYN to server after receiving context ACK. Connections fail.

Workaround:
Set the tm.fastl4_ack_mirror db variable using the following command: tmsh modify sys db tm.fastl4_ack_mirror value disable.

Fix:
In this release, mirrored FastL4 virtual servers forward the SYN on the server-side after receiving the context-ack from the peer, as expected.


657961 : The edit button on the GSLB Wide IP create page does not place the pool name back into the select dropdown

Solution Article: K44031930

Component: Global Traffic Manager (DNS)

Symptoms:
The edit button in the Pools section of a Wide IP create page does not place the pool name entry back into the select dropdown.

Conditions:
There must be a pool in the selected list, and that pool must be highlighted when the edit button is clicked.

Impact:
The edit button does not work as intended.

Workaround:
Use the delete button and find the pool in the select dropdown to edit its ratio.

Fix:
Fixed issue that caused the edit button on the Wide IP create page to not place the pool name back into the select dropdown.


657883-4 : tmm cache resolver should not cache response with TTL=0

Solution Article: K34442339

Component: Local Traffic Manager

Symptoms:
tmm cache resolver caches responses with TTL=0, and it shouldn't.

Conditions:
TTL is set to 0 on the BIG-IP DNS system, so TMM sees TTL=0 in the DNS answer.

Impact:
tmm cache resolver caches responses with TTL=0.

Workaround:
None.

Fix:
The tmm cache resolver no longer caches TTL=0 responses, which is the correct behavior.


656902 : Upgrade to 11.5.4 HF3 may remove valid cipher suite configuration from SSL profile

Component: Local Traffic Manager

Symptoms:
During the upgrade to 11.5.4 HF3, the upgrade removes DHE-DSS from the cipher suite, which causes cipher suite keywords beginning with the characters '@', '+', '-', or '!' to be removed from the configuration.

Conditions:
The clientssl/serverssl profile ciphers configuration contains keywords beginning with the characters '@', '+', '-', or '!'.

Impact:
Cipher suites are configured using keywords such as AES, AES-GCM, !DES, -ADH, @STRENGTH, etc. The issue causes keywords beginning with the characters '@', '+', '-', or '!' to be removed from the configuration.

For example, if the cipher suite configuration before installing 11.5.4 HF3 was: 'NATIVE:!SSLV2:!SSLV3:!MD5:!EXPORT:!LOW:ECDHE+AES-GCM:ECDHE+AES:DHE+AES-GCM:DHE+AES:AES-GCM+RSA:RSA+AES:RSA+3DES:!RC4:!ADH:!ECDHE_ECDSA:!ECDH_ECDSA:!ECDH_RSA:!DHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!DHE-RSA-AES128-SHA:+DES-CBC3-SHA'

After installing 11.5.4 HF3 it would be reduced to: 'NATIVE:ECDHE+AES-GCM:ECDHE+AES:DHE+AES-GCM:DHE+AES:AES-GCM+RSA:RSA+AES:RSA+3DES'

Workaround:
Manually restore the clientssl/serverssl profile cipher configuration.

Fix:
Fixed an issue that caused cipher suite keywords beginning with the characters '@', '+', '-', or '!' to be removed from the configuration on upgrade.
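The before and after cipher strings in this entry are exactly what you get by dropping every colon-separated keyword whose first character is a modifier. The following is an added example, not F5's upgrade code: it models that defective filtering next to the intended behaviour and provides a post-upgrade check that lists the keywords lost, which matters because a dropped '!' keyword silently removes a cipher exclusion the operator relied on. The filter logic is a reconstruction of the described behaviour, not the actual implementation.

```python
# Added example (not F5 code): model of the 656902 cipher-keyword loss and a
# check that compares a profile's cipher string before and after upgrade.
from typing import List

MODIFIER_PREFIXES = ("@", "+", "-", "!")

# Cipher string quoted in the release note (before installing 11.5.4 HF3).
BEFORE_UPGRADE = (
    "NATIVE:!SSLV2:!SSLV3:!MD5:!EXPORT:!LOW:ECDHE+AES-GCM:ECDHE+AES:"
    "DHE+AES-GCM:DHE+AES:AES-GCM+RSA:RSA+AES:RSA+3DES:!RC4:!ADH:"
    "!ECDHE_ECDSA:!ECDH_ECDSA:!ECDH_RSA:!DHE-RSA-DES-CBC3-SHA:"
    "!ECDHE-RSA-DES-CBC3-SHA:!DHE-RSA-AES128-SHA:+DES-CBC3-SHA"
)

def split_cipher_string(cipher_string: str) -> List[str]:
    """Split a colon-separated cipher string into its keywords."""
    return [kw for kw in cipher_string.split(":") if kw]

def buggy_upgrade_filter(cipher_string: str) -> str:
    """Reconstruction of the defect: a keyword whose FIRST character is a
    modifier ('@', '+', '-', '!') is dropped. Keywords that merely contain
    '+' or '-' later on (e.g. 'ECDHE+AES', 'AES-GCM+RSA') survive."""
    kept = [kw for kw in split_cipher_string(cipher_string)
            if not kw.startswith(MODIFIER_PREFIXES)]
    return ":".join(kept)

def correct_upgrade_filter(cipher_string: str) -> str:
    """Intended behaviour: every keyword is carried over verbatim."""
    return ":".join(split_cipher_string(cipher_string))

def lost_keywords(before: str, after: str) -> List[str]:
    """Post-upgrade check: keywords present before that are missing after,
    in their original order."""
    after_set = set(split_cipher_string(after))
    return [kw for kw in split_cipher_string(before) if kw not in after_set]

def lost_exclusions(before: str, after: str) -> List[str]:
    """Only the lost '!' keywords: each one is a cipher or protocol the
    operator had excluded that the reduced string no longer excludes."""
    return [kw for kw in lost_keywords(before, after) if kw.startswith("!")]

if __name__ == "__main__":
    after = buggy_upgrade_filter(BEFORE_UPGRADE)
    print("after upgrade:", after)
    print("lost keywords:", lost_keywords(BEFORE_UPGRADE, after))
    print("lost exclusions:", lost_exclusions(BEFORE_UPGRADE, after))
```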


655756 : TMM might crash while using SSL profiles on BIG-IP 2000/4000 platforms.

Component: Local Traffic Manager

Symptoms:
TMM might crash while using SSL profiles on BIG-IP 2000/4000 platforms.

Conditions:
-- TMOS v11.5.4 HF3.
-- SSL profile active.
-- BIG-IP 2000/4000 platform.

Impact:
TMM may crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The cause of the crash was identified and removed.


655649-5 : BGP last update timer incorrectly resets to 0

Solution Article: K88627152

Component: TMOS

Symptoms:
In ZebOS, every time the scan timer resets, it also incorrectly resets the BGP last update timer, as shown by the imish command 'sh ip route'.

Output from 'sh ip route':

4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:32
               [20/0] via 10.10.1.6, eno33554952, 00:00:32
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:33
               [20/0] via 10.10.1.6, eno33554952, 00:00:33
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:00 <<<< shouldn't reset
               [20/0] via 10.10.1.6, eno33554952, 00:00:00

Conditions:
Once ZebOS has learned a route from a BGP peer, the route shows up under 'sh ip route' and its BGP last update timer incorrectly resets.

Impact:
If BGP routes are being redistributed into other protocols, the route may flap in the destination process.

Workaround:
None.

Fix:
BIG-IP no longer resets the last update time of routes learned via BGP, and BGP routes redistributed into other protocols no longer flap.


655432-3 : SSL renegotiation failed intermittently with AES-GCM cipher

Solution Article: K85522235

Component: Local Traffic Manager

Symptoms:
SSL renegotiation fails intermittently with the AES-GCM cipher because the IV is not properly updated when a change cipher spec message is received.

Conditions:
This failure is more likely to occur during mutual authentication.

Impact:
Some servers authenticate clients using renegotiation. This issue prevents their clients from properly connecting to the servers.

Workaround:
Disable AES-GCM cipher.

Fix:
The system now properly updates the AES-GCM IV when a change cipher spec message is received.


655059-1 : TMM Crash

Solution Article: K37404773


655021-4 : BIND vulnerability CVE-2017-3138

Solution Article: K23598445


654599-3 : The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed

Solution Article: K74132601

Component: Global Traffic Manager (DNS)

Symptoms:
Tomcat can potentially drop requests made by the client via the Web GUI on the GSLB Pool Members Manage page.

Conditions:
The configuration contains a large number (in the thousands) of GSLB virtual servers or wide IPs, resulting in the action not being completed.

Impact:
The "Finished" button on that page does not save the changes made on that page.

Workaround:
Use TMSH.

Fix:
Fixed an issue with saving GSLB data via the GUI in large configurations.


654368-4 : ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require

Solution Article: K15732489

Component: Local Traffic Manager

Symptoms:
No error is reported if the profile is associated with an invalid Certificate Revocation List (CRL) that is not signed by a trusted CA, when the CRL issuer has the same subject name as one of the certificates in the trusted CA bundle.

Conditions:
This occurs when associating CRLs with virtual servers.

Impact:
No error is reported for the invalid CRL.

Workaround:
The OpenSSL command can be used to check whether the CRL is signed by a trusted CA.

The command to verify CRL against a CA file is as follows:
openssl crl -CAfile <path to the CA certificate bundle/file> -noout -in <path to CRL file>

Fix:
An error is now reported in the TMM logs if the CRL is not signed by a trusted CA.


653993-1 : A specific sequence of packets to the HA listener may cause tmm to produce a core file

Solution Article: K12044607


653880-2 : Kernel Vulnerability: CVE-2017-6214

Solution Article: K81211720


652877-1 : Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades

Component: TMOS

Symptoms:
All services on one or all secondary blades in a VIPRION chassis restart, and MCPD logs errors similar to the following:

-- err mcpd[9063]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)
-- err mcpd[9063]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3:Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)... failed validation with error 17237812.

In versions prior to v11.6.0, the error is: 'Can't save/checkpoint DB object,' rather than 'Can't update_indexes/checkpoint DB object'.

Conditions:
Multi-bladed VIPRION system, where the 'if-index' value for VLANs differs between blades.

You can check the 'if-index' value by running the following command on each blade: tmsh list net vlan all if-index.

Impact:
MCPD restart on all secondary blades results in partial service outage.

Workaround:
Reactivate the license only on a system that is standby/offline.

Fix:
Reactivating the license on a VIPRION system no longer causes MCPD process restart on one or all secondary blades.


652516-2 : Multiple Linux Kernel Vulnerabilities

Solution Article: K31603170


651772-6 : IPv6 host traffic may use incorrect IPv6 and MAC address after route updates

Component: Local Traffic Manager

Symptoms:
IPv6 traffic generated from the host, whether by a host daemon, by monitors, or from the command line, may use a MAC address and IPv6 source address from a different VLAN.

Conditions:
- Multiple VLANs with IPv6 addresses configured.
- Multiple routes to the same destination (the same or more specific routes, default routes, etc.) that cover the traffic destination.
- Route changes that cause traffic to the destination to shift from one VLAN and gateway to another. This is typically observed with dynamic routing updates.

Impact:
Traffic to the destination may fail due to using incorrect source IPv6/MAC address.
This may cause monitor traffic to fail.

Workaround:
Continuous traffic to the IPv6 link-local nexthops can avoid this issue.
This may be achieved by a script or an external monitor pinging the nexthop link-local address using the specific vlan.

Fix:
IPv6 host traffic no longer uses an incorrect IPv6 and MAC address after route updates.

Behavior Change:
Introduction of the sys db variable ipv6.host.router_probe_interval, which controls the sysctl net.ipv6.conf.default.router_probe_interval value. The default value is 5s.


651155-5 : HSB continually logs 'loopback ring 0 tx not active'

Component: TMOS

Symptoms:
In the TMM log files, HSB reports that 'loopback ring 0 tx not active'.

Conditions:
The conditions under which this occurs are not known.

Impact:
Excessive logging. This may also cause an HSB lockup to not be detected.

Workaround:
None.

Fix:
HSB no longer continually logs 'loopback ring 0 tx not active'.


649933-5 : Fragmented RADIUS messages may be dropped

Component: Service Provider

Symptoms:
Large RADIUS messages may be dropped when processed by iRules.

Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.

Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:

Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""

Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.


649907-4 : BIND vulnerability CVE-2017-3137

Solution Article: K30164784


649904-4 : BIND vulnerability CVE-2017-3136

Solution Article: K23598445


649564-4 : Crash related to GTM monitors with long RECV strings

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd core dump related to GTM monitors with long RECV strings.

Conditions:
Sufficiently large RECV (receive) string on a GTM Monitor.

Impact:
Core dump. Traffic might be disrupted while gtmd restarts.

Workaround:
None.

Fix:
Fixed an issue relating to a crash when a GTM monitor has a sufficiently large receive string configured.


648865-3 : Linux kernel vulnerability: CVE-2017-6074

Solution Article: K82508682


648286-3 : GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.

Component: Global Traffic Manager (DNS)

Symptoms:
The combobox does not auto-select the next entry in the list of virtual servers/wide IPs after pressing the Add button and successfully adding an entry to the member list.

Conditions:
-- Have at least two entries in the combobox.
-- Add one of the entries to the member list.

Impact:
The other entry is not selected automatically (as it was in BIG-IP versions 12.1 and earlier). You must manually select each entry to add to the member list.

Loss of functionality from earlier releases.

Workaround:
Manually select each entry to add to the member list.

Fix:
Restored the behavior that selects the next available entry in the list after pressing the Add button on the GSLB Pool's Member manage page.


648217-2 : CVE-2017-6074: Linux Kernel Vulnerability

Solution Article: K82508682


648037-4 : LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash

Component: Local Traffic Manager

Symptoms:
tmm crashes after the LB::reselect iRule fails to connect to the server.

Conditions:
This issue can occur when a virtual server is configured with HTTP and the LB::reselect iRule. If the LB::reselect fails to connect to the server and there is not a monitor on the pool, tmm will crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure a monitor for the pool.

Fix:
Fixed a tmm crash related to LB::reselect.


646643-4 : HA standby virtual server with non-default lasthop settings may crash.

Solution Article: K43005132

Component: Local Traffic Manager

Symptoms:
A long-running high availability (HA) Standby Virtual Server with non-default lasthop settings may crash TMM.

Conditions:
-- An HA standby virtual server is configured on the system with non-default lasthop settings (e.g., lasthop pools, or autolasthop disabled).

-- That virtual server receives more than 2 billion connections (2 billion is the maximum value of a 32-bit integer).

Impact:
TMM on the next-active device crashes. The Active device is not affected. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
HA standby virtual server configured with non-default lasthop configurations no longer crashes.


646604-4 : Client connection may hang when NTLM and OneConnect profiles used together

Solution Article: K21005334

Component: Local Traffic Manager

Symptoms:
In deployments where an NT LAN Manager (NTLM) authentication profile and a OneConnect profile are used together on an LTM virtual server to label an authenticated connection to a Domain Controller (DC), the connection may hang if the persisted connection to the DC is re-used. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.

Conditions:
The NTLM and OneConnect profiles are associated with an LTM virtual server.

Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.

Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.

Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.


645615-4 : zxfrd may fail and restart after multiple failovers between blades in a chassis.

Solution Article: K70543226

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.

Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.

Impact:
zxfrd will create a core file and restart, picking up where it left off.

Workaround:
None.

Fix:
The cause of the failure is now addressed.


645589 : Password-less ssh access lost for non-admin users after tmsh load sys ucs

Component: TMOS

Symptoms:
During a UCS load, the $HOME/.ssh/authorized_keys file is moved to /etc/ssh/<user>, and a symbolic link pointing to that file is placed in $HOME/.ssh, so that the ownership changes made by the UCS load do not break password-less SSH access to the BIG-IP. The problem is that the /etc/ssh/<user> directory has no group or other read permissions, so non-admin users cannot read the file; password-less access is therefore denied and a password is requested.

Conditions:
This always happens, because the permissions on /etc/ssh/<user> are 0700 (user read-write-execute only) and the directory is owned by root.

Impact:
Non-admin users lose password-less access to their BIG-IP after tmsh load sys ucs.

Workaround:
An admin user needs to manually change the permissions of /etc/ssh and /etc/ssh/<user> to 0755.

A non-admin user has no such capability and thus has no workaround.

Fix:
Setting the umask to 0022 before the call to mkpath (with 0755 permissions) makes the /usr/local/bin/install_ucs.pm script behave as expected.

The umask override is then restored to its previous value so as not to affect the rest of the script.


645179-4 : Traffic group becomes active on more than one BIG-IP after a long uptime

Component: TMOS

Symptoms:
Traffic-groups become active/active for 30 seconds after a long uptime interval.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.

For example:

-- For 7 traffic groups, the interval is ~710 days.
-- For 15 traffic groups, the interval is ~331 days.

Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- One or more traffic groups are configured.
-- The BIG-IP systems have a long uptime.

Impact:
Outage due to traffic-group members being active on both systems at the same time.

Workaround:
There is no workaround.

The only option is to reboot all the BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.

Fix:
Traffic groups no longer become active on more than one BIG-IP system in a device group after a long uptime interval.


645101-3 : OpenSSL vulnerability CVE-2017-3732

Solution Article: K44512851


644904-3 : tcpdump 4.9

Solution Article: K55129614


644693-6 : Fix for multiple CVE for openjdk-1.7.0

Solution Article: K15518610


644220-1 : Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page

Component: Global Traffic Manager (DNS)

Symptoms:
Under LTM :: Virtual Servers :: Properties, the "Link" value sometimes displays "none" when it should display an actual link name.

Conditions:
This happens under certain configurations of Self IPs, GTM Servers, GTM Links, and LTM Virtual Servers.

Impact:
When conditions are met, the Virtual Server's link information displayed is not correct.

Workaround:
None.

Fix:
Virtual Server's assigned Link on the LTM Virtual Server Properties page is now displayed correctly.


644184-6 : ZebOS daemons hang while AgentX SNMP daemon is waiting.

Solution Article: K36427438

Component: TMOS

Symptoms:
ZebOS daemons hang while AgentX SNMP daemon is unresponsive.

Conditions:
- Dynamic routing is enabled.
- SNMP is enabled.
- SNMP is unresponsive, which can be caused by several issues, such as snmpd calling an external script that takes several moments to return, or mcpd being slow to respond to snmpd queries.

Impact:
Dynamic routing may be halted for as long as the AgentX daemon is busy.

Workaround:
If snmpd is calling external scripts that take several moments to return, then stop using the external script.

Fix:
ZebOS daemons no longer hang while AgentX is waiting.


643554-13 : OpenSSL vulnerabilities - OpenSSL 1.0.2k library update

Solution Article: K37526132 K44512851 K43570545


643375-3 : TMM may crash when processing compressed data

Solution Article: K10329515


643187-4 : BIND vulnerability CVE-2017-3135

Solution Article: K80533167


643034-4 : Turn off TCP Proxy ICMP forwarding by default

Solution Article: K52510343

Component: Local Traffic Manager

Symptoms:
Forwarding of ICMP PMTU messages through the BIG-IP can negatively impact performance if OneConnect or SNAT functionality is active.

Conditions:
Forwarding of ICMP PMTU messages through the BIG-IP when OneConnect or SNAT are active.

Impact:
Peers use suboptimal Path Maximum Transmission Units (PMTUs).

Workaround:
For TCP and UDP proxies, ensure proxy-mss is disabled in the profile.

OR

Disable MTU caching on pool members.

Fix:
There are legitimate reasons to forward ICMP messages through BIG-IP, so in some cases mitigation must occur at pool members. However, we have introduced more control (tm.tcp.enforcepathmtu) to tune this more precisely.

Behavior Change:
The default behavior on TCP proxies is now to not forward ICMP messages, restoring the default from TMOS 12.0.0 and earlier.

For TCP proxies to forward ICMP PMTU messages now requires BOTH proxy-mss 'enabled' in the TCP profile (which is the default setting) and 'tm.tcp.enforcepathmtu' set to 'enabled' (not the default).


642330-4 : GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.

Component: Global Traffic Manager (DNS)

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where a monitor string contains \" (backslash double-quote) but does not contain any of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hash), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the BIG-IP_gtm.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the BIG-IP_gtm.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send, recv-disable and username fields. The output of list gtm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escaping in monitor strings.


642039-4 : TMM core when persist is enabled for wideip with certain iRule commands triggered.

Solution Article: K20140595

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores with SIGSEGV.

Conditions:
This occurs when persist is enabled for a wideip, and an iRule containing one of the following commands is triggered:
forward
reject
drop
discard
noerror
host

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable persist on wideip.

Note: Although this is not an ideal workaround, it provides a way to use those iRule commands without causing a tmm core.

Fix:
TMM no longer cores when persist is enabled for a wideip and certain iRule commands are triggered.


641512-2 : DNSSEC key generations fail with lots of invalid SSL traffic

Solution Article: K51064420

Component: Local Traffic Manager

Symptoms:
DNSSEC keys can roll over periodically. This rollover fails, leaving no keys to sign DNSSEC queries (no RRSIG records), when the BIG-IP is handling a lot of SSL traffic with invalid certificates.

The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.

Conditions:
DNSSEC keys configured with periodic rollover. The certificate path queues an error (situations include, but are not limited to, lots of SSL traffic with invalid certificates).

Impact:
DNSSEC key generations fail to be accepted by the TMM so that when the prior generation expires there is no valid certificate to sign DNSSEC queries.

Workaround:
Restart the TMM after the new key generation is created.

Fix:
DNSSEC key generations now complete successfully, even with a lot of SSL traffic with invalid certificates.


641360-4 : SOCKS proxy protocol error

Solution Article: K30201296


641013-4 : GRE tunnel traffic pinned to one TMM

Component: TMOS

Symptoms:
GRE tunnel traffic can be sent to a single TMM if the BIG-IP does not proxy the GRE tunnel and uses a forwarding virtual server to handle the GRE tunnel traffic.

Conditions:
A forwarding virtual server is used to handle GRE tunnel traffic.

Impact:
GRE tunnel traffic can overwhelm that one TMM and cause performance degradation.

Workaround:
None.

Fix:
Improved GRE tunnel traffic handling so traffic does not overwhelm one TMM and cause performance degradation.


639575-3 : Using libtar with files larger than 2 GB will create an unusable tarball

Component: TMOS

Symptoms:
Programs such as qkview create a .tar file (tarball) using libtar. If any of the files collected are greater than 2 GB, the output tar file cannot be read by /bin/tar.

This occurs due to a limitation of the file compression library employed by the qkview command; the system cannot collect files larger than 2 GB in size in a Qkview.

The qkview command may generate output that iHealth cannot parse, and that the tar command cannot extract.

Conditions:
-- The file collected via libtar (e.g., by qkview or another program dynamically linking with /usr/lib/libtar-1.2.11) is greater than 2 GB.
-- A 2 GB or larger file exists in a directory that qkview normally collects.

Impact:
No qkview diagnostics file is created. Although you can extract the qkview tarball using /usr/bin/libtar, the file will be a zero-length file. Cannot submit a qkview to iHealth for analysis. Other applications using libtar will produce invalid tar files.

Workaround:
Remove the file larger than 2 GB from the system prior to running qkview or another program that uses libtar.

Fix:
With the fix to third party software, libtar, programs using libtar no longer create an unusable tarball when dealing with files larger than 2 GB.


638935-1 : Monitor with send/receive string containing double-quote may cause upgrade to fail.

Component: TMOS

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where a monitor string contains \" (backslash double-quote) but does not contain any of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hash), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the bigip.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the bigip.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send, recv-disable and username fields. The output of list ltm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escaping in monitor strings.

If you have an escaped quote in your configuration and are moving to a release that contains this fix, you cannot reload the configuration or the license (which also reloads the configuration). Doing so will cause the config load to fail.


638137-3 : CVE-2016-7117 CVE-2016-4998 CVE-2016-6828

Solution Article: K51201255


637181-2 : VIP-on-VIP traffic may stall after routing updates

Component: Local Traffic Manager

Symptoms:
After a routing update, traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.

Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.

Impact:
Existing connections to the outer VIP may stall.

Workaround:
None.

Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.


636702-1 : BIND vulnerability CVE-2016-9444

Solution Article: K40181790


636700-2 : BIND vulnerability CVE-2016-9147

Solution Article: K02138183


636699-3 : BIND vulnerability CVE-2016-9131

Solution Article: K86272821


635933-2 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable

Solution Article: K23440942


635412-1 : Invalid mss with fast flow forwarding and software syn cookies

Solution Article: K82851041


635314-3 : vim Vulnerability: CVE-2016-1248

Solution Article: K22183127


633723-1 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot

Component: Local Traffic Manager

Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a 'request queue stuck' error. When this occurs, the system posts a log message such as:
crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck.

Conditions:
-- A Cavium Nitrox 'request queue stuck' error occurs.
-- The db variable 'crypto.ha.action' is set to reboot.

Impact:
The system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

The system immediately fails over to the standby system, but will then spend approximately one minute gathering diagnostic information before rebooting.

See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.

Workaround:
None.

Fix:
The system now automatically runs nitrox data collection when request queue stuck errors occur.

Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.

If a Cavium Nitrox 'request queue stuck' error occurs and the db variable 'crypto.ha.action' is set to reboot, the system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

When the error happens, failover to the standby system will still happen immediately. The delay occurs only on rebooting the system that has already gone to standby mode.


633691-2 : HTTP transaction may not finish gracefully because the TCP connection is closed by RST

Component: Local Traffic Manager

Symptoms:
HTTP or other higher-layer protocol transactions may not finish gracefully because the TCP connection is closed by RST.

Conditions:
1. ClientSSL or ServerSSL is configured on the Virtual Server.
2. HTTP or another higher-layer protocol has not finished its transactions yet.
3. The client or server sends a TCP FIN packet.

Impact:
Application-level responses may not be received at all by the client.

Workaround:
No Workaround.

Fix:
TMM now uses a TCP FIN to close the connection gracefully wherever possible, instead of an RST, which abandons data that has not yet been sent to the wire.


633465-1 : Curl cannot be forced to use TLSv1.0 or TLSv1.1

Solution Article: K09748643

Component: TMOS

Symptoms:
Curl fails when connecting to a server that does not accept TLSv1.1 or TLSv1.2 handshakes. This occurs even if the "--tlsv1.0" or "--tlsv1.1" option is passed to the curl command.

Conditions:
Curl is used to attempt to connect to a server that does not understand TLSv1.1 and/or TLSv1.2 handshakes. This occurs when using software v11.5.4 HF2 through 11.5.6 or v11.6.1 HF1 through 11.6.3.

Impact:
Curl will fail.

Workaround:
Use "curl-apd" rather than "curl". curl-apd does not currently implement TLSv1.1 or TLSv1.2.

Fix:
Curl now honors the tlsv version flag, so the system correctly uses TLSv1.0, TLSv1.1, or TLSv1.2, as specified.


632798-3 : Double-free may occur if Access initialization fails

Solution Article: K30710317

Component: Access Policy Manager

Symptoms:
Double-free may occur if Access initialization fails.

Conditions:
Access initialization failure occurs, possibly due to license issues.

Impact:
tmm crashes and cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes a double free condition so that the associated tmm crash no longer occurs.


632618 : ImageMagick vulnerability CVE-2016-3717

Solution Article: K29154575


632423-1 : DNS::query can cause tmm crash if AXFR/IXFR types specified.

Solution Article: K40256229

Component: Global Traffic Manager (DNS)

Symptoms:
Passing "AXFR" or "IXFR" as the type to the DNS::query iRule command can cause a tmm crash.

Conditions:
DNS Express must be enabled when one of the XFR types is used in the DNS::query iRule command.

Impact:
tmm will crash and restart every time this command is issued. Traffic disrupted while tmm restarts.

Workaround:
Do not explicitly use AXFR or IXFR query types.

If the [DNS::question type] command is being used to dynamically pass in the type, add a preceding check similar to the following:

if { not [DNS::question type] ends_with "XFR" } {
    set rrs [DNS::query dnsx [DNS::question name] [DNS::question type]]
}

Fix:
The iRule now provides an error message in /var/log/ltm indicating that AXFR and IXFR are not valid types to use with the DNS::query command, and no tmm crash occurs as a result.


631688-3 : Multiple NTP vulnerabilities

Solution Article: K55405388 K87922456 K63326092 K51444934 K80996302


631627-3 : Applying BWC over route domain sometimes results in tmm not becoming ready on system start

Component: TMOS

Symptoms:
Rebooting after applying BWC to a route domain stops VLAN traffic on a vCMP guest. You will experience connection failures when Bandwidth Controller (BWC) and Web Accelerator are enabled.

Running the tmsh show sys ha-status all-properties command will indicate that tmm is in "ready-for-world", but the Fail status will read "Yes" when this is triggered.

Conditions:
BWC enabled and associated with a route domain, Web Accelerator is enabled, and the system is rebooted.

Impact:
The system does not come up fully. TMM does not reach a ready state and will not pass traffic.

Workaround:
Remove BWC from the route domain and then reapply it.

Fix:
With BWC enabled and associated with a route domain, and Web Accelerator enabled, the system and TMM now come up fully and pass traffic after a reboot.


631582-3 : Administrative interface enhancement

Solution Article: K55792317


631530 : TAI offset not adjusted immediately during leap second

Solution Article: K32246335

Component: TMOS

Symptoms:
When a UTC time value is repeated during a leap second (when UTC time should be 23:59:60), the International Atomic Time (TAI) timescale should not stop, but the kernel increments the TAI offset one second too late.

Conditions:
This occurs during an NTP leap second event, for example the event on December 31, 2016, at 23:59:60 UTC.

Impact:
The impact to applications is unknown; the system stays stable, but a timer may fire later than expected.

Workaround:
None.

Fix:
International Atomic Time (TAI) offset during leap second has been corrected.


631204-3 : GeoIP lookups incorrectly parse IP addresses

Solution Article: K23124150


631172-2 : GUI user logged off when idle for 30 minutes, even when longer timeout is set

Solution Article: K54071336

Component: TMOS

Symptoms:
GUI user is auto-logged off when idle for 30 minutes, even though the configured idle timeout is longer.

Conditions:
The user is logged in to the GUI and idle for 20-30 minutes.

Impact:
User is logged out of the GUI.

Workaround:
None.

Fix:
GUI user is no longer auto-logged off when idle for 30 minutes when the configured idle timeout is longer.


630475-3 : TMM Crash

Solution Article: K13421245


630446-3 : Expat vulnerability CVE-2016-0718

Solution Article: K52320548


629771 : TCP::unused_port erroneously accepts IPV4_COMPAT addresses

Component: Local Traffic Manager

Symptoms:
When the TCP::unused_port command is called with a Tcl IP address object that represents an IPv4 address as an IPv4-Compatible IPv6 address, the command searches for existing flows related to that address. IPv4-Compatible IPv6 addresses are deprecated; the flow table uses IPv4-Mapped IPv6 addresses.

Conditions:
The IP::addr object has been created with the following command:

[IP::addr <addr> mask ::ffff:ffff]

Impact:
The TCP::unused_port command is unable to return an unused port.

Workaround:
Use the string representation by forcing the object to be a string, e.g.:

set ipv6_addr "fe80::250:56ff:0a1e:0101"
set ipv4_from_ipv6 [ string tolower [IP::addr $ipv6_addr mask ::ffff:ffff] ]
set free [TCP::unused_port $ipv4_from_ipv6 [TCP::local_port] 10.30.1.64 [TCP::client_port] 48000 48255]

Fix:
ID 598860-5 fixes the IP::addr command to return an IPv4-Mapped address.


629530-8 : Under certain conditions, monitors do not time out.

Solution Article: K53675033

Component: Global Traffic Manager (DNS)

Symptoms:
Some monitored resources are marked as "Unknown" when the actual status is "offline".

Conditions:
This can rarely occur when the monitor timeout period elapses when either no response has been received, or a response has been received indicating that the resource is "down" and the monitor is configured to ignore down responses. It is more likely to occur when many monitor timeout periods elapse at the same time, and the monitor timeout value is evenly divisible by the monitor's monitor interval.

Impact:
The status of the monitored resource is incorrect. This does not materially affect the operation of the system since resources marked "Unknown" will not be used.

Workaround:
Disable the affected resources, and then enable them again.

Fix:
The resource status is now correct under all monitor timeout conditions.


629421-3 : Big3d memory leak when adding/removing Wide IPs in a GTM sync pair.

Component: Global Traffic Manager (DNS)

Symptoms:
The memory consumption of Big3d will slowly increase if a lot of Wide IPs are being created or deleted.

Conditions:
Adding or removing Wide IPs on a GTM sync pair.

Impact:
A few bytes of memory will be leaked by Big3d on sync.

Workaround:
There is no workaround at this time.

Fix:
The leak has been eliminated.


629033-1 : BIG-IP should send SHA1 in supported signature hash algorithm last (clientside / Server Hello).

Component: Local Traffic Manager

Symptoms:
BIG-IP should send SHA1 in supported signature hash algorithm last (clientside / Server Hello). Instead, the BIG-IP system is sending SHA1 signature algorithms in the Server Hello first.

Conditions:
clientside / Server Hello.

Impact:
Minimal. SHA1 algorithms are listed first and they should be last.

Workaround:
None.

Fix:
The system now reorders signature hash algorithms such that SHA1 is last.


628164-1 : OSPF with multiple processes may incorrectly redistribute routes

Solution Article: K20766432

Component: TMOS

Symptoms:
When OSPF is configured with multiple processes that each redistribute a different route type, LSAs may be created in a process for a route of a type other than the one configured for redistribution into that process.

Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.

Impact:
Incorrect routing information in the network when OSPF converges.

Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.

Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.

OSPF routes are now created synchronously when the LSA database is updated. If routes are rapidly deleted and re-added, OSPF will send maxage LSAs followed by new LSAs. This is potentially a behavior change where, previously, only a single updated LSA would have been sent.


627907-4 : Improve cURL usage

Solution Article: K11464209


626360-4 : TMM may crash when processing HTTP2 traffic

Solution Article: K22541983


625824-4 : iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory

Component: TMOS

Symptoms:
iControl calls related to Management::KeyCertificate might leak memory slowly, which causes swap usage to increase continuously and might lead to exhaustion of swap space.

Conditions:
This occurs with the iControl command bigip.Management.KeyCertificate.certificate_export_to_pem.

Impact:
iControlPortal.cgi memory increases.

Workaround:
Restart httpd to reload the iControl daemon.

Fix:
Fixed a memory leak associated with iControl.


625671-1 : The diagnostic tool dnsxdump may crash with non-standard DNS RR types.

Component: Global Traffic Manager (DNS)

Symptoms:
If the dnsxdump diagnostic tool is run when the DNS Express database has a DNS resource record using a non-standard type, the process may crash providing incomplete diagnostic output.

Conditions:
Running dnsxdump with a DNS Express database containing non-standard resource record types.

Impact:
dnsxdump provides incomplete diagnostic output, stopping on the zone containing the resource record with the non-standard type.

Workaround:
This is primarily known to be caused by non-standard RR types created for WINS records. Removing the WINS records from the master nameserver allows dnsxdump to work again after the next zone transfer.

Fix:
dnsxdump handles non-standard resource record types.


625602-1 : ASM Auto-Sync Device Group Does Not Sync

Component: Application Security Manager

Symptoms:
Some messages that should be sent to peers in a device group are not successfully sent.

Conditions:
A series of create/delete ASM policies and multiple changes to the ASM sync Device Group (creation, deletion, joining devices, removing devices).

Impact:
ASM configuration does not sync properly.

Workaround:
Reconfigure the device group and restart asm_config_server using the following command:
# pkill -f asm_config_server

Fix:
Communication over the ASM Device Group now works correctly after leaving/joining Device Groups.


625376-2 : In some cases, download of PAC file by edge client may fail

Component: Access Policy Manager

Symptoms:
Edge client may fail to download PAC file and incorrectly apply proxy configuration after VPN connection.

Conditions:
- User machine proxy configuration points to a proxy auto configuration file.
- Network access proxy configuration points to a proxy auto configuration file.
- PAC file URI in either case has uppercase characters.
- PAC file is hosted on a server where resource names are case sensitive.

Impact:
PAC file download will fail and client will use incorrect proxy settings due to unavailability of PAC file.

Workaround:
Use only lowercase characters in PAC file URI.

Fix:
The Edge client can now download PAC files from URIs that contain uppercase as well as lowercase characters.


625372-1 : OpenSSL vulnerability CVE-2016-2179

Solution Article: K23512141


625198-4 : TMM might crash when TCP DSACK is enabled

Component: Local Traffic Manager

Symptoms:
TMM crashes

Conditions:
All of the below are required to see this behavior:

-- DSACK is enabled.
-- MPTCP, rate-pace, tail-loss-probe, and fast-open are disabled.
-- cmetrics-cache-timeout is set to zero; congestion control is high-speed, new-reno, reno, or scalable; AND Nagle is not set to 'auto'.
-- An iRule exists that changes any of the conditions above besides DSACK.
-- Various client packet combinations interact in certain ways with the iRule logic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change any of the conditions above.

Fix:
TCP maintains state appropriately to avoid crash.


624931 : getLopSensorData "sensor data reply too short" errors with FND300 DC PSU

Component: TMOS

Symptoms:
On a BIG-IP 2000-/4000-series or 5000-/7000-series appliance with FND300 DC power supplies running BIG-IP v11.5.4-HF2, errors similar to the following are logged every 30+ seconds:

warning chmand[8220]: 012a0004:4: getLopSensorData: LopHlprDev: sensor data reply too short, objId: 16d size: 39
warning chmand[8220]: 012a0004:4: getLopSensorData: LopHlprDev: sensor data reply too short, objId: 16e size: 39

In addition, the PSU status is reported as Not Present by the "tmsh show sys hardware" and "tmctl chassis_power_supply_status_stat" commands.

tmsh show sys hardware:

Chassis Power Supply Status
  Index Status Current
  1 not-present NA
  2 not-present NA

tmctl chassis_power_supply_status_stat:

name index status input_status output_status fan_status current_status
==============================================================================
pwr1 1 2 2 2 2 0
pwr2 2 2 2 2 2 0
Totals 3 4 4 4 4 0
------------------------------------------------------------------------------

(Where a status value of 2 == Not Present)

Conditions:
This problem occurs when all of the following conditions are true:
1. BIG-IP 2000-/4000-series or 5000-/7000-series appliance
2. One or more FND300 DC power supplies installed
3. Running BIG-IP v11.5.4-HF2

Impact:
1. Errors logged every 30+ seconds
2. PSU status is reported as Not Present

Fix:
The status of FND300 DC power supplies is reported correctly on BIG-IP 2000-/4000-series and 5000-/7000-series appliances.


624903-2 : Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.

Solution Article: K55102452


624692-1 : Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying

Component: TMOS

Symptoms:
The SSL Certificate List page displays "An error has occurred while trying to process your request.", or certificate information cannot be viewed via iControl/REST.

Conditions:
Certificate with multi-byte encoded strings.

Impact:
Unable to view certificate list page or view certificate information via iControl/REST.


624570-4 : BIND vulnerability CVE-2016-8864

Solution Article: K35322517


624457-2 : Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195

Solution Article: K10558632


624263-1 : iControl REST API sets non-default profile property to "none"; properties not present in iControl REST API response

Component: TMOS

Symptoms:
For profiles, iControl REST does not provide visibility for profile property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns elements (i.e., string, enum, or vector of enum/string properties that are explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with the value "none". The exception to this policy is secured attributes. Secured attributes are always excluded from the iControl REST API response.


624193 : Topology load balancing not working as expected

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, load balancing decisions can result in an unequal or unexpected distribution.

Conditions:
Occurs when topology load balancing is used for a wide IP and more than one pool share the highest assigned score for a particular load balancing decision.

Impact:
The resulting load balancing decisions can lead to an unequal or unexpected distribution of pool selections.

Workaround:
Topology records and pools can be configured to avoid the conditions that trigger this issue.

Fix:
A system DB variable, gtm.wideiptoporandom, has been added. When this system DB variable is assigned the value of "enable" and more than one pool shares the highest assigned score for a given load balancing decision, a random pool is selected.


623930-1 : vCMP guests with vlangroups may loop packets internally

Component: TMOS

Symptoms:
If a vlangroup is configured within a vCMP guest, under some circumstances unicast packets may be looped between the switchboard and the BIG-IP guest. This is most likely to occur when the guest is part of an HA pair.

Conditions:
vCMP guest, vlangroups.

Impact:
High CPU utilization and potentially undelivered packets.

Workaround:
Correctly configure proxy ARP excludes on the vlangroup and increase the FDB timeout by setting the vlan.fdb.timeout database key to a larger value such as 3600.

Fix:
Packets are no longer looped between vlangroup children on vCMP guests.


623119-3 : Linux kernel vulnerability CVE-2016-4470

Solution Article: K55672042


622856-2 : BIG-IP may enter SYN cookie mode later than expected

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may not enter SYN cookie mode even though the traffic pattern dictates that it should.

Conditions:
Verified accept enabled on a Virtual IP.
Large volume of traffic being processed by BIG-IP.

Impact:
BIG-IP does not enter SYN cookie mode at the expected time.

Workaround:
Disable verified accept on all VIP TCP profiles.

Fix:
BIG-IP correctly enters SYN cookie mode when the traffic pattern dictates that it should.


622662-4 : OpenSSL vulnerability CVE-2016-6306

Solution Article: K90492697


622496-3 : Linux kernel vulnerability CVE-2016-5829

Solution Article: K28056114


622178-4 : Improve flow handling when Autolasthop is disabled

Solution Article: K19361245


622166-1 : HTTP GET requests with HTTP::cookie iRule command receive no response

Solution Article: K75571433

Component: Local Traffic Manager

Symptoms:
HTTP GET requests to virtual servers using the command "HTTP::cookie <name> <value>" in HTTP_REQUEST iRule event handlers do not get a response.

Conditions:
An LTM virtual server with an iRule including the HTTP::cookie command.

Impact:
No response is received by the client.

Workaround:
None.

Fix:
HTTP GET requests to virtual servers using the command "HTTP::cookie <name> <value>" in HTTP_REQUEST iRule event handlers now get a response as expected.


621935-4 : OpenSSL vulnerability CVE-2016-6304

Solution Article: K54211024


621465 : The minimum IP packet fragment size is now 1 and not 24

Component: Local Traffic Manager

Symptoms:
The minimum IP packet fragment size, set via the DB variable [TM.MinIPfragSize], is 24, which causes problems if you need to use smaller fragments in your network.

Conditions:
You are trying to configure TM.MinIPfragSize and need it to be set to a value smaller than 24.

Impact:
You are unable to configure fragment sizes smaller than 24 in your network.

Workaround:
NA

Fix:
Changed DB Var [TM.MinIPfragSize] minimum value from 24 to 1.


621452-4 : Connections can stall with TCP::collect iRule

Solution Article: K58146172

Component: Local Traffic Manager

Symptoms:
Connection does not complete.

Conditions:
-- A TCP::collect command is in use.
-- The first packet received after the SYN carries data.
-- The initial sequence number in the SYN, plus the length of the data in the first packet, plus 1, is greater than or equal to 2^31.

Note: APM VDI profiles internally use TCP::collect, so virtual servers with VDI profiles may be affected as well.

Impact:
-- Connection fails.
-- This issue can also cause the Configuration Utility's Device Management :: Overview page to stop responding.

Workaround:
There is no workaround at this time.

Fix:
The system now properly sets state variables associated with TCP::collect, so this issue no longer occurs.


621417-2 : sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS.

Component: TMOS

Symptoms:
On a BIG-IP deployed in the AWS cloud, sys-icheck reports size and md5 errors for the /usr/share/defaults/BIG-IP_base.conf file as follows:

ERROR: S.5...... c /usr/share/defaults/BIG-IP_base.conf (no backup)

Conditions:
BIG-IP deployed in AWS cloud.

Impact:
sys-icheck reports "rpm --verify" size and md5 errors for /usr/share/defaults/BIG-IP_base.conf. This has no functional impact on the product, but it looks as though the factory configuration file was modified incorrectly by a user or application.

Workaround:
No workaround exists for this issue.

Fix:
sys-icheck no longer reports errors for /usr/share/defaults/BIG-IP_base.conf in AWS.


621337-4 : XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469

Solution Article: K97285349


621314-1 : SCTP virtual server with mirroring may cause excessive memory use on standby device

Solution Article: K55358710

Component: TMOS

Symptoms:
If an SCTP virtual server has high availability (HA) mirroring enabled, the send buffer on the standby may have extremely high memory usage until the connections close.

Conditions:
SCTP virtual server has mirroring enabled.

Impact:
TMMs will have high memory usage on the standby device.

Workaround:
Disable mirroring on the SCTP virtual server.

Fix:
SCTP virtual server with mirroring no longer causes excessive memory use on standby device.


621273-5 : DSR tunnels with transparent monitors may cause TMM crash.

Component: TMOS

Symptoms:
The TMM may crash if the BIG-IP system is configured with a DSR tunnel with a transparent monitor.

Conditions:
The BIG-IP system is configured with a DSR tunnel with a transparent monitor and the DB variable tm.monitorencap is set to "enable".

Impact:
Traffic disrupted while tmm restarts.

Fix:
The TMM does not crash.


621242-2 : Reserve enough space in the image for future upgrades.

Component: TMOS

Symptoms:
Increased the reserved free space in the VM image from 15% to 30% to accommodate upgrades to future versions. Each successive version tends to be bigger and requires more disk space to install. The increased reserved space will allow upgrading to at least the next two versions.

Conditions:
VE in local hypervisors and VE in the Cloud (AWS, Azure).

Impact:
Extends the disk image to reserve more disk space for upgrades.

Workaround:
N/A

Fix:
Increased the reserved free space on VE images.


620829-5 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly

Solution Article: K34213161

Component: Access Policy Manager

Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.

Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:

var a = { default: 1, continue: 2 };

Impact:
JavaScript code is not rewritten and may not work correctly.

Workaround:
None.

Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.


620712 : Added better search capabilities on the Pool Members Manage & Pool Create page.

Component: Global Traffic Manager (DNS)

Symptoms:
Large numbers of virtual servers were hard to manage on the GSLB Pool Member Manage page.

Conditions:
Having a large number of virtual servers/wide IPs.

Impact:
Poor usability.

Workaround:
No workaround.

Fix:
The GSLB Pool Member Manage page now has a new search feature in the form of a combo box to allow for better management of large numbers of virtual servers.

Behavior Change:
The GSLB Pool Member Manage page now has the new search feature to allow for better management of large numbers of virtual servers.


620659-1 : The BIG-IP system may unnecessarily run provisioning on successive reboots

Component: TMOS

Symptoms:
After the first boot, the system runs provisioning and boots successfully, but a file, /mprov_firstboot, is left on the system. This will appear in /var/log/ltm:
  info mprov:4614:: ''provision.initialized' indicates force TMOS only provisioning - forcing.'

During a subsequent boot, provisioning will run again, potentially unnecessarily, due to the existence of this file. The following will appear in /var/log/ltm during the second boot:
  info mprov:4609:: 'Existence of file '/mprov_firstboot' indicates force TMOS only provisioning - forcing.'

Conditions:
The memory size of the host changes and there is some other need for reprovisioning (for example a new configuration load).

Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.

The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
  <13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB

The /var/log/tmm logfile on the vCMP guest will contain:
  <13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
  <13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
  <13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **

Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.

Fix:
The BIG-IP software now always removes the /mprov_firstboot file when the system is reprovisioned.


620215-2 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.

Fix:
The failure to allocate memory is now handled properly.


619849-1 : In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGABRT (killed by sod)

Conditions:
TCP (full proxy) virtual servers with verified-accept enabled in the TCP profiles, that must be handling traffic.

This issue occurs extremely rarely.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Disable verified accept.

Fix:
The loop is fixed.


619757-4 : iSession causes routing entry to be prematurely freed

Component: Wan Optimization Manager

Symptoms:
iSession may cause TMM to prematurely free a routing entry resulting in memory corruption and TMM restarting.

Conditions:
iSession-enabled virtual.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
No reasonable workaround short of not using iSession functionality.

Fix:
iSession no longer causes routing entries to be prematurely freed.


619398-3 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.

Fix:
The failure to allocate memory is now handled properly.


619071-1 : OneConnect with verified accept issues

Component: Local Traffic Manager

Symptoms:
System may experience an outage.

Conditions:
Verified Accept enabled in TCP profile
hardware syncookies enabled
OneConnect profile on VIP
Syncookie threshold crossed

Impact:
System outage.

Workaround:
Disable verified accept when used with OneConnect on a VIP.

Fix:
Verified accept, OneConnect and hardware syncookies work correctly together.


618905-2 : tmm core while installing Safenet 6.2 client

Component: Local Traffic Manager

Symptoms:
tmm core while installing Safenet 6.2 client.

Conditions:
Safenet 6.2 client installation

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm core related to Safenet 6.2 client installation.


618324-3 : Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor

Component: Access Policy Manager

Symptoms:
After upgrading from OPSWAT SDK V3 to V4, if one of the OPSWAT checkers in an Access Policy (e.g., the Anti-Virus checker) contains an undefined ID (i.e., previously defined but no longer supported), opening the policy in the VPE displays it as "Any." The correct display should be "Unsupported" or "Invalid" product.

Conditions:
An Access Policy contains an OPSWAT checker with an undefined (out-of-support) product ID after upgrading from OPSWAT SDK V3 to V4.

Impact:
Incorrect information is displayed.

Workaround:
N/A

Fix:
The correct information (*** Invalid ***) is now displayed.


618261-4 : OpenSSL vulnerability CVE-2016-2182

Solution Article: K01276005


618258-4 : OpenSSL vulnerability CVE-2016-2182

Solution Article: K01276005


618024-4 : Software-switched platforms accept traffic on LACP trunks even when the trunk is down

Component: Local Traffic Manager

Symptoms:
On software-switched platforms, tmm-owned LACP trunks still accept traffic even though the trunk is down from the control plane (LACP status down).

Conditions:
LACP trunk with status down

Impact:
VLAN failsafe timers are erroneously reset, so VLAN failsafe is broken.

Workaround:
No workaround.

Fix:
tmm now checks the link status on tmm-owned LACP trunks before accepting traffic.


617901-4 : GUI to handle file path manipulation to prevent GUI instability.

Solution Article: K00363258


617862-3 : Fastl4 handshake timeout is absolute instead of relative

Component: Local Traffic Manager

Symptoms:
TCP connections that are pending completion of the three-way handshake are expired based on the absolute value of handshake timeout. For example, if handshake timeout is 5 seconds, then the connection is reset after 5 seconds of receiving the initial SYN from the client.

Conditions:
A TCP connection in three-way handshake.

Impact:
Connections are expired prematurely if they are still in three-way handshake.

Workaround:
Disable handshake timeout.

Impact of workaround: Your TCP handshake will not prematurely time out, and connections remain open until the Idle Timeout expires.

Fix:
The handshake timeout now expires based on idleness of the connection, taking into account any SYN retransmissions, etc., that might occur.


617824-1 : "SSL::disable/enable serverside" + oneconnect reuse is broken

Component: Local Traffic Manager

Symptoms:
If "SSL::disable/enable serverside" is configured in an iRule and oneConnect is configured in the iRule or in the Virtual Server profile, BIG-IP may not receive the backend server's HTTP response for every client's HTTP Request.

Conditions:
1. "SSL::disable/enable serverside" exists in the iRule.
2. OneConnect is configured in the iRule or in the VS profile.
3. The iRule and OneConnect profile are applied to the VS.

Impact:
The oneConnect behavior is unexpected, and may not get the backend Server's HTTP response for every client's HTTP Request.

Workaround:
You can work around the problem by disabling oneConnect.


617628-3 : SNMP reports incorrect value for sysBladeTempTemperature OID

Component: TMOS

Symptoms:
SNMP reports incorrect value for sysBladeTempTemperature OID, while TMSH reports the corresponding value correctly.

# snmpwalk -v2c -c public localhost .1.3.6.1.4.1.3375.2.1.3.2.4.2.1.2.8.1
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245

# tmsh show sys hardware

Sys::Hardware
Blade Temperature Status
  Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
...
  1 8 0 -48 0 Blade CPU #1 TControl Delta tem
...

The negative "Blade CPU #1 TControl Delta" temperature is being incorrectly reported as a large positive temperature by SNMP.

Impact:
A negative temperature may be incorrectly reported by SNMP as an impossibly high positive value.

Workaround:
Use tmsh show sys hardware to view blade temperatures. Negative temperatures are properly reported.

config # tmsh show /sys hardware
Sys::Hardware
Blade Temperature Status
  Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
  1 1 0 19 49 Blade air outlet temperature 1
  1 2 0 14 41 Blade air inlet temperature 1
  1 3 0 21 57 Blade air outlet temperature 2
  1 4 0 16 41 Blade air inlet temperature 2
  1 5 0 25 60 Mezzanine air outlet temperatur
  1 6 0 27 72 Mezzanine HSB temperature 1
  1 7 0 17 63 Blade PECI-Bridge local tempera
  1 8 0 -48 0 Blade CPU #1 TControl Delta tem
  1 9 0 25 68 Mezzanine BCM56846 proximity te
  1 10 0 22 69 Mezzanine BCM5718 proximity tem
  1 11 0 19 57 Mezzanine Nitrox3 proximity tem
  1 12 0 16 46 Mezzanine SHT21 Temperature


617273-4 : Expat XML library vulnerability CVE-2016-5300

Solution Article: K70938105


616864-4 : BIND vulnerability CVE-2016-2776

Solution Article: K18829561


616772-3 : CVE-2014-3568 : OpenSSL Vulnerability (Oracle Access Manager)

Solution Article: K15724


616765-3 : CVE-2013-6449 : OpenSSL Vulnerability (Oracle Access Manager)

Solution Article: K15147


616498-3 : CVE-2009-3245 : OpenSSL Vulnerability (Oracle Access Manager)

Solution Article: K15404


616491-3 : CVE-2006-3738 : OpenSSL Vulnerability (Oracle Access Manager)

Solution Article: K6734


616382 : OpenSSL Vulnerability (TMM)

Solution Article: K93122894


616242-1 : basic_string::compare error in encrypted SSL key file if the first line of the file is blank

Solution Article: K39944245

Component: TMOS

Symptoms:
Trying to load a configuration that references an encrypted SSL key file may fail if the first line of the SSL key file is blank. When this occurs, the system will report a vague error message:

    01070711:3: basic_string::compare

If this happens during an upgrade, the system will not load the configuration under the new software version, and will remain inoperative.

Conditions:
This can occur if an affected configuration is present on a system running BIG-IP v11.3.0 or earlier, and is upgraded to BIG-IP v11.4.0 through v12.1.1.

Impact:
Configuration fails to load on upgrade with extremely unhelpful error message, and absolutely no indication as to what file was being processed at the time (or that this relates to a filestore file).

Workaround:
Remove the newlines at the beginning of any SSL key files that begin with a newline. During an upgrade scenario, edit the files in the filestore.


616215-1 : TMM can core when using LB::detach and TCP::notify commands in an iRule

Component: Local Traffic Manager

Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.

Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.

Fix:
TMM no longer cores in this instance.


616169-1 : ASM Policy Export returns HTML error file

Component: Application Security Manager

Symptoms:
When attempting to export an ASM Policy the resulting file contains an HTML error page.

Conditions:
It is not known what triggers this condition.

Impact:
Unable to export ASM Policies.

Workaround:
Delete all files in /ts/dms/policy/upload_files/. All files are transient and can safely be deleted.

Fix:
Permissions are now explicitly set on exported ASM Policies so the GUI PHP process can successfully download it.


615934 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.

Conditions:
If there is an existing key/certificate, and the key/certificate management iControl functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.

Impact:
Key/certificate overwrite using iControl operations might fail.

Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.


615695 : Fixes to bd and iprepd components not included in BIG-IP v11.5.4-HF2

Component: Application Security Manager

Symptoms:
The following bugs were documented as fixed in BIG-IP v11.5.4-HF2:

ID 531809: FTP/SMTP traffic related bd crash
ID 559541: ICAP anti virus tests are not initiated on XML with when should
ID 562775: Memory leak in iprepd

However, the packages containing these fixes were not actually included in the BIG-IP v11.5.4-HF2 ISO.
Therefore, these bugs are not actually fixed in BIG-IP v11.5.4-HF2.

Conditions:
BIG-IP v11.5.4-HF2

Impact:
Referenced bugs are not actually fixed in BIG-IP v11.5.4-HF2.

Fix:
[BIG-IP v11.5.4 Hotfix Rollup containing this fix] includes the packages which contain the fixes for the following bugs:

ID 531809: FTP/SMTP traffic related bd crash
ID 559541: ICAP anti virus tests are not initiated on XML with when should
ID 562775: Memory leak in iprepd


615187 : Missing hyperlink to GSLB virtual servers and servers on the pool member page.

Component: Global Traffic Manager (DNS)

Symptoms:
Hyperlinks to GSLB virtual servers and servers on the pool member page were removed in 11.x.

Conditions:
Have a GSLB pool with pool members set up.

Impact:
You must manually take note of the member's virtual server or server.

Workaround:
Manually take note of the virtual server or server and search for it.

Fix:
Added hyperlinks to GSLB virtual servers and servers on the pool member page.


614865 : Overwrite flag in the iControl key/certificate_import_from_pem functions is ignored and might result in errors.

Component: TMOS

Symptoms:
The overwrite flag in the iControl key/certificate_import_from_pem functions is ignored and might result in errors.

Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()

Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.

Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.

Workaround:
There are two workarounds:
- Delete and import the key/certificate using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.

- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.

Fix:
The overwrite flag in the iControl key/certificate_import_from_pem_v2() functions is now processed correctly and no longer produces errors.


614675 : GUI or iControl SOAP API call 'LocalLB::ProfileClientSSL::create_v2' creates invalid profile

Component: TMOS

Symptoms:
1. Using the GUI or an iControl SOAP call can create an invalid client SSL profile containing an empty cert-key-chain. This might occur after following these steps:
 -- Create new client-ssl cert from the GUI (the web-based UI).
 -- Check 'Custom' in 'Certificate Key Chain', but do not add anything.
 -- Click Finished. The system creates the following:

        ltm profile client-ssl /Common/cssl {
            app-service none
            cert none
            cert-key-chain {
                "" { }
                defualt_rsa_ckc { <=== a typo "defualt"
                    cert /Common/default.crt
                    key /Common/default.key
                }
            }
            <snip>
        }

2. Using the iControl function 'LocalLB::ProfileClientSSL::create_v2' creates a profile with two cert-key-chain objects containing identical cert and key values, but with different names:

      ltm profile client-ssl my_prof {
          app-service none
          cert mycert.crt
          cert-key-chain {
              "" {
                  cert mycert.crt
                  key mycert.key
              }
              defualt_rsa_ckc { <=== a typo "defualt"
                  cert mycert.crt
                  key mycert.key
              }
          }
          chain none
          inherit-certkeychain false
          key mycert.key
          passphrase none
      }

Conditions:
Creating client SSL profiles using the GUI or the iControl function create_v2().

Impact:
Cannot add the invalid client SSL profile to a virtual server.

Workaround:
Remove the invalid client SSL profile and re-create the profile using TMSH or the GUI.

Fix:
GUI or iControl SOAP API call 'LocalLB::ProfileClientSSL::create_v2' no longer creates an invalid profile when creating client SSL profiles using the iControl function create_v2(). In addition, 'defualt' has been changed to 'default', as expected.


614441-1 : False Positive for illegal method (GET)

Solution Article: K04950182

Component: Application Security Manager

Symptoms:
False Positive for illegal method (GET) and errors in BD log on Apply Policy:
----
ECARD|ERR |Sep 04 07:38:47.992|23835|table.h:0287|KEY_REMOVE: Failed to REMOVE data
----

Conditions:
This was seen after upgrade and/or failover.

Impact:
-- False positives.
-- BD has the incorrect security configuration.

Workaround:
Run the following command: restart asm.


614147-4 : SOCKS proxy defect resolution

Solution Article: K02692210


614097-4 : HTTP Explicit proxy defect resolution

Solution Article: K02692210


613613 : Incorrect handling of form that contains a tag with id=action

Component: Access Policy Manager

Symptoms:
In some cases, a form with an absolute path in the action is handled incorrectly in Internet Explorer (IE) versions 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.

Conditions:
This issue occurs under these conditions:
-- HTML Form with absolute action path.
-- A tag with id=action inside this form.
-- A submit button in the form.
-- IE versions 7 through 9.

Impact:
The web application cannot work as expected.

Workaround:
This issue has no workaround at this time.

Fix:
Forms with absolute action paths and tag with id=action inside are handled correctly.


613576-9 : QOS load balancing links display as gray

Component: Global Traffic Manager (DNS)

Symptoms:
All links in all data centers appear gray. After this patch, all links appear green and load balancing to the first available link in each pool is restored.

Conditions:
This bug affects only devices licensed after 9/1/2016 that contain the gtm_lc: disabled field.

Impact:
Any GTM/LC devices licensed after 9/1/2016 and using links as part of their configuration will have the links reported as gray.

Workaround:
Remove all links from the configuration or install this hotfix.


613524-1 : TMM crash when call HTTP::respond twice in LB_FAILED

Component: Local Traffic Manager

Symptoms:
TMM core-dumps when these conditions are met:
- LB_FAILED event.
- The iRule must use a "delay" (parked) statement together with two HTTP::respond statements.

Conditions:
- The LB_FAILED event must be triggered by a good IP address and a bad port so that the serverside connflow is established. You will not see this bug if no pool member is used or an invalid IP address is used.
- The iRule must use a "delay" (parked) statement. The delay together with the HTTP response creates the right timing for the clientside connflow to go away while the proxy is pushing the Abort event down to both the clientside and the serverside.

Impact:
Traffic disrupted while tmm restarts.

Fix:
This fix rectifies the problem.


613369-5 : Half-Open TCP Connections Not Discoverable

Component: Local Traffic Manager

Symptoms:
New TCP connection requests are reset after a specific sequence of TCP packets.

Conditions:
A TCP connection in half-open state.

Impact:
Half-open TCP connections are not discoverable.

Fix:
Properly acknowledge half-open TCP connections.


613225-4 : OpenSSL vulnerability CVE-2016-6306

Solution Article: K90492697


613127-5 : Linux TCP Stack vulnerability CVE-2016-5696

Solution Article: K46514822


612721 : FIPS: .exp keys cannot be imported when the local source directory contains .key file

Component: TMOS

Symptoms:
*.exp exported FIPS keys cannot be imported from local directory when the directory contains any file named *.key with matching name. For example, if the directory /shared/abc/ contains an exported FIPS key named xyz.exp and another file named xyz.key, the user will fail to import xyz.exp as a FIPS key into the system.

Conditions:
When the local source directory of the exported FIPS key (xyz.exp) also contains a file with matching name (xyz.key).

Impact:
Unable to import the FIPS key.

Workaround:
Remove the same name *.key file from the local directory before importing the FIPS exported key *.exp.


612419-3 : APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))

Component: Access Policy Manager

Symptoms:
When there are multiple network access resources, and users switch between them within the same connection, a small memory leak happens.

Conditions:
Network access; full webtop, multiple Network Access resources.

Impact:
Memory usage increases over time.

Workaround:
There is no workaround. It is a relatively slow leak though. In the case where it was observed, the leak was about 130MB per month.

Fix:
Fixed a memory leak related to network access.


612128-2 : OpenSSH vulnerability CVE-2016-6515

Solution Article: K31510510


611830 : TMM may crash when processing TCP traffic

Solution Article: K13053402


611704-1 : tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event

Component: Local Traffic Manager

Symptoms:
A tmm crash was discovered during internal testing.

Conditions:
HTTPS virtual server configured with an iRule that uses TCP::close in the CLIENTSSL_CLIENTCERT iRule event.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to TCP::close in CLIENTSSL_CLIENTCERT


611469-6 : Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector

Solution Article: K95444512


611278-1 : Connections to a BIG-IP system's Self-IP address may fail when the VLAN cmp-hash is altered

Component: Local Traffic Manager

Symptoms:
On a BIG-IP system belonging to a Sync or Sync-Failover Device Group, you encounter intermittent Device Group errors during normal operation. This can include the device status flipping from Offline to In Sync, or actual sync errors on a manual or automatic config sync. You may also see iQuery errors in the logs of BIG-IP GTM systems.

Conditions:
This issue is known to occur on BIG-IP systems belonging to a Sync or Sync-Failover Device Group where the config sync VLAN cmp-hash mode is set to something other than default.

Impact:
Intermittent sync status or occasional config sync failures.

Workaround:
Ensure that the config sync IP is on a VLAN that has the cmp-hash mode set to default.


610609-4 : Total connections in bigtop, SNMP are incorrect

Component: Local Traffic Manager

Symptoms:
While looking at total connections for the active BIG-IP using bigtop or SNMP, the connections are reported too high. For example, if you send a single connection through the BIG-IP, it is reported as 2 connections. Meanwhile, the standby device with mirroring configured accurately shows the number of connections.

Conditions:
This occurs on PVA-enabled hardware platforms.

Impact:
The total connection count statistic is incorrect.


610582-8 : Device Guard prevents Edge Client connections

Component: Access Policy Manager

Symptoms:
When Device Guard is enabled, BIG-IP Edge Client cannot establish a VPN connection.

Conditions:
-- Clients running Windows 10.
-- Device Guard enabled.
-- Attempting to connect using the Edge client.

Impact:
Clients are unable to establish a VPN connection.

Workaround:
As a workaround, have the affected Edge Client users disable Device Guard.

Note: Previously, Device Guard was disabled by default. Starting with the Windows 10 Creators Update, however, Device Guard is enabled by default.

Fix:
The F5 VPN Driver is recertified and is now compliant with Microsoft Device Guard, so that Edge Client users can now establish a VPN connection as expected.


610429-2 : X509::cert_fields iRule command may leak memory with subpubkey argument

Component: Local Traffic Manager

Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.

Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.

Example/signature to look for:
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        } else {
            HTTP::respond 200 content "no client cert (WRONG!)"
        }
    }
}

Impact:
Memory will leak, eventually impacting the operation of tmm.

Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields.


610417-4 : Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.

Solution Article: K54511423

Component: TMOS

Symptoms:
When adding a device to the trust, the SSL connection can use insecure ciphers. It also uses the undesirable TLSv1 protocol instead of negotiating the highest and safest protocol available, which is TLSv1.2.

If the peer device is configured to use TLSv1.1 or TLSv1.2 only, device trust will not be established.

Conditions:
This exists when configuring devices in a device cluster.

Impact:
Unable to configure stronger ciphers for device trust.

If the peer device is modified to not use TLSv1.0, it is impossible to establish Device Trust.

Workaround:
None.

Fix:
Advertised client ciphers reduced to what the common criteria compliance standard approves.
Changed the initial OpenSSL call to use the correct one to negotiate to the highest available TLS protocol (1.2).


610354-3 : TMM crash on invalid memory access to loopback interface stats object

Component: TMOS

Symptoms:
TMM can crash with segmentation fault when TMM drops packets on its internal loopback interface. TMM needs to update interface stats associated with the loopback interface when dropping packets on that interface. The interface stats object for loopback interface is not allocated yet. That results in segmentation fault.

Conditions:
TMM drops packets on its internal loopback interfaces.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No Workaround.


610255-3 : CMI improvement

Solution Article: K62279530


610243-1 : HTML5 access fails for Citrix Storefront integration mode with gateway pass through authentication

Component: Access Policy Manager

Symptoms:
The HTML5 client cannot be used to access the published applications or desktops.
HTML5 client access returns a blank/black screen and displays "Can not connect to the server".

Conditions:
APM is configured in Citrix Storefront integration mode, and HTML5 client access is enabled in Storefront.

Impact:
The HTML5 client cannot be used to access the published resources.

Workaround:
None

Fix:
HTML5 client can be used to access the published resources.


610180-5 : Misconfigured SAML Single Logout can cause a minor memory leak in SSO plugin.

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as a SAML SP, and SLO is not properly configured on the associated saml-idp-connector objects, IdP-initiated SAML SLO may result in a memory leak in the SSO plugin.

Conditions:
- BIG-IP is used as SP.
- Associated saml-idp-connector object has 'single-logout-uri' property configured, but 'single-logout-response-uri' property is empty.
- User performs IdP initiated SAML SLO

Impact:
SSO plugin leaks memory.

Workaround:
There are two possible workarounds:
- Fix misconfiguration: Configure SLO correctly by adding value to 'single-logout-response-uri' property of IdP connector object.
- Disable SLO by removing the 'single-logout-uri' property of the IdP connector object.

Fix:
When fixed, memory will no longer leak in SSO plugin even when SLO is misconfigured.


610138-5 : STARTTLS in SMTPS filter does not properly restrict I/O buffering

Solution Article: K23284054

Component: Local Traffic Manager

Symptoms:
Commands following STARTTLS in a group are accepted and processed after TLS is in place.

Conditions:
SMTPS profile in use.

Impact:
SMTPS filter will improperly process commands after STARTTLS.

Workaround:
None.

Fix:
Commands in a group after STARTTLS are dropped. This is correct behavior.
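As an added illustration of the buffering rule this fix describes (not BIG-IP or F5 code), the following model SMTP filter splits received chunks into commands and, on STARTTLS, discards whatever plaintext was already buffered after it instead of processing it once TLS is in place; the `drop_after_starttls=False` path reproduces the pre-fix behaviour. The command names and the sample chunks are constructed for the example.

```python
"""Model of an SMTP command filter handling STARTTLS I/O buffering.

Added example, not BIG-IP code.  A client may deliver several CRLF-
terminated commands in one TCP segment.  If STARTTLS is one of them,
every byte after it arrived in plaintext and must not be treated as a
command received over the TLS session.  Chunks that arrive after the
STARTTLS chunk are assumed here to be post-handshake (TLS) data.
"""
from typing import List, Tuple


def process_smtp_chunks(chunks: List[bytes],
                        drop_after_starttls: bool = True) -> Tuple[List[str], List[bytes]]:
    """Feed received chunks through the filter.

    Returns (accepted_commands, dropped_plaintext):
      accepted_commands  - commands the filter passed on, in order
      dropped_plaintext  - raw bytes discarded because they followed
                           STARTTLS in the same plaintext buffer
    With drop_after_starttls=False the buffered commands are replayed,
    which is the defect the fix removes.
    """
    buf = b""
    accepted: List[str] = []
    dropped: List[bytes] = []
    tls_active = False

    for chunk in chunks:
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            cmd = line.strip().decode("ascii", "replace")
            if not cmd:
                continue
            accepted.append(cmd)
            if cmd.upper() == "STARTTLS" and not tls_active:
                tls_active = True
                if drop_after_starttls and buf:
                    # Anything still buffered was sent in the clear,
                    # before the handshake: discard it.
                    dropped.append(buf)
                    buf = b""
                # A real filter would now start the TLS handshake; later
                # chunks in this model are treated as TLS-protected input.
    return accepted, dropped


# Constructed sample: one segment carrying EHLO, STARTTLS and a trailing
# plaintext command, followed by a second (post-handshake) segment.
SAMPLE_CHUNKS = [
    b"EHLO client.example\r\nSTARTTLS\r\nMAIL FROM:<a@example>\r\n",
    b"RCPT TO:<b@example>\r\n",
]

if __name__ == "__main__":
    fixed_accepted, fixed_dropped = process_smtp_chunks(SAMPLE_CHUNKS)
    print("fixed behaviour :", fixed_accepted, fixed_dropped)
    old_accepted, old_dropped = process_smtp_chunks(SAMPLE_CHUNKS, False)
    print("pre-fix behaviour:", old_accepted, old_dropped)
```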


609691-5 : GnuPG vulnerability CVE-2014-4617

Solution Article: K21284031


608551-2 : Half-closed congested SSL connections with unclean shutdown might stall.

Component: Local Traffic Manager

Symptoms:
Half-closed congested SSL connections with unclean shutdown might stall.

Conditions:
If SSL egress is congested and the client FINs with no Close Notify, connection might stall as SSL does not request more egress data from HTTP.

Impact:
Possible stalled flow.

Workaround:
Use SSL client that sends clean shutdown.

Fix:
Resolved half-closed congested SSL connections with unclean shutdown, so connections no longer stall.


608320-2 : iControl REST API sets persistence profile's non-default property value as "none"; properties missing in iControl REST API response

Component: TMOS

Symptoms:
For persistence profiles, iControl REST does not provide visibility for property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API with persistence profiles.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for persistence profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns persistence profile elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exception to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.


608024-2 : Unnecessary DTLS retransmissions occur during handshake.

Component: Local Traffic Manager

Symptoms:
Unnecessary DTLS retransmissions occur during handshake.

Conditions:
During a DTLS handshake, unnecessary retransmissions of handshake messages may occur on VE platforms.

Impact:
Possible DTLS handshake failure on VE platform.

Workaround:
None.

Fix:
This release fixes a possible failed DTLS handshake on VE platforms.


607304-1 : TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Component: Local Traffic Manager

Symptoms:
TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Conditions:
This can occur under normal operation, while running the geo_update command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Running the geo_update command no longer causes this error.


606710-5 : Mozilla NSS vulnerability CVE-2016-2834

Solution Article: K15479471


606575-2 : Request-oriented OneConnect load balancing ends when the server returns an error status code.

Component: Local Traffic Manager

Symptoms:
Request-oriented OneConnect load balancing ends when the server returns an error status code.

Conditions:
OneConnect is enabled and the server responds with an HTTP error status code.

Impact:
The client remains connected to the server, and no further load-balancing decisions are made.

Workaround:
It may be possible to detect the HTTP status code in the response, and manually detach the client-side.

To do so, use an iRule similar to the following:

when HTTP_RESPONSE {
    if { [HTTP::status] == 200 } { return }
    if { [HTTP::status] == 401 } {
        set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
        if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
            # Connection-oriented auth. System should already be doing the right thing
            unset auth_header
            return
        }

        unset auth_header
    }

    catch { ONECONNECT::detach enable }
}

Note: This workaround should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).

Fix:
With OneConnect, the client-side remains detachable when the server-side returns an HTTP error status code.


605865-1 : Debug TMM produces core on certain ICMP PMTUD packets

Component: Local Traffic Manager

Symptoms:
The debug TMM will produce a core on the assert "cwnd or ssthresh too low" when receiving an ICMP PMTUD packet with an MTU larger than the current MTU. This does not affect the default TMM.

Conditions:
While using the debug TMM, an ICMP PMTUD packet is received with an MTU larger than the current MTU.

Impact:
Debug TMM crashes on assert "cwnd or ssthresh too low." Traffic disrupted while tmm restarts.

Workaround:
Block incoming ICMP PMTUD packets. Note that this will cause Path MTU Discovery to fail, and IP packets sent by the BIG-IP system with the Don't Fragment (DF) bit set may be dropped silently if the MTUs of the devices on the path are configured incorrectly.

Fix:
The system now always updates TCP MSS after an ICMP PMTUD packet, so there is no debug TMM core.


605661-1 : Update TZ data

Component: TMOS

Symptoms:
Prior to this update, the data files provided by the tzdata package reflected the Egyptian government's plan to transition to daylight saving time (DST) on July 7, but the Egyptian government canceled the planned transition. This update provides tzdata data files that reflect the change of plans, and will thus provide correct time zone information.

This update also includes a time zone transition for Asia/Novosibirsk from +06 to +07 on 2016-07-24 at 02:00.

Conditions:
Egyptian or Asia/Novosibirsk time zone active.

Impact:
Timezone calculations do not reflect current standards.

Fix:
Timezone data files updated to reflect current standards.


605579-9 : iControl-SOAP expat client library is subjected to entropy attack

Solution Article: K65460334


605476 : statsd can core when reading corrupt stats files.

Component: TMOS

Symptoms:
-- The istatsd process produces a core file in the /shared/core directory.

Conditions:
This issue occurs when the following condition is met:

The istatsd process attempts to read a corrupt iStats segment file with duplicate FIDs.

Under these conditions, the istatsd process continually consumes memory, which produces a core and causes the istatsd process to restart.

Impact:
iStatsd process will restart due to resource exhaustion.

Workaround:
To work around this issue, you can remove the iStats files and restart the istatsd processes. To do so, perform the following procedure:

Impact of workaround: This workaround will cause all statistics in the iStats files to reset.

1. Log in to the BIG-IP command line.
2. To stop the istatsd and related processes, type the following command:
tmsh stop sys service istatsd avrd merged

3. To delete the iStats files, type the following command:
find /var/tmstat2/ -depth -type f -delete

4. To start the istatsd and related processes, type the following command:
tmsh start sys service istatsd avrd merged

Fix:
Added a fix to protect against continually reading a segment file that is corrupted and has duplicate FIDs.


605270-3 : On some platforms the SYN-Cookie status report is not accurate

Component: TMOS

Symptoms:
On a vCMP guest, after an ePVA-enabled virtual server enters SYN Cookie mode, the FPGA never leaves SYN Cookie mode even though BIG-IP has returned to normal mode.

Conditions:
This occurs intermittently on virtual servers with ePVA enabled on a vCMP instance where SYN Protection is triggered.

Impact:
Since this occurs very intermittently, the entire impact is not known. Initially this is an incorrect SYN Cookie status reporting issue for LTM Virtual statistics, but it is possible that if SYN Cookie mode is triggered again, hardware SYN might not be enabled properly.

Workaround:
Upgrade with new fixes for this.

Fix:
BIG-IP FPGAs now correctly report hardware SYN Cookie mode.


605039-1 : lwresd and bind vulnerability CVE-2016-2775

Solution Article: K92991044


604977-4 : Wrong alert when DTLS cookie size is 32

Solution Article: K08905542

Component: Local Traffic Manager

Symptoms:
When a ServerSSL profile using DTLS receives a cookie with a length of 32 bytes, the system reports a fatal alert.

Conditions:
Another LTM with a ClientSSL profile issues a 32-byte cookie.

Impact:
DTLS with a 32-byte cookie fails.

Workaround:
None.

Fix:
DTLS now accepts cookies with a length of 32 bytes.


604880-1 : tmm assert "valid pcb" in tcp.c

Component: Local Traffic Manager

Symptoms:
tmm panic tcp.c:2435: Assertion "valid pcb" failed

Conditions:
Unknown.

Impact:
Traffic disrupted while tmm restarts.


604767-6 : Importing SAML IdP's metadata on BIG-IP as SP may result in incomplete configuration of IdP connector object.

Component: Access Policy Manager

Symptoms:
When importing SAML IdP's metadata, certificate object might not be assigned as 'idp-certificate' value of saml-idp-connector object.

Conditions:
BIG-IP is used as SAML SP.

Impact:
The described behavior results in a misconfiguration. SAML WebSSO subsequently fails.

Workaround:
Manually assign the imported certificate as the 'idp-certificate' value of the saml-idp-connector object.


604496-1 : SQL (Oracle) monitor daemon might hang.

Component: Local Traffic Manager

Symptoms:
SQL (Oracle) monitor daemon might hang under high monitoring load (hundreds of monitors). The DBDaemon debug log contains messages indicating that hung connections are being aborted and that the address is in use, unable to connect.

Conditions:
High number of SQL (Oracle, MSSQL, MySQL, PostgreSQL) monitors. Slow SQL responses might make the condition worse.

Impact:
Flapping pool members connected to SQL monitors. Frequent aborts and restarts of SQL monitor daemon.

Workaround:
You can mitigate this issue in the following ways:
-- Reduce number of monitored pool members.
-- Reduce the monitor frequency (increase the monitor interval).
-- Split monitors among multiple devices.
-- Run monitors on bladed systems.

Fix:
This release fixes the address-in-use issue, and contains multiple monitor improvements to handle aborts and restarts of the SQL monitor daemon as well so that the system handles hung connections without aborting.


604442-3 : iControl log

Solution Article: K12685114


604272-3 : SMTPS profile connections_current stat does not reflect actual connection count.

Component: Local Traffic Manager

Symptoms:
SMTPS profile connections_current stat does not reflect actual connection count.

Conditions:
This occurs if you have an SMTPS virtual server configured.

Impact:
profile_smtps_stat.connections_current rises over time and does not reflect the actual number of active SMTPS connections.


604237-1 : Vlan allowed mismatch found error in VCMP guest

Component: TMOS

Symptoms:
Your vCMP guests are unable to reach the network. You see in /var/log/ltm "mcpd[5503]: 01071322:4: Vlan allowed mismatch found: hypervisor "

Conditions:
When the vlan-allowed list contains a VLAN whose name matches the suffix of another VLAN in the list, and both VLANs are configured on the vCMP guest. For example, xyz and abc_xyz will produce the error "warning mcpd[6374]: 01071322:4: Vlan allowed mismatch found: hypervisor (abc_xyz:1860), guest (/Common/xyz:1850)."

Impact:
Unable to use VLAN.

Workaround:
Rename the VLANs such that no VLAN matches suffix of any other VLAN.


603945-3 : BD config update should be considered as config addition in case of update failure

Component: Application Security Manager

Symptoms:
A configuration update fails when the system cannot find the item to update. Configuration failures are shown in bd.log.

Conditions:
The condition that leads to this scenario is not clear and is still under investigation.

Impact:
The update fails and the entity is not added.

Workaround:
Delete the faulty entity and re-add, and then issue the following command: restart asm.

This fixes the issue in the cases in which it is a single entity.

Fix:
A configuration update no longer fails when the system cannot find the item to update. Now, the system adds the item with its updated value if the entity does not already exist. Otherwise, the operation updates the value of the existing entry.


603758-4 : Big3D security hardening

Solution Article: K82038789


603723-1 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
None.

Fix:
The system now successfully handles TLS v1.0 fallback when pool members are configured to use TLS v1.2 only, so pool members are correctly marked as being up.


603667-1 : TMM may leak or corrupt memory when configuration changes occur with plugins in use

Component: Local Traffic Manager

Symptoms:
TMM may leak memory when plugins are in use and the plugin is re-initialized (typically due to configuration changes). In rare cases, memory corruption may occur causing TMM to restart.

Conditions:
Plugin-based functionality configured (ASM, APM, etc.) and configuration changes occur.

Impact:
The memory leakage generally occurs infrequently and at a rate at which TMM operations are not affected. However, when memory corruption occurs, a traffic interruption may occur due to TMM restarting.

Workaround:
No workaround except disabling plugin-based functionality (such as ASM, APM, etc.).

Fix:
TMM now properly manages plugin memory, and no longer leaks or corrupts this memory.


603658-4 : AAM security hardening

Solution Article: K25359902


603609-5 : Policy unable to match initial path segment when request-URI starts with "//"

Component: Local Traffic Manager

Symptoms:
HTTP URI path policy does not match when request-URI starts with "//".

Conditions:
The policy fails to match the request when the HTTP URI path is configured to match a value anywhere in the path or in the initial path segment and the request-URI starts with "//".

Impact:
The policy does not match in this case.

Workaround:
The policy could be modified to scan the full URI instead of just the path element; however, care should be taken to correctly handle potential matches with absolute URIs or in the query string.


603606-1 : tmm core

Component: Local Traffic Manager

Symptoms:
A tmm core occurs with the following log message: notice panic: ../kern/page_alloc.c:521: Assertion "vmem_hashlist_remove not found" failed.

Conditions:
It is not known exactly what triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


603598-1 : big3d memory under extreme load conditions

Component: Global Traffic Manager (DNS)

Symptoms:
big3d memory consumption can grow if big3d is unable to process monitor requests in a timely fashion.

This can be seen by monitoring the memory consumption of big3d using standard OS tools such as top.

Conditions:
big3d maintains a queue for monitor requests. Incoming monitor requests are first placed in the Pending queue. Requests are moved from the Pending queue to the Active queue if there is room in the Active queue.

When the Pending queue is full, there is no room for the monitor request. big3d attempts to clean up the monitor request, but fails to completely free the memory. This might result in a significant memory leak.

For this to happen, the Active queue must be full as well as the Pending queue.

One possible condition that might cause this is if multiple monitors time out. This results in monitors having long lifetimes, which keeps the Active queue full. Thus the Pending queue might become full and the memory leak can occur.

In BIG-IP 11.1.0 versions of big3d, the Active queue has 256 slots and the Pending queue has 4096 slots. In BIG-IP 11.1.0-hf3, the queue sizes were expanded to 2048 for the Active queue and 16384 for the Pending queue.

Since the queues were smaller in versions prior to 11.1.0-hf3, this leak is more likely to manifest itself there. In later versions, the leak is still possible, but is less likely to occur.

Impact:
big3d memory consumption grows unbounded. This might result in a big3d restart or memory starvation of other processes.

Workaround:
This can be partially mitigated by ensuring that monitor settings are reasonable and that big3d is not overloaded. This minimizes the chances that the Pending queue becomes full.

There is no mechanism to resize the queues.

Fix:
When a monitor request cannot be placed in the queue, the memory for the request is now freed properly.


603550-4 : Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.

Solution Article: K63164073

Component: Local Traffic Manager

Symptoms:
Virtual server remains in syncookie mode even after the syn flood stops.

As a result of this issue, you might see the following symptoms:
-- Virtual servers that use both FastL4 and HTTP profiles might show incorrect 'Current SYN Cache' stats.

-- Virtual stats 'Current SYN Cache' does not decrease.

Conditions:
This issue occurs when the configuration contains a virtual server that uses FastL4 as a filter (for example, one that has both the FastL4 profile and a layer 7 (HTTP) profile) and a SYN flood is sent to that virtual server.

Impact:
The virtual server stays stuck in syncookie mode after the synflood is over, and does not recover.

Workaround:
None.

Fix:
Virtual servers that use both FastL4 and HTTP profiles will have correct syn cache stats.


602749 : Memory exhaustion when asking for missing page of learning suggestion occurrences

Component: Application Security Manager

Symptoms:
High CPU Utilization: event code I706 Bypassing ASM

Conditions:
Open the occurrences for a suggestion that has multiple pages, clear the requests (on a real system this happens because of traffic, but it can be done directly in the database by cleaning the LRN_REQUESTS table), then change to the second page.

Impact:
Memory exhaustion.

Workaround:
None


601938-5 : MCPD stores certain data incorrectly

Solution Article: K52180214


601927-4 : Security hardening of control plane

Solution Article: K52180214

Component: TMOS

Symptoms:
File permission changes needed, as found by internal testing.

Conditions:
N/A

Impact:
N/A

Fix:
Apply latest security practices to control plane files.


601893-4 : TMM crash in bwc_ctb_instance_recharge because of pkts_avg_size is zero.

Solution Article: K89212666

Component: TMOS

Symptoms:
TMM cores. There might be messages similar to the following notice in /var/log/ltm just before the crash: notice BWC: instance already exist. This is an extremely rarely occurring issue.

Conditions:
This extremely rare issue occurs when the following conditions are met:
Dynamic BWC use with dynamic change in rate for each instance.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use dynamic modification of rates for dynamic policies.

Fix:
You can now successfully use dynamic modification of rates for dynamic policies.


601709-4 : I2C error recovery for BIG-IP 4340N/4300 blades

Solution Article: K02314881

Component: TMOS

Symptoms:
The I2C internal bus for the front switch on BIG-IP 4340N/4300 blades may not work.

Conditions:
This rarely happens.

Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up.

Workaround:
bigstart restart bcm56xxd

Fix:
The system now ensures that the I2C internal bus can recover from occasional errors.


601527-1 : mcpd memory leak and core

Component: TMOS

Symptoms:
Mcpd can leak memory during config update or config sync.

Conditions:
Not all of the conditions that trigger this are known, but it seems to occur during full configuration sync and is most severe on the config sync peers. It was triggered by making a single change on the primary, such as configuring a monitor rule, e.g., tmsh create ltm pool p members { 1.2.3.4:80 } monitor http

Impact:
Loss of memory over time, which may result in out-of-memory and mcpd core.

Fix:
Fixed a memory leak in mcpd.


601407 : Legacy PNAgent access does not work from Citrix Receiver 4.3 onwards

Component: Access Policy Manager

Symptoms:
While adding a new account from Citrix Receiver, it does not prompt for the credentials.

Conditions:
APM is in integration mode with Storefront or Web Interface, and APM uses only the PNAgent protocol for the integration.

Impact:
The published applications cannot be accessed.

Workaround:
None

Fix:
APM supports new user agent string from Citrix Receiver 4.3 onwards.


601268-2 : PHP vulnerability CVE-2016-5766

Solution Article: K43267483


601178-4 : HTTP cookie persistence 'preferred' encryption

Component: Local Traffic Manager

Symptoms:
When encryption is set to 'preferred' in the HTTP cookie persistence profile and the client presents a plaintext, route-domain-formatted cookie, the BIG-IP system ignores the cookie and load balances the connection again.

Conditions:
This occurs when route-domain-compatible cookies are sent in plaintext.

Impact:
Cookie does not get accepted by the persistence profile and flow does not persist.


600982-7 : TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"

Component: Local Traffic Manager

Symptoms:
When SSL is configured, the TMM might rarely crash, logging the following error in /var/log/ltm: notice panic: ../modules/hudfilter/ssl/ssl_session.c:538: Assertion "cached" failed.

Conditions:
No specific configuration is required; this is a very rare occurrence in which the random number generator can generate the number zero (0), which triggers the assertion.

Impact:
Traffic disrupted while TMM restarts, and failover occurs if high availability is configured. Mirroring and LB may be lost with renegotiation for certain types of traffic.

Workaround:
None.

Fix:
When SSL is configured, the TMM no longer intermittently crashes with the message: Assertion "cached" failed.


600827-3 : Stuck Nitrox crypto queue can erroneously be reported

Solution Article: K21220807

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Cavium Nitrox-based hardware (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Hardware Error(Co-Processor): n3-crypto0 request queue stuck.

Conditions:
This issue occurs when all of the following conditions are met:
- Your BIG-IP system uses Nitrox PX or Nitrox 3 encryption hardware.
- You are making use of hardware-based SSL encryption.
- The BIG-IP system is under heavy load.

Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.

Workaround:
None.

Fix:
The Nitrox crypto driver uses a proper timeout value for crypto requests.


600662-5 : NAT64 vulnerability CVE-2016-5745

Solution Article: K64743453


600558-10 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:

1. After approximately 10 minutes, an error similar to the following appears in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

This message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.

Fix:
Errors are no longer logged after deleting a user in the GUI.


600396-1 : iControl REST may return 404 for all requests in AWS

Component: TMOS

Symptoms:
iControl REST queries may fail against specific versions of BIG-IP in AWS. When this issue is encountered, all queries fail for the entirety of the BIG-IP uptime. An error message mentioning "RestWorkerUriNotFoundException" will be returned. For instance, this basic query will always return 404:

curl -k -u admin:ADMINPASSWORD -sv -X GET https://1.2.3.4/mgmt/tm/ltm

* Trying 1.2.3.4...
* Connected to 1.2.3.4 (1.2.3.4) port 443 (#0)
* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: localhost.localdomain
* Server auth using Basic with user 'admin'
> GET /mgmt/tm/ltm HTTP/1.1
> Host: 1.2.3.4
> Authorization: Basic ....
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: 20 Jun 2016 17:49:39 UTC
< Server: com.f5.rest.common.RestRequestSender
...
{ [1093 bytes data]
* Connection #0 to host 1.2.3.4 left intact
{
   "errorStack" : [
      "com.f5.rest.common.RestWorkerUriNotFoundException: http://localhost:8100/mgmt/tm/ltm",
      "at com.f5.rest.workers.ForwarderPassThroughWorker.cloneAndForwardRequest(ForwarderPassThroughWorker.java:293)",
      "at com.f5.rest.workers.ForwarderPassThroughWorker.onForward(ForwarderPassThroughWorker.java:211)",
      "at com.f5.rest.workers.ForwarderPassThroughWorker.onGet(ForwarderPassThroughWorker.java:370)",
      "at com.f5.rest.common.RestWorker.callDerivedRestMethod(RestWorker.java:1009)",
      "at com.f5.rest.common.RestWorker.callRestMethodHandler(RestWorker.java:976)",
      "at com.f5.rest.common.RestServer.processQueuedRequests(RestServer.java:850)",
      "at com.f5.rest.common.RestServer.access$000(RestServer.java:43)",
      "at com.f5.rest.common.RestServer$1.run(RestServer.java:147)",
      "at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)",
      "at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)",
      "at java.lang.Thread.run(Thread.java:722)\n"
   ],
   "restOperationId" : 8827,
   "code" : 404,
   "referer" : "4.3.2.1",
   "message" : "http://localhost:8100/mgmt/tm/ltm"
}

Conditions:
It is not known what triggers this; it intermittently affects new BIG-IP instances running in Amazon Web Services (AWS EC2) cloud environments.

Impact:
All iControl REST queries (GETs, PUTs, POSTs, DELETEs) always fail until the BIG-IP system is restarted.

Workaround:
Restart the BIG-IP system.


600248-5 : OpenSSL vulnerability CVE-2016-2177

Solution Article: K23873366


600232-5 : OpenSSL vulnerability CVE-2016-2177

Solution Article: K23873366


600223-5 : OpenSSL vulnerability CVE-2016-2177

Solution Article: K23873366


600205-5 : OpenSSL Vulnerability: CVE-2016-2178

Solution Article: K53084033


600198-5 : OpenSSL vulnerability CVE-2016-2178

Solution Article: K53084033


600116 : DNS resolution request may take a long time in some cases

Component: Access Policy Manager

Symptoms:
DNS resolution may appear slow in some cases.

Conditions:
All of the following conditions must be met:

1) DNS Relay proxy is installed on the user's machine.
2) The user's machine has multiple network adapters, and some of them are in a disconnected state.

Impact:
DNS resolution is slow.

Workaround:
Disable network adapters that are not connected.

Fix:
The DNS Relay proxy server no longer proxies to DNS servers on non-connected interfaces. This fixes the slow DNS resolution issue.


600069-4 : Portal Access: Requests handled incorrectly

Solution Article: K54358225


599536-5 : IPsec peer with wildcard selector brings up wrong phase2 SAs

Solution Article: K05263202


599285-5 : PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095

Solution Article: K51390683


599191-1 : One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card

Component: TMOS

Symptoms:
When running the tmsh show sys crypto fips command, you notice that stale keys you previously deleted remain on the FIPS card.

Conditions:
This occurs on BIG-IP systems with FIPS HSMs configured in manual sync mode, after the following sequence of actions:
- Create a key-cert pair
- Associate the new key-cert pair with a clientssl profile
- Config sync to the peers
- Associate the clientssl profile with the default key and cert
- Delete the key and cert
- Manual sync

Impact:
A stale key is left on the FIPS card. There is no impact to functionality.

Workaround:
Use tmsh to check the handles/key-ids of the keys in the configuration. Then remove the key that is not in use with the command tmsh delete sys crypto key <keyname>.


599168-5 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Solution Article: K35520031


598983-5 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Solution Article: K35520031


598981-1 : APM ACL does not get enforced all the time under certain conditions

Solution Article: K06913155

Component: Access Policy Manager

Symptoms:
APM ACL does not get enforced all the time under certain conditions.

Conditions:
The following conditions individually increase the chances for this problem to occur:
1. The device is very busy. (Construction of ACL windows is prolonged.)
2. Concentration of connections into one TMM. (e.g., VPN feature.)
3. Small number of TMMs (e.g., BIG-IP low-end platform, Virtual Edition (VE) configurations.)
4. Application starts with a high number of concurrent connections.

Impact:
ACL is not applied for subsequent connections for that TMM. This issue does not consistently reproduce.

Workaround:
As a mitigation, an administrator can kill the affected session, which forces the user to log in again and restarts the ACL construction process.

Fix:
Context switching while applying an ACL is now processed properly and no longer causes the ACL to go unenforced.


598874-1 : GTM Resolver sends FIN after SYN retransmission timeout

Component: Local Traffic Manager

Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.

Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.

Impact:
Firewalls may log the FIN as a possible attack.

Fix:
The GTM Resolver no longer sends anything in response to a SYN retransmission timeout.


598860-5 : IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address

Component: Local Traffic Manager

Symptoms:
The IP::addr iRule command can be used to extract the IPv4 address embedded in an IPv6 address, but instead it returns an IPv4-compatible IPv6 address.

Example:
ltm rule test_bug {
    when CLIENT_DATA {
        log local0. "[IP::addr 2A01:CB09:8000:46F5::A38:1 mask ::ffff:ffff]"
    }
}

Expected result:
Rule /Common/test_bug <CLIENT_DATA>: 10.56.0.1

Actual result:
Rule /Common/test_bug <CLIENT_DATA>: ::10.56.0.1

Conditions:
Using IP::addr to convert an IPv6 address to an IPv4 address.

Impact:
Address is converted into an IPv4-compatible IPv6 address.
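The following Python is an added illustration of the computation behind the example above; it is not code from the original release note or from F5. It applies the IP::addr mask ::ffff:ffff, which keeps only the low 32 bits of the IPv6 address, and then renders those bits either as the expected dotted-quad IPv4 address or in the IPv4-compatible IPv6 form (::a.b.c.d) that the pre-fix behaviour produced. The helper names and the "does the masked value fit in 32 bits" check are assumptions of this example.

```python
import ipaddress


def masked_ipv6(addr: str, mask: str) -> ipaddress.IPv6Address:
    """Apply a 128-bit mask to an IPv6 address (the masking step of IP::addr)."""
    a = int(ipaddress.IPv6Address(addr))
    m = int(ipaddress.IPv6Address(mask))
    return ipaddress.IPv6Address(a & m)


def ipv4_from_ipv6(addr: str, mask: str = "::ffff:ffff") -> str:
    """Expected result: the masked low 32 bits as a dotted-quad IPv4 address.

    Raises ValueError when the masked value does not fit in 32 bits, because
    then there is no embedded IPv4 address to extract (an assumption of this
    example; the page does not describe that case).
    """
    masked = int(masked_ipv6(addr, mask))
    if masked >> 32:
        raise ValueError(f"{addr} masked with {mask} is not a 32-bit value")
    return str(ipaddress.IPv4Address(masked))


def buggy_ipv4_compatible(addr: str, mask: str = "::ffff:ffff") -> str:
    """Actual (pre-fix) result shown on the page: IPv4-compatible IPv6 form '::a.b.c.d'."""
    return "::" + ipv4_from_ipv6(addr, mask)


if __name__ == "__main__":
    # Constructed input: the address and mask from the release note's example.
    addr = "2A01:CB09:8000:46F5::A38:1"
    print("masked   :", masked_ipv6(addr, "::ffff:ffff"))   # ::a38:1
    print("expected :", ipv4_from_ipv6(addr))                # 10.56.0.1
    print("actual   :", buggy_ipv4_compatible(addr))         # ::10.56.0.1
```

The low 16 bits of the address are 0x0A38 and 0x0001, i.e. 10.56 and 0.1, so the masked value is the IPv4 address 10.56.0.1; the pre-fix output prefixed that with :: instead of returning the IPv4 form.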


598211-3 : Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.

Component: Access Policy Manager

Symptoms:
During the logon to Citrix StoreFront through an APM virtual server, after the login page, the BIG-IP system sends the client the following error: Error 404 file or directory not found.

Conditions:
This occurs when the following conditions are met:
- Citrix Android Receiver 3.9 is used.
- APM is in integration mode with Citrix StoreFront.
- Storefront unified experience mode is enabled.

Impact:
Cannot access Citrix StoreFront unified UI through Android Receiver 3.9.

Workaround:
For StoreFront integration mode, the iApp creates an iRule that redirects the root page to the store's URI. The workaround is to add an additional redirect for the receiver_uri ending with receiver.html. The iRule below contains this workaround.
It is also recommended to delete and recreate the existing store account.

when HTTP_REQUEST {
    if { [regexp -nocase {/citrix/(.+)/receiver\.html} [HTTP::path] dummy store_name] } {
        log -noname accesscontrol.local1.debug "01490000:7: setting http path to /Citrix/$store_name/"
        HTTP::path "/Citrix/$store_name/"
    }
}

Fix:
Citrix Android Receiver 3.9 now works through APM in StoreFront integration mode.


598039-8 : MCP memory may leak when performing a wildcard query

Component: TMOS

Symptoms:
MCP's umem_alloc_80 cache (visible using tmctl -a) increases in size after certain wildcard queries. Accordingly, the MCP process shows increased memory usage.

Conditions:
Folders must be in use, and the user must execute a wildcard query for objects that are in the upper levels of the folder hierarchy (i.e. not at the very bottom of the folder tree).

Impact:
MCP loses available memory with each query. MCP could eventually run out of memory and core, resulting in an outage or failover (depending on whether or not the customer is running in a device cluster).

Workaround:
Do not perform wildcard queries.

Fix:
MCP no longer leaks memory when wildcard queries are performed.


598002-4 : OpenSSL vulnerability CVE-2016-2178

Solution Article: K53084033


597978-5 : GARPs may be transmitted by active going offline

Component: Local Traffic Manager

Symptoms:
GARPs may be transmitted by the active unit when it goes offline. Because the standby unit that takes over will also transmit GARPs, this is not expected to cause an impact.

Conditions:
Multiple traffic-groups are configured and the active unit goes offline.

Impact:
It is not expected that this will cause any impact.

Workaround:
Make the unit standby before forcing it offline.


597966-1 : ARP/neighbor cache nexthop object can be freed while still referenced by another structure

Component: Local Traffic Manager

Symptoms:
Use after free or double-free of the nexthop object may cause memory corruption or TMM core.

Conditions:
This can happen if the server-side connection establishment takes some time to complete, creating a large enough time window where the nexthop object might be freed.

Impact:
The BIG-IP dataplane might crash. This is a very timing/memory-usage-dependent issue.

Workaround:
None.

Fix:
Management of nexthop object reference counting is more consistent.


597652-1 : CVE-2015-3217 pcre: stack overflow caused by mishandled group empty match

Solution Article: K20225390


597431-6 : VPN establishment may fail when computer wakes up from sleep

Component: Access Policy Manager

Symptoms:
Edge Client doesn't clean up the routing table before Windows hibernates. This may result in failure of VPN establishment when the computer wakes up. It may also result in other network connectivity issues.

Conditions:
- The VPN connection is not disconnected.
- The computer goes into hibernation.

Impact:
Issues with network connectivity.

Workaround:
Renew the DHCP lease by running:
ipconfig/renew

or reboot the machine.


597429 : eam maintains lock on /var/log/apm.1 after logrotate

Component: Access Policy Manager

Symptoms:
/var/log fills up and eventually runs out of disk space. Old log files are not being deleted from the rotation, and they are locked and unable to be removed.

Conditions:
This occurs when eam is configured. eam provides external access management for 3rd party identity integration such as Oracle Access Manager (OAM) SSO.

Impact:
/var/log consumes an unusually high amount of disk space, and logrotate does not work correctly.


597394-5 : Improper handling of IP options

Solution Article: K46535047


597214-6 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly

Component: Access Policy Manager

Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.

Conditions:
JavaScript code with a literal object definition containing fields whose names are reserved keywords, for example:

var a = { default: 1, continue: 2 };

Impact:
JavaScript code is not rewritten and may not work correctly.

Workaround:
You can use an iRule to rename the field names in the original code.

Fix:
Portal Access now correctly handles JavaScript object literals that contain reserved keywords as field names.


597089-3 : Connections are terminated after 5 seconds when using ePVA full acceleration

Component: Local Traffic Manager

Symptoms:
When using a FastL4 profile with ePVA full acceleration configured, the 5-second TCP three-way handshake (3WHS) timeout is not updated to the TCP idle timeout after the handshake completes. The symptom is an unusually high number of connections being reset in a short period of time.

Conditions:
Not all of the conditions that trigger this are known, but it is seen when using the FastL4 profile with pva-acceleration set to full.

Impact:
A high number of connections get reset, TCP connections idle longer than expected, and performance issues are possible.

Workaround:
Disabling the PVA resolves the issue.


597023-5 : NTP vulnerability CVE-2016-4954

Solution Article: K82644737


597010-5 : NTP vulnerability CVE-2016-4955

Solution Article: K03331206


596997-5 : NTP vulnerability CVE-2016-4956

Solution Article: K64505405


596814-2 : HA Failover fails in certain valid AWS configurations

Component: TMOS

Symptoms:
Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Conditions:
AWS deployments where the provided IP address matches multiple network interfaces (belonging to other Amazon VPCs in the same Availability Zone that contain unrelated instances with the same IP address as the BIG-IP system's floating IP address).

Impact:
Potential traffic disruption. Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Workaround:
Do not have AWS deployments with multiple VPCs sharing the same IP address as the BIG-IP's floating IP address.

Fix:
Failover now narrows the network description by filtering on VPC id.


596603-5 : AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.

Component: TMOS

Symptoms:
When deploying BIG-IP VE in AWS with c4.8xlarge instance type, the system never boots and remains in "Stopped" state after briefly trying to start-up.

Conditions:
BIG-IP VE is deployed with c4.8xlarge instance type in AWS.

Impact:
The c4.8xlarge instance type is not supported for BIG-IP VE in AWS.

Workaround:
Choose c4.4xlarge or other instance types in AWS.

Fix:
Issue corrected so that BIG-IP VE works with the c4.8xlarge instance type in AWS.


596488-5 : GraphicsMagick vulnerability CVE-2016-5118.

Solution Article: K82747025


596433-1 : Virtual with lasthop configured rejects request with no route to client.

Component: Local Traffic Manager

Symptoms:
A virtual server with a lasthop pool configured rejects requests sourced from a MAC address that is not configured in the lasthop pool.

Conditions:
This issue occurs when the following conditions are met:

- Virtual with lasthop pool.
- Connection sourced from MAC address which is not configured in the lasthop pool.
- Lasthop pool member is local to TMM.
- tm.lhpnomemberaction db key is set to 2.

Impact:
Connection is erroneously reset with no route to client.

Workaround:
- Change the tm.lhpnomemberaction db key to 0 or 1 (behavior change).
- Add the IP address of the lasthop member from which the client originates to the lasthop pool.


596340-4 : F5 TLS vulnerability CVE-2016-9244

Solution Article: K05121675


596134-1 : TMM core with PEM virtual server

Component: Policy Enforcement Manager

Symptoms:
TMM cores; this signature is contained in /var/log/ltm:
err tmm1[7822]: 011f0007:3: http_process_state_prepend - Invalid action:0x109010

Conditions:
A core may occur if a PEM virtual has a parked flow (through an iRule, persistence profile, or other mechanism), where an internal control event occurs while the flow is parked.

Impact:
Traffic disrupted while tmm restarts.

Fix:
PEM now checks for a HUDCTL_ABORT message before processing other HUD messages.


595874-3 : Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) instances that use the Amazon Web Services (AWS) hourly billing license model may fail when upgrading to version 12.1.0.

As a result of this issue, you may encounter the following symptom:

After upgrading to version 12.1.0, the BIG-IP VE instance license is invalid.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have BIG-IP VE instances that use the hourly billing licensing model.
-- Your BIG-IP VE instances are running 11.5.x or 11.6.x software versions.
-- Your BIG-IP VE instances are running within the AWS EC2 environment.
-- You upgrade the BIG-IP VE instance using the liveinstall method.

Impact:
BIG-IP VE instance licenses are not valid after upgrading to software version 12.1.0.

Workaround:
To work around this issue, you can use the liveinstall method on the hotfix image directly (instead of installing the base software image and then the hotfix image). To do so, perform the following procedure:

Impact of workaround: Performing the following procedure requires rebooting the system and should be performed only during a maintenance window.

1. Download the BIGIP-12.1.0.0.0.1434.iso and Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso files to your workstation. For more information about downloading software, refer to SOL167: Downloading software and firmware from F5.
2. Copy the downloaded files from your workstation to the /shared/images directory on the VE instance.
3. To perform the installation by using the liveinstall method, and reboot the BIG-IP VE instance to the volume running the new software, use the following command syntax:

tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume <volume-number> reboot

For example, to install the hotfix to volume HD1.3 and reboot to the volume running the newly installed software, type the following command:

tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume HD1.3 reboot

4. Verify the installation progress by typing the following command:
tmsh show sys software

Output appears similar to the following example:

Sys::Software Status
Volume Product Version Build Active Status
----------------------------------------------------------------
HD1.1 BIG-IP 12.0.0 0.0.606 yes complete
HD1.2 BIG-IP 12.1.0 0.0.1434 no complete
HD1.3 BIG-IP 12.1.0 0.0.1434 no installing 6.000 pct

Fix:
BIG-IP VE instances that use the AWS hourly billing license model now complete successfully when upgrading to version 12.1.0.


595773-6 : Cancellation requests for chunked stats queries do not propagate to secondary blades

Component: TMOS

Symptoms:
Canceling a request for a chunked stats query (e.g. hitting ctrl-c during "tmsh show sys connection") does not stop data flowing from secondary blades.

Conditions:
A chassis-based system with multiple blades. Users must execute a chunked stats query (e.g. "tmsh show sys connection") and then cancel it before it finishes (e.g. with ctrl-c in tmsh).

Impact:
Unnecessary data will be sent from TMM to secondary mcpd instances, as well as from secondary mcpd instances to the primary mcpd instance. This could cause mcpd to restart unexpectedly.

Fix:
Cancellations for chunked stats queries are now propagated to secondary blades.


594496-4 : PHP Vulnerability CVE-2016-4539

Solution Article: K35240323


593530-3 : In rare cases, connections may fail to expire

Solution Article: K26430211

Component: Local Traffic Manager

Symptoms:
Connections have an idle timeout of 4294967295 seconds.

Conditions:
Any IP (ipother) profile is assigned to virtual server.

Impact:
Connections may linger.

Workaround:
None.

Fix:
Fixed idle initialization error when using Any IP (ipother) profile.


593447-3 : BIG-IP TMM iRules vulnerability CVE-2016-5024

Solution Article: K92859602


593390-1 : Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.

Component: Local Traffic Manager

Symptoms:
If an iRule selects a profile using just its name, not the full path, the internal lookup might fail. This might cause a new version of the profile to be instantiated, leading to memory issues.

Conditions:
An iRule calls SSL::profile but does not supply the complete path (e.g., /Common/clientssl); rather, the iRule uses only the profile name.

Impact:
Higher memory usage than necessary.

Workaround:
Always have iRules select profiles using the complete path.

Fix:
If an iRule attempts to select a profile using only its name, the system now prepends the /Common path before looking it up, so another version of the profile cannot be instantiated and no memory issue occurs.


592871-1 : Cavium Nitrox PX/III stuck queue diagnostics missing.

Component: Local Traffic Manager

Symptoms:
No diagnostics tool is available to investigate the rare issue where the Cavium Nitrox PX/III crypto chip gets into a "request queue stuck" situation.

Conditions:
A system with Cavium Nitrox PX/III chip(s), which includes the BIG-IP 5xxx, 7xxx, 10xxx, and 12xxx platforms as well as the VIPRION B2200 blade, that hits the rare issue which logs a "request queue stuck" message in /var/log/ltm.

Impact:
This tool enables F5 engineers to obtain more data about this problem to help diagnose the issue.

Workaround:
None.

Fix:
Provides a diagnostics tool. This does not directly mitigate the problem.


592869 : Syntax Error when reimporting exported content containing acl-order 0

Component: Access Policy Manager

Symptoms:
Syntax Error when reimporting exported content containing acl-order 0. The error message is similar to the following.

Syntax Error: ... 'acl-order' may not be specified more than once; Validating configuration...

Conditions:
Exported config has apm resource with acl-order 0.

Impact:
Unable to import exported .conf.tar.gz.

Workaround:
None.

Fix:
It is now possible to export and then import config that contains apm resource with acl-order 0.


592868-1 : Rewrite may crash processing HTML tag with HTML entity in attribute value

Component: Access Policy Manager

Symptoms:
If an HTML page contains HTML entities in attribute values, rewrite may crash while processing the page.

Conditions:
An HTML tag like this:
<script src="&#10;" type="text/javascript"></script>

Impact:
Web application may not work correctly.

Workaround:
In most cases, HTML entities can be replaced by the appropriate characters using an iRule.

Fix:
Now rewrite correctly handles HTML entities in attribute values.


592854-2 : Protocol version set incorrectly on serverssl renegotiation

Component: Local Traffic Manager

Symptoms:
If the BIG-IP serverssl profile sends a new ClientHello request to renegotiate SSL, the protocol version will be set to 0. This will cause renegotiation to fail.

Conditions:
A ServerSSL profile is configured on a virtual server, and the BIG-IP system initiates a renegotiation.

Impact:
Protocol field is invalid (0), and the server will reset the connection.

Fix:
Fixed a reset issue with SSL renegotiation in the serverssl profile.


592784 : Compression stalls, does not recover, and compression facilities cease.

Component: Local Traffic Manager

Symptoms:
Compression stalls, does not recover, and compression facilities may cease.

Conditions:
A device error of any kind, or requests that result in the device reporting an error (for example, attempting to decompress an invalid compression stream).

Impact:
In general, compression stops altogether. Under some circumstances, compression requests may end up routed to zlib (software compression), but generally the SSL hardware accelerator card does not correctly report that it is unavailable when it stalls.

Workaround:
Select the softwareonly compression provider by running the following tmsh command: tmsh modify sys db compression.strategy value softwareonly.

Fix:
The compression device driver now attempts to recover after a failure. If it still cannot recover, new compression requests will be assigned to zlib (software) for compression.


592485-1 : Linux kernel vulnerability CVE-2015-5157

Solution Article: K17326


592414-3 : IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed

Component: Access Policy Manager

Symptoms:
IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed from dynamically generated child.

Conditions:
Browsers: IE11 and Chrome
When: After document.write() into its parent has been performed from dynamically generated child.

Impact:
Web application malfunction.

Workaround:
None.

Fix:
Fixed.


591918-6 : ImageMagick vulnerability CVE-2016-3718

Solution Article: K61974123


591908-6 : ImageMagick vulnerability CVE-2016-3717

Solution Article: K29154575


591894-6 : ImageMagick vulnerability CVE-2016-3715

Solution Article: K10550253


591881-5 : ImageMagick vulnerability CVE-2016-3716

Solution Article: K25102203


591828-3 : For unmatched connection, TCP RST may not be sent for data packet

Solution Article: K52750813

Component: Advanced Firewall Manager

Symptoms:
When a TCP connection times out (no entry in 'show sys conn') and a subsequent data packet (not a SYN) arrives, the BIG-IP system does not send a RST to the client to reset the connection.

Conditions:
This issue occurs if AFM is provisioned. Additionally, in BIG-IP v12.1.0 and above, it occurs if ASM is provisioned (regardless of AFM provisioning).

-- Packets other than SYN with no entry in the connection table arrive.

This can occur either after a failover (when mirroring is disabled) when traffic arrives at the newly-active system, or can occur if the relevant virtual server has 'reset-on-timeout' disabled.

Impact:
The client retransmits several times and then terminates the TCP connection. No RST is sent from the BIG-IP system to the client for the unmatched connection.

Workaround:
Enable the reset on timeout option to send TCP RST to client when connection times out.

Note: This workaround does not address the circumstances where a newly-active BIG-IP system receives traffic (e.g. after a failover or system reboot).

Fix:
The BIG-IP system now sends a TCP RST for unknown connections so the clients and backend servers can start a new connection.


591806-4 : ImageMagick vulnerability CVE-2016-3714

Solution Article: K03151140


591789 : IPv4 fragments are dropped when packet filtering is enabled.

Component: Local Traffic Manager

Symptoms:
IPv4 fragments are dropped when packet filtering is enabled.

Conditions:
Packet filtering is enabled on version 11.5.4, 11.6.0 HF6, or 11.6.1.

Impact:
IPv4 fragments with a non-zero offset are lost.

Workaround:
Disable packet filtering.

Fix:
IPv4 fragments are no longer incorrectly dropped when packet filtering is enabled.


591767-4 : NTP vulnerability CVE-2016-1547

Solution Article: K11251130


591666-1 : TMM crash in DNS processing on TCP virtual with no available pool members

Component: Local Traffic Manager

Symptoms:
TMM crash when processing requests to a DNS virtual server.

Conditions:
The issue can occur if a TCP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.

Ensure datagram LB mode is enabled on UDP DNS virtuals.

Fix:
Product corrected to prevent crash when there are no available members.


591659-2 : Server shutdown is propagated to client after X-Cnection: close transformation.

Solution Article: K47203554

Component: Local Traffic Manager

Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.

Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the Client along with a TCP FIN.

Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.

Workaround:
Set the OneConnect profile "Maximum Reuse" value to 2 below the pool member's max keep-alive setting. This forces OneConnect to close the connection before the pool member does.

Fix:
Server shutdown is no longer propagated to client after X-Cnection: close transformation, so client side connections are now kept open by the BIG-IP system as expected, and subsequent requests are no longer dropped.


591476-6 : Stuck crypto queue can erroneously be reported

Solution Article: K53220379

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Cavium Nitrox-based platforms (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: "Device error: crypto codec cn-crypto-0 queue is stuck." tmm then crashes.

Conditions:
-- Running on one of the following platforms:
 + BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 2xxx, 4xxx, 5xxx, 7xxx, 10xxx, 11xxx, 12xxx, i2xxx, and i4xxx
 + VIPRION B41xx-B43xx, B21xx, and B22xx blades.
-- Performing SSL.
-- Under heavy load.

Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover. Traffic disrupted while tmm restarts.

Workaround:
Modify the crypto queue timeout value to 0 to prevent timeouts using the following command:

tmsh modify sys db crypto.queue.timeout value 0

To clear erroneously stuck queues, you must restart tmm or reboot the BIG-IP system.

Note: Traffic is disrupted during restarts.

Fix:
The crypto driver now only examines requests in the hardware DMA ring to detect a stuck queue on Nitrox devices.


591455-3 : NTP vulnerability CVE-2016-2516

Solution Article: K24613253


591447-4 : PHP vulnerability CVE-2016-4070

Solution Article: K42065024


591438-3 : PHP vulnerability CVE-2015-8865

Solution Article: K54924436


591328-3 : OpenSSL vulnerability CVE-2016-2106

Solution Article: K36488941


591327-3 : OpenSSL vulnerability CVE-2016-2106

Solution Article: K36488941


591325-3 : OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109

Solution Article: K75152412


591117-2 : APM ACL construction may cause TMM to core if TMM is out of memory

Component: Access Policy Manager

Symptoms:
During ACL construction, TMM sends queries regarding assigned ACL information. If the reply message contains an out-of-memory error, TMM did not handle this error message properly, causing TMM to core.

Conditions:
BIG-IP is extremely loaded and out of memory.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM now handles an out-of-memory error reply during ACL construction without crashing.


591042-6 : OpenSSL vulnerabilities

Solution Article: K23230229


590820-5 : Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Component: Access Policy Manager

Symptoms:
Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Conditions:
Intense usage of JavaScript methods such as: appendChild(), insertBefore(), and other, similar JavaScript methods, in a customer's web application code.

Impact:
Very low web application performance when using Microsoft Internet Explorer.

Workaround:
None.

Fix:
Applications that use appendChild() or similar JavaScript functions to build UI now experience expected performance in Microsoft Internet Explorer browser.


590345-4 : ACCESS policy running iRule event agent intermittently hangs

Component: Access Policy Manager

Symptoms:
If you are using the iRule event agent on the 12.1.0 release, you may see an intermittent Access Policy execution hang. The hang occurs during the execution of ACCESS::policy agent_id.

Conditions:
-- The iRule event agent is configured.
-- The iRule uses the ACCESS_POLICY_EVENT_AGENT event.
-- Within this event, the ACCESS::policy agent_id command is used.

Impact:
Policy execution intermittently hangs.

Workaround:
Use this command instead:
ACCESS::session data get {session.custom_event.id}

Fix:
A hang related to the use of ACCESS::policy agent_id has been fixed.


589856 : iControl REST : possible to get duplicate transaction IDs when transactions are created by multiple clients

Component: TMOS

Symptoms:
When two iControl REST clients using the same username create transactions simultaneously, they can potentially get the same transaction ID, which results in unexpected errors and transaction issues.

Conditions:
-- Two iControl REST clients using the same username.
-- Requests to create transactions, either simultaneously or in quick sequence.

Impact:
Transaction semantics are not followed, and unintended errors may occur.

Workaround:
None.

Fix:
Under these conditions, transaction IDs are now unique, so this issue no longer occurs.


589400-5 : With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Solution Article: K33191529

Component: Local Traffic Manager

Symptoms:
With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Conditions:
The congestion window is small relative to the message size and appropriate byte counting (abc) is enabled; the issue also might manifest when the serverside MTU is greater than the clientside MTU.

Impact:
Additional connection latency.

Workaround:
Enabling proxy-mss on the serverside TCP profile significantly reduces incidence of this problem in observed cases.

If init-cwnd is low, raising it might also help.

Disabling abc can also reduce the problem, but might have other negative network implications.

Fix:
Incoming packets are now pulled more aggressively into the send buffer, if there are no negative implications for CPU performance.


589379-1 : ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.

Solution Article: K20937139

Component: TMOS

Symptoms:
In a configuration with a summary route that is added to ZebOS and configured with 'not-advertise', when deleting the exactly matching route, ospfd sends LSA route with age 1, then immediately sends update with age 3600.

Conditions:
OSPF using route health injection for default route.

Impact:
No functional impact. The extraneous LSA is immediately aged out.

Workaround:
Configure a static default route in imish instead of using RHI for the default route.

Fix:
ZebOS no longer adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.


589338-2 : Linux host may lose dynamic routes on secondary blades

Component: TMOS

Symptoms:
The Linux host residing on a secondary blade might lose dynamic routes previously learned via a dynamic routing protocol.

Conditions:
- Multibladed chassis or vCMP guest.
- Routes learned via dynamic routing.
- Restart of services or reboot of secondary blade.

Impact:
Routes on Linux host of secondary blade are lost. This might affect host traffic, such as monitoring, remote logging, etc., due to the lack of routing information.

Workaround:
Modify the ZebOS maximum-paths setting on the primary blade to trigger a route update to the non-primary blades.

Add a custom alert to the user_alert.conf to auto-mitigate this issue whenever a blade joins the cluster.

# 11.5.x workaround for user_alert.conf
alert BLADE_JOINED_CLUSTER "010719fc:5: Mate cluster member (.*) turned Green." {
    exec command="/usr/sbin/zebos -a cmd 'enable,conf t,maximum-paths 5,maximum-paths 4,exit,exit'"
}

Note: The Mate cluster log message is not present in 11.6.x, so this is an 11.5.x-only workaround.

Fix:
This issue no longer occurs, so there is consistency among blades.


589298 : TMM crash with a core dump

Component: Application Security Manager

Symptoms:
TMM crash with a core dump

Conditions:
-- ASM provisioned.
-- Session Awareness enabled.
-- Mirroring enabled.
-- HA (CMI) setup.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The handling of Session Awareness in an HA (CMI) setup has been fixed to prevent TMM crashes.


589256-4 : DNSSEC NSEC3 records with different type bitmap for same name.

Solution Article: K71283501

Component: Global Traffic Manager (DNS)

Symptoms:
For a delegation from a secure zone to an insecure zone, the BIG-IP system returns different type bitmaps in the NSEC3 record depending on the query type. This causes BIND9's validator to reject the secure delegation to the insecure zone.

Conditions:
For insecure delegations, the DNSSEC implementation does not support the DS record. Those queries are forwarded to the backend, BIND, if selected as fallback. Without ZSK/KSK for an insecure child zone, BIND responds SOA which the system dynamically signs.

Impact:
DNS lookups may fail if BIND9's validator rejects the delegation.

Workaround:
None.

Fix:
If the response is NODATA from either the proxy or a transparent cache, and the query is for a DS record, the types bitmap is now set to NS.


589039-3 : Clearing masquerade MAC results in unexpected link-local self IP addresses.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system advertises fe80::200:ff:fe00:0 as a self IP address.

Conditions:
Masquerade MAC changes from non-zero to zero.

Impact:
This might cause IP address conflicts between devices in a high availability (HA) configuration.

Workaround:
Restart tmm after setting masquerade MAC to zero.

Fix:
The system does not advertise invalid self IP addresses on clearing masquerade MAC.


588572-2 : Unnecessary re-transmission of packets on higher ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
LTM re-transmits TCP segments even when ICMP Path maximum transmission unit (PMTU) is higher than existing MTU.

Conditions:
ICMP PMTU is higher than the existing MTU, and the user enables MPTCP, Rate Pacing, or any of the following congestion controls: Vegas, Illinois, Woodside, CHD, CHG.

Impact:
Burst traffic generated.

Workaround:
Disable Path MTU Discovery by entering the command: tmsh modify sys db tm.enforcepathmtu value disable.

Fix:
Fixed unnecessary re-transmission of packets on higher ICMP Path maximum transmission unit (PMTU) in the advanced TCP implementation.


588569-2 : Don't include maximum TCP options length in calculating MSS on ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
The TCP segment size is 40 bytes smaller than it needs to be.

Conditions:
ICMP implementation using Path MTU (PMTU), and the user enables MPTCP, Rate Pacing, or any of the following congestion controls: Vegas, Illinois, Woodside, CHD, CHG.

Impact:
The impact of this issue is less data per TCP segment.

Workaround:
Disable Path MTU Discovery by running the following command:

tmsh modify sys db tm.enforcepathmtu value disable

Fix:
Don't include maximum TCP options length in calculating MSS on ICMP PMTU in the advanced TCP implementation.


588351-3 : IPv6 fragments are dropped when packet filtering is enabled.

Component: Local Traffic Manager

Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.

Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.

Impact:
IPv6 fragments with a non-zero offset are lost.

Workaround:
Disable packet filtering.

Fix:
IPv6 fragments are no longer dropped when packet filtering is enabled.


588115-4 : TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw

Component: Local Traffic Manager

Symptoms:
As a result of a known issue TMM may crash in some specific scenarios if there is an overlapping and more specific route to the floating self-IP range configured on the unit.

Conditions:
- Unit configured with a floating self-IP and allow-service != none.
- A more specific route exists via a gateway to the self-IP range.
- The configured gateway for the overlapping route is unreachable.
- Ingress traffic to the floating self-IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the use of routes overlapping with configured floating self-IPs.

Fix:
TMM no longer crashes when floating self IPs are configured with more specific overlapping routes.


587966-5 : LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port

Solution Article: K77283304

Component: Local Traffic Manager

Symptoms:
LTM FastL4 DNS virtual server or SNAT: first A query dropped when A and AAAA requested at the same time with same source IP:port.

Conditions:
A and AAAA DNS Query requested at the same time with the same source IP and Port.

Impact:
A Type DNS Query dropped intermittently.

Workaround:
Configure a standard virtual server with a UDP profile for the traffic instead of using FastL4 or SNAT.

Fix:
Type A requests no longer dropped when A and AAAA DNS Query requested at the same time with the same source IP and Port.


587892 : Multiple iRule proc names might clash, causing the wrong rule to be executed.

Component: Local Traffic Manager

Symptoms:
Multiple iRule proc names might clash, causing the wrong rule to be executed.

Conditions:
This occurs when there is an iRule configured with more than one proc, which might cause the wrong proc to get executed.

Impact:
The call proc might execute the wrong proc.

Workaround:
None.

Fix:
Multiple iRules configured with more than one proc no longer cause the wrong proc to get executed.


587705-6 : Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.

Solution Article: K98547701

Component: Local Traffic Manager

Symptoms:
Persist lookups fail for source_addr with match-across-virtual servers when multiple entries exist for the client, but pointing to different pools.

Conditions:
'match-across-virtuals' is enabled. Multiple persistence entries for a client address exist, and some of these persistence entries point to pool members from different pools. Some of these pool members do not belong to any of the current virtual server's pools.

Impact:
Source address persistence fails for this client, even though there is a valid persistence entry that can be used.

Workaround:
None.

Fix:
Persist lookups now succeed for source_addr with match-across-virtual servers when multiple entries exist with different pools.


587698-1 : bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured

Component: TMOS

Symptoms:
The bgpd daemon crashes.

Conditions:
bgp extended-asm-cap is configured before configuring ip extcommunity-list standard with rt and soo fields.

Impact:
bgpd daemon crashes leading to route loss and traffic loss.

Fix:
bgpd no longer crashes when both bgp extended-asm-cap and ip extcommunity-list standard with rt and soo parameters are configured.


587691-2 : TMM crashes upon SSL handshake cancellation.

Solution Article: K41679973

Component: Local Traffic Manager

Symptoms:
TMM crashes upon SSL handshake cancellation.

Conditions:
SSL handshake cancellation.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when SSL handshake is canceled.


587617-4 : While adding GTM server, failure to configure new IP on existing server leads to gtmd core

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd cores with SIGSEGV in selfip_needs_xlation.

Conditions:
No GTM server object is configured with an existing self IP.

Impact:
gtmd cores. GTM unable to respond to DNS queries. DNS traffic disrupted while gtmd restarts.

Workaround:
Configure the GTM server object with an existing self IP. For more information, see K15671: The BIG-IP GTM system must use a local self IP address to define a server to represent the BIG-IP GTM system at https://support.f5.com/csp/#/article/K15671

Fix:
gtmd no longer cores in this situation.


587107-1 : Allow iQuery to negotiate up to version TLS1.2

Component: Global Traffic Manager (DNS)

Symptoms:
big3d accepts only TLS1.0, and gtmd offers only TLS1.0 during iQuery SSL handshake. iQuery does not negotiate up to TLS 1.2.

Conditions:
Establishing iQuery connections.

Impact:
The older, less secure TLS1.0 version is the only possible iQuery connection.

Workaround:
None.

Fix:
big3d now accepts, and gtmd now offers up to, TLS1.2 in iQuery handshakes.

TLS1 and TLS1.1 are still accepted by both ends of the iQuery connection (gtmd and big3d) to enable older clients (gtmd) to connect to newer servers (big3d) and vice versa.

Behavior Change:
big3d now accepts TLS1.2 in iQuery handshakes, and gtmd now offers up to TLS1.2.


587077-4 : Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118

Solution Article: K37603172


586878-1 : During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.

Component: TMOS

Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3.

The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.

Conditions:
The issue occurs when all the below conditions are met.
1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, 11.6.1, and versions 12.1.0 and later).

Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
Unexpected Error: Loading configuration process failed.

Workaround:
To work around this situation, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key.
    For example, it might look similar to the following:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            "" { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }

   Note: The profile might have a cert-key-chain name but no cert/key. In other words, it could also appear similar to the following example:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            default { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }
3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.
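The workaround above asks you to find, by hand, every clientssl profile whose cert/key is empty or 'default' before upgrading. The following is an added example (not F5's code and not part of this release note) that scans a bigip.conf-style text for exactly the two profile shapes shown in step 2 and reports the ones that the post-11.5.4 validation would reject. The sample configuration is constructed for the example, and the decision to skip profiles with `inherit-certkeychain true` (on the assumption that they take their cert/key from the parent profile) is the example's own.

```python
import re

# Constructed bigip.conf excerpt (sample input, not from a real device): two profiles in the
# shapes described by the workaround, one valid profile, and one that inherits its chain.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    app-service none
    cert none
    cert-key-chain {
        "" { }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
    passphrase none
}
ltm profile client-ssl /Common/cssl_default_chain {
    cert none
    cert-key-chain {
        default { }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
}
ltm profile client-ssl /Common/cssl_ok {
    cert /Common/app.crt
    cert-key-chain {
        app {
            cert /Common/app.crt
            key /Common/app.key
        }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key /Common/app.key
}
ltm profile client-ssl /Common/cssl_inherits {
    defaults-from /Common/cssl_ok
    inherit-certkeychain true
}
"""


def parse_client_ssl_profiles(conf_text):
    """Return {profile_name: [stripped body lines]} for each top-level client-ssl object.
    Brace counting tracks nesting so other top-level objects are skipped intact."""
    profiles, current, depth = {}, None, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if depth == 0:
            m = re.match(r"^ltm profile client-ssl (\S+) \{$", line)
            if m:
                current = m.group(1)
                profiles[current] = []
            depth += line.count("{") - line.count("}")
            continue
        if current is not None:
            profiles[current].append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return profiles


def cert_key_chain_entries(body):
    """Return [(entry_name, inner_lines)] for the profile's cert-key-chain block.
    Handles both the one-line empty form ('"" { }', 'default { }') and nested entries."""
    if "cert-key-chain {" not in body:
        return []
    entries, i = [], body.index("cert-key-chain {") + 1
    while i < len(body) and body[i] != "}":
        m = re.match(r'^("[^"]*"|\S+) \{( \})?$', body[i])
        if not m:
            i += 1
            continue
        name = m.group(1).strip('"')
        if m.group(2):                      # 'name { }' closes on the same line: empty entry
            entries.append((name, []))
            i += 1
            continue
        inner, i = [], i + 1
        while i < len(body) and body[i] != "}":
            inner.append(body[i])
            i += 1
        entries.append((name, inner))
        i += 1                              # step past the entry's closing brace
    return entries


def profile_has_usable_cert_key(body):
    """True if a cert AND key are named directly, or inside any cert-key-chain entry."""
    def value_of(lines, keyword):
        return next((l.split()[1] for l in lines if re.match(rf"^{keyword} \S+$", l)), "none")
    if value_of(body, "cert") != "none" and value_of(body, "key") != "none":
        return True
    return any(value_of(inner, "cert") != "none" and value_of(inner, "key") != "none"
               for _, inner in cert_key_chain_entries(body))


def find_invalid_client_ssl_profiles(conf_text):
    """Names of client-ssl profiles that would fail the cert/key validation after upgrade."""
    flagged = []
    for name, body in parse_client_ssl_profiles(conf_text).items():
        if "inherit-certkeychain true" in body:
            continue  # assumption: the chain comes from the parent profile, so not checked here
        if not profile_has_usable_cert_key(body):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in find_invalid_client_ssl_profiles(SAMPLE_CONF):
        print("needs attention before upgrade:", name)
```

Run it against a copy of /config/bigip.conf taken before the upgrade; each reported profile is one to remove in step 3 and re-create in step 5.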


586738-3 : The tmm might crash with a segfault.

Component: Local Traffic Manager

Symptoms:
The tmm might crash with a segfault.

Conditions:
Using IPsec with hardware encryption.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
When IPsec is configured with hardware encryption, an encryption error now returns an error code when appropriate and is handled as expected, so tmm no longer crashes with a segfault.


586718-5 : Session variable substitutions are logged

Component: Access Policy Manager

Symptoms:
With the log level set to debug, session variable substitutions are logged, including the encrypted password if you are substituting the password variable. You may see the following logs: debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password' with the encrypted password logged

Conditions:
APM Access Policy log level set to debug, and session variable substitution is performed.

Impact:
Session variable substitutions, including the encrypted password, are written to the log; they should not be logged even though the value is encrypted.

Workaround:
Set log level to informational or notice for normal operations. Logging at debug level is not recommended unless absolutely needed for specific troubleshooting as it adversely affects system performance.

Fix:
Session variable substitutions are no longer logged.


586056 : Machine cert checker doesn't work as expected if issuer or AltName is specified

Component: Access Policy Manager

Symptoms:
Windows Machine cert checker doesn't work as expected if issuer or AltName is specified. User cannot pass access policy even with valid machine cert.

Logs in client PC can be produced, such as:

EXCEPTION - CCertCheckCtrl::Verify FindCertificateInStore failed with error code:

and

CCertCheckCtrl::Verify, Store name:"MY", Store location:"LocalMachine", Subject match FQDN:"1", Allow elevation UI:"0", Serial number(HEX):"", Issuer:"??????????????????????", SubjectAltName:""

Conditions:
Issuer or Subject AltName fields are populated.

Site recently upgraded to 11.5.4.

Impact:
User may not pass policy as expected

Workaround:
N/A

Fix:
Now Machine Cert checker correctly processes issuer and SAN fields.


586006-5 : Failed to retrieve CRLDP list from client certificate if DirName type is present

Component: Access Policy Manager

Symptoms:
Client certificate revocation check fails.

Conditions:
Both of the following conditions must be true to trigger this problem:
1. A CRLDP agent is configured in the access policy without the server hostname and port, which are needed for DirName type processing.
2. At least one DirName type CRLDP is present in the client certificate and it is the first in the list.

Impact:
Users may fail access policy evaluation when client certificates are used.

Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.


585547-4 : NTP configuration items are no longer collected by qkview

Component: TMOS

Symptoms:
qkview was collecting the file "/etc/ntp/keys" which in some cases, contains secret keys used for integrity verification of NTP messages.

Conditions:
Execute qkview to collect diagnostic information.

Impact:
Possibility for keys to be exposed.

Workaround:
1. Do not execute qkview.
2. If executing qkview, do not share this file with untrusted parties.

Fix:
With this release, qkview no longer collects this file.


585424-4 : Mozilla NSS vulnerability CVE-2016-1979

Solution Article: K20145801


585412-1 : SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines

Component: Local Traffic Manager

Symptoms:
Connections to a virtual server that uses an SMTPS profile may be reset with a reset cause of 'Out of memory.'

Conditions:
This might occur under the following conditions:
-- A virtual server that uses an SMTPS profile with activation-mode set to allow.
-- A client connection which does not use TLS that sends a DATA section with a text line that is longer than approximately 8192 characters.

8192 characters is an approximation for the maximum line length. The actual problem length can be affected by the MSS value and the particular way that the TCP traffic is segmented.

Impact:
The TCP connection is reset with a reset cause of 'Out of memory' and the email is not delivered.

Workaround:
None.

Fix:
A virtual server that uses an SMTPS profile with activation-mode set to allow no longer resets connections when the client does not use STARTTLS and the email body contains very long lines.


585045 : ASM REST: Missing 'gwt' support for urlContentProfiles

Component: Application Security Manager

Symptoms:
A URL's header content profile cannot be set to 'gwt' via REST, and if such a configuration exists on the device, then REST will fail to retrieve the collection.

Conditions:
ASM REST is used to configure or inspect URLs on a Security Policy, and GWT profiles are used.

Impact:
Unusable REST for the collection.

Workaround:
None.

Fix:
GWT profiles on URLs are now correctly supported via REST.


584717 : TCP window scaling is not applied when SYN cookies are active

Component: Local Traffic Manager

Symptoms:
TCP window scaling is not applied, which can be observed in transmitted packets containing small segments that are about the size of the unscaled window.

Conditions:
SYN cookies have been activated.

Impact:
Poor performance / throughput.

Workaround:
None

Fix:
The tmm now properly scales the TCP window upon SYN cookie activation.


584583-2 : Timeout error when using the REST API to retrieve large amount of data

Solution Article: K18410170

Component: TMOS

Symptoms:
The Rest API might time out when attempting to retrieve large dataset, such as a large GTM pool list. The error signature when using the Rest API appears as follows: errorStack":["java.util.concurrent.TimeoutException: remoteSender:127.0.0.1, uri:http://localhost:8110/tm/gtm/pool, method:GET

Conditions:
Configuration containing a large number of GTM pools and pool members (numbering in the thousands).

Impact:
If using the Rest API to retrieve the pool list, you may receive timeout errors.

Workaround:
There is no workaround at this time.

Fix:
TMSH performance has been improved for this GTM case (improvement ~5-10 times), which was the root cause of the REST failure. The timeout is no longer triggered for this amount of data.


584373-1 : AD/LDAP resource group mapping table controls are not accessible sometimes

Component: Access Policy Manager

Symptoms:
In the AD/LDAP resource group mapping table, when both group names and resource names are lengthy, the edit link and control buttons can disappear beyond the dialog bounds.

Conditions:
Very long group names and resource names.

Impact:
Impossible to delete and move rows in the table; editing is still possible.

Workaround:
Spread one assignment across multiple rows.

Fix:
A scroll bar now appears when needed.


584310 : TCP::collect ignores the 'skip' parameter when used in serverside events

Solution Article: K83393638

Component: Local Traffic Manager

Symptoms:
When TCP::collect is used with 'skip' and 'length' arguments in SERVER_CONNECTED, the 'skip' argument does not take effect and is ignored. The collect works, but collects only 'length' bytes from the start.

Conditions:
TCP::collect on server-side events such as SERVER_CONNECTED used with the 'skip' parameter. This is an intermittent issue that has been observed only with IIS servers.

Impact:
TCP::collect collects bytes without taking the skip into account, so the bytes collected are not the correct ones.

Workaround:
None.

Fix:
The skip and length arguments of the TCP::collect command are now honored during packet processing.


584029-7 : Fragmented packets may cause tmm to core under heavy load

Component: Local Traffic Manager

Symptoms:
In rare circumstances, the Traffic Management Microkernel (TMM) process may produce a core file while processing fragmented packets.

As a result of this issue, you may encounter one or more of the following symptoms:

-- TMM generates a core file in the /shared/core directory.
-- In one of the /var/log/tmm log files, you observe an error message similar to the following example:
 notice panic: ../base/flow_fwd.c:255: Assertion "ffwd flag set" failed.
 panic: ../net/packet.c:168: Assertion "packet is locked by a driver" failed.

notice ** SIGFPE **

Conditions:
This issue occurs when all of the following conditions are met:

-- The TMM process offloads a fragmented packet by way of an ffwd operation.
-- Your BIG-IP system is under heavy load.

Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.

Workaround:
None.

Fix:
Fragmented packets no longer cause tmm to core under heavy load.


583957-3 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.

Component: Local Traffic Manager

Symptoms:
Rarely, the TMM may hang during an HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.

Conditions:
-- An HTTP::respond or HTTP::redirect iRule command is used.
-- The iRule command is in an event triggered on the client side.
-- A pipelined HTTP request is being handled.

Impact:
The TMM will be restarted by SOD.

Fix:
The TMM no longer hangs in rare situations when processing a pipelined HTTP request and invoking an HTTP::respond or HTTP::redirect iRule command.


583936-1 : Removing ECMP route from BGP does not clear route from NSM

Component: TMOS

Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.

Conditions:
ECMP routing must be enabled and in-use.

Impact:
ECMP routes are not properly removed from the main routing table.

Fix:
ECMP routes are now properly removed from the routing table.


583631-1 : ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.

Component: Local Traffic Manager

Symptoms:
Server SSL ClientHello does not encode lowest supported TLS version. The outer record for a ClientHello contains the same version as the ClientHello. If, for example, the ClientHello is TLS1.2, the outer record will contain TLS1.2. Older servers that do not support later TLS versions might generate an alert and close the connection.

Conditions:
A BIG-IP system with a server SSL profile that supports a TLS version higher than that of the server to which it is connecting.

Impact:
The connection fails. The system might generate an alert.

Workaround:
Force the server SSL profile to use a lower TLS version by selecting 'No TLSv1.2' or 'No TLSv1.1' in the 'Options' section of the Server SSL profile.

Fix:
When the db variable 'SSL.OuterRecordTls1_0' is set to 'enable' (the default), the outer SSL record always contains TLS1.0. You can use this db variable to prevent the issue on older servers that do not support TLS versions later than 1.0, where an alert might otherwise be generated that closes the connection.

Behavior Change:
Formerly, the version present in the ClientHello and the version present in the outer record always matched. Now, if the sys db variable 'SSL.OuterRecordTls1_0' is set to 'enable' (the default), the version present in the outer record is TLS 1.0 regardless of the version in the ClientHello.
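To make the record-layer versus ClientHello distinction concrete, here is an added example (not F5's code and not taken from this release note) that builds a minimal ClientHello record, reads both version fields back, and models the older-server reaction described above. The sample records are constructed, and `legacy_server_accepts` is an assumption for illustration: it models a server that rejects any record whose outer version exceeds what it supports before it ever reads the ClientHello's own version field, which is the behaviour the fix works around.

```python
import struct

TLS10 = (3, 1)
TLS12 = (3, 3)


def build_client_hello(outer_version, hello_version):
    """Construct a minimal TLS ClientHello record (constructed sample, not captured traffic).
    outer_version goes in the 5-byte record header, hello_version in the handshake body."""
    random = bytes(32)                              # all-zero random is fine for a sample
    cipher_suites = b"\x00\x2f\x00\x35"             # TLS_RSA_WITH_AES_128/256_CBC_SHA
    body = (bytes(hello_version) + random
            + b"\x00"                               # session id length 0
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + bytes(outer_version) + struct.pack("!H", len(handshake)) + handshake


def parse_versions(record):
    """Return (outer_record_version, client_hello_version) as (major, minor) tuples."""
    if len(record) < 11 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    outer = (record[1], record[2])
    rec_len = struct.unpack("!H", record[3:5])[0]
    if len(record) != 5 + rec_len:
        raise ValueError("record length mismatch")
    if record[5] != 0x01:
        raise ValueError("not a ClientHello")
    hello = (record[9], record[10])                  # client_version follows the 4-byte header
    return outer, hello


def legacy_server_accepts(record, server_max=TLS10):
    """Assumed model of the older server: the record layer rejects anything whose outer
    version is newer than it supports, so the ClientHello version is never negotiated."""
    outer, _ = parse_versions(record)
    return outer <= server_max


if __name__ == "__main__":
    before = build_client_hello(TLS12, TLS12)   # old behaviour: versions match
    after = build_client_hello(TLS10, TLS12)    # SSL.OuterRecordTls1_0 enabled
    print("before fix:", parse_versions(before), "accepted:", legacy_server_accepts(before))
    print("after fix: ", parse_versions(after), "accepted:", legacy_server_accepts(after))
```

The record with a TLS1.0 outer version still carries TLS1.2 in the ClientHello, so a modern server negotiates TLS1.2 as before while the modelled legacy server no longer drops the connection at the record layer.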


583502-3 : Considerations for transferring files from F5 devices

Solution Article: K58243048

Component: TMOS

Symptoms:
For more information, see K58243048: Considerations for transferring files from F5 devices, available at https://support.f5.com/csp/article/K58243048

Conditions:
For more information, see K58243048: Considerations for transferring files from F5 devices, available at https://support.f5.com/csp/article/K58243048

Impact:
For more information, see K58243048: Considerations for transferring files from F5 devices, available at https://support.f5.com/csp/article/K58243048

Fix:
For more information, see K58243048: Considerations for transferring files from F5 devices, available at https://support.f5.com/csp/article/K58243048


583285-2 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Solution Article: K24331010

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message.

Note: There are three parts to this issue, as recorded in the following bugs: 569236, 583285, and 662331.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>

Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again.

Note: There is a three-part fix provided for this issue, as provided in the following bugs: 569236, 583285, and 662331.


582952 : L