Applies To:
Show Versions
BIG-IP AAM
- 12.1.5
BIG-IP APM
- 12.1.5
BIG-IP Analytics
- 12.1.5
BIG-IP Link Controller
- 12.1.5
BIG-IP LTM
- 12.1.5
BIG-IP AFM
- 12.1.5
BIG-IP PEM
- 12.1.5
BIG-IP DNS
- 12.1.5
BIG-IP ASM
- 12.1.5
BIG-IP Release Information
Version: 12.1.5.3
Build: 5.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Important: Memory leak after upgrade
F5 has uncovered a memory leak that occurs after upgrading to 12.1.5.3 that may affect configurations with HTTPS monitors. This occurs as a result of bug 625156.
To download a hotfix that addresses this issue, go to the F5 Downloads site here (login required).
For information about this issue, see K50524736: Bigd process memory leak after updating to BIG-IP 12.1.5.3.
and K02024500: Pool-members with HTTPS monitors go down after upgrade to 12.1.5.3.
Cumulative fixes from BIG-IP v12.1.5.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.5.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.5 that are included in this release
Cumulative fixes from BIG-IP v12.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.4 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.7 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.6 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.5 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.4 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.3 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v12.1.x
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 933741-6 | CVE-2021-22979 | K63497634 | Security hardening in FPS GUI |
| 932065-5 | CVE-2021-22978 | K87502622 | iControl REST framework exception handling hardening |
| 921337-4 | CVE-2021-22976 | K88230177 | ASM processes some web-sockets requests longer than usual |
| 917509-6 | CVE-2020-27718 | K58102101 | ASM processes some requests longer than usual |
| 911761-6 | CVE-2020-5948 | K42696541 | F5 TMUI XSS vulnerability CVE-2020-5948 |
| 908673-1 | CVE-2020-27717 | K43850230 | TMM may crash while processing DNS traffic |
| 879745-7 | CVE-2020-5942 | K82530456 | TMM may crash while processing Diameter traffic |
| 846917-6 | CVE-2019-10744 | K47105354 | lodash Vulnerability: CVE-2019-10744 |
| 837773-5 | CVE-2020-5912 | K12936322 | Restjavad Storage and Configuration Hardening |
| 750292-3 | CVE-2019-6592 | K54167061 | TMM may crash when processing TLS traffic |
| 904937-6 | CVE-2020-27725 | K25595031 | Excessive resource consumption in zxfrd |
| 898949-5 | CVE-2020-27724 | K04518313 | APM may consume excessive resources while processing VPN traffic |
| 880361-5 | CVE-2021-22973 | K13323323 | TMM may crash while processing iRules LX commands |
| 859089-2 | CVE-2020-5907 | K00091341 | TMSH allows SFTP utility access |
| 842717-2 | CVE-2020-5855 | K55102004 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 |
| 832757-2 | CVE-2017-18551 | K48073202 | Linux kernel vulnerability CVE-2017-18551 |
| 811789-5 | CVE-2020-5915 | K57214921 | Device trust UI hardening |
| 751036-4 | CVE-2020-27721 | K52035247 | Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone |
| 734177 | CVE-2012-6701 CVE-2015-8830 CVE-2016-8650 CVE-2017-2671 CVE-2017-6001 CVE-2017-7308 CVE-2017-7616 CVE-2017-7889 CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 CVE-2017-12190 CVE-2017-15121 CVE-2017-18203 CVE-2018-1130 CVE-2018-3639 CVE-2018-5803 |
K42142782 | CVE-2019-12190 : RHEL6 Kernel Vulnerability |
| 693360-6 | CVE-2020-27721 | K52035247 | A virtual server status changes to yellow while still available |
| 681535 | CVE-2017-2628 | K35453761 | CVE-2015-3148 in curl was incomplete. |
| 818177-7 | CVE-2019-12295 | K06725231 | CVE-2019-12295 Wireshark Vulnerability |
| 746091-4 | CVE-2019-19151 | K21711352 | TMSH Vulnerability: CVE-2019-19151 |
| 717276-3 | CVE-2020-5930 | K20622530 | TMM Route Metrics Hardening |
| 954381-5 | CVE-2021-22986 | K03009991 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 |
| 955145-5 | CVE-2021-22986 | K03009991 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 |
| 950077-5 | CVE-2021-22987, CVE-2021-22988 | K18132488 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 |
| 953677-5 | CVE-2021-22987, CVE-2021-22988 | K18132488 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 |
| 953729-5 | CVE-2021-22989, CVE-2021-22990 | K56142644 | Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 |
| 973333-1 | CVE-2021-22991 | K56715231 | TMM buffer-overflow vulnerability CVE-2021-22991 |
| 981169-5 | CVE-2021-22994 | K66851119 | F5 TMUI XSS vulnerability CVE-2021-22994 |
| 743105-5 | CVE-2021-22998 | K31934524 | BIG-IP SNAT vulnerability CVE-2021-22998 |
| 932697 | CVE-2021-23000 | K34441555 | BIG-IP TMM vulnerability CVE-2021-23000 |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 724556-1 | 2-Critical | icrd_child spawns more than maximum allowed times (zombie processes) | |
| 657912-1 | 3-Major | PIM can be configured to use a floating self IP address | |
| 760234-3 | 4-Minor | Configuring Advanced shell for Resource Administrator User has no effect |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 860517-5 | 2-Critical | MCPD may crash on startup with many thousands of monitors on a system with many CPUs. | |
| 841953-2 | 2-Critical | A tunnel can be expired when going offline, causing tmm crash | |
| 841333-2 | 2-Critical | TMM may crash when tunnel used after returning from offline | |
| 780817-3 | 2-Critical | TMM can crash on certain vCMP hosts after modifications to VLANs and guests. | |
| 769817-5 | 2-Critical | BFD fails to propagate sessions state change during blade restart | |
| 737322-1 | 2-Critical | tmm may crash at startup if the configuration load fails | |
| 706521-6 | 2-Critical | K21404407 | The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password |
| 648270-4 | 2-Critical | mcpd can crash if viewing a fast-growing log file through the GUI | |
| 948769-2 | 3-Major | TMM panic with SCTP traffic | |
| 888497-6 | 3-Major | Cacheable HTTP Response | |
| 887089-6 | 3-Major | Upgrade can fail when filenames contain spaces | |
| 871657-4 | 3-Major | Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S | |
| 842189-1 | 3-Major | Tunnels removed when going offline are not restored when going back online | |
| 814585-6 | 3-Major | PPTP profile option not available when creating or modifying virtual servers in GUI | |
| 810957-6 | 3-Major | Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core | |
| 807005-6 | 3-Major | Save-on-auto-sync is not working as expected with large configuration objects | |
| 800185-1 | 3-Major | Saving a large encrypted UCS archive may fail and might trigger failover | |
| 794501-5 | 3-Major | Duplicate if_indexes and OIDs between interfaces and tunnels | |
| 783113-2 | 3-Major | BGP sessions remain down upon new primary slot election | |
| 760950-1 | 3-Major | Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment | |
| 760439-1 | 3-Major | After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status | |
| 759596-4 | 3-Major | Tcl errors in iRules 'table' command | |
| 757520 | 3-Major | After a software upgrade, the BIG-IP system does not use the correct hostname for logging.★ | |
| 749785-3 | 3-Major | nsm can become unresponsive when processing recursive routes | |
| 749007-4 | 3-Major | South Sudan, Sint Maarten, and Curacao country missing in GTM region list | |
| 745261-3 | 3-Major | The TMM process may crash in some tunnel cases | |
| 742628-6 | 3-Major | K53843889 | Tmsh session initiation adds increased control plane pressure |
| 739872-3 | 3-Major | The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover | |
| 738943-1 | 3-Major | imish command hangs when ospfd is enabled | |
| 724109-5 | 3-Major | Manual config-sync fails after pool with FQDN pool members is deleted | |
| 720569-2 | 3-Major | Disaggregation algorithm distributing traffic unequally across CPU cores on Virtual Edition | |
| 699091-1 | 3-Major | SELinux denies console access for remote users. | |
| 698429-3 | 3-Major | Misleading log error message: Store Read invalid store addr 0x3800, len 10 | |
| 688399-5 | 3-Major | HSB failure results in continuous TMM restarts | |
| 687115-1 | 3-Major | SNMP performance can be impacted by a long list of allowed-addresses | |
| 680917-2 | 3-Major | Invalid monitor rule instance identifier | |
| 678456-2 | 3-Major | ZebOS BGP peer-group configuration not fixed up on upgrade★ | |
| 672063-1 | 3-Major | K38335326 | Misconfigured GRE tunnel and route objects may cause an ill-formed routing loop inside the TMM, resulting in a TMM crash. |
| 626589-6 | 3-Major | K73230273 | iControl-SOAP prints beyond log buffer |
| 620311-1 | 3-Major | GUI Failover Unicast Address information incorrect | |
| 605675-1 | 3-Major | Sync requests can be generated faster than they can be handled | |
| 600732-2 | 3-Major | IKEv1 racoon daemon dangling pointer from phase-one SA to deleted peer description | |
| 489572-2 | 3-Major | K60934489 | Sync fails if file object is created and deleted before sync to peer BIG-IP |
| 933461-1 | 4-Minor | BGP multi-path candidate selection does not work properly in all cases. | |
| 931837-4 | 4-Minor | NTP has predictable timestamps | |
| 902417-1 | 4-Minor | Configuration error caused by Drafts folder in a deleted custom partition★ | |
| 831293-1 | 4-Minor | SNMP address-related GET requests slow to respond. | |
| 801637-2 | 4-Minor | Cmp_dest on C2200 platform may give incorrect results | |
| 721526-1 | 4-Minor | tcpdump fails to write verbose packet data to file | |
| 685582-5 | 4-Minor | Incorrect output of b64 unit key hash by command f5mku -f | |
| 664524 | 4-Minor | CVE-2017-2636: A race condition was found in the N_HLDC Linux kernel driver that can lead to double free CVE-2016-7910:A flaw was found in the Linux kernel's implementation of seq_file which can lead to memory corruption |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 715032-6 | 1-Blocking | K73302459 | iRulesLX Hardening |
| 941089-5 | 2-Critical | TMM core when using Multipath TCP | |
| 842937-1 | 2-Critical | TMM crash due to failed assertion 'valid node' | |
| 743950-3 | 2-Critical | TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled | |
| 740228-3 | 2-Critical | TMM crash while sending a DHCP Lease Query to a DHCP server | |
| 949145-2 | 3-Major | Improve TCP's response to partial ACKs during loss recovery | |
| 915281-7 | 3-Major | Do not rearm TCP Keep Alive timer under certain conditions | |
| 879413-5 | 3-Major | Statsd fails to start if one or more of its *.info files becomes corrupted | |
| 851789-1 | 3-Major | SSL monitors flap with client certs with private key stored in FIPS | |
| 851045-5 | 3-Major | LTM database monitor may hang when monitored DB server goes down | |
| 814761-4 | 3-Major | PostgreSQL monitor fails on second ping with count != 1 | |
| 807821-1 | 3-Major | ICMP echo requests occasionally go unanswered | |
| 805017-4 | 3-Major | DB monitor marks pool member down if no send/recv strings are configured | |
| 796993-2 | 3-Major | Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs | |
| 785481-5 | 3-Major | A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached | |
| 770477-4 | 3-Major | SSL aborted when client_hello includes both renegotiation info extension and SCSV | |
| 755997-3 | 3-Major | Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address | |
| 753805-2 | 3-Major | BIG-IP system failed to advertise virtual address even after the virtual address was in Available state. | |
| 750473-2 | 3-Major | VA status change while 'disabled' are not taken into account after being 'enabled' again | |
| 724824-5 | 3-Major | Ephemeral nodes on peer devices report as unknown and unchecked after full config sync | |
| 722707-1 | 3-Major | mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall | |
| 687887-4 | 3-Major | Unexpected result from multiple changes to a monitor-related object in a single transaction | |
| 686059-1 | 3-Major | FDB entries for existing VLANs may be flushed when creating a new VLAN. | |
| 608952-5 | 3-Major | MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2 | |
| 604811-3 | 3-Major | Under certain conditions TMM may crash while processing OneConnect traffic | |
| 516307-2 | 3-Major | K35152864 | Multiple Relay in DHCP relay is not working. |
| 409340-1 | 3-Major | K63086108 | https/ssl monitor closes immediately (rather than awaiting remote close-notify) |
| 822025-5 | 4-Minor | HTTP response not forwarded to client during an early response | |
| 808409-2 | 4-Minor | Unable to specify if giaddr will be modified in DHCP relay chain | |
| 781225-4 | 4-Minor | HTTP profile Response Size stats incorrect for keep-alive connections | |
| 769309-4 | 4-Minor | DB monitor reconnects to server on every probe when count = 0 | |
| 746077-2 | 4-Minor | If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified | |
| 726983-5 | 4-Minor | Inserting multi-line HTTP header not handled correctly | |
| 939841-5 | 2-Critical | BIG-IP MPTCP vulnerability CVE-2021-23003 | |
| 939845-5 | 3-Major | Invalid MPTCP JOIN messages not immediately dropped |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 702457-3 | 3-Major | DNS Cache connections remain open indefinitely |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 927617-5 | 2-Critical | "Illegal Base64 value" violation is detected for cookie with valid base64 value | |
| 943125-5 | 3-Major | Web-Socket request with JSON payload causing core during the payload parsing | |
| 941853-4 | 3-Major | Logging Profiles do not disassociate from virtual server when multiple changes are made | |
| 918933-5 | 3-Major | K88162221 | Some ASM attack signatures do not match on cookies |
| 848445-5 | 3-Major | K86285055 | Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★ |
| 833685-2 | 3-Major | Idle async handlers can remain loaded for a long time doing nothing | |
| 712336-3 | 3-Major | bd daemon restart loop | |
| 686763-2 | 3-Major | asm_start is consuming too much memory | |
| 630355-3 | 3-Major | K57041868 | Local Logs Missing Or Recorded Found For Incorrect Policy |
| 975233-5 | 1-Blocking | Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 | |
| 935401-6 | 3-Major | BIG-IP ASM iControl REST vulnerability CVE-2021-23001 |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 727031-2 | 1-Blocking | TMM disruption from disaggregation in vCMP systems | |
| 760629-1 | 3-Major | Remove Obsolete APM keys in BigDB | |
| 739570-1 | 3-Major | Unable to install EPSEC package★ | |
| 766017-5 | 4-Minor | [APM][LocalDB] Local user database instance name length check inconsistencies★ |
WebAccelerator Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 621284-5 | 3-Major | Incorrect TMSH help text for the 'max-response' RAMCACHE attribute |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 939529-5 | 3-Major | Branch parameter not parsed properly when topmost via header received with comma separated values | |
| 747909-2 | 4-Minor | GTPv2 MEI and Serving-Network fields decoded incorrectly |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 726154-1 | 3-Major | TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies |
Policy Enforcement Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 753014-2 | 3-Major | PEM iRule action with RULE_INIT event fails to attach to PEM policy |
Fraud Protection Services Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 940401-5 | 5-Cosmetic | Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' |
Traffic Classification Engine Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 913441-1 | 2-Critical | Tmm cores while doing Hitless Upgrade while there are active flows | |
| 949861 | 3-Major | Wr_urldbd returns unknown results for customdb on some blades | |
| 741994 | 4-Minor | Cleanup Webroot database files when database fail to download | |
| 674795-1 | 4-Minor | tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds, when it should be hours. |
Cumulative fixes from BIG-IP v12.1.5.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 895525-6 | CVE-2020-5902 | K52145254 | TMUI RCE vulnerability CVE-2020-5902 |
| 909237-2 | CVE-2020-8617 | K05544642 | CVE-2020-8617: BIND Vulnerability |
| 909233-2 | CVE-2020-8616 | K97810133 | DNS Hardening |
| 905905-5 | CVE-2020-5904 | K31301245 | TMUI CSRF vulnerability CVE-2020-5904 |
| 895993-6 | CVE-2020-5902 | K52145254 | TMUI RCE vulnerability CVE-2020-5902 |
| 895981-6 | CVE-2020-5902 | K52145254 | TMUI RCE vulnerability CVE-2020-5902 |
| 895881-5 | CVE-2020-5903 | K43638305 | BIG-IP TMUI XSS vulnerability CVE-2020-5903 |
| 883717-5 | CVE-2020-5914 | K37466356 | BD crash on specific server cookie scenario |
| 882185-3 | CVE-2020-5897 | K20346072 | BIG-IP Edge Client Windows ActiveX |
| 879025-7 | CVE-2020-5913 | K72752002 | When processing TLS traffic, LTM may not enforce certificate chain restrictions |
| 841577-7 | CVE-2020-5922 | K20606443 | iControl REST hardening |
| 839453-1 | CVE-2019-10744 | K47105354 | lodash library vulnerability CVE-2019-10744 |
| 830401-6 | CVE-2020-5877 | K54200228 | TMM may crash while processing TCP traffic with iRules |
| 819197-7 | CVE-2019-13135 | K20336394 | BIGIP: CVE-2019-13135 ImageMagick vulnerability |
| 819189-6 | CVE-2019-13136 | K03512441 | BIGIP: CVE-2019-13136 ImageMagick vulnerability |
| 788057-6 | CVE-2020-5921 | K00103216 | MCPD may crash while processing syncookies |
| 626360 | CVE-2017-6163 | K22541983 | TMM may crash when processing HTTP2 traffic |
| 886085-7 | CVE-2020-5925 | K45421311 | BIG-IP TMM vulnerability CVE-2020-5925 |
| 883097-3 | CVE-2020-5924 | K11400411 | Radius authentication may consume excessive resources |
| 881445-3 | CVE-2020-5898 | K69154630 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 |
| 872673-5 | CVE-2020-5918 | K26464312 | TMM can crash when processing SCTP traffic |
| 870273-1 | CVE-2020-5936 | K44020030 | TMM may consume excessive resources when processing SSL traffic |
| 860477-7 | CVE-2020-5906 | K82518062 | SCP hardening |
| 858025-6 | CVE-2021-22984 | K33440533 | Proactive Bot Defense does not validate redirected paths |
| 848405-7 | CVE-2020-5933 | K26244025 | TMM may consume excessive resources while processing compressed HTTP traffic |
| 838881-6 | CVE-2020-5853 | K73183618 | APM Portal Access Vulnerability: CVE-2020-5853 |
| 837837-6 | CVE-2020-5917 | K43404629 | F5 SSH server key size vulnerability CVE-2020-5917 |
| 832885-6 | CVE-2020-5923 | K05975972 | Self-IP hardening |
| 829121-6 | CVE-2020-5886 | K65720640 | State mirroring default does not require TLS |
| 829117-6 | CVE-2020-5885 | K17663061 | State mirroring default does not require TLS |
| 888493-6 | CVE-2020-5928 | K40843345 | ASM GUI Hardening |
| 852929-4 | CVE-2020-5920 | K25160703 | AFM WebUI Hardening |
| 838909-2 | CVE-2020-5893 | K97733133 | BIG-IP APM Edge Client vulnerability CVE-2020-5893 |
| 823893-5 | CVE-2020-5890 | K03318649 | Qkview may fail to completely sanitize LDAP bind credentials |
| 749324-4 | CVE-2012-6708 | K62532311 | jQuery Vulnerability: CVE-2012-6708 |
| 760723-4 | CVE-2015-4037 | K64765350 | Qemu Vulnerability |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 858229-1 | 3-Major | K22493037 | XML with sensitive data gets to the ICAP server |
| 858189-6 | 3-Major | Make restnoded/restjavad/icrd timeout configurable with sys db variables. | |
| 643459-3 | 3-Major | K81809012 | Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 767013-5 | 2-Critical | Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch | |
| 749388-4 | 2-Critical | 'table delete' iRule command can cause TMM to crash | |
| 743082-3 | 2-Critical | Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members★ | |
| 737055-3 | 2-Critical | Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy | |
| 795649-1 | 3-Major | Loading UCS from one iSeries model to another causes FPGA to fail to load | |
| 788577-2 | 3-Major | BFD sessions may be reset after CMP state change | |
| 762073-3 | 3-Major | Continuous TMM restarts when HSB drops off the PCI bus | |
| 754460 | 3-Major | No failover on HA Dual Chassis setup using HA score | |
| 741902-4 | 3-Major | sod does not validate message length vs. received packet length | |
| 725791-3 | 3-Major | K44895409 | Potential HW/HSB issue detected |
| 722380-3 | 3-Major | The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core. | |
| 648621-1 | 3-Major | SCTP: Multihome connections may not expire | |
| 619873-2 | 3-Major | Secure Vault: Key cleanup for 5000-, 7000-series, and i-Series platforms★ | |
| 559001-1 | 3-Major | Unable to clear LCD messages and Alarm LED state on non-iSeries platforms | |
| 743815-4 | 4-Minor | vCMP guest observes connflow reset when a CMP state change occurs. | |
| 722230-6 | 4-Minor | Cannot delete FQDN template node if another FQDN node resolves to same IP address | |
| 660760-1 | 4-Minor | K75105750 | DNS graphs fail to display in the GUI |
| 550526 | 4-Minor | K84370515 | Some time zones prevent configuring trust with a peer device using the GUI. |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 831325-4 | 2-Critical | K10701310 | HTTP PSM detects more issues with Transfer-Encoding headers |
| 757578-5 | 2-Critical | RAM cache is not compatible with verify-accept | |
| 747617-4 | 2-Critical | TMM core when processing invalid timer | |
| 705768-4 | 2-Critical | The dynconfd process may core and restart with multiple DNS name servers configured | |
| 860005-5 | 3-Major | Ephemeral nodes/pool members may be created for wrong FQDN name | |
| 858301-5 | 3-Major | K27551003 | HTTP RFC compliance now checks that the authority matches between the URI and Host header |
| 858297-5 | 3-Major | K27551003 | HTTP requests with multiple Host headers are rejected if RFC compliance is enabled |
| 803233-5 | 3-Major | Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable | |
| 784565-5 | 3-Major | VLAN groups are incompatible with fast-forwarded flows | |
| 766169-1 | 3-Major | Replacing all VLAN interfaces resets VLAN MTU to a default value | |
| 755727-4 | 3-Major | Ephemeral pool members not created after DNS flap and address record changes | |
| 720440 | 3-Major | Radius monitor marks pool members down after 6 seconds | |
| 704450-2 | 3-Major | bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration | |
| 689361-3 | 3-Major | Configsync can change the status of a monitored pool member | |
| 655724-3 | 3-Major | K15695 | MSRDP persistence does not work across route domains. |
| 640809-1 | 3-Major | K79892782 | Merged constantly restarts★ |
| 582207-7 | 3-Major | MSS may exceed MTU when using HW syncookies | |
| 575642-1 | 3-Major | rst_cause of "Internal error" | |
| 594064-2 | 4-Minor | K57004151 | tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows. |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 760471-5 | 3-Major | GTM iQuery connections may be reset during SSL key renegotiation. | |
| 746348-3 | 3-Major | On rare occasions, gtmd fails to process probe responses originating from the same system. | |
| 708421-1 | 3-Major | K52142743 | DNS::question 'set' options are applied to packet, but not to already parsed dns_msg |
| 704198-1 | 3-Major | K29403988 | Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 681010-1 | 3-Major | K33572148 | 'Referer' is not masked when 'Query String' contains sensitive parameter |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 866021-5 | 3-Major | Diameter Mirror connection lost on the standby due to "process ingress error" | |
| 815877-5 | 3-Major | Information Elements with zero-length value are rejected by the GTP parser | |
| 747187-4 | 3-Major | SIP falsely detects media flow collision when SDP is in both 183 and 200 response | |
| 745404-3 | 3-Major | MRF SIP ALG does not reparse SDP payload if replaced | |
| 741951-3 | 3-Major | Multiple extensions in SIP NOTIFY request cause message to be dropped. | |
| 651886-1 | 3-Major | Certain FIX messages are dropped | |
| 836357-2 | 4-Minor | SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 | |
| 788513-5 | 4-Minor | Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log |
Traffic Classification Engine Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 816529 | 3-Major | If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart. |
Cumulative fixes from BIG-IP v12.1.5.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 852445-6 | CVE-2019-6477 | K15840535 | Big-IP : CVE-2019-6477 BIND Vulnerability |
| 818709-5 | CVE-2020-5858 | K36814487 | TMSH does not follow current best practices |
| 818429-1 | CVE-2020-5857 | K70275209 | TMM may crash while processing HTTP traffic |
| 805837-5 | CVE-2019-6657 | K22441651 | REST does not follow current design best practices |
| 795437-1 | CVE-2019-6677 | K06747393 | Improve handling of TCP traffic for iRules |
| 795197-4 | CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 | K26618426 | Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 |
| 781377-3 | CVE-2019-6681 | K93417064 | tmrouted may crash while processing Multicast Forwarding Cache messages |
| 780601-5 | CVE-2020-5873 | K03585731 | SCP file transfer hardening |
| 778077-2 | CVE-2019-6680 | K53183580 | Virtual to virtual chain can cause TMM to crash |
| 767373-4 | CVE-2019-8331 | K24383845 | CVE-2019-8331: Bootstrap Vulnerability |
| 759343-3 | CVE-2019-6668 | K49827114 | MacOS Edge Client installer does not follow best security practices |
| 737731-3 | CVE-2019-6622 | K44885536 | iControl REST input sanitization |
| 809165-5 | CVE-2020-5854 | K50046200 | TMM may crash will processing connector traffic |
| 805557-5 | CVE-2020-5882 | K43815022 | TMM may crash while processing crypto data |
| 795797-5 | CVE-2019-6658 | K21121741 | AFM WebUI Hardening |
| 788773-5 | CVE-2019-9515 | K50233772 | HTTP/2 Vulnerability: CVE-2019-9515 |
| 788769-5 | CVE-2019-9514 | K01988340 | HTTP/2 Vulnerability: CVE-2019-9514 |
| 782529-5 | CVE-2019-6685 | K30215839 | iRules does not follow current design best practices |
| 773673-5 | CVE-2019-9512 | K98053339 | HTTP/2 Vulnerability: CVE-2019-9512 |
| 768981-5 | CVE-2019-6670 | K05765031 | VCMP Hypervisor Hardening |
| 761144-2 | CVE-2019-6684 | K95117754 | Broadcast frames may be dropped |
| 761112-6 | CVE-2019-6683 | K76328112 | TMM may consume excessive resources when processing FastL4 traffic |
| 761014-5 | CVE-2019-6669 | K11447758 | TMM may crash while processing local traffic |
| 725551-5 | CVE-2019-6682 | K40452417 | ASM may consume excessive resources |
| 857669 | CVE-2020-5908 | K33023560 | BIG-IP Edge Client may log sensitive data on Linux client |
| 811109 | CVE-2020-5861 | K22113131 | TMM RAM Cache Vulnerability: CVE-2020-5861 |
| 789893-5 | CVE-2019-6679 | K54336216 | SCP file transfer hardening |
| 779177-5 | CVE-2019-19150 | K37890841 | Apmd logs "client-session-id" when access-policy debug log level is enabled |
| 773653-3 | CVE-2019-6656 | K23876153 | APM Client Logging |
| 773649-3 | CVE-2019-6656 | K23876153 | APM Client Logging |
| 773641-3 | CVE-2019-6656 | K23876153 | APM Client Logging |
| 773637-3 | CVE-2019-6656 | K23876153 | APM Client Logging |
| 773633-3 | CVE-2019-6656 | K23876153 | APM Client Logging |
| 773621-3 | CVE-2019-6656 | K23876153 | APM Client Logging |
| 738236-3 | CVE-2019-6688 | K25607522 | UCS does not follow current best practices |
| 712876-4 | CVE-2017-8824 | K15526101 | CVE-2017-8824: Kernel Vulnerability |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 819397-4 | 1-Blocking | K50375550 | TMM does not enforce RFC compliance when processing HTTP traffic |
| 769193-3 | 3-Major | Added support for faster congestion window increase in slow-start for stretch ACKs | |
| 557322-1 | 3-Major | Sensitive monitor parameters recorded in bigd and monitor logs |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 765533-5 | 2-Critical | K58243048 | Sensitive information logged when DEBUG logging enabled |
| 621260-5 | 2-Critical | mcpd core on iControl REST reference to non-existing pool | |
| 812981-1 | 3-Major | MCPD: memory leak on standby BIG-IP device | |
| 809205-2 | 3-Major | CVE-2019-3855: libssh2 Vulnerability | |
| 641450 | 3-Major | K30053855 | A transaction that deletes and recreates a virtual may result in an invalid configuration |
| 625901-1 | 3-Major | SNAT pools allow members in different partitions to be assigned, but this causes a load failure | |
| 620954-3 | 3-Major | Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable | |
| 618137-1 | 3-Major | Native IXLV: New tagged VLAN does not work after several restarts of tmm | |
| 614808-1 | 3-Major | Running qkview with option -c (--complete) fails if there is an encrypted key | |
| 600944-1 | 3-Major | tmsh does not reset route domain to 0 after cd /Common and loading bash | |
| 596815-1 | 3-Major | System DNS nameserver and search order configuration does not always sync to peers | |
| 595317-4 | 3-Major | Forwarding address for Type 7 in ospfv3 is not updated in the database | |
| 584041 | 3-Major | forward slash '/' is used in the description field, admin user will be demoted to guest. | |
| 516167-2 | 3-Major | K21382264 | TMSH listing with wildcards prevents the child object from being displayed |
| 503482-2 | 3-Major | BGP cannot redistribute IPv4 routes learned from OSPFv3. | |
| 638960-2 | 4-Minor | A subset of the BIG-IP default profiles can be incorrectly deleted | |
| 638893-1 | 4-Minor | Reference to SOL14556 instead of K14556 in tmsh modify net interface X.X media command | |
| 625428-1 | 4-Minor | SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit | |
| 624909-2 | 4-Minor | Static route create validation is less stringent than static route delete validation | |
| 623536-2 | 4-Minor | SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent | |
| 620522-1 | 4-Minor | Some expected command output are missing in qkview | |
| 591732-2 | 4-Minor | Local password policy not enforced when auth source is set to a remote type. | |
| 590415-1 | 4-Minor | Partition can be removed when remote role info entries refer to it | |
| 589862-6 | 4-Minor | HA Grioup percent-up display value is truncated, not rounded | |
| 590399-1 | 5-Cosmetic | K11304001 | Unnecessary logging during startup: 'Unable to connect to MCPD' and Errdefsd is starting'. |
| 571634-1 | 5-Cosmetic | tmstat CPU values can be incorrect |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 826601-2 | 2-Critical | Prevent receive window shrinkage for looped flows that use a SYN cookie | |
| 787825-4 | 2-Critical | K58243048 | Database monitors debug logs have plaintext password printed in the log file |
| 639764-2 | 2-Critical | Crash when searching external data-groups with records that do not have values | |
| 616298-1 | 2-Critical | Loading the configuration fails when a virtual server uses HTTP Strict Transport Security (HSTS). | |
| 615303-2 | 2-Critical | K47381511 | bigd crash with Tcl monitors |
| 788325-5 | 3-Major | K39794285 | Header continuation rule is applied to request/response line |
| 773421-5 | 3-Major | Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied | |
| 761185-5 | 3-Major | K50375550 | Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic |
| 663730-1 | 3-Major | Bigd prematurely kills child/external monitor process if WIFCONTINUED signal received | |
| 643041-4 | 3-Major | K64451315 | Less than optimal interaction between OneConnect and proxy MSS |
| 636842-1 | 3-Major | K51472519 | A FastL4 virtual server may drop a FIN packet when mirroring is enabled |
| 601189-2 | 3-Major | The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode | |
| 594751-3 | 3-Major | K90535529 | LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN |
| 567330-1 | 5-Cosmetic | tmsh show sys memory on secondaries will generate innocuous error |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 662308-1 | 2-Critical | BD core | |
| 636669-3 | 2-Critical | K37300224 | bd log are full of 'Can't run patterns' messages |
| 635977-1 | 2-Critical | Bd core on specific out of memory scenario | |
| 620301-4 | 2-Critical | Policy import fails due to missing signature System in associated Signature Set | |
| 854177-1 | 3-Major | ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality | |
| 850673-5 | 3-Major | BD sends bad ACKs to the bd_agent for configuration | |
| 832205-2 | 3-Major | ASU cannot be completed after Signature Systems database corruption following binary Policy import | |
| 831661-5 | 3-Major | ASMConfig Handler undergoes frequent restarts | |
| 809125-4 | 3-Major | CSRF false positive | |
| 793149-1 | 3-Major | Adding the Strict-transport-Policy header to internal responses | |
| 785009-1 | 3-Major | Binary policy import fails with a user-defined Signature Set containing only non-existent signatures | |
| 783505-1 | 3-Major | ASU is very slow on device with hundreds of policies due to table checksums | |
| 765809 | 3-Major | Memory increases for the bd daemon on cluster environment primary blade | |
| 725879 | 3-Major | Internet Explorer running on Windows phone 8.1 gets CAPTCHA during legitimate browsing | |
| 755005-4 | 4-Minor | Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations | |
| 747560-2 | 4-Minor | ASM REST: Unable to download Whitehat vulnerabilities |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 825049-2 | 1-Blocking | Windows code signing certificate update 2019 | |
| 685862-2 | 3-Major | BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 642211-2 | 3-Major | Warning logged when GENERICMESSAGE::message drop iRule command used |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 602098-1 | 3-Major | Translation object created in non-Common partition is visible in the policy created for Common partition |
Device Management Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 627341-1 | 3-Major | TMUI loginProviderName is invalid when requesting a REST token |
Cumulative fixes from BIG-IP v12.1.5 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 807477-4 | CVE-2019-6650 | K04280042 | ConfigSync Hardening |
| 797885-5 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
| 796469-1 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
| 810557-5 | CVE-2019-6649 | K05123525 | ASM ConfigSync Hardening |
| 799617-5 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
| 799589-5 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
| 794389-5 | CVE-2019-6651 | K89509323 | iControl REST endpoint response inconsistency |
| 771873-2 | CVE-2019-6642 | K40378764 | TMSH Hardening |
| 762453-4 | CVE-2020-5872 | K63558580 | Hardware cryptography acceleration may fail |
| 758065-3 | CVE-2019-6667 | K82781208 | TMM may consume excessive resources while processing FIX traffic |
| 757023-5 | CVE-2018-5743 | K74009656 | BIND vulnerability CVE-2018-5743 |
| 756538-2 | CVE-2019-6645 | K15759349 | Failure to open data channel for active FTP connections mirrored across an high availability (HA) pair. |
| 739971-3 | CVE-2018-5391 | K74374841 | Linux kernel vulnerability: CVE-2018-5391 |
| 737574-3 | CVE-2019-6621 | K20541896 | iControl REST input sanitization★ |
| 737565-3 | CVE-2019-6620 | K20445457 | iControl REST input sanitization |
| 726393-5 | CVE-2019-6643 | K36228121 | DHCPRELAY6 can lead to a tmm crash |
| 715923-3 | CVE-2018-15317 | K43625118 | When processing TLS traffic TMM may terminate connections unexpectedly |
| 794413-5 | CVE-2019-6471 | K10092301 | BIND vulnerability CVE-2019-6471 |
| 758018-2 | CVE-2019-6661 | K61705126 | APD/APMD may consume excessive resources |
| 757455-4 | CVE-2019-6647 | K87920510 | Excessive resource consumption when processing REST requests |
| 745257-4 | CVE-2018-14634 | K20934447 | Linux kernel vulnerability: CVE-2018-14634 |
| 702469-4 | CVE-2019-6633 | K73522927 | Appliance mode hardening in scp |
| 679861-2 | CVE-2019-6655 | K31152411 | Weak Access Restrictions on the AVR Reporting Interface |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 744937-4 | 3-Major | K00724442 | BIG-IP DNS and GTM DNSSEC security exposure |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 707509-3 | 1-Blocking | Initial vCMP guest creations can fail if certain hotfixes are used | |
| 769809-1 | 2-Critical | The vCMP guests 'INOPERATIVE' after upgrade | |
| 750586-3 | 2-Critical | HSL may incorrectly handle pending TCP connections with elongated handshake time. | |
| 748205-2 | 2-Critical | SSD bay identification incorrect for RAID drive replacement★ | |
| 744331-1 | 2-Critical | OpenSSH hardening | |
| 743790-4 | 2-Critical | BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus | |
| 734539-2 | 2-Critical | The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads | |
| 726487-1 | 2-Critical | MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change. | |
| 710277-2 | 2-Critical | IKEv2 further child_sa validity checks | |
| 693996-3 | 2-Critical | K42285625 | MCPD sync errors and restart after multiple modifications to file object in chassis |
| 685458-5 | 2-Critical | K44738140 | merged fails merging a table when a table row has incomplete keys defined. |
| 671741-4 | 2-Critical | LCD on iSeries devices can lock at red 'loading' screen. | |
| 653152-1 | 2-Critical | Support RSASSA-PSS-SIGN in F5 crypto APIs. | |
| 788301-2 | 3-Major | K58243048 | SNMPv3 Hardening |
| 777261-1 | 3-Major | When SNMP cannot locate a file it logs messages repeatedly | |
| 758527-5 | 3-Major | K39604784 | BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode |
| 758119-3 | 3-Major | K58243048 | qkview may contain sensitive information |
| 747592-4 | 3-Major | PHP vulnerability CVE-2018-17082 | |
| 746266-4 | 3-Major | A vCMP guest VLAN MAC mismatch across blades. | |
| 745405 | 3-Major | Under heavy SSL traffic, sw crypto codec queue is stuck and taken out of service without failover | |
| 743803-5 | 3-Major | IKEv2 potential double free of object when async request queueing fails | |
| 738445-1 | 3-Major | IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup | |
| 737437-1 | 3-Major | IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages | |
| 663924-2 | 3-Major | Qkview archives includes Kerberos keytab files | |
| 641753-2 | 3-Major | Syncookies activated on a genuine connection gets reset almost 30-50% of the time | |
| 599543-3 | 3-Major | Cannot update (overwrite) PKCS#12 SSL cert & key while referenced in SSL profile | |
| 575919-3 | 3-Major | Running concurrent TMSH instances can result in error in access to history file | |
| 523797-2 | 3-Major | Upgrade: file path failure for process name attribute in snmp.★ | |
| 726317-3 | 4-Minor | Improved debugging output for mcpd | |
| 692165-2 | 4-Minor | A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token | |
| 662372-1 | 4-Minor | K41250179 | Uploading a new device certificate file via the GUI might not update the device certificate |
| 631334-4 | 4-Minor | K69038629 | TMSH does not preserve \? for config save/load operations |
| 520877-1 | 4-Minor | Alerts sent by the lcdwarn utility are not shown in tmsh | |
| 479471-1 | 4-Minor | K00342205 | CPU statistics reported by the tmstat command may spike or go negative |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 759968-1 | 1-Blocking | Distinct vCMP guests are able to cluster with each other. | |
| 757391-1 | 2-Critical | Datagroup iRule command class can lead to memory corruption | |
| 756450-3 | 2-Critical | Traffic using route entry that's more specific than existing blackhole route can cause core | |
| 752930 | 2-Critical | Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state | |
| 740963-3 | 2-Critical | VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart | |
| 738046-3 | 2-Critical | SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby | |
| 724214-2 | 2-Critical | TMM core when using Multipath TCP | |
| 671714-2 | 2-Critical | Empty persistence cookie name inserted from policy can cause TMM to crash | |
| 667779-2 | 2-Critical | iRule commands may cause the TMM to crash in very rare situations. | |
| 474797-7 | 2-Critical | Nitrox crypto hardware may attempt soft reset while currently resetting | |
| 760550-2 | 3-Major | Retransmitted TCP packet has FIN bit set | |
| 759480-1 | 3-Major | HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash | |
| 758872-1 | 3-Major | TMM memory leak | |
| 758631-1 | 3-Major | ec_point_formats extension might be included in the server hello even if not specified in the client hello | |
| 756270-1 | 3-Major | SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle | |
| 749414-1 | 3-Major | Invalid monitor rule instance identifier error | |
| 749294-1 | 3-Major | TMM cores when query session index is out of boundary | |
| 742237-1 | 3-Major | CPU spikes appear wider than actual in graphs | |
| 740959-1 | 3-Major | User with manager rights cannot delete FQDN node on non-Common partition | |
| 739963-1 | 3-Major | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup | |
| 727292-2 | 3-Major | SSL in proxy shutdown case does not deliver server TCP FIN | |
| 726232-1 | 3-Major | iRule drop/discard may crash tmm | |
| 720219-1 | 3-Major | K13109068 | HSL::log command can fail to pick new pool member if last picked member is 'checking' |
| 715467-3 | 3-Major | Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY | |
| 702450-4 | 3-Major | The validation error message generated by deleting certain object types referenced by a policy action is incorrect | |
| 699598-4 | 3-Major | HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR | |
| 688629-3 | 3-Major | K52334096 | Deleting data-group in use by iRule does not trigger validation error |
| 617382-1 | 3-Major | Csyncd memory leak on multi-bladed systems | |
| 599567 | 3-Major | APM assumes SNAT automap, does not use SNAT pool | |
| 576311-1 | 3-Major | K41335027 | HTTP Strict Transport Security (HSTS) configuration error when no clientssl profile is present |
| 511324-12 | 3-Major | K23159242 | HTTP::disable does not work after the first request/response. |
| 504522-2 | 3-Major | Trailing space present after 'tmsh ltm pool members monitor' attribute value | |
| 747585-1 | 4-Minor | TCP Analytics supports ANY protocol number | |
| 624168-2 | 4-Minor | DATA_ACK and DATA_FIN ignored on a subflow not currently used for transmission |
Performance Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 735832-2 | 2-Critical | RAM Cache traffic fails on B2150 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 750213-1 | 3-Major | K25351434 | DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records. |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 723790-4 | 2-Critical | Idle asm_config_server handlers consumes a lot of memory | |
| 773553-5 | 3-Major | ASM JSON parser false positive. | |
| 761231-5 | 3-Major | K79240502 | Bot Defense Search Engines getting blocked after configuring DNS correctly |
| 760878-1 | 3-Major | Incorrect enforcement of explicit global parameters | |
| 727107-1 | 3-Major | Request Logs are not stored locally due to shmem pipe blockage | |
| 721399-3 | 3-Major | Signature Set cannot be modified to Accuracy = 'All' after another value | |
| 695878-5 | 3-Major | Signature enforcement issue on specific requests | |
| 685164-3 | 3-Major | K34646484 | In partitions with default route domain != 0 request log is not showing requests |
| 660327-2 | 3-Major | Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded. | |
| 653017-2 | 3-Major | Bot signatures cannot be created after upgrade with DoS profile in non-Common partition | |
| 605649-3 | 3-Major | K28782793 | The cbrd daemon runs at 100% CPU utilization |
| 758336-2 | 4-Minor | Incorrect recommendation in Online Help of Proactive Bot Defense |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 774301-1 | 3-Major | Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList | |
| 766577-5 | 3-Major | APMD fails to send response to client and it already closed connection. | |
| 755507-1 | 3-Major | [App Tunnel] 'URI sanitization' error |
Policy Enforcement Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 709670-5 | 3-Major | iRule triggered from RADIUS occasionally fails to create subscribers. |
Traffic Classification Engine Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 757088 | 2-Critical | TMM clock advances and cluster failover happens during webroot db nightly updates | |
| 754257 | 3-Major | URL lookup queries not working |
Device Management Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 658417-1 | 2-Critical | REST: Failure to authenticate/renew user who is using expired password |
Cumulative fixes from BIG-IP v12.1.4.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 757025-4 | CVE-2018-5744 | K00040234 | BIND Update |
| 756774-3 | CVE-2019-6612 | K24401914 | Aborted DNS queries to a cache may cause a TMM crash |
| 754944-4 | CVE-2019-6626 | K00432398 | AVR reporting UI does not follow best practices |
| 754345-4 | CVE-2019-6625 | K79902360 | WebUI does not follow best security practices |
| 754103-3 | CVE-2019-6644 | K75532331 | iRulesLX NodeJS daemon does not follow best security practices |
| 753776-3 | CVE-2019-6624 | K07127032 | TMM may consume excessive resources when processing UDP traffic |
| 749879 | CVE-2019-6611 | K47527163 | Possible interruption while processing VPN traffic |
| 748502-4 | CVE-2019-6623 | K72335002 | TMM may crash when processing iSession traffic |
| 744035-3 | CVE-2018-15332 | K12130880 | APM Client Vulnerability: CVE-2018-15332 |
| 739970-3 | CVE-2018-5390 | K95343321 | Linux kernel vulnerability: CVE-2018-5390 |
| 739947-3 | CVE-2019-6610 | K42465020 | TMM may crash while processing APM traffic |
| 757027-4 | CVE-2019-6465 | K01713115 | BIND Update |
| 757026-4 | CVE-2018-5745 | K25244852 | BIND Update |
| 753796-3 | CVE-2019-6640 | K40443301 | SNMP does not follow best security practices |
| 750460-4 | CVE-2019-6639 | K61002104 | Subscriber management configuration GUI |
| 750187-4 | CVE-2019-6637 | K29149494 | ASM REST may consume excessive resources |
| 745713-2 | CVE-2019-6619 | K94563344 | TMM may crash when processing HTTP/2 traffic |
| 745387-4 | CVE-2019-6618 | K07702240 | Resource-admin user roles can no longer get bash access |
| 745371-3 | CVE-2019-6636 | K68151373 | AFM GUI does not follow best security practices |
| 745165-4 | CVE-2019-6617 | K38941195 | Users without Advanced Shell Access are not allowed SFTP access |
| 742226-3 | CVE-2019-6635 | K11330536 | TMSH platform_check utility does not follow best security practices |
| 737910-1 | CVE-2019-6609 | K18535734 | Security hardening on the following platforms |
| 710857-4 | CVE-2019-6634 | K64855220 | iControl requests may cause excessive resource usage |
| 703835-4 | CVE-2019-6616 | K82814400 | When using SCP into BIG-IP systems, you must specify the target filename |
| 702472-4 | CVE-2019-6615 | K87659521 | Appliance Mode Security Hardening |
| 698376-4 | CVE-2019-6614 | K46524395 | Non-admin users have limited bash commands and can only write to certain directories |
| 673842-3 | CVE-2019-6632 | K01413496 | VCMP does not follow best security practices |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 666505-2 | 2-Critical | Gossip between VIPRION blades | |
| 667257-2 | 3-Major | CPU Usage Reaches 100% With High FastL4 Traffic | |
| 607410-1 | 3-Major | K81239824 | In the iRule output of X509 Certificate's subject and issuer, the display is not OpenSSL compatible |
| 600811-2 | 3-Major | CATEGORY::lookup command change in behavior★ |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 752835-1 | 2-Critical | K46971044 | Mitigate mcpd out of memory error with auto-sync enabled. |
| 756153-1 | 3-Major | Add diskmonitor support for MySQL /var/lib/mysql | |
| 749153 | 3-Major | Cannot create LTM policy from GUI using iControl | |
| 735565-3 | 3-Major | BGP neighbor peer-group config element not persisting | |
| 726409-3 | 3-Major | Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 | |
| 723794-4 | 3-Major | PTI (Meltdown) mitigation should be disabled on AMD-based platforms | |
| 722682-1 | 3-Major | Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load★ | |
| 720819-1 | 3-Major | Certain platforms may take longer than expected to detect and recover from HSB lock-ups | |
| 720269-3 | 3-Major | TACACS audit logging may append garbage characters to the end of log strings | |
| 720110-4 | 3-Major | 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session. | |
| 716166-3 | 3-Major | Dynamic routing not added when conflicting self IPs exist | |
| 714986-1 | 3-Major | Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot | |
| 714903-1 | 3-Major | Errors in chmand | |
| 714654-3 | 3-Major | Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM | |
| 709544-4 | 3-Major | VCMP guests in HA configuration become Active/Active during upgrade★ | |
| 707740-3 | 3-Major | Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination | |
| 693388-1 | 3-Major | Log additional HSB registers when device becomes unresponsive | |
| 678488-3 | 3-Major | K59332320 | BGP default-originate not announced to peers if several are peering over different VLANs |
| 639619-3 | 3-Major | UCS may fail to load due to Master key decryption failure on EEPROM-less systems★ | |
| 582792-7 | 3-Major | iRules are not updated in transactions through TMSH or iControl | |
| 581921-2 | 3-Major | K22327083 | Required files under /etc/ssh are not moved during a UCS restore |
| 508302-2 | 3-Major | Auto-sync groups may revert to full sync | |
| 671044-3 | 4-Minor | K78612407 | FIPS certificate creation can cause failover to standby system |
| 668964-2 | 4-Minor | K81873940 | 'bgp neighbor <peer -IP> update-source <IP>' command may apply change to all peers in peer-group |
| 619706-1 | 4-Minor | tmsh appears to allow password change for internal lcd admin user | |
| 436116-1 | 4-Minor | The tcpdump utility may fail to capture packets |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 753912-1 | 2-Critical | K44385170 | UDP flows may not be swept |
| 747968-4 | 2-Critical | DNS64 stats not increasing when requests go through DNS cache resolver | |
| 744269-3 | 2-Critical | dynconfd restarts if FQDN template node deleted while IP address change in progress | |
| 741919-1 | 2-Critical | HTTP response may be dropped following a 100 continue message. | |
| 738945-1 | 2-Critical | SSL persistence does not work when there are multiple handshakes present in a single record | |
| 727206-4 | 2-Critical | Memory corruption when using SSL Forward Proxy on certain platforms | |
| 718210-3 | 2-Critical | Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused | |
| 746922-3 | 3-Major | When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain. | |
| 744536 | 3-Major | HTTP/2 may garble large headers | |
| 742078-1 | 3-Major | Incoming SYNs are dropped and the connection does not time out. | |
| 739638-1 | 3-Major | BGP failed to connect with neighbor when pool route is used | |
| 738523-3 | 3-Major | SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages | |
| 721621-2 | 3-Major | Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node | |
| 720799-3 | 3-Major | Virtual Server/VIP flaps with FQDN pool members when all IP addresses change | |
| 717896-1 | 3-Major | Monitor instances deleted in peer unit after sync | |
| 717100-4 | 3-Major | FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member | |
| 716716-3 | 3-Major | Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core | |
| 710564-3 | 3-Major | DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0 | |
| 710355-1 | 3-Major | High CPU when using HTTP::collect for large chunked payloads | |
| 705112-1 | 3-Major | DHCP server flows are not re-established after expiration | |
| 685519-3 | 3-Major | Mirrored connections ignore the handshake timeout | |
| 651889-2 | 3-Major | persist record may be inconsistent after a virtual hit rate limit | |
| 625166-1 | 3-Major | Suspended iRules cannot complete on aborted flows | |
| 588720-1 | 3-Major | K44907534 | Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled. |
| 273104-2 | 3-Major | Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps | |
| 751586-1 | 4-Minor | Http2 virtual does not honour translate-address disabled | |
| 684319-2 | 4-Minor | iRule execution logging | |
| 664618-3 | 4-Minor | Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block' | |
| 658382-1 | 5-Cosmetic | Large numbers of ERR_UNKNOWN appearing in the logs |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 756094-1 | 2-Critical | DNS express in restart loop, 'Error writing scratch database' in ltm log | |
| 739846-4 | 2-Critical | Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection | |
| 749508-4 | 3-Major | LDNS and DNSSEC: Various OOM conditions need to be handled properly | |
| 748902-8 | 3-Major | Incorrect handling of memory allocations while processing DNSSEC queries | |
| 746877-4 | 3-Major | Omitted check for success of memory allocation for DNSSEC resource record | |
| 744707-1 | 3-Major | Crash related to DNSSEC key rollover | |
| 723288-3 | 3-Major | DNS cache replication between TMMs does not always work for net dns-resolver | |
| 721895-1 | 3-Major | Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery) | |
| 748177-4 | 4-Minor | Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character | |
| 726412-1 | 4-Minor | Virtual server drop down missing objects on pool creation |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 691945-2 | 3-Major | Security Policy Configuration Changes When Disabling Learning | |
| 690215-1 | 3-Major | Missing requests in request log | |
| 641307-2 | 3-Major | Response Page contents are corrupted by XML policy import for non-UTF-8 policies | |
| 641083-2 | 3-Major | Policy Builder Persistence is not saved while config events are received | |
| 754365-2 | 4-Minor | Updated flags for countries that changed their flags since 2010 | |
| 583402-1 | 4-Minor | ASM Policy Parameter's Filter: Search for at least 1 Override doesn't work |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 747192-3 | 2-Critical | Small memory leak while creating Access Policy items | |
| 714716-3 | 2-Critical | K10248311 | Apmd logs password for acp messages when in debug mode |
| 660913-1 | 2-Critical | For ActiveSync client type, browscap info provided is incorrect.★ | |
| 597674-1 | 2-Critical | TunnelServer may crash due to division by zero under unknown circumstances while establishing AppTunnels. | |
| 758764-5 | 3-Major | APMD Core when CRLDP Auth fails to download revoked certificate | |
| 747725-1 | 3-Major | Kerberos Auth agent may override settings that manually made to krb5.conf | |
| 746768-2 | 3-Major | APMD leaks memory if access policy policy contains variable/resource assign policy items | |
| 745654-1 | 3-Major | Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server | |
| 722969-1 | 3-Major | Access Policy import with 'reuse' enabled instead rewrites shared objects | |
| 672818-2 | 3-Major | When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established | |
| 656784-2 | 3-Major | K98510679 | Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM |
Wan Optimization Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 674367-1 | 3-Major | K20983428 | SDD v3 symmetric deduplication may stop working indefinitely |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 701680-1 | 3-Major | MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 747104-4 | 1-Blocking | K52868493 | LibSSH: CVE-2018-10933 |
| 686376-1 | 3-Major | Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon | |
| 624314-1 | 3-Major | AVR reports incorrect 'actions' in ACL reports |
Policy Enforcement Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 726647-1 | 3-Major | PEM content insertion in a compressed response may truncate some data |
Carrier-Grade NAT Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 744959-2 | 3-Major | SNMP OID for sysLsnPoolStatTotal not incremented in stats | |
| 708830-1 | 3-Major | Inbound or hairpin connections may get stuck consuming memory. |
Cumulative fixes from BIG-IP v12.1.4 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 738119-3 | CVE-2019-6589 | K23566124 | SIP routing UI does not follow best practices |
| 714181-3 | CVE-2019-6603 | K14632915 | TMM may crash while processing TCP traffic |
| 671498-3 | CVE-2017-3143 | K02230327 | BIND zone contents may be manipulated |
| 745358-4 | CVE-2019-6607 | K14812883 | ASM GUI does not follow best practices |
| 737442-1 | CVE-2019-6591 | K32840424 | Error in APM Hosted Content when set to public access |
| 724680-3 | CVE-2018-0732 | K21665601 | OpenSSL Vulnerability: CVE-2018-0732 |
| 716900-1 | CVE-2019-6594 | K91026261 | TMM core when using MPTCP |
| 699452-3 | CVE-2019-6597 | K29280193 | Web UI does not follow current best coding practices |
| 658557-2 | CVE-2019-6606 | K35209601 | The snmpd daemon may leak memory when processing requests. |
| 643554-12 | CVE-2017-3731 CVE-2017-3732 CVE-2016-7055 | K37526132 K44512851 K43570545 | OpenSSL vulnerabilities - OpenSSL 1.0.2k library update |
| 603658-1 | CVE-2019-6601 | K25359902 | AAM security hardening |
| 530775-4 | CVE-2019-6600 | K23734425 | Login page may generate unexpected HTML output |
| 701785-3 | CVE-2017-18017 | K18352029 | Linux kernel vulnerability: CVE-2017-18017 |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 734527-4 | 3-Major | BGP 'capability graceful-restart' for peer-group not properly advertised when configured | |
| 700827-2 | 3-Major | B2250 blades may lose efficiency when source ports form an arithmetic sequence. | |
| 600385-1 | 3-Major | K43295141 | BIG-IP LTM and BIG-IP DNS monitors are allowed to be configured with interval value larger than timeout |
| 597899-1 | 3-Major | Disabling all pool members may not be reflected in Virtual Server status |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 741423-1 | 2-Critical | Secondary blade goes offline when provisioning ASM/FPS on already established config-sync | |
| 738887-2 | 2-Critical | BIG-IP SNMPD vulnerability CVE-2019-6608 | |
| 723722-3 | 2-Critical | MCPD crashes if several thousand files are created between config syncs. | |
| 723298-3 | 2-Critical | BIND upgrade to version 9.11.4 | |
| 700386-1 | 2-Critical | mcpd may dump core on startup | |
| 697424 | 2-Critical | iControl-REST crashes on /example for firewall address-lists | |
| 691589 | 2-Critical | When using LDAP client auth, tamd may become stuck | |
| 689437-2 | 2-Critical | K49554067 | icrd_child cores due to infinite recursion caused by incorrect group name handling |
| 638091-4 | 2-Critical | Config sync after changing named pool members can cause mcpd on secondary blades to restart | |
| 594366-1 | 2-Critical | K21271097 | Occasional crash of icrd_child when BIG-IP restarts |
| 748187-1 | 3-Major | 'Transaction Not Found' Error on PATCH after Transaction has been Created | |
| 720713-3 | 3-Major | TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail | |
| 720651-3 | 3-Major | Running Guest Changed to Provisioned Never Stops | |
| 720461-3 | 3-Major | qkview prompts for password on chassis | |
| 711249-2 | 3-Major | NAS-IP-Address added to RADIUS packet unexpectedly | |
| 707391-4 | 3-Major | BGP may keep announcing routes after disabling route health injection | |
| 706354-1 | 3-Major | OPT-0045 optic unable to link | |
| 706104-2 | 3-Major | Dynamically advertised route may flap | |
| 705037-3 | 3-Major | K32332000 | System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart |
| 704449-4 | 3-Major | Orphaned tmsh processes might eventually lead to an out-of-memory condition | |
| 700757-2 | 3-Major | vcmpd may crash when it is exiting | |
| 698619-1 | 3-Major | Disable port bridging on HSB ports for non-vCMP systems | |
| 693884-3 | 3-Major | ospfd core on secondary blade during network unstability | |
| 692189-3 | 3-Major | errdefsd fails to generate a core file on request. | |
| 689002-1 | 3-Major | Stackoverflow when JSON is deeply nested | |
| 676705-2 | 3-Major | Agetty should not run on VE that lack serial port | |
| 673974-1 | 3-Major | K63225596 | agetty auto detects parity on console port incorrectly |
| 671447-2 | 3-Major | ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form | |
| 666884-2 | 3-Major | K27056204 | Message: Not enough free disk space to install! cpcfg cannot copy a configuration on a chassis platform★ |
| 653888-2 | 3-Major | BGP advertisement-interval attribute ignored in peer group configuration | |
| 652877-3 | 3-Major | Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades | |
| 642923-2 | 3-Major | MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system | |
| 639575-5 | 3-Major | Using libtar with files larger than 2 GB will create an unusable tarball | |
| 628402-4 | 3-Major | Operator users receive 'can't get object count from mcpd' error in response to certain commands | |
| 613509-1 | 3-Major | K49101035 | Platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve |
| 610449-2 | 3-Major | restarting mcpd on guest makes block-device-images disappear | |
| 602566-5 | 3-Major | sod daemon may crash during start-up | |
| 598289-4 | 3-Major | TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port> | |
| 598085-2 | 3-Major | Expected telemetry is not transmitted by sFlow on the standby-mode unit. | |
| 563905-2 | 3-Major | Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades. | |
| 491560-1 | 3-Major | Using proxy for IP intelligence updates | |
| 737389 | 4-Minor | Kern.log contains many messages: warning kernel: Tracklist initialized; Tracklist destroyed | |
| 674145-3 | 4-Minor | chmand error log message missing data | |
| 608348-4 | 4-Minor | Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 744117-6 | 2-Critical | K18263026 | The HTTP URI is not always parsed correctly |
| 740490-2 | 2-Critical | Configuration changes involving HTTP2 or SPDY may leak memory | |
| 739927-1 | 2-Critical | Bigd crashes after a specific combination of logging operations | |
| 737758-1 | 2-Critical | MPTCP Passthrough and VIP-on-VIP can lead to TMM core | |
| 727044-1 | 2-Critical | TMM may crash while processing compressed data | |
| 726239-3 | 2-Critical | interruption of traffic handling as sod daemon restarts TMM | |
| 724868-2 | 2-Critical | dynconfd memory usage increases over time | |
| 663178-1 | 2-Critical | tmm may crash sometimes usng VPN | |
| 606035-1 | 2-Critical | csyncd crash | |
| 738521-2 | 3-Major | i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag. | |
| 714559-1 | 3-Major | Removal of HTTP hash persistence cookie when a pool member goes down. | |
| 710028-4 | 3-Major | LTM SQL monitors may stop monitoring if multiple monitors querying same database | |
| 708068-3 | 3-Major | Tcl commands like "HTTP::path -normalize" do not return normalized path. | |
| 706102-3 | 3-Major | SMTP monitor does not handle all multi-line banner use cases | |
| 701678-1 | 3-Major | Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded | |
| 695925-3 | 3-Major | Tmm crash when showing connections for a CMP disabled virtual server | |
| 693910-2 | 3-Major | Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series) | |
| 693582-3 | 3-Major | Monitor node log not rotated for certain monitor types | |
| 680264 | 3-Major | HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags | |
| 674591-2 | 3-Major | K37975308 | Packets with payload smaller than MSS are being marked to be TSOed |
| 672312-2 | 3-Major | IP ToS may not be forwarded to serverside with syncookie activated | |
| 666595-2 | 3-Major | Monitor node log fd leak by bigd instances not actively monitoring node | |
| 662816-2 | 3-Major | K61902543 | Monitor node log fd leak for certain monitor types |
| 653930-2 | 3-Major | K69713140 | Monitor with description containing backslash may fail to load. |
| 613618-1 | 3-Major | The TMM crashes in the websso plugin. | |
| 611482-4 | 3-Major | K71450348 | Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule) . |
| 610138-2 | 3-Major | K23284054 | STARTTLS in SMTPS filter does not properly restrict I/O buffering |
| 605147-1 | 3-Major | No mirroring for TCP TIME-WAIT reconnections and new TCP flows after HA reconnections. | |
| 598707-4 | 3-Major | Path MTU does not work in self-IP flows | |
| 586621-7 | 3-Major | K36008344 | SQL monitors 'count' config value does not work as expected. |
| 628016-2 | 4-Minor | MP_JOIN always fails if MPTCP never receives payload data | |
| 618884-1 | 4-Minor | Behavior when using VLAN-Group and STP |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 750488 | 3-Major | Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records | |
| 750484 | 3-Major | Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records | |
| 750472 | 3-Major | Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records | |
| 750457 | 3-Major | Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records | |
| 749774-2 | 3-Major | EDNS0 client subnet behavior inconsistent when DNS Caching is enabled | |
| 749675-2 | 3-Major | DNS cache resolver may return a malformed truncated response with multiple OPT records | |
| 737332-2 | 3-Major | It is possible for DNSX to serve partial zone information for a short period of time | |
| 723792-3 | 3-Major | GTM regex handling of some escape characters renders it invalid |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 741108 | 2-Critical | tmm dosl7 memory leak when X-Forwared-For header value contains a long list of comma separated ip addresses | |
| 744347-1 | 3-Major | Protocol Security logging profiles cause slow ASM upgrade and apply policy | |
| 739945-1 | 3-Major | JavaScript challenge on POST with 307 breaks application | |
| 738789-3 | 3-Major | ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog | |
| 738647-1 | 3-Major | Add the login detection criteria of 'status code is not X' | |
| 737998 | 3-Major | Brute Force end attack condition isn't satisfied for successful logins only | |
| 698757-1 | 3-Major | K58143082 | Standby system saves config and changes status after sync from peer |
| 664714-1 | 3-Major | Client-side challenge is changing POST parameter value under some circumstances | |
| 642185-1 | 3-Major | Add support for IBM AppScan scanner schema changes | |
| 613728-1 | 3-Major | Import/Activate Security policy with 'Replace policy associated with virtual server' option fails | |
| 569195-1 | 3-Major | K41874435 | A Set-Cookie for an existing ASM cookie without value change |
| 542817-1 | 3-Major | K11619228 | Specific numbers that are not credit card numbers are being masked as such |
| 653895 | 4-Minor | Admin user cannot edit policy |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 616161-1 | 2-Critical | BD process crash and restarts | |
| 737597 | 3-Major | AVR DoS Attack report misses virtual server name in a specific config |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 740777-2 | 2-Critical | Secondary blades mcp daemon restart when subroutine properties are configured | |
| 672221 | 2-Critical | TMM cores if the certificate configured to validate message signature does not exist. | |
| 631060-1 | 2-Critical | BIG-IP may incorrectly reject serverside connection when REQLOG is configured. | |
| 745574-4 | 3-Major | URL is not removed from custom category when deleted | |
| 739744-2 | 3-Major | Import of Policy using Pool with members is failing | |
| 726592-2 | 3-Major | Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop | |
| 628712-1 | 3-Major | K53129098 | Advanced customization doesn't work for Profiles in non-common partition with . (period) with name |
WebAccelerator Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 706642-3 | 2-Critical | wamd may leak memory during configuration changes and cluster events | |
| 603746-1 | 4-Minor | DCDB security hardening |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 724532-1 | 2-Critical | SIG SEGV during IP intelligence category match in TMM | |
| 710755-2 | 2-Critical | TMM crash when route information becomes stale and the system accesses stale information. | |
| 699454-3 | 4-Minor | Web UI does not follow current best coding practices | |
| 627454 | 4-Minor | Trimming leading whitespaces at logging profile creation |
Carrier-Grade NAT Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 744516-2 | 2-Critical | TMM panics after a large number of LSN remote picks | |
| 734446-3 | 2-Critical | TMM crash after changing LSN pool mode from PBA to NAPT | |
| 669645-1 | 2-Critical | tmm crashes after LSN pool member change | |
| 663531-1 | 2-Critical | TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel |
Fraud Protection Services Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 746868 | 2-Critical | memory leakage when "apply to base domain" is enabled |
Cumulative fixes from BIG-IP v12.1.3.7 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 739094-4 | CVE-2018-5546 | K54431371 | APM Client Vulnerability: CVE-2018-5546 |
| 737441-1 | CVE-2018-5546 | K54431371 | Disallow hard links to svpn log files |
| 726089-3 | CVE-2018-15312 | K44462254 | Modifications to AVR metrics page |
| 724339-2 | CVE-2018-15314 | K04524282 | Unexpected TMUI output in AFM |
| 724335-2 | CVE-2018-15313 | K21042153 | Unexpected TMUI output in AFM |
| 722677-3 | CVE-2019-6604 | K26455071 | BIG-IP HSB vulnerability CVE-2019-6604 |
| 722387-2 | CVE-2019-6596 | K97241515 | TMM may crash when processing APM DTLS traffic |
| 722091-2 | CVE-2018-15319 | K64208870 | TMM may crash while processing HTTP traffic |
| 717742-3 | CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 | K44923228 | Oracle Java SE vulnerability CVE-2018-2783 |
| 707990-3 | CVE-2018-15315 | K41704442 | Unexpected TMUI output in SSL Certificate Instance page |
| 704184-3 | CVE-2018-5529 | K52171282 | APM MAC Client create files with owner only read write permissions |
| 701253-3 | CVE-2018-15318 | K16248201 | TMM core when using MPTCP |
| 721924-3 | CVE-2018-17539 | K17264695 | BIG-IP ARM BGP vulnerability CVE-2018-17539 |
| 719554-3 | CVE-2018-8897 | K17403481 | Linux Kernel Vulnerability: CVE-2018-8897 |
| 674486-5 | CVE-2017-9233 | K03244804 | Expat Vulnerability: CVE-2017-9233 |
| 661828-1 | CVE-2019-6590 | K55101404 | TMM may consume excessive resources when processing SSL traffic |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 715750-3 | 3-Major | K41515225 | The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection. |
| 652671-4 | 3-Major | K31326690 | Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit. |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 716391-3 | 2-Critical | K76031538 | High priority for MySQL on 2 core vCMP may lead to control plane process starvation |
| 690793-2 | 2-Critical | K25263287 | TMM may crash and dump core due to improper connflow tracking |
| 688148-1 | 2-Critical | IKEv1 racoon daemon SEGV during phase-two SA list iteration | |
| 613476-2 | 2-Critical | IKEv1 racoon daemon delayed timer use of ike-peer (rmconf) after deletion | |
| 704247-3 | 3-Major | BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted | |
| 686124-3 | 3-Major | K83576240 | IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs |
| 678380-3 | 3-Major | K26023811 | Deleting an IKEv1 peer in current use could SEGV on race conditions. |
| 671712 | 3-Major | The values returned for the ltmUserStatProfileStat table are incorrect. | |
| 670528-1 | 3-Major | K20251354 | Warnings during vCMP host upgrade. |
| 620746-1 | 3-Major | MCPD crash | |
| 580602-1 | 3-Major | Configuration containing LTM nodes with IPv6 link-local addresses fail to load. | |
| 551925-3 | 3-Major | Misdirected UDP traffic with hardware acceleration | |
| 464650-4 | 3-Major | Failure of mcpd with invalid authentication context. | |
| 689211-2 | 4-Minor | IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 } | |
| 678254-2 | 4-Minor | Error logged when restarting Tomcat |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 716213-3 | 2-Critical | BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic | |
| 697259-1 | 2-Critical | K14023450 | Different versioned vCMP guests on the same chassis may crash. |
| 694656-3 | 2-Critical | K05186205 | Routing changes may cause TMM to restart |
| 666401-2 | 2-Critical | K03294104 | Memory might become corrupted when a Standby device transitions to Active during failover |
| 659709-1 | 2-Critical | Mirroring persistence records may cause a TMM memory leak | |
| 641869-1 | 2-Critical | K62744980 | Assertion "vmem_hashlist_remove not found" failed. |
| 635191-1 | 2-Critical | Under rare circumstances TMM may crash | |
| 618106-1 | 2-Critical | K74714343 | bigd core due to memory leak, especially with FQDN nodes |
| 615097-1 | 2-Critical | Incorrect use of HTTP::collect leads to TMM core. | |
| 513310-1 | 2-Critical | TMM might core when a profile is changed. | |
| 722363-1 | 3-Major | Client fails to connect to server when using PVA offload at Established | |
| 720293-1 | 3-Major | HTTP2 IPv4 to IPv6 fails | |
| 713690-1 | 3-Major | IPv6 cache route metrics are locked | |
| 712664-4 | 3-Major | IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address | |
| 711981-3 | 3-Major | BIG-IP system accepts larger-than-egress MTU, PMTU update | |
| 700696-2 | 3-Major | SSID does not cache fragmented Client Certificates correctly via iRule | |
| 694697-3 | 3-Major | K62065305 | clusterd logs heartbeat check messages at log level info |
| 693308-3 | 3-Major | SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain | |
| 691224-1 | 3-Major | K59327001 | Fragmented SSL Client Hello message do not get properly reassembled when SSL Persistence is enabled |
| 671725-1 | 3-Major | K19920320 | Connection leak on standby unit |
| 632968-2 | 3-Major | supported_signature_algorithms extension in CertificateRequest sent by a TLS server fails | |
| 600812-1 | 3-Major | IPv6 virtual address with icmp-echo is enabled on a IPv6 Host IP forwarding ignores the neighbor advertisement packet. | |
| 578971-3 | 3-Major | When mcpd is restarted on a blade, cluster members may be temporarily marked as failed | |
| 572234-2 | 3-Major | When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. | |
| 716922-4 | 4-Minor | Reduction in PUSH flags when Nagle Enabled | |
| 622148-5 | 4-Minor | flow generated icmp error message need to consider which side of the proxy they are | |
| 602708-2 | 4-Minor | K84837413 | Traffic may not passthrough CoS by default |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 718885-1 | 2-Critical | K25348242 | Under certain conditions, monitor probes may not be sent at the configured interval |
| 726255-3 | 3-Major | dns_path lingering in memory with last_access 0 causing high memory usage | |
| 719644-1 | 3-Major | If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★ | |
| 715448-1 | 3-Major | Providing LB::status with a GTM Pool name in a variable caused validation issues | |
| 710246-3 | 3-Major | DNS-Express was not sending out NOTIFY messages on VE | |
| 636790-3 | 3-Major | Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete. |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 739798 | 2-Critical | Massive number of log messages being generated and written to the bd.log. | |
| 734622 | 2-Critical | K83093212 | Policy change with newly enforced signatures causes sig collection failure in other policies |
| 721741-2 | 2-Critical | BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative | |
| 716788-3 | 2-Critical | TMM may crash while response modifications are being performed within DoSL7 filter | |
| 685230-1 | 2-Critical | memory leak on a specific server scenario | |
| 666221-2 | 2-Critical | K47152503 | tmm may crash from DoSL7 |
| 617391-1 | 2-Critical | K53345828 | Custom ASM Search Engines causing sync, offline, and upgrade issues★ |
| 721752-1 | 3-Major | Null char returned in REST for Suggestion with more than MAX_INT occurrences | |
| 713282-3 | 3-Major | Remote logger violation_details field does not appear when virtual server has more than one remote logger | |
| 701856-2 | 3-Major | Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart | |
| 701039 | 3-Major | Requests do not appear in local logging due to rare file descriptor exhaustion | |
| 676223-2 | 3-Major | Internal parameter in order not to sign allowed cookies | |
| 650070-2 | 3-Major | K23041827 | iRule that uses ASM violation details may cause the system to reset the request |
| 648639-3 | 3-Major | K92201230 | TS cookie name contains NULL or other raw byte |
| 646800-2 | 3-Major | A part of the request is not sent to ICAP server in a specific case | |
| 644725-4 | 3-Major | K01914292 | Configuration changes while removing ASM from the virtual server may cause graceful ASM restart |
| 614730-1 | 3-Major | Session opening log shows incorrect number of challenged responses. | |
| 564324-2 | 3-Major | ASM scripts can break applications | |
| 463314-2 | 4-Minor | Enabling ASM AJAX blocking response page feature causing cross domain AJAX requests to fail |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 685741 | 3-Major | DoS Overview is very slow to load data, to the point of timeout | |
| 649177-2 | 3-Major | K54018808 | Testing for connection to SMTP Server always returns "OK" |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 722013-3 | 2-Critical | MCPD restarts on all secondary blades post config-sync involving APM customization group | |
| 631286-1 | 2-Critical | TMM Memory leak caused by APM URI cache entries | |
| 546489-1 | 2-Critical | VMware View USB redirection stops working after client reconnect | |
| 739144-1 | 3-Major | Domain logoff scripts runs after VPN connection is closed | |
| 738397-2 | 3-Major | SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails. | |
| 726895-1 | 3-Major | K02205915 | VPE cannot modify subroutine settings |
| 713655-3 | 3-Major | RouteDomainSelectionAgent might fail under heavy control plane traffic/activities | |
| 703793-1 | 3-Major | tmm restarts when using ACCESS::perflow get' in certain events | |
| 702873-3 | 3-Major | Windows Logon Integration feature may cause Windows logon screen freeze | |
| 631626 | 3-Major | Unable to delete an access profile which contains a route domain agent | |
| 631048-1 | 3-Major | Portal Access [PeopleSoft] 'My Preferences' page does not have content | |
| 596166-1 | 3-Major | Cannot create email using Address Book | |
| 565347-2 | 3-Major | Rewrite engine behaves improperly in case of AS2 SWF with a badly formatted 'push' instruction | |
| 721375 | 4-Minor | Export then import of config with RSA server in it might fail |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 603755-1 | 2-Critical | dwbld core dump when Auto Blacklisting is configured, in a rare scenario | |
| 698806-2 | 3-Major | Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces |
Fraud Protection Services Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 738669-3 | 3-Major | Login validation may fail for a large request with early server response | |
| 716318-4 | 3-Major | Engine/Signatures automatic update check may fail to find/download the latest update |
Traffic Classification Engine Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 726303 | 3-Major | Unlock 10 million custom db entry limit |
Cumulative fixes from BIG-IP v12.1.3.6 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 716992-3 | CVE-2018-5539 | K75432956 | The ASM bd process may crash |
| 710244-1 | CVE-2018-5536 | K27391542 | Memory Leak of access policy execution objects |
| 709972-4 | CVE-2017-12613 | K52319810 | CVE-2017-12613: APR Vulnerability |
| 709688-5 | CVE-2017-3144 CVE-2018-5732 CVE-2018-5733 |
K08306700 | dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 |
| 693744-3 | CVE-2018-5531 | K64721111 | CVE-2018-5531: vCMP vulnerability |
| 710827-4 | CVE-2019-6598 | K44603900 | TMUI dashboard daemon stability issue |
| 710705-3 | CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 | K34035645 | Multiple Wireshark vulnerabilities |
| 710314-2 | CVE-2018-5537 | K94105051 | TMM may crash while processing HTML traffic |
| 710148-4 | CVE-2017-1000111 CVE-2017-1000112 |
K60250153 | CVE-2017-1000111 & CVE-2017-1000112 |
| 705476-4 | CVE-2018-15322 | K28003839 | Appliance Mode does not follow design best practices |
| 703940-3 | CVE-2018-5530 | K45611803 | Malformed HTTP/2 frame consumes excessive system resources |
| 698813-3 | CVE-2018-5538 | K45435121 | When processing DNSX transfers ZoneRunner does not enforce best practices |
| 677088-4 | CVE-2018-15321 | K01067037 | BIG-IP tmsh vulnerability CVE-2018-15321 |
| 672124-3 | CVE-2018-5541 | K12403422 | Excessive resource usage when BD is processing requests |
| 714879-1 | CVE-2018-15326 | K34652116 | APM CRLDP Auth passes all certs |
| 708653-3 | CVE-2018-15311 | K07550539 | TMM may crash while processing TCP traffic |
| 673165 | CVE-2017-7895 | K15004519 | CVE-2017-7895: Linux Kernel Vulnerability |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 671999-2 | 3-Major | Re-extract the the thales software everytime the installation script is run | |
| 643034-1 | 3-Major | K52510343 | Turn off TCP Proxy ICMP forwarding by default |
| 620445-4 | 3-Major | New SIP::persist keyword to set the timeout without changing key | |
| 613023-4 | 3-Major | Update SIP::Persist to support resetting timeout value. | |
| 441079-2 | 3-Major | K55242686 | BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved |
| 693007-3 | 4-Minor | Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 700315-3 | 1-Blocking | K26130444 | Ctrl+C does not terminate TShark |
| 636774-1 | 1-Blocking | Potential TMM crash credits to BWC token distribution logic | |
| 723130-3 | 2-Critical | K13996 | Invalid-certificate warning displayed when deploying BIG-IP VE OVA file |
| 707003-2 | 2-Critical | Unexpected syntax error in TMSH AVR | |
| 706423-2 | 2-Critical | tmm may restart if an IKEv2 child SA expires during an async encryption or decryption | |
| 696113-1 | 2-Critical | Extra IPsec reference added per crypto operation overflows connflow refcount | |
| 692158-2 | 2-Critical | iCall and CLI script memory leak when saving configuration | |
| 690819-3 | 2-Critical | Using an iRule module after a 'session lookup' may result in crash | |
| 671314-4 | 2-Critical | K37093335 | BIG-IP system cores when sending SIP SCTP traffic |
| 665362-4 | 2-Critical | MCPD might crash if the AOM restarts | |
| 663197-3 | 2-Critical | Security hardening of files to prevent sensitive configuration from being stored in qkview. | |
| 626861-2 | 2-Critical | K31220138 | Ensure unique IKEv2 sequence numbers |
| 599223-1 | 2-Critical | Prevent static destructors in tmipsecd daemon | |
| 581851-2 | 2-Critical | K16234725 | mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands |
| 559980-1 | 2-Critical | Change console baud rate requires reboot to take effect | |
| 508113-3 | 2-Critical | tmsh load sys config base merge file <filename> fails | |
| 720880 | 3-Major | Attempts to license/re-license the BIG-IP system fail. | |
| 720756 | 3-Major | SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS | |
| 720104 | 3-Major | BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware' | |
| 714848 | 3-Major | OPT-0031 and OPT-0036 log DDM warning every minute when interface disabled and DDM enabled | |
| 710602 | 3-Major | iCRD commands requiring 'root' user access fixed | |
| 707445 | 3-Major | K47025244 | Nitrox 3 compression hangs/unable to recover |
| 704336-3 | 3-Major | Updating 3rd party device cert not copied correctly to trusted certificate store | |
| 704282-3 | 3-Major | TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy | |
| 701900 | 3-Major | K55938217 | DHCP configured domain-name-servers unavailable after reboot when there are more than two domain-name servers in the lease. |
| 698947-1 | 3-Major | BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled. | |
| 694740-1 | 3-Major | BIG-IP reboot during a TMM core results in an incomplete core dump | |
| 693106-2 | 3-Major | IKEv1 newest established phase-one SAs should be found first in a search | |
| 692179-3 | 3-Major | Potential high memory usage from errdefsd. | |
| 687905 | 3-Major | K72040312 | OneConnect profile causes CMP redirected connections on the HA standby |
| 687534-3 | 3-Major | If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page | |
| 686926-3 | 3-Major | IPsec: responder N(cookie) in SA_INIT response handled incorrectly | |
| 684391-1 | 3-Major | Existing IPsec tunnels reload. tmipsecd creates a core file. | |
| 680838-3 | 3-Major | IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator | |
| 679347-3 | 3-Major | K44117473 | ECP does not work for PFS in IKEv2 child SAs |
| 678925-4 | 3-Major | Using a multicast VXLAN tunnel without a proper route may cause a TMM crash. | |
| 677928-2 | 3-Major | A wrong source MAC address may be used in the outgoing IPsec encapsulated packets. | |
| 676897-1 | 3-Major | K25082113 | IPsec keeps failing to reconnect |
| 676092-1 | 3-Major | IPsec keeps failing to reconnect | |
| 675718-1 | 3-Major | IPsec keeps failing to reconnect | |
| 669268 | 3-Major | Failover in the same availability zone of AWS may fail when AWS services are intermittently available. | |
| 667223 | 3-Major | The merge option for the tmsh load sys config command removes existing nested objects | |
| 666035-1 | 3-Major | Obscuring secrets in files collected by qkview | |
| 621314-6 | 3-Major | K55358710 | SCTP virtual server with mirroring may cause excessive memory use on standby device |
| 617865-1 | 3-Major | Missing health monitor information for FQDN members | |
| 605270-5 | 3-Major | On some platforms the SYN-Cookie status report is not accurate | |
| 588929-2 | 3-Major | SCTP emits 'address conflict detected' log messages during failover | |
| 588794-2 | 3-Major | Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements | |
| 588771-2 | 3-Major | SCTP needs traffic-group validation for server-side client alternate addresses | |
| 586938-1 | 3-Major | K57360106 | Standby device will respond to the ARP of the SCTP multihoming alternate address |
| 586031-1 | 3-Major | K40453207 | Configuration with LTM policy may fail to load |
| 525580-1 | 3-Major | K51013874 | tmsh load sys config merge file filename.scf base command does not work as expected |
| 685475-3 | 4-Minor | K93145012 | Unexpected error when applying hotfix |
| 680856-3 | 4-Minor | IPsec config via REST scripts may require post-definition touch of both policy and traffic selector | |
| 679135-3 | 4-Minor | IKEv1 and IKEv2 cannot share common local address in tunnels | |
| 678388-3 | 4-Minor | K00050055 | IKEv1 racoon daemon is not restarted when killed multiple times |
| 658298-3 | 4-Minor | SMB monitor marks node down when file not specified | |
| 624484-2 | 4-Minor | K09023677 | Timestamps not available in bash history on non-login interactive shells |
| 573031-1 | 4-Minor | qkview may not collect certain configuration files in their entirety | |
| 720391-1 | 5-Cosmetic | BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' | |
| 713491-1 | 5-Cosmetic | IKEv1 logging shows spi of deleted SA with opposite endianess | |
| 651826-2 | 5-Cosmetic | SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 718071-3 | 2-Critical | HTTP2 with ASM policy not passing traffic | |
| 709334-2 | 2-Critical | Memory leak when SSL Forward proxy is used and ssl re-negotiates | |
| 708114-3 | 2-Critical | K33319853 | TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed |
| 707447-2 | 2-Critical | Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles. | |
| 707207-2 | 2-Critical | iRuleLx returning undefined value may cause TMM restart | |
| 703914-1 | 2-Critical | TMM SIGSEGV crash in poolmbr_conn_dec. | |
| 686685-1 | 2-Critical | LTM Policy internal compilation error | |
| 683631-1 | 2-Critical | TMM crashes during stress test | |
| 678722-2 | 2-Critical | In SSL-O, TMM may core when SSL forward proxy cleanup certificate resources | |
| 676721-2 | 2-Critical | K33325265 | Missing check for NULL condition causes tmm crash. |
| 674004-1 | 2-Critical | K34448924 | tmm may crash when after deleting pool member in traffic |
| 670804-2 | 2-Critical | K03163260 | Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP |
| 656898-2 | 2-Critical | 'oops' 'bad transition' messages occur | |
| 613524-3 | 2-Critical | TMM crash when call HTTP::respond twice in LB_FAILED | |
| 598110-1 | 2-Critical | pkcs11d daemon should not show status 'up' until all connections are established with HSM and BIG-IP is ready to process traffic. | |
| 586587-1 | 2-Critical | RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms. | |
| 571651-3 | 2-Critical | Reset Nitrox3 crypto accelerator queue if it becomes stuck. | |
| 440620-2 | 2-Critical | New connections may be reset when a client reuses the same port as it used for a recently closed connection | |
| 713951-3 | 3-Major | tmm core files produced by nitrox_diag may be missing data | |
| 713934-4 | 3-Major | Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response | |
| 712475-1 | 3-Major | K56479945 | DNS zones without servers will prevent DNS Express reading zone data |
| 712464-1 | 3-Major | Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate | |
| 712437-1 | 3-Major | K20355559 | Records containing hyphens (-) will prevent child zone from loading correctly |
| 711281-3 | 3-Major | nitrox_diag may run out of space on /shared | |
| 707951 | 3-Major | Stalled mirrored flows on HA next-active when OneConnect is used. | |
| 704381-3 | 3-Major | SSL/TLS handshake failures and terminations are logged at too low a level | |
| 703580 | 3-Major | TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host. | |
| 702151-2 | 3-Major | HTTP/2 can garble large headers | |
| 700889-2 | 3-Major | K07330445 | Software syncookies without TCP TS improperly include TCP options that are not encoded |
| 700061-3 | 3-Major | Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file | |
| 700057-3 | 3-Major | LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved | |
| 698916-3 | 3-Major | TMM crash with HTTP/2 under specific condition | |
| 698379-3 | 3-Major | K61238215 | HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR( |
| 693838 | 3-Major | Adaptive monitor feature does not mark pool member down when hard limit set on UDP monitors | |
| 691806-3 | 3-Major | K61815412 | RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state |
| 688553-1 | 3-Major | SASP GWM monitor may not mark member UP as expected | |
| 685615-5 | 3-Major | K24447043 | Incorrect source mac for TCP Reset with vlangroup for host traffic |
| 681757-1 | 3-Major | K32521651 | Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member' |
| 678872-2 | 3-Major | Inconsistent behavior for virtual-address and selfip on the same ip-address | |
| 677525-3 | 3-Major | Translucent VLAN group may use unexpected source MAC address | |
| 676914-1 | 3-Major | The SSL Session Cache can grow indefinitely if the traffic group is changed. | |
| 676828-2 | 3-Major | K09012436 | Host IPv6 traffic is generated even when ipv6.enabled is false |
| 676355-2 | 3-Major | DTLS retransmission does not comply with RFC in certain resumed SSL session | |
| 675212-3 | 3-Major | The BIG-IP system incorrectly allows clients through as part of SSL Client Certificate Authentication | |
| 673052-2 | 3-Major | On i-Series platforms, HTTP/2 is limited to 10 streams | |
| 671337-1 | 3-Major | NetHSM DNSSEC key creation can attempt to change the SELinux label on a file | |
| 668196-2 | 3-Major | Connection limit continues to be enforced with least-connections and pool member flap, member remains down | |
| 668006-1 | 3-Major | K12015701 | Suspended 'after' command leads to assertion if there are multiple pending events |
| 667707-2 | 3-Major | LTM policy associations with virtual servers are not ConfigSynced correctly | |
| 659519-1 | 3-Major | K42400554 | Non-default header-table-size setting on HTTP2 profiles may cause issues |
| 657883-2 | 3-Major | K34442339 | tmm cache resolver should not cache response with TTL=0 |
| 657626-2 | 3-Major | User with role 'Manager' cannot delete/publish LTM policy. | |
| 651541-2 | 3-Major | K83955631 | Changes to the HTTP profile do not trigger validation for virtual servers using that profile |
| 636289-2 | 3-Major | Fixed a memory issue while handling TCP::congestion iRule | |
| 633691-4 | 3-Major | HTTP transaction may not finish gracefully due to TCP connection is closed by RST | |
| 624846-1 | 3-Major | TCP Fast Open does not work for Responses < 1 MSS | |
| 604838-1 | 3-Major | TCP Analytics reports incorrectly reports entities as "Aggregated" | |
| 595281-1 | 3-Major | TCP Analytics reports huge goodput numbers | |
| 570277-1 | 3-Major | K16044231 | SafeNet client not able to establish session to all HSMs on all blades. |
| 367226-4 | 3-Major | Outgoing RIP advertisements may have incorrect source port | |
| 251162-3 | 3-Major | K11564 | The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name |
| 248914-4 | 3-Major | K00612197 | ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address |
| 713533-3 | 4-Minor | list self-ip with queries does not work | |
| 708249-4 | 4-Minor | nitrox_diag utility generates QKView files with 5 MB maximum file size limit | |
| 700433-2 | 4-Minor | K10870739 | Memory leak when attaching an LTM policy to a virtual server |
| 685467-2 | 4-Minor | K12933087 | Certain header manipulations in HTTP profile may result in losing connection. |
| 678801-2 | 4-Minor | WS::enabled returned empty string | |
| 677958-2 | 4-Minor | WS::frame prepend and WS::frame append do not insert string in the right place. | |
| 645729-1 | 4-Minor | SSL connection is not mirrored if ssl session cache is cleared and resume attempted | |
| 639970-3 | 4-Minor | GUI - Client SSL profile certificate extensions names switch to numbers in case of validation error | |
| 627764-2 | 4-Minor | Prevent sending a 2nd RST for a TCP connection | |
| 627695-2 | 4-Minor | [netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the unisntall during "safenet-sync.sh -u " are not operational | |
| 621379-2 | 4-Minor | TCP Lossfilter not enforced after iRule changes TCP settings | |
| 618024-2 | 4-Minor | software switched platforms accept traffic on lacp trunks even when the trunk is down | |
| 604272-1 | 4-Minor | SMTPS profile connections_current stat does not reflect actual connection count. | |
| 523814-3 | 4-Minor | When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections | |
| 522302-2 | 4-Minor | TCP Receive Window error messages are inconsistent on UI | |
| 495242-3 | 4-Minor | mcpd log messages: Failed to unpublish LOIPC object |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 713066-3 | 2-Critical | K10620131 | Connection failure during DNS lookup to disabled nameserver can crash TMM |
| 707310-1 | 2-Critical | DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs) | |
| 706128-1 | 3-Major | DNSSEC Signed Zone Transfers Can Leak Memory | |
| 705503-1 | 3-Major | Context leaked from iRule DNS lookup | |
| 680069-3 | 3-Major | K81834254 | zxfrd core during transfer while network failure and DNS server removed from DNS zone config★ |
| 675539-1 | 3-Major | Inter-system communications targeted at a Management IP address might not work in some cases. | |
| 672491-2 | 3-Major | K10990182 | net resolver uses internal IP as source if matching wildcard forwarding virtual server |
| 660263-4 | 3-Major | DNS transparent cache message and RR set activity counters not incrementing | |
| 653775-3 | 3-Major | K05397641 | Ampersand (&) in GTM synchronization group name causes synchronization failure. |
| 643813-2 | 3-Major | ZoneRunner does not properly process $ORIGIN directives | |
| 637227-4 | 3-Major | K60414305 | DNS Validating Resolver produces inconsistent results with DNS64 configurations. |
| 629421-1 | 3-Major | Big3d memory leak when adding/removing Wide IPs in a GTM sync pair. | |
| 609527-2 | 3-Major | DNS cache local zone not properly copying recursion desired (RD) flag in response | |
| 602300-1 | 3-Major | Zone Runner entries cannot be modified when sys DNS starts with IPv6 address | |
| 669262-2 | 4-Minor | [GUI][ZoneRunner] reverse zones should be treated case insensitive when creating resource record | |
| 638170-1 | 4-Minor | K36455356 | Pagination broken or missing while viewing pool statistics for GTM wideip |
| 605537-5 | 4-Minor | K03997964 | Error when resetting statistics on GSLB Pool Members |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 639767-2 | 2-Critical | Policy with Session Awareness Statuses may fail to export | |
| 606983-3 | 2-Critical | ASM errors during policy import | |
| 580862-1 | 2-Critical | Policy disabled after enabled with apply-policy via REST, asm-sync removal fixes | |
| 712362-1 | 3-Major | ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase | |
| 710327-3 | 3-Major | Remote logger message is truncated at NULL character. | |
| 707888 | 3-Major | Some ASM operations delayed due to scheduled ASU update | |
| 707147-2 | 3-Major | High CPU consumed by asm_config_server_rpc_handler_async.pl | |
| 706845-1 | 3-Major | False positive illegal multipart violation | |
| 704143-2 | 3-Major | BD memory leak | |
| 700726-1 | 3-Major | Search engine list was updated, and fixing case of multiple entries | |
| 691897-1 | 3-Major | Names of the modified cookies do not appear in the event log | |
| 687759-2 | 3-Major | bd crash | |
| 686765-1 | 3-Major | Database cleaning failure may allow MySQL space to fill the disk entirely | |
| 683241-3 | 3-Major | K70517410 | Improve CSRF token handling |
| 674527-1 | 3-Major | TCL error in ltm log when server closes connection while ASM irules are running | |
| 666112-1 | 3-Major | K53708490 | TMM 'DoS Layer 7' memory leak during config load |
| 663396-1 | 3-Major | URL Method override is enforced incorrectly after upgrade | |
| 654996-1 | 3-Major | K50345236 | Closed connections remains in memory |
| 665470-1 | 4-Minor | Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised | |
| 700812-2 | 5-Cosmetic | asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 716747-4 | 2-Critical | TMM my crash while processing APM or SWG traffic | |
| 715250-2 | 2-Critical | TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED | |
| 681850-1 | 2-Critical | APMD process may fail to initialize on start either after upgrade or after adding certain configurations | |
| 671373-2 | 2-Critical | urldb core seen | |
| 632798-2 | 2-Critical | K30710317 | Double-free may occur if Access initialization fails |
| 720695-2 | 3-Major | Export then import of APM access Profile/Policy with advanced customization is failing | |
| 720030-3 | 3-Major | Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U) | |
| 718208-1 | 3-Major | Unable to install Network Access plugin on Linux Ubuntu 16.04 with Firefox v52 ESR using SUDO | |
| 715207-2 | 3-Major | coapi errors while modifying per-request policy in VPE | |
| 714542-1 | 3-Major | 'Always Connected Mode' text is missing in EdgeClient tray | |
| 712924 | 3-Major | In VPE SecurID servers list are not being displayed in SecurID authentication dialogue | |
| 712857-1 | 3-Major | SWG-Explicit rejects large POST bodies during policy evaluation | |
| 706374-2 | 3-Major | Heavy use of APM Kerberos SSO can sometimes lead to memory corruption | |
| 704524-2 | 3-Major | [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries | |
| 684937-6 | 3-Major | K26451305 | [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users |
| 683113-6 | 3-Major | K22904904 | [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users |
| 658664-3 | 3-Major | K21390304 | VPN connection drops when 'prohibit routing table change' is enabled |
| 609793-1 | 3-Major | HTTP header modify agent logs error message as it is disabled since it cannot modify headers/cookies in HTTP Response. | |
| 602429-1 | 3-Major | DNS suffix is not restored after disconnecting Network Access | |
| 543344-3 | 3-Major | ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event | |
| 516736-1 | 3-Major | URLs with backslashes in the path may not be handled correctly in Portal Access |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 703515-5 | 2-Critical | K44933323 | MRF SIP LB - Message corruption when using custom persistence key |
| 698338-2 | 2-Critical | Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection | |
| 685708-3 | 2-Critical | Routing via iRule to a host without providing a transport from a transport-config created connection cores | |
| 669739-1 | 2-Critical | K71963740 | Potential core when using MRF SIP with SCTP |
| 659173-1 | 2-Critical | K76352741 | Diameter Message Length Limit Changed from 1024 to 4096 Bytes |
| 700571-2 | 3-Major | SIP MR profile, setting incorrect branch param for CANCEL to INVITE | |
| 696049-3 | 3-Major | High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running | |
| 688942-3 | 3-Major | ICAP: Chunk parser performs poorly with very large chunk | |
| 679114-2 | 3-Major | Persistence record expires early if an error is returned for a BYE command | |
| 674747-2 | 3-Major | K30837366 | sipdb cannot delete custom bidirectional persistence entries. |
| 673814-4 | 3-Major | K37822302 | Custom bidirectional persistence entries are not updated to the session timeout |
| 642298-3 | 3-Major | Unable to create a bidirectional custom persistence record in MRF SIP | |
| 640384-3 | 3-Major | New iRule options for MR::message route command | |
| 620759-4 | 3-Major | Persist timeout value gets truncated when added to the branch parameter. | |
| 632658-4 | 4-Minor | Enable SIP::persist command to operate during SIP_RESPONSE event | |
| 617690-4 | 4-Minor | enable SIP::respond iRule command to operate during MR_FAILED event |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 677473-1 | 2-Critical | MCPD core is generated on multiple add/remove of Mgmt-Rules | |
| 663770-2 | 3-Major | K04025134 | AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server |
Policy Enforcement Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 699531-3 | 2-Critical | Potential TMM crash due to incorrect number of attributes in a PEM iRule command | |
| 696294-3 | 2-Critical | TMM core may be seen when using Application reporting with flow filter in PEM | |
| 715090 | 3-Major | PEM policy actions obtained via a PCRF are not applied for traffic generated subscribers | |
| 711570-1 | 3-Major | PEM iRule subscriber policy name query using subscriber ID, may not return applied policies | |
| 711093-2 | 3-Major | PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled | |
| 709610-1 | 3-Major | Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM | |
| 697718-3 | 3-Major | Increase PEM HSL reporting buffer size to 4K. | |
| 648802-3 | 3-Major | Required custom AVPs are not included in an RAA when reporting an error. |
Carrier-Grade NAT Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 667662-1 | 3-Major | K06579313 | Autolasthop does not work for PPTP-GRE traffic. |
Device Management Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 625114-2 | 2-Critical | K08062851 | Internal sync-change conflict after update to local users table |
Cumulative fixes from BIG-IP v12.1.3.5 that are included in this release
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 708956 | 1-Blocking | K51206433 | During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform' |
| 696732 | 2-Critical | K54431534 | tmm may crash in a compression provider |
| 697616 | 3-Major | Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests | |
| 692239-1 | 3-Major | K31554905 | AOM menu power off then on results in 'Host Power Cycle Event' SEL log entries posted every two seconds |
| 689730-2 | 3-Major | Software installations from v13.1.0 might fail★ | |
| 674455-7 | 3-Major | Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS | |
| 680388-2 | 4-Minor | f5optics should not show function name in non-debug log messages | |
| 653759-2 | 4-Minor | Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update★ |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 701538-1 | 2-Critical | SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured | |
| 662078-1 | 2-Critical | Occasionally connections are dropped in response to timing errors | |
| 694778-2 | 3-Major | Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size | |
| 686631-1 | 3-Major | Deselect a compression provider at the end of a job and reselect a provider for a new job | |
| 679494-2 | 3-Major | Change the default compression strategy to speed | |
| 632824-1 | 3-Major | K00722715 | SSL TPS limit can be reached if the system clock is adjusted |
| 495443-10 | 3-Major | K16621 | ECDH negotiation failures logged as critical errors. |
| 679496-1 | 4-Minor | Add 'comp_req' to the output of 'tmctl compress' |
Cumulative fixes from BIG-IP v12.1.3.4 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 695901-2 | CVE-2018-5513 | K46940010 | TMM may crash when processing ProxySSL data |
| 693312-2 | CVE-2018-5518 | K03165684 | vCMPd may crash when processing bridged network traffic |
| 688516-2 | CVE-2018-5518 | K03165684 | vCMPd may crash when processing bridged network traffic |
| 704580-3 | CVE-2018-5549 | K05018525 | apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP |
| 701359-2 | CVE-2017-3145 | K08613310 | BIND vulnerability CVE-2017-3145 |
| 688009-5 | CVE-2018-5519 | K46121888 | Appliance Mode TMSH hardening |
| 671497-4 | CVE-2017-3142 | K59448931 | TSIG authentication bypass in AXFR requests |
| 615269-1 | CVE-2016-2183 | K13167034 | CVE-2016-2183: AFM SSH Proxy Vulnerability |
| 603758-1 | CVE-2018-5540 | K82038789 | Big3D security hardening |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 680850-1 | 3-Major | K48342409 | Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage. |
| 570570-5 | 3-Major | Default crypto failure action is now 'go-offline-downlinks'. |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 711547 | 1-Blocking | Update cipher support for Common Criteria compliance | |
| 708054-3 | 2-Critical | Web Acceleration: TMM may crash on very large HTML files with conditional comments | |
| 706305-2 | 2-Critical | bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled | |
| 703761-1 | 2-Critical | Disable DSA keys for public-key and host-based authentication in Common Criteria mode | |
| 677937-1 | 2-Critical | K41517253 | APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets |
| 673484-1 | 2-Critical | K85405312 | IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO |
| 664549-2 | 2-Critical | K55105132 | TMM restart while processing rewrite filter |
| 599423-1 | 2-Critical | K24584925 | merged cores and restarts |
| 583111-1 | 2-Critical | BGP activated for IPv4 address family even when 'no bgp default ipv4-unicast' is configured | |
| 701626-1 | 3-Major | K16465222 | GUI resets custom Certificate Key Chain in child client SSL profile |
| 686029-1 | 3-Major | A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces | |
| 664737-2 | 3-Major | Do not reboot on ctrl-alt-del | |
| 655005-1 | 3-Major | K23355841 | "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync |
| 646890-1 | 3-Major | K12068427 | IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512 |
| 635703-1 | 3-Major | K14508857 | Interface description may cause some interface level commands to be removed |
| 614486-1 | 3-Major | BGP community lower bytes of zero is not allowed to be set in route-map | |
| 612721-4 | 3-Major | FIPS: .exp keys cannot be imported when the local source directory contains .key file | |
| 609967-2 | 3-Major | K55424912 | qkview missing some HugePage memory data |
| 586412-2 | 3-Major | BGP peer-group members address-family configuration not saved to configuration | |
| 583108-1 | 3-Major | Zebos issue: No neighbor x.x.x.x activate in address-family IPv6 lost on reboot/restart. | |
| 581101-1 | 3-Major | non-admin user running list cmd: can't get object count | |
| 557155-8 | 3-Major | K33044393 | BIG-IP Virtual Edition becomes completely unresponsive under very heavy load. |
| 421797-3 | 3-Major | ePVA continues to accelerate hardware offloaded traffic in Standby. | |
| 651413-2 | 4-Minor | K34042229 | tmsh list ltm node does not return an error when node does not exist |
| 598437-1 | 4-Minor | SNMP process monitoring is incorrect for tmm and bigd |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 706631 | 2-Critical | A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured. | |
| 705611-1 | 2-Critical | The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used | |
| 704666-2 | 2-Critical | memory corruption can occur when using certain certificates | |
| 701202-1 | 2-Critical | K35023432 | SSL memory corruption |
| 700862-2 | 2-Critical | K15130240 | tmm SIGFPE 'valid node' |
| 700393-2 | 2-Critical | K53464344 | Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash |
| 685254-1 | 2-Critical | K14013100 | RAM Cache Exceeding Watchdog Timeout in Header Field Search |
| 678416-2 | 2-Critical | Some tmm/umem_usage_stat counters may be incorrect under memory pressure. | |
| 676028-2 | 2-Critical | K09689143 | SSL forward proxy bypass may fail to release memory used for ssl_hs instances |
| 673951-4 | 2-Critical | K56466330 | Memory leak when using HTTP2 profile |
| 670814-2 | 2-Critical | Wrong SE Linux label breaks nethsm DNSSEC keys | |
| 665185-1 | 2-Critical | K20994524 | SSL handshake reference is not dropped if forward proxy certificate lookup failed |
| 657463-2 | 2-Critical | SSL sends HUDEVT_SENT to TCP in wrong state which causes HTTP disconnect the handshake. | |
| 648320-3 | 2-Critical | K38159538 | Downloading via APM tunnels could experience performance downgrade. |
| 647757-2 | 2-Critical | K96395052 | RATE-SHAPER:Fred not properly initialized may halt traffic |
| 613088-3 | 2-Critical | pkcs11d thread has session initialization problem. | |
| 452283-2 | 2-Critical | An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows | |
| 705794-1 | 3-Major | Under certain circumstances a stale HTTP/2 stream might cause a tmm crash | |
| 690042-3 | 3-Major | K43412307 | Potential Tcl leak during iRule suspend operation |
| 689449-3 | 3-Major | Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured | |
| 687205-3 | 3-Major | Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart | |
| 686972-1 | 3-Major | The change of APM log settings will reset the SSL session cache. | |
| 686395 | 3-Major | With DTLS version1, when client hello uses version1.2, handshake shall proceed | |
| 683697-3 | 3-Major | K00647240 | SASP monitor may use the same UID for multiple HA device group members |
| 677962-3 | 3-Major | Invalid use of SETTINGS_MAX_FRAME_SIZE | |
| 677457 | 3-Major | K13036194 | HTTP/2 Gateway appends semicolon when a request has one or more cookies |
| 677400-3 | 3-Major | K82502883 | pimd daemon may exit on failover |
| 673399-1 | 3-Major | HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server. | |
| 665652-2 | 3-Major | K41193475 | Multicast traffic not forwarded to members of VLAN group |
| 664528-1 | 3-Major | K53282793 | SSL record can be larger than maximum fragment size (16384 bytes) |
| 663551-1 | 3-Major | K14942957 | SERVERSSL_DATA is not triggered when iRule issues [SSL::collect] in the SERVERSSL_HANDSHAKE event |
| 662911-2 | 3-Major | K93119070 | SASP monitor uses same UID for all vCMP guests in a chassis or appliance |
| 654368-7 | 3-Major | K15732489 | ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require |
| 654086-3 | 3-Major | Incorrect handling of HTTP2 data frames larger than minimal frame size | |
| 653976-2 | 3-Major | K00610259 | SSL handshake fails if server certificate contains multiple CommonNames |
| 651901-2 | 3-Major | Removed unnecessary ASSERTs in MPTCP code | |
| 640369-2 | 3-Major | TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan | |
| 633333-3 | 3-Major | During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent | |
| 619844-2 | 3-Major | Packet leak if reject command is used in FLOW_INIT rule | |
| 611691-5 | 3-Major | Packet payload ignored when DSS option contains DATA_FIN | |
| 608991-7 | 3-Major | BIG-IP retransmits SYN/ACK on a subflow after an MPTCP connection is closed | |
| 605480-4 | 3-Major | BIG-IP sends MP_FASTCLOSE after completing active close of MPTCP connection | |
| 604880-4 | 3-Major | tmm assert "valid pcb" in tcp.c | |
| 604549-7 | 3-Major | MPTCP connection not closed properly when the segment with DATA_FIN also DATA_ACKs data | |
| 592731-1 | 3-Major | K34220124 | Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck. |
| 653746-2 | 4-Minor | K83324551 | Unable to display detailed CPU graphs if the number of CPU is too large |
| 569814-2 | 4-Minor | K30240351 | iRule "nexthop IP_ADDR" rejected by validator |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 710424-3 | 2-Critical | Possible SIGSEGV in GTMD when GTM persistence is enabled. | |
| 699135-2 | 2-Critical | tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip | |
| 691287-3 | 2-Critical | tmm crashes on iRule with GTM pool command | |
| 682335-3 | 2-Critical | TMM can establish multiple connections to the same gtmd | |
| 699339-1 | 3-Major | K24634702 | Geolocation upgrade files fail to replicate to secondary blades |
| 696808-3 | 3-Major | Disabling a single pool member removes all GTM persistence records | |
| 687128-3 | 3-Major | gtm::host iRule validation for ipv4 and ipv6 addresses | |
| 679149-2 | 3-Major | TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0] | |
| 663310-3 | 3-Major | named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files★ | |
| 619158-1 | 3-Major | iRule DNS request with trailing dot times out with empty response | |
| 595293-4 | 3-Major | Deleting GTM links could cause gtm_add to fail on new devices. |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 679221-1 | 1-Blocking | APMD may generate core file or appears locked up after APM configuration changed | |
| 702278-3 | 2-Critical | Potential XSS security exposure on APM logon page. | |
| 678715-1 | 2-Critical | Large volume of query result update to SessionDB fails and locks down ApmD | |
| 712315-1 | 3-Major | LDAP and AD Group Resource Assign are not displaying Static ACLs correctly | |
| 710211 | 3-Major | Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro. | |
| 702490-4 | 3-Major | Windows Credential Reuse feature may not work | |
| 702487-1 | 3-Major | AD/LDAP admins with spaces in names are not supported | |
| 700780-4 | 3-Major | F5 DNS Relay Proxy service now warns about and clears truncated flag in proxied DNS responses | |
| 699267-1 | 3-Major | LDAP Query may fail to resolve nested groups | |
| 681415-1 | 3-Major | Copying of profile with advanced customization or images might fail | |
| 675775-2 | 3-Major | TMM crashes inside dynamic ACL building session db callback | |
| 672250-1 | 3-Major | SessionDB update from ApmD with large volume fails | |
| 671149-3 | 3-Major | Captive portal login page is not rendered until it is refreshed | |
| 669459-2 | 3-Major | Efect of bad connection handle between APMD and memcachd | |
| 639283-4 | 3-Major | Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate | |
| 569542-1 | 3-Major | After upgrade, user cannot upload APM Sandbox hosted-content file in a partition existing before upgrade★ | |
| 667237-3 | 4-Minor | Edge Client logs the routing and IP tables repeatedly |
Wan Optimization Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 673463-2 | 2-Critical | K68275280 | SDD v3 symmetric deduplication may start performing poorly after a failover event |
| 685693 | 3-Major | APM AppTunnels memory leak |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 702738 | 3-Major | K32181540 | Tmm might crash activating new blob when changing firewall rules |
| 528499-3 | 4-Minor | AFM address lists are not sorted while trying to create a new rule. |
Cumulative fixes from BIG-IP v12.1.3.3 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 706086-1 | CVE-2018-5515 | K62750376 | PAM RADIUS authentication subsystem hardening |
| 704490 | CVE-2017-5754 | K91229003 | CVE-2017-5754 (Meltdown) |
| 704483 | CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176 |
K91229003 | CVE-2017-5753 (Spectre Variant 1) |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 467709-1 | 4-Minor | FQDN nodes or pool members show Green (Available) when DNS responds with NXDOMAIN |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 707226-2 | 1-Blocking | DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations | |
| 704804-2 | 3-Major | The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address | |
| 704733-2 | 3-Major | NAS-IP-Address is sent with the bytes in reverse order | |
| 703869-1 | 3-Major | Waagent updated to 2.2.21 | |
| 701249-2 | 3-Major | RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1 | |
| 699147 | 3-Major | Hourly billed cloud images are now pre-licensed | |
| 687098 | 3-Major | IPv6 RADIUS servers not supported for remote authentication | |
| 674288-2 | 3-Major | K62223225 | FQDN nodes - monitor attribute doesn't reliably show in GUI |
| 649465-1 | 3-Major | SELinux warning messages regarding nsm daemon |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 695117 | 2-Critical | K30081842 | bigd cores and sends corrupted MCP messages with many FQDN nodes |
| 668883 | 2-Critical | FQDN pool member status may become out-of-sync when enabled/disabled through GUI | |
| 707675 | 3-Major | FQDN nodes or pool members flap when DNS response received | |
| 701609 | 3-Major | Static member of pool with FQDN members may revert to user-disabled after being re-enabled | |
| 685344-2 | 3-Major | Monitor 'min 1 of' not working as expected with FQDN nodes/members | |
| 673075-1 | 3-Major | Reduced Issues for Monitors configured with FQDN | |
| 671228-1 | 3-Major | Multiple FQDN ephemeral nodes may be created with autopopulate disabled | |
| 667560-3 | 3-Major | K69205908 | FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed |
| 573602-1 | 3-Major | FQDN pool members not shown by tmsh show ltm monitor | |
| 573302-1 | 3-Major | FQDN pool member remains in disabled state after removing monitor | |
| 571095-1 | 3-Major | Monitor probing to pool member stops after FQDN pool member with same IP address is deleted | |
| 699262-2 | 5-Cosmetic | FQDN pool member status remains in 'checking' state after full config sync |
Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 700556-2 | CVE-2018-5504 | K11718033 | TMM may crash when processing WebSockets data |
| 698080-1 | CVE-2018-5503 | K54562183 | TMM may consume excessive resources when processing with PEM |
| 691504-3 | CVE-2018-5503 | K54562183 | PEM content insertion in a compressed response may cause a crash. |
| 686305-2 | CVE-2018-5534 | K64552448 | TMM may crash while processing SSL forward proxy traffic |
| 677193-2 | CVE-2017-6154 | K38243073 | ASM BD Daemon Crash. |
| 674189 | CVE-2016-0718 | K52320548 | iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0 |
| 673078-1 | CVE-2017-6150 | K62712037 | TMM may crash when processing FastL4 traffic |
| 670822-3 | CVE-2017-6148 | K55225440 | TMM may crash when processing SOCKS data |
| 668501-2 | CVE-2017-6151 | K07369970 | HTTP2 does not handle some URIs correctly |
| 630446-1 | CVE-2016-0718 | K52320548 | Expat vulnerability CVE-2016-0718 |
| 621233-1 | CVE-2018-5509 | K49440608 | FastL4 and HTTP profile or hash persistence with ip-protocol not set to TCP can crash tmm |
| 699455-3 | CVE-2018-5523 | K50254952 | SAML export does not follow best practices |
| 699346-2 | CVE-2018-5524 | K53931245 | NetHSM capacity reduces when handling errors |
| 694274-2 | CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 | K23565223 | [RHSA-2017:3195-01] Important: httpd security update - EL6.7 |
| 688625-2 | CVE-2017-11628 | K75543432 | PHP Vulnerability CVE-2017-11628 |
| 688011-5 | CVE-2018-5520 | K02043709 | Dig utility does not apply best practices |
| 676457-3 | CVE-2017-6153 | K52167636 | TMM may consume excessive resource when processing compressed data |
| 671638-4 | CVE-2018-5500 | K33211839 | TMM crash when load-balancing mptcp traffic |
| 670405-4 | CVE-2017-1000366 | K20486351 | K20486351: glibc vulnerability CVE-2017-1000366: |
| 662850-2 | CVE-2015-2716 | K50459349 | Expat XML library vulnerability CVE-2015-2716 |
| 662663-6 | CVE-2018-5507 | K52521791 | Decryption failure Nitrox platforms in vCMP mode |
| 643375-1 | CVE-2018-5508 | K10329515 | TMM may crash when processing compressed data |
| 631204-1 | CVE-2018-5521 | K23124150 | GeoIP lookups incorrectly parse IP addresses |
| 617273-7 | CVE-2016-5300 | K70938105 | Expat XML library vulnerability CVE-2016-5300 |
| 593139-9 | CVE-2014-9761 | K31211252 | glibc vulnerability CVE-2014-9761 |
| 572272-5 | CVE-2018-5506 | K65355492 | BIG-IP - Anonymous Certificate ID Enumeration |
| 673607-2 | CVE-2017-3169 | K83043359 | Apache CVE-2017-3169 |
| 672667-4 | CVE-2017-7679 | K75429050 | CVE-2017-7679: Apache vulnerability |
| 605579-8 | CVE-2012-6702 | K65460334 | iControl-SOAP expat client library is subjected to entropy attack |
| 578983-4 | CVE-2015-8778 | K51079478 | glibc: Integer overflow in hcreate and hcreate_r |
| 684033-1 | CVE-2017-9798 | K70084351 | CVE-2017-9798 : Apache Vulnerability (OptionsBleed) |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 686389-3 | 3-Major | APM does not honor per-farm HTML5 client disabling at the View Connection Server | |
| 685020-1 | 3-Major | Enhancement to SessionDB provides timeout | |
| 653772-2 | 3-Major | fastL4 fails to evict flows from the ePVA | |
| 639505-3 | 3-Major | BGP may not send all configured aggregate routes | |
| 587107-3 | 3-Major | Allow iQuery to negotiate up to version TLS1.2 |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 667148-1 | 1-Blocking | K02500042 | Config load or upgrade can fail when loading GTM objects from a non-/Common partition |
| 689577-1 | 2-Critical | K45800333 | ospf6d may crash when processing specific LSAs |
| 678833 | 2-Critical | IPv6 prefix SPDAG causes packet drop | |
| 676203-1 | 2-Critical | Inter-blade mpi connection fails, does not recover, and eventually all memory consumed. | |
| 667405-2 | 2-Critical | K61251939 | Fragemented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM. |
| 667404-2 | 2-Critical | K77576404 | Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts |
| 651362 | 2-Critical | eventd crashes during boot | |
| 631700-1 | 2-Critical | K72453283 | sod may kill bcm56xxd under heavy load |
| 617733-1 | 2-Critical | Error message: subscriber id response; Subscription not found | |
| 580753-1 | 2-Critical | K82583534 | eventd might core on transition to secondary. |
| 563661-2 | 2-Critical | Datastor may crash | |
| 694696-3 | 3-Major | On multiblade Viprion, creating a new traffic-group causes the device to go Offline | |
| 687658-2 | 3-Major | Monitor operations in transaction will cause it to stay unchecked | |
| 687353-3 | 3-Major | K35595105 | Qkview truncates tmstat snapshot files |
| 682213-3 | 3-Major | K31623549 | TLS v1.2 support in IP reputation daemon |
| 679480-1 | 3-Major | User able to create node when an ephemeral with the same IP already exists | |
| 674320-2 | 3-Major | K11357182 | Syncing a large number of folders can prevent the configuration getting saved on the peer systems |
| 672815-2 | 3-Major | Incorrect disaggregation on VIPRION B4200 blades | |
| 671082-1 | 3-Major | K85168072 | snmpd constantly restarting |
| 669888-2 | 3-Major | No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96 | |
| 669462-1 | 3-Major | Error adding /Common/WideIPs as members to GTM Pool in non-Common partition | |
| 669415-1 | 3-Major | Flow eviction for hardware-accelerated flow might fail | |
| 664894-1 | 3-Major | K11070206 | PEM sessions lost when new blade is inserted in chassis |
| 664057-2 | 3-Major | Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached | |
| 664017-3 | 3-Major | OCSP may reject valid responses | |
| 652968-2 | 3-Major | K88825548 | IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys |
| 645723-2 | 3-Major | K74371937 | Dynamic routing update can delete admin ip route from the kernel |
| 632366-1 | 3-Major | Prevent a spurious Broadcom switch driver failure. | |
| 631316 | 3-Major | K62532020 | Unable to load config with client-SSL profile error★ |
| 626990-1 | 3-Major | K64915164 | restjavad logs flooded with messages from ChildWrapper |
| 624362-1 | 3-Major | VCMP guest /shared file system growth due to /shared/tmp/guestagentd.out file | |
| 623803-2 | 3-Major | K12921801 | General DB error when select Profiles: Protocol: SCTP profile. Error due to 'read access denied type Virtual Address profile SCTP' |
| 610122-1 | 3-Major | Hotfix installation fails: can't create /service/snmpd/run★ | |
| 598724-1 | 3-Major | Abandoned indefinite lifetime SessionDB entries on STANDBY devices. | |
| 586887-2 | 3-Major | K25883308 | SCTP tmm crash with virtual server destination. |
| 579760-3 | 3-Major | K55703840 | HSL::send may fail to resume after log server pool member goes down/up |
| 471237-2 | 3-Major | K12155235 | BIG-IP VE instances do not work with an encrypted disk in AWS. |
| 699281 | 4-Minor | Version format of hypervisor bundle matches Version format of ISO | |
| 669255-2 | 4-Minor | K20100613 | An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms |
| 660239-3 | 4-Minor | When accessing the dashboard, invalid HTTP headers may be present | |
| 655085-2 | 4-Minor | While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors | |
| 613275-2 | 4-Minor | K62581339 | SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up |
| 601168-1 | 4-Minor | Incorrect virtual server CPU utilization may be observed. | |
| 509980-1 | 4-Minor | Spurious HA group configuration errors can be displayed during reboot of other DSC cluster members. |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 692970-3 | 2-Critical | Using UDP port 67 for purposes other than DHCP might cause TMM to crash | |
| 687603-1 | 2-Critical | K36243347 | tmsh query for dns records may cause tmm to crash |
| 686228-3 | 2-Critical | K23243525 | TMM may crash in some circumstances with VLAN failsafe |
| 682682-3 | 2-Critical | tmm asserts on a virtual server-to-virtual server connection | |
| 681175-1 | 2-Critical | K32153360 | TMM may crash during routing updates |
| 676982-2 | 2-Critical | K21958352 | Active connection count increases over time, long after connections expire |
| 674576-4 | 2-Critical | Outage may occur with VIP-VIP configurations | |
| 665924-1 | 2-Critical | K24847056 | The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios |
| 665732-2 | 2-Critical | K45001711 | FastHTTP may crash when receiving a fragmented IP packet |
| 664461-3 | 2-Critical | K16804728 | Replacing HTTP payload can cause tmm restart |
| 658989-2 | 2-Critical | Memory leak when connection terminates in iRule process | |
| 639039-4 | 2-Critical | K33754014 | Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons |
| 614702-1 | 2-Critical | K24172560 | Race condition when using SSL Orchestrator can cause TMM to core |
| 704073-3 | 3-Major | K24233427 | Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm |
| 698000-1 | 3-Major | K04473510 | Connections may stop passing traffic after a route update |
| 689089-3 | 3-Major | VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot | |
| 686307-1 | 3-Major | K10665315 | Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later |
| 686065-1 | 3-Major | RESOLV::lookup iRule command can trigger crash with slow resolver | |
| 685955 | 3-Major | TMM hud_message_ctx leak | |
| 685110-3 | 3-Major | K05430133 | With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members. |
| 683683-1 | 3-Major | ASN1::encode returns wrong binary data | |
| 682104-1 | 3-Major | HTTP PSM leaks memory when looking up evasion descriptions | |
| 680755-1 | 3-Major | K27015502 | max-request enforcement no longer works outside of OneConnect |
| 673621-2 | 3-Major | Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile. | |
| 670816-2 | 3-Major | K44519487 | HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters |
| 669974-1 | 3-Major | K90395411 | Encoding binary data using ASN1::encode may truncate result |
| 668522-1 | 3-Major | bigd might try to read from a file descriptor that is not ready for read | |
| 668419-1 | 3-Major | K53322151 | ClientHello sent in multiple packets results in TCP connection close |
| 666315 | 3-Major | Global SNAT sets TTL to 255 instead of decrementing | |
| 666160-1 | 3-Major | K63132146 | L7 Policy reconfiguration causes a slow memory leak |
| 665022-1 | 3-Major | Rateshaper stalls when TSO packet length exceeds max ceiling. | |
| 664769-1 | 3-Major | TMM may restart when using SOCKS profile and an iRule | |
| 663821-3 | 3-Major | K41344010 | SNAT Stats may not include port FTP traffic |
| 661881-2 | 3-Major | K00030614 | Memory and performance issues when using certain ASN.1 decoding formats in iRules |
| 659648-2 | 3-Major | LTM Policy rule name migration doesn't properly handle whitespace | |
| 657795-1 | 3-Major | K51498984 | Possible performance impact on some SSL connections |
| 655432-7 | 3-Major | K85522235 | SSL renegotiation failed intermittently with AES-GCM cipher |
| 651681-4 | 3-Major | Orphaned bigd instances may exist (within multi-process bigd) | |
| 651135-4 | 3-Major | K41685444 | LTM Policy error when rule names contain slash (/) character★ |
| 645220-2 | 3-Major | bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs | |
| 645197-3 | 3-Major | Monitors receiving unique HTTP 'success' response codes may stop monitoring after status change | |
| 640565-1 | 3-Major | K11564859 | Incorrect packet size sent to clone pool member |
| 636149-3 | 3-Major | Multiple monitor response codes to single monitor probe failure | |
| 628721-1 | 3-Major | In rare conditions, DNS cache resolver outbound TCP connections fail to expire. | |
| 627926-1 | 3-Major | K21211001 | Retrieving a server-side SSL session ID in iRules does not work |
| 584865-1 | 3-Major | Primary slot mismatch after primary cluster member leaves and then rejoins the cluster | |
| 582487-2 | 3-Major | K22210514 | 'merged.method' set to 'slow_merge,' does not update system stats |
| 574526-1 | 3-Major | K55542554 | HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter |
| 573366-4 | 3-Major | parking command used in the nesting script of clientside and serverside command can cause tmm core | |
| 692095-3 | 4-Minor | K65311501 | bigd logs monitor status unknown for FQDN Node/Pool Member |
| 625892-2 | 4-Minor | Nagle Algorithm Not Fully Enforced with TSO | |
| 530877-7 | 4-Minor | K13887095 | TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances. |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 692941-3 | 2-Critical | GTMD and TMM SIGSEGV when changing wide IP pool in GTMD | |
| 678861-3 | 2-Critical | DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other★ | |
| 580537-1 | 2-Critical | The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data | |
| 562921-4 | 2-Critical | Cipher 3DES and iQuery encrypting traffic between BIG-IP systems | |
| 700527-1 | 3-Major | cmp-hash change can cause repeated iRule DNS-lookup hang | |
| 691498-1 | 3-Major | Connection failure during iRule DNS lookup can crash TMM | |
| 690166-3 | 3-Major | ZoneRunner create new stub zone when creating a SRV WIP with more subdomains | |
| 671326-2 | 3-Major | K81052338 | DNS Cache debug logging might cause tmm to crash. |
| 667469-1 | 3-Major | K35324588 | Higher than expected CPU usage when using DNS Cache |
| 665347-2 | 3-Major | K17060443 | GTM listener object cannot be created via tmsh while in non-Common partition |
| 636853-2 | 3-Major | K19401488 | Under some conditions, a change in the order of GTM topology records does not take effect. |
| 621374-1 | 3-Major | "abbrev" argument in "whereis" iRule returns nothing | |
| 487144-2 | 3-Major | tmm intermittently reports that it cannot find FIPS key |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 701327-1 | 2-Critical | failed configuration deletion may cause unwanted bd exit | |
| 699720-3 | 2-Critical | ASM crash when configuring remote logger for WebSocket traffic with response-logging:all | |
| 691670-3 | 2-Critical | Rare BD crash in a specific scenario | |
| 684312-2 | 2-Critical | K54140729 | During Apply Policy action, bd agent crashes, causing the machine to go Offline |
| 681109-2 | 2-Critical | K46212485 | BD crash in a specific scenario |
| 679603-2 | 2-Critical | K15460886 | bd core upon request, when profile has sensitive element configured. |
| 678462-2 | 2-Critical | after chassis failover: asmlogd CPU 100% on secondary | |
| 678228-1 | 2-Critical | K27568142 | Repeated Errors in ASM Sync |
| 672301-2 | 2-Critical | ASM crashes when using a logout object configuration in ASM policy | |
| 664708-2 | 2-Critical | TMM memory leak when DoS profile is attached to VS | |
| 662281-2 | 2-Critical | Inconsistencies in Automatic sync ASM Device Group | |
| 637252-1 | 2-Critical | K73107660 | Rest worker becomes unreliable after processing a call that generated an error |
| 633070-1 | 2-Critical | Sync Inconsistencies when using Autosync ASM Group between Chassis devices | |
| 631609-1 | 2-Critical | ASM Centralized Management Infrastructure Sync issues | |
| 614441-4 | 2-Critical | K04950182 | False Positive for illegal method (GET) |
| 611154-1 | 2-Critical | BD crash | |
| 599221-1 | 2-Critical | ASM Policy cannot be created in non-default partition via the Import Policy Task | |
| 576123-3 | 2-Critical | K23221623 | ASM policies are created as inactive policies on the peer device |
| 702946-2 | 3-Major | Added option to reset staging period for signatures | |
| 701841-1 | 3-Major | Unnecessary file recovery_db/conf.tar.gz consumes /var disk space | |
| 700564-2 | 3-Major | JavaScript errors shown when debugging a mobile device with ASM deviceID enabled | |
| 700330 | 3-Major | AJAX blocking page isn't shown when a webpage uses jQuery framework. | |
| 700143-1 | 3-Major | ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages | |
| 698919-1 | 3-Major | Anti virus false positive detection on long XML uploads | |
| 697303-3 | 3-Major | BD crash | |
| 696265-3 | 3-Major | K60985582 | BD crash |
| 694922-4 | 3-Major | ASM Auto-Sync Device Group Does Not Sync | |
| 691477-1 | 3-Major | ASM standby unit showing future date and high version count for ASM Device Group | |
| 685743-3 | 3-Major | When changing internal parameter 'request_buffer_size' in large request violations might not be reported | |
| 685207-2 | 3-Major | DoS client side challenge does not encode the Referer header. | |
| 683508-3 | 3-Major | K00152663 | WebSockets: umu memory leak of binary frames when remote logger is configured |
| 682612 | 3-Major | Event Correlation is disabled on vCMP even though all the prerequisites are met. | |
| 679384-1 | 3-Major | K85153939 | The policy builder is not getting updates about the newly added signatures. |
| 678293-1 | 3-Major | K25066531 | Uncleaned policy history files cause /var disk exhaustion |
| 676416-2 | 3-Major | BD restart when switching FTP profiles | |
| 675232-3 | 3-Major | Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction | |
| 674494-1 | 3-Major | K77993010 | BD memory leak on specific configuration and specific traffic |
| 671675-1 | 3-Major | Centralized Management Infrastructure: asm_config_server restart on device group change | |
| 668184-1 | 3-Major | Huge values are shown in the AVR statistics for ASM violations | |
| 668181-2 | 3-Major | Policy automatic learning mode changes to manual after failover | |
| 667922 | 3-Major | K44692860 | Alternative unicode encoding in JSON objects not being parsed correctly |
| 666986-2 | 3-Major | K50320144 | Filter by Support ID is not working in Request Log |
| 663535-1 | 3-Major | Sending ASM cookies with "secure" attribute even without client-ssl profile | |
| 654925-1 | 3-Major | K25952033 | Memory Leak in ASM Sync Listener Process |
| 654873-2 | 3-Major | ASM Auto-Sync Device Group | |
| 619516-1 | 3-Major | Inconsistencies in Automatic sync ASM Device Group | |
| 605982-1 | 3-Major | Policy settings change during export/import | |
| 434821-1 | 3-Major | Remote logging of staged signatures and staged sets | |
| 694073-1 | 4-Minor | All signature update details are shown in 'View update history from previous BIG-IP versions' popup | |
| 655159-1 | 4-Minor | K84550544 | Wrong XML profile name Request Log details for XML violation |
| 625602-3 | 4-Minor | ASM Auto-Sync Device Group Does Not Sync |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 658343-2 | 3-Major | K33043439 | AVR tcp-analytics: per-host RTT average may show incorrect values |
| 648242 | 3-Major | K73521040 | Administrator users unable to access all partition via TMSH for AVR reports |
| 582029-4 | 3-Major | AVR might report incorrect statistics when used together with other modules. | |
| 682105 | 4-Minor | Adding widget in Analytics Overview can cause measures list to empty out on Page change | |
| 649161-1 | 4-Minor | K42340304 | AVR caching mechanism not working properly |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 693739-3 | 2-Critical | VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled | |
| 660711-1 | 2-Critical | K05265457 | MCPd might crash when user trying to import a access policy |
| 649234-3 | 2-Critical | K64131101 | TMM crash from a possible memory corruption. |
| 639929-2 | 2-Critical | Session variable replace with value containing these characters ' " & < > = may cause tmm crash | |
| 632178-1 | 2-Critical | LDAP Query agent creates only two session variables when required attributes list is empty | |
| 703984-2 | 3-Major | Machine Cert agent improperly matches hostname with CN and SAN | |
| 703429-1 | 3-Major | Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services | |
| 700783-3 | 3-Major | Machine certificate check does not check against all FQDN hostnames | |
| 692307-1 | 3-Major | User with 'operator' role may not be able to view some session variables | |
| 689826-2 | 3-Major | K95422068 | Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese) |
| 686282-1 | 3-Major | APMD intermittently crash when processing access policies | |
| 684325-3 | 3-Major | APMD Memory leak when applying a specific access profile | |
| 683389-1 | 3-Major | Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file | |
| 682500-1 | 3-Major | VDI Profile and Storefront Portal Access resource do not work together | |
| 680112-1 | 3-Major | K18131781 | SWG-Explicit rejects large POST bodies during policy evaluation |
| 678851-1 | 3-Major | Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase() | |
| 676690-3 | 3-Major | Windows Edge Client sometimes crashes when user signs out from Windows | |
| 675866-1 | 3-Major | WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO | |
| 675399-3 | 3-Major | K14304639 | Network Access does not work when empty variables are assigned for WINS and DNS |
| 674593-1 | 3-Major | APM configuration snapshot takes a long time to create | |
| 674410-3 | 3-Major | K59281892 | AD auth failures due to invalid Kerberos tickets |
| 673748-1 | 3-Major | K19534801 | ng_export, ng_import might leave security.configpassword in invalid state |
| 672868-1 | 3-Major | Portal Access: JavaScript application with non-whitespace control characters may be processed incorrectly | |
| 672040-3 | 3-Major | Access Policy Causing Duplicate iRule Event Execution | |
| 671597-1 | 3-Major | Import, export, copy and delete is taking too long on 1000 entries policy | |
| 670910-2 | 3-Major | Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined | |
| 669510-2 | 3-Major | When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled. | |
| 669154-1 | 3-Major | K25342114 | Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases. |
| 668623-5 | 3-Major | K85991425 | macOS Edge client fails to detect correct system language for regions other than USA |
| 668503-3 | 3-Major | Edge Client fails to reconnect to virtual server after disabling Network Adapter | |
| 668129-1 | 3-Major | BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers. | |
| 666689-1 | 3-Major | Occasional "profile not found" errors following activate access policy | |
| 666058-2 | 3-Major | K86091857 | XenApp 6.5 published icons are not displayed on APM Webtop |
| 665416-3 | 3-Major | K02016491 | Old versions of APM configuration snapshots need to be reaped more aggressively if not used |
| 665330-1 | 3-Major | MSIE 11 should avoid compatibility mode | |
| 664507-3 | 3-Major | When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration | |
| 663127-1 | 3-Major | Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration. | |
| 655364-1 | 3-Major | Portal access rewriting window.opener causes JS exception | |
| 655146-2 | 3-Major | APM Profile access stats are not updated correctly | |
| 654508-2 | 3-Major | SharePoint MS-OFBA browser window displays Javascript errors | |
| 654046-1 | 3-Major | K22121533 | BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs. |
| 653771-2 | 3-Major | tmm crash after per-request policy error | |
| 653324-3 | 3-Major | K87979026 | On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly |
| 651910-2 | 3-Major | Cannot change 'Enable Access System Logs' or 'Enable URL Request Logs' via the GUI after upgrading from 12.x to 13.0.0 or later | |
| 649613-3 | 3-Major | Multiple UDP/TCP packets packed into one DTLS Record | |
| 632646-4 | 3-Major | APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server. | |
| 629921-4 | 3-Major | [[SWG]-NTLM 407 based front end auth and passthrough 401 based NTLM backend auth does not work. | |
| 621682-1 | 3-Major | Portal Access: problem with specific JavaScript code | |
| 616104-2 | 3-Major | VMware View connections to pool hit matching BIG-IP virtuals | |
| 613373-2 | 3-Major | Access may be denied to users with Application Editor role when accessing SAML Authentication Context UI page | |
| 610582-2 | 3-Major | Device Guard prevents Edge Client connections | |
| 601420-3 | 3-Major | Possible SAML authentication loop with IE and multi-domain SSO. | |
| 596083-1 | 3-Major | Error running custom APM Reports with "session creation time" on Viprion Platform | |
| 590992-3 | 3-Major | If IP address on network adapter changes but DNS remains unchanged, DNS resolution stops working | |
| 578413-1 | 3-Major | Missing reference to customization-group from connectivity profile if created via portal access wizard | |
| 575444-1 | 3-Major | Wininfo agent incorrectly reports OS version on Windows 10 in some cases | |
| 563135-3 | 3-Major | SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt | |
| 466068-1 | 3-Major | Allow setting of the AAA Radius server timeout value larger than 60 seconds | |
| 447565-5 | 3-Major | K33692321 | Renewing machine-account password does not update the serviceId for associated ntlm-auth. |
| 691017-1 | 4-Minor | Preventing ng_export hangs | |
| 684414-1 | 4-Minor | Retrieving too many groups is causing out of memory errors in TMUI and VPE | |
| 673717-1 | 4-Minor | VPE loading times can be very long | |
| 671627-1 | 4-Minor | K06424790 | HTTP responces without body may contain chunked body with empty payload being processed by Portal Access. |
| 667304-1 | 4-Minor | K68108551 | Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled |
| 561892-2 | 4-Minor | K08121752 | Kerberos cache is not cleared when Administrator password is changed in AAA AD Server |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 662844 | 2-Critical | K87735013 | TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x. |
| 643785-3 | 2-Critical | diadb crashes if it cannot find pool name | |
| 699431 | 3-Major | Possible memory leak in MRF under low memory |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 456376-4 | 1-Blocking | K53153545 | BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32 |
| 671052-3 | 2-Critical | K50324413 | AFM NAT security RST the traffic with (FW NAT) dst_trans failed |
| 644822-2 | 2-Critical | K19245372 | FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned |
| 564058-1 | 2-Critical | K91467162 | AutoDoS daemon aborts intermittently after it's being up for several days |
| 620543-1 | 3-Major | Security Address Lists and Port Lists can't change Description field |
Policy Enforcement Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 696383-2 | 2-Critical | PEM Diameter incomplete flow crashes when sweeped | |
| 694717-3 | 2-Critical | Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup. | |
| 616008-3 | 2-Critical | K23164003 | TMM core may be seen when using an HSL format script for HSL reporting in PEM |
| 696789-2 | 3-Major | PEM Diameter incomplete flow crashes when TCL resumed | |
| 695968-3 | 3-Major | Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues. | |
| 694319-3 | 3-Major | CCA without a request type AVP cannot be tracked in PEM. | |
| 694318-3 | 3-Major | PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP. | |
| 684333-3 | 3-Major | PEM session created by Gx may get deleted across HA multiple switchover with CLI command | |
| 678820-2 | 3-Major | Potential memory leak if PEM Diameter sessions are not created successfully. | |
| 678714-3 | 3-Major | After HA failover, subscriber data has stale session ID information | |
| 660187-3 | 3-Major | TMM core after intra-chassis failover for some instances of subscriber creation | |
| 642068-1 | 3-Major | PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens | |
| 638594-3 | 3-Major | TMM crash when handling unknown Gx messages. | |
| 627616-3 | 3-Major | CCR-U missing upon VALIDITY TIMER expiry when quota is zero | |
| 624231-5 | 3-Major | No flow control when using content-insertion with compression | |
| 680729-3 | 4-Minor | K64307999 | DHCP Trace log incorrectly marked as an Error log. |
| 678822-3 | 4-Minor | Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed |
Carrier-Grade NAT Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 663333-1 | 2-Critical | TMM may core in PBA mode id LSN pool is under provisioned or the utilization is high | |
| 615432-1 | 2-Critical | Multiple TFTP data transfers cannot be initiated in a single session | |
| 663974-2 | 3-Major | TMM crash when using LSN inbound connections |
Fraud Protection Services Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 692123-2 | 3-Major | GET parameter is grayed out if MobileSafe is not licensed | |
| 667892-2 | 3-Major | FPS: BLFN inheritance won't take effect until GUI refresh |
Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 681710-4 | CVE-2017-6155 | K10930474 | Malformed HTTP/2 requests may cause TMM to crash |
| 673595-2 | CVE-2017-3167 CVE-2017-3169 | K34125394 | Apache CVE-2017-3167 |
| 648786-5 | CVE-2017-6169 | K31404801 | TMM crashes when categorizing long URLs |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 673129 | 3-Major | K41458656 | New feature: revoke license |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 682837 | 1-Blocking | Compression watchdog period too brief. | |
| 675921 | 1-Blocking | Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running | |
| 696468 | 2-Critical | Active compression requests can become starved from too many queued requests. | |
| 667173 | 2-Critical | 13.1.0 cannot join a device group with 13.1.0.1 | |
| 665656-1 | 2-Critical | BWC with iSession may memory leak | |
| 663366-3 | 2-Critical | SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms. | |
| 621386-1 | 2-Critical | K91988084 | restjavad spawns too many icrd_child instances |
| 683114-1 | 3-Major | Need support for 4th element version in Update Check | |
| 679959-1 | 3-Major | Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000 | |
| 672988-2 | 3-Major | K03433341 | MCP memory leak when performing incremental ConfigSync |
| 669288-3 | 3-Major | K76152943 | Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist. |
| 668352-2 | 3-Major | High Speed Logging unbalance in log distribution for multiple pool destination. | |
| 668048-1 | 3-Major | K02551403 | TMM memory leak when manually enabling/disabling pool member used as HSL destination |
| 663063-2 | 3-Major | Disabling pool member used in busy HSL TCP destination can result service disruption. | |
| 659057-1 | 3-Major | BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD | |
| 658636-2 | 3-Major | K51355172 | When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped. |
| 652691-1 | 3-Major | Installation fails if only .iso.384.sig (new format signature file) is present★ | |
| 652689-2 | 3-Major | K14243280 | Displaying 100G interfaces |
| 642952 | 3-Major | platform_check doesn't run PCI check on i11800 | |
| 640636-3 | 3-Major | F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade | |
| 638881-1 | 3-Major | Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances | |
| 628739-1 | 3-Major | BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD | |
| 628735-1 | 3-Major | Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles | |
| 604547-1 | 3-Major | K21551422 | Unix daemon configuration may lost or not be updated upon reboot |
| 674515 | 4-Minor | New revoke license feature for VE only implemented | |
| 663580-1 | 4-Minor | K31981624 | logrotate does not automatically run when /var/log reaches 90% usage |
| 644723-1 | 4-Minor | cm56xxd logs link 'DOWN' message when an interface is admin DISABLED | |
| 507206-1 | 4-Minor | Multicast Out stats always zero for management interface. |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 689080 | 2-Critical | Erroneous syncookie validation in HSB causes the BIG-IP system to choose the wrong MSS value | |
| 463097-3 | 3-Major | Clock advanced messages with large amount of data maintained in DNS Express zones |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 672504-1 | 2-Critical | K52325625 | Deleting zones from large databases can take excessive amounts of time. |
| 614788-1 | 2-Critical | zxfrd crash due to lack of disk space | |
| 655233-1 | 3-Major | K93338593 | DNS Express using wrong TTL for SOA RRSIG record in NoData response |
| 648766-1 | 3-Major | K57853542 | DNS Express responses missing SOA record in NoData responses if CNAMEs present |
| 645615-2 | 3-Major | K70543226 | zxfrd may fail and restart after multiple failovers between blades in a chassis. |
| 433678-2 | 3-Major | K32401561 | A monitor removed from GTM link cannot be deleted: 'monitor is in use' |
| 646615-1 | 4-Minor | Improved default storage size for DNS Express database |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 652796-1 | 1-Blocking | When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled. | |
| 652792-1 | 2-Critical | When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled. | |
| 678976-2 | 3-Major | K24756214 | Do not print all HTTP headers to avoid printing user credentials to /var/log/apm. |
| 677058-3 | 3-Major | K31757417 | Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 679440-2 | 2-Critical | K14120433 | MCPD Cores with SIGABRT |
| 591828-4 | 3-Major | K52750813 | For unmatched connection, TCP RST may not be sent for data packet |
Policy Enforcement Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 668252-2 | 2-Critical | K22784428 | TMM crash in PEM_DIAMETER component |
| 628311-3 | 2-Critical | K87863112 | Potential TMM crash due to duplicate installed PEM policies by the PCRF |
| 675928-2 | 3-Major | Periodic content insertion could add too many inserts to multiple flows if http request is outstanding | |
| 674686-2 | 3-Major | Periodic content insertion of new flows fails, if an outstanding flow is a long flow | |
| 673683-2 | 3-Major | Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener | |
| 673678-2 | 3-Major | Periodic content insertion fails, if http request/response get interleaved by second subscriber http request | |
| 673472-2 | 3-Major | After classification rule is updated, first periodic Insert content action fails for existing subscriber | |
| 639486-4 | 3-Major | TMM crash due to PEM usage reporting after a CMP state change. | |
| 634015-3 | 3-Major | K49315364 | Potential TMM crash due to a PEM policy content triggered buffer overflow |
| 572568-2 | 3-Major | Gy CCR-i requests are not being re-sent after initial configured re-transmits |
Cumulative fixes from BIG-IP v12.1.3 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 687193-1 | CVE-2018-5533 | K45325728 | TMM may leak memory when processing SSL Forward Proxy traffic |
| 684879-2 | CVE-2017-6164 | K02714910 | TMM may crash while processing TLS traffic |
| 662022-5 | CVE-2017-6138 | K34514540 | The URI normalization functionality within the TMM may mishandle some malformed URIs. |
| 653993-3 | CVE-2017-6132 | K12044607 | A specific sequence of packets to the HA listener may cause tmm to produce a core file |
| 653880 | CVE-2017-6214 | K81211720 | Kernel Vulnerability: CVE-2017-6214 |
| 652539 | CVE-2016-0634 CVE-2016-7543 CVE-2016-9401 |
K73705133 | Multiple Bash Vulnerabilities |
| 652516 | CVE-2016-10088 CVE-2016-10142 CVE-2016-2069 CVE-2016-2384 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-8399 CVE-2016-9576 | K31603170 | Multiple Linux Kernel Vulnerabilities |
| 651221-2 | CVE-2017-6133 | K25033460 | Parsing certain URIs may cause the TMM to produce a core file. |
| 650286-2 | CVE-2017-6167 | K24465120 | REST asynchronous tasks permissions issues |
| 650059-1 | CVE-2017-6129 | K20087443 | TMM may crash when processing VPN traffic |
| 649907-2 | CVE-2017-3137 | K30164784 | BIND vulnerability CVE-2017-3137 |
| 649904-2 | CVE-2017-3136 | K23598445 | BIND vulnerability CVE-2017-3136 |
| 644904-5 | CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985 CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486 |
K55129614 | tcpdump 4.9 |
| 644693-3 | CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231,CVE-2016-5547,CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2017-3241 | K15518610 | Fix for multiple CVE for openjdk-1.7.0 |
| 638556-2 | CVE-2016-10045 | K73926196 | PHP Vulnerability: CVE-2016-10045 |
| 634779-1 | CVE-2017-6147 | K43945001 | TMM may crash will processing SSL Forward Proxy traffic |
| 625860-2 | CVE-2017-6140 | K55102452 | Improved handling of crypto hardware decrypt failures on B4450 platform. |
| 624903-6 | CVE-2017-6140 | K55102452 | Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms. |
| 600069-6 | CVE-2017-0301 | K54358225 | Portal Access: Requests handled incorrectly |
| 659791-2 | CVE-2017-6136 | K81137982 | TFO and TLP could produce a core file under specific circumstances |
| 655059-3 | CVE-2017-6134 | K37404773 | TMM Crash |
| 653224-1 | CVE-2016-8610 CVE-2017-5335 CVE-2017-5336 CVE-2017-5337 |
K59836191 | Multiple GnuTLS Vulnerabilities |
| 653217-2 | CVE-2016-2125 CVE-2016-2126 |
K03644631 | Multiple Samba Vulnerabilities |
| 645480-3 | CVE-2017-6139 | K45432295 | Unexpected APM response |
| 645101-2 | CVE-2017-3731, CVE-2017-3732 | K44512851 | OpenSSL vulnerability CVE-2017-3732 |
| 642659-2 | CVE-2015-8870, CVE-2016-5652, CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, CVE-2016-9536, CVE-2016-9537, CVE-2016-9540 | K34527393 | Multiple LibTIFF Vulnerabilities |
| 640768 | CVE-2016-10088 CVE-2016-9576 |
K05513373 | Kernel vulnerability: CVE-2016-10088 |
| 639729-2 | CVE-2017-0304 | K39428424 | Request validation failure in AFM UI Policy Editor |
| 637666-2 | CVE-2016-10033 | K74977440 | PHP Vulnerability: CVE-2016-10033 |
| 635314-5 | CVE-2016-1248 | K22183127 | vim Vulnerability: CVE-2016-1248 |
| 622178-1 | CVE-2017-6158 | K19361245 | Improve flow handling when Autolasthop is disabled |
| 597176-1 | CVE-2015-8711 CVE-2015-8714 CVE-2015-8716 CVE-2015-8717 CVE-2015-8718 CVE-2015-8720 CVE-2015-8721 CVE-2015-8723 CVE-2015-8725 CVE-2015-8729 CVE-2015-8730 CVE-2015-8733 CVE-2016-2523 CVE-2016-4006 CVE-2016-4078 CVE-2016-4079 CVE-2016-4080 CVE-2016-4081 CVE | K01837042 | Multiple Wireshark (tshark) vulnerabilities |
| 583678-1 | CVE-2016-3115 | K93532943 | SSHD session.c vulnerability CVE-2016-3115 |
| 582773-5 | CVE-2018-5532 | K48224824 | DNS server for child zone can continue to resolve domain names after revoked from parent |
| 567233-1 | CVE-2015-5252, CVE-2015-5296, CVE-2015-5299 | K92616530 | Multiple samba vulnerabilities |
| 353229-2 | CVE-2018-5522 | K54130510 | Buffer overflows in DIAMETER |
| 656912-4 | CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464, CVE-2017-6451, CVE-2017-6458 | K32262483 | Various NTP vulnerabilities |
| 632875-3 | CVE-2018-5516 | K37442533 | Non-Administrator TMSH users no longer allowed to run dig |
| 615226-5 | CVE-2015-8925 CVE-2015-8933 CVE-2016-8688 CVE-2015-8919 CVE-2016-8689 CVE-2015-8931 CVE-2015-8923 CVE-2015-8930 CVE-2015-8922 CVE-2016-5844 CVE-2015-8917 CVE-2016-8687 CVE-2015-8932 CVE-2015-8916 CVE-2016-4809 CVE-2015-8934 CVE-2015-8924 CVE-2015-8920 CVE-2016-4302 CVE-2015-8921 CVE-2015-8928 CVE-2015-8926 CVE-2016-7166 CVE-2016-4300 | K13074505 | Libarchive vulnerabilities: CVE-2016-8687 and others |
| 590840-2 | CVE-2015-8325 | K20911042 | OpenSSH vulnerability CVE-2015-8325 |
| 655021-2 | CVE-2017-3138 | K23598445 | BIND vulnerability CVE-2017-3138 |
| 652638-2 | CVE-2016-10167 | K23731034 | php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx() |
| 627203-1 | CVE-2016-5542, CVE-2016-5554, CVE-2016-5573, CVE-2016-5582, CVE-2016-5597 | K63427774 | Multiple Oracle Java SE vulnerabilities |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 654549-1 | 2-Critical | PVA support for uncommon protocols DoS vector | |
| 653729-2 | 2-Critical | Support IP Uncommon Protocol | |
| 653234 | 2-Critical | Many objects must be reconfigured before use when loading a UCS from another device.★ | |
| 652094-2 | 2-Critical | K49190243 | Improve traffic disaggregation for uncommon IP protocols |
| 643210-2 | 2-Critical | K45444280 | Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM |
| 643054-2 | 2-Critical | ARP and NDP packets should be CoS marked by the swtich on ingress | |
| 663521-2 | 3-Major | Intermittent dropping of multicast packets on certain BIG-IP platforms | |
| 651772-3 | 3-Major | IPv6 host traffic may use incorrect IPv6 and MAC address after route updates | |
| 643143-2 | 3-Major | ARP and NDP packets should be QoS/DSCP marked on egress | |
| 610710-2 | 3-Major | Pass IP TOS bits from incoming connection to outgoing connection | |
| 584545-2 | 3-Major | Failure to stabilize internal HiGig link will not trigger failover event | |
| 567177-1 | 4-Minor | Log all attempts of key export in ltm log | |
| 650074-1 | 5-Cosmetic | Changed Format of RAM Cache REST Status output. |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 642703-2 | 1-Blocking | Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.★ | |
| 619097 | 1-Blocking | iControl REST slow performace on GET request for virtual servers | |
| 539093-1 | 1-Blocking | K26104530 | VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface. |
| 697878 | 2-Critical | High crypto request completion time under some workload patterns | |
| 666790-2 | 2-Critical | K06619044 | Use HSB HiGig MAC reset to recover both FCS errors and link instability |
| 665354-2 | 2-Critical | K31190471 | Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log |
| 658574-2 | 2-Critical | K61847644 | An accelerated flow transmits packets to a stale (incorrect) destination MAC address. |
| 655357-2 | 2-Critical | K06245820 | Corrupted L2 FDB entries on B4450 blades might result in dropped traffic |
| 653376-5 | 2-Critical | bgpd may crash on receiving a BGP update with >= 32 extended communities | |
| 649866-1 | 2-Critical | fsck should not run during first boot on public clouds | |
| 638997-2 | 2-Critical | Reboot required after disk size modification in a running BIG-IP VE instance. | |
| 625456-5 | 2-Critical | Pending sector utility may write repaired sector incorrectly | |
| 624826-2 | 2-Critical | K36404710 | mgmt bridge takes HWADDR of guest vm's tap interface |
| 613415-2 | 2-Critical | K22750357 | Memory leak in ospfd when distribute-list is used |
| 609335-1 | 2-Critical | IPsec tmm devbuf memory leak. | |
| 604011-1 | 2-Critical | Sync fails when iRule or policy is in use★ | |
| 595783 | 2-Critical | Changing console baud rate for B2100, B2150 and B2250 blades does not work | |
| 593137-1 | 2-Critical | userDefined property for bot signatures is not shown in REST | |
| 579210-3 | 2-Critical | K11418051 | VIPRION B4400N blades might fail to go Active under rare conditions. |
| 471860-10 | 2-Critical | K16209 | Disabling interface keeps DISABLED state even after enabling |
| 412817-3 | 2-Critical | BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive. | |
| 671920-1 | 3-Major | Accessing SNMP over IPv6 on non-default route domains | |
| 669818-2 | 3-Major | K64537114 | Higher CPU usage for syslog-ng when a syslog server is down |
| 667278-3 | 3-Major | DSC connections between BIG-IP units may fail to establish | |
| 667138-1 | 3-Major | LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"★ | |
| 664829-1 | 3-Major | BIG-IP sometimes performs unnecessary reboot on first boot | |
| 662331-1 | 3-Major | K24331010 | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
| 661764-2 | 3-Major | K53762147 | It is possible to configure a number of CPUs that exceeds the licensed throughput |
| 660532-2 | 3-Major | K21050223 | Cannot specify the event parameter for redirects on the policy rule screen. |
| 655671-1 | 3-Major | Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced | |
| 655649-2 | 3-Major | K88627152 | BGP last update timer incorrectly resets to 0 |
| 654011-2 | 3-Major | K33210520 | Pool member's health monitors set to Member Specific does not display the active monitors |
| 651155-1 | 3-Major | HSB continually logs 'loopback ring 0 tx not active' | |
| 650349 | 3-Major | K50168519 | Creation or reconfiguration of iApps fails if high speed logging is configured |
| 650002-1 | 3-Major | tzdata bug fix and enhancement update | |
| 649949-1 | 3-Major | Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM★ | |
| 647988-3 | 3-Major | K15331432 | HSL Balanced distribution to Two-member pool may not be balanced correctly. |
| 647944-2 | 3-Major | MCP may crash when making specific changes to a FIX profile attached to more than one virtual server | |
| 645179-6 | 3-Major | Traffic group becomes active on more than one BIG-IP after a long uptime | |
| 644404-1 | 3-Major | Extracting SSD from system leads to Emergency LCD alert★ | |
| 644184-4 | 3-Major | K36427438 | ZebOS daemons hang while AgentX SNMP daemon is waiting. |
| 643294 | 3-Major | IGMP and PIM not in self-allow default list when upgrading from 10.2.x★ | |
| 643121-1 | 3-Major | Failed installation volumes cannot be deleted in the GUI. | |
| 643013 | 3-Major | DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3 | |
| 642982-3 | 3-Major | K23241518 | tmrouted may continually restart after upgrade, adding or renaming an interface★ |
| 642314-2 | 3-Major | K24276198 | CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★ |
| 638825-2 | 3-Major | SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD | |
| 637561-1 | 3-Major | Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice | |
| 636744-1 | 3-Major | K16918340 | IKEv1 phase 2 SAs not deleted |
| 631866-2 | 3-Major | K12402013 | Cannot access LTM policy rules in the web UI when the name contains certain characters |
| 631172-4 | 3-Major | K54071336 | GUI user logged off when idle for 30 minutes, even when longer timeout is set |
| 624692-3 | 3-Major | Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying | |
| 623391-5 | 3-Major | cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★ | |
| 622619-5 | 3-Major | BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD | |
| 622133-1 | 3-Major | VCMP guests may incorrectly obtain incorrect MAC addresses | |
| 621259-3 | 3-Major | Config save takes long time if there is a large number of data groups | |
| 619060 | 3-Major | Reduction in boot time in BIG-IP Virtual Edition platforms | |
| 612752-1 | 3-Major | UCS load or upgrade may fail under certain conditions.★ | |
| 610442-2 | 3-Major | K75051412 | vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso★ |
| 607961-1 | 3-Major | Secondary blades restart when modifying a virtual server's route domain in a different partition. | |
| 605792-1 | 3-Major | Installing a new version changes the ownership of administrative users' files★ | |
| 601709-2 | 3-Major | K02314881 | I2C error recovery for BIG-IP 4340N/4300 blades |
| 590938-3 | 3-Major | The CMI rsync daemon may fail to start | |
| 583475-1 | 3-Major | The BIG-IP may core while recompiling LTM policies | |
| 577474-3 | 3-Major | K35208043 | Users with auditor role are unable to use tmsh list sys crypto cert |
| 569100-1 | 3-Major | Virtual server using NTLM profile results in benign Tcl error | |
| 544906-2 | 3-Major | K07388310 | Issues when using remote authentication when users have different partition access on different devices |
| 507240-4 | 3-Major | K13811263 | ICMP traffic cannot be disaggregated based on IP addresses |
| 480983-4 | 3-Major | tmrouted daemon may core due to daemon_heartbeat | |
| 471029-2 | 3-Major | If the configuration contains a filename with the $ character, then saving the UCS fails. | |
| 656900-1 | 4-Minor | Blade family migration may fail | |
| 655314 | 4-Minor | When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0★ | |
| 653225-1 | 4-Minor | coreutils security and bug fix update | |
| 645717 | 4-Minor | UCS load does not set directory owner | |
| 644975-4 | 4-Minor | K09554025 | /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost |
| 644799-1 | 4-Minor | K42882011 | TMM may crash when the BIG-IP system processes CGNAT traffic. |
| 642723-3 | 4-Minor | Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect | |
| 634371-2 | 4-Minor | Cisco ethernet NIC driver | |
| 530927-8 | 4-Minor | Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed | |
| 530530-6 | 4-Minor | K07298903 | tmsh sys log filter is displayed in UTC time |
| 527720-1 | 4-Minor | Rare 'No LopCmd reply match found' error in getLopReg | |
| 448409-1 | 4-Minor | K15491 | 'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle |
| 626596 | 5-Cosmetic | Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections'. |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 670011-2 | 1-Blocking | SSL forward proxy does not create the server certchain when ignoring server certificates | |
| 621452-1 | 1-Blocking | K58146172 | Connections can stall with TCP::collect iRule |
| 659899-1 | 2-Critical | K10589537 | Rare, intermittent system instability observed in dynamic load-balancing modes |
| 657713-5 | 2-Critical | K05052273 | Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart. |
| 655628-1 | 2-Critical | TCP analytics does not release resources under specific sequence of packets | |
| 655211-1 | 2-Critical | bigd crash (SIGSEGV) when running FQDN node monitors | |
| 650317-3 | 2-Critical | The TMM on the next-active panics with message: "Missing oneconnect HA context" | |
| 649171-4 | 2-Critical | tmm core in iRule with unreachable remote address | |
| 648037-2 | 2-Critical | LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash | |
| 646643-2 | 2-Critical | K43005132 | HA standby virtual server with non-default lasthop settings may crash. |
| 646604-5 | 2-Critical | K21005334 | Client connection may hang when NTLM and OneConnect profiles used together |
| 645663 | 2-Critical | Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus. | |
| 644112-2 | 2-Critical | K56150996 | Permanent connections may be expired when endpoint becomes unreachable |
| 643631 | 2-Critical | K70938130 | Serverside connections on virtual servers using VDI may become zombies. |
| 635274-1 | 2-Critical | K21514205 | SSL::sessionid command may return invalid values |
| 634265-2 | 2-Critical | K34688632 | Using route pools whose members aren't directly connected may crash the TMM. |
| 632552-2 | 2-Critical | K08634156 | tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event |
| 629178-1 | 2-Critical | K42206046 | Incorrect initial size of connection flow-control window |
| 611704-5 | 2-Critical | tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event | |
| 605983-1 | 2-Critical | tmrouted may crash when being restarted in debug mode | |
| 604926-3 | 2-Critical | K50041125 | The TMM may become unresponsive when using SessionDB data larger than ~400K |
| 604223-2 | 2-Critical | pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM" | |
| 583700-3 | 2-Critical | K32784801 | tmm core on out of memory |
| 583355-1 | 2-Critical | The TMM may crash when changing profiles associated with plugins | |
| 566071-5 | 2-Critical | network-HSM may not be operational on secondary slots of a standby chassis. | |
| 559030-1 | 2-Critical | K65244513 | TMM may core during ILX RPC activity if a connflow closes before the RPC returns |
| 677119 | 3-Major | HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE | |
| 676471-1 | 3-Major | Insufficient space for core files on i11x00-series platforms | |
| 672008-1 | 3-Major | K22122208 | NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds |
| 671935-2 | 3-Major | Possible uneven ephemeral port reuse. | |
| 669025-1 | 3-Major | K11425420 | Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate |
| 668521-2 | 3-Major | Bigd might stall while waiting for an external monitor process to exit | |
| 666032-3 | 3-Major | K05145506 | Secure renegotiation is set while data is not available. |
| 663326-2 | 3-Major | Thales HSM: "fipskey.nethsm --export" fails to make stub keys | |
| 662881-2 | 3-Major | K10443875 | L7 mirrored packets from standby to active might cause tmm core when it goes active. |
| 662085-1 | 3-Major | iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages | |
| 658214-2 | 3-Major | K20228504 | TCP connection fail intermittently for mirrored fastl4 virtual server |
| 655793-1 | 3-Major | K04178391 | SSL persistence parsing issues due to SSL / TCP boundary mismatch |
| 654109-2 | 3-Major | K01102467 | Configuration loading may fail when iRules calling procs in other iRules are deleted |
| 653511-2 | 3-Major | Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve | |
| 652535-1 | 3-Major | K54443700 | HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented. |
| 652445-2 | 3-Major | K87541959 | SAN with uppercase names result in case-sensitive match or will not match |
| 651651-3 | 3-Major | K54604320 | bigd can crash when a DNS response does not match the expected value |
| 650292-2 | 3-Major | DNS transparent cache can return non-recursive results for recursive queries | |
| 650152-1 | 3-Major | Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms | |
| 648954-5 | 3-Major | K01102467 | Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls |
| 647137 | 3-Major | bigd/tmm con vCMP guests | |
| 646443-1 | 3-Major | K54432535 | Ephemeral Node may be errantly created in bigd, causing crash |
| 645058-3 | 3-Major | Modifying SSL profiles in GUI may fail when key is protected by passphrase | |
| 645036-3 | 3-Major | K85772089 | Removing pool from virtual server does not update its status |
| 644873-2 | 3-Major | K97237310 | ssldump can fail to decrypt captures with certain TCP segmenting |
| 644851-2 | 3-Major | Websockets closes connection on receiving a close frame from one of the peers | |
| 644418-2 | 3-Major | Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate | |
| 643777-2 | 3-Major | K27629542 | LTM policies with more than one IP address in TCP address match may fail |
| 643582-2 | 3-Major | Config load with large ssl profile configuration may cause tmm restart | |
| 641491-2 | 3-Major | K37551222 | TMM core while running iRule LB::status pool poolname member ip port |
| 640376-3 | 3-Major | K46452834 | STPD leaks memory on 2000/4000/i2000/i4000 series |
| 638715-3 | 3-Major | K77010072 | Multiple Diameter monitors to same server ip/port may race on PID file |
| 632001-1 | 3-Major | For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys | |
| 627574-1 | 3-Major | After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft. | |
| 626434-6 | 3-Major | K65283203 | tmm may be killed by sod when a hardware accelerator does not work |
| 624805-1 | 3-Major | ILX node.js process may be restarted if a single operation takes more than 15 seconds | |
| 623940-3 | 3-Major | SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello | |
| 622017-8 | 3-Major | K54106058 | Performance graph data may become permanently lost after corruption. |
| 621736-6 | 3-Major | K00323105 | statsd does not handle SIGCHLD properly in all cases |
| 620788-1 | 3-Major | K05232247 | FQDN pool created with existing FQDN node has RED status |
| 618161-1 | 3-Major | SSL handshake fails when clientssl uses softcard-protected key-certs. | |
| 618121 | 3-Major | "persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x★ | |
| 607246-10 | 3-Major | Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires | |
| 603609-2 | 3-Major | Policy unable to match initial path segment when request-URI starts with "//" | |
| 602040-3 | 3-Major | Truncated support ID for HTTP protocol security logging profile | |
| 600614-5 | 3-Major | External crypto offload fails when SSL connection is renegotiated | |
| 596433-3 | 3-Major | Virtual with lasthop configured rejects request with no route to client. | |
| 596242-1 | 3-Major | K17065223 | [zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record |
| 595275-5 | 3-Major | Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN | |
| 593390-4 | 3-Major | Profile lookup when selected via iRule ('SSL::profile') might cause memory issues. | |
| 589006-5 | 3-Major | SSL does not cancel pending sign request before the handshake times out or is canceled. | |
| 587705-5 | 3-Major | K98547701 | Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools. |
| 578573-1 | 3-Major | SSL Forward Proxy Forged Certificate Signature Algorithm | |
| 563933-4 | 3-Major | [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs | |
| 536563-7 | 3-Major | Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets. | |
| 484542-1 | 3-Major | QinQ tag-mode can be set on unsupported platforms | |
| 668802-3 | 4-Minor | K83392557 | GTM link graphs fail to display in the GUI |
| 667318-3 | 4-Minor | BIG-IP DNS/GTM link graphs fail to display in the GUI. | |
| 584210-1 | 4-Minor | TMM may core when running two simultaneous WebSocket collect commands | |
| 578415-2 | 4-Minor | Support for hardware accelerated bulk crypto SHA256 missing | |
| 513288-7 | 4-Minor | Management traffic from nodes being health monitored might cause health monitors to fail. | |
| 462043-2 | 4-Minor | DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms |
Performance Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 620903-1 | 2-Critical | Decreased performance of ICMP attack mitigation. |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 636541-3 | 1-Blocking | DNS Rapid Response filters large datagrams | |
| 667028-1 | 2-Critical | DNS Express does not run on i11000 platforms with htsplit disabled. | |
| 649564-2 | 2-Critical | Crash related to GTM monitors with long RECV strings | |
| 663073-1 | 3-Major | GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list. | |
| 659912-1 | 3-Major | K81210772 | GSLB Pool Member Manage page display issues and error message |
| 655807-5 | 3-Major | K40341291 | With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score |
| 655445-2 | 3-Major | Provide the ability to globally specifiy a DSCP value. | |
| 654599-1 | 3-Major | K74132601 | The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed |
| 648286-2 | 3-Major | GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button. | |
| 644447-2 | 3-Major | sync_zones script increasingly consumes memory when there is network connectivity failure | |
| 626141-3 | 3-Major | DNSX Performance Graphs are not displaying Requests/sec" | |
| 615222-1 | 3-Major | K79580892 | GTM configuration fails to load when it has GSLB pool with members containing more than one colon character★ |
| 605260-1 | 3-Major | [GUI] Changes can not be made to GTM listener in partition with default route domain <> 0 | |
| 659969-1 | 4-Minor | tmsh command for gtm-application disabled contexts does not work with none and replace-all-with | |
| 644220-3 | 4-Minor | Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page | |
| 604371-1 | 4-Minor | Pagination controls missing for GSLB pool members |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 653014-1 | 2-Critical | Apply Policy failure if an custom Blocking Page is configured with an underscore in the header name | |
| 652200-1 | 2-Critical | K81349220 | Failure to update ASM enforcer about account change. |
| 651001-1 | 2-Critical | massive prints in tmm log: "could not find conf for profile crc" | |
| 638629-2 | 2-Critical | Bot can be classified as human | |
| 619110-1 | 2-Critical | Slow to delete URLs, CPU spikes with Automatic Policy Builder | |
| 672695-1 | 3-Major | Internal perl process listening on all interfaces when ASM enabled | |
| 665905 | 3-Major | K83305000 | Signature System corruption from specific ASU prevents ASU load after upgrade |
| 664930-2 | 3-Major | Policy automatic learning mode changes to manual after failover | |
| 655617-1 | 3-Major | K36442669 | Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge |
| 650081-1 | 3-Major | K53010710 | Proactive Bot Defense JavaScript challenges may introduce high latencies and cause some browsers to display a blank page. |
| 648617 | 3-Major | K23432927 | JavaScript challenge repeating in loop when URL has path parameters |
| 644855-2 | 3-Major | irules with commands which may suspend processing cannot be used with proactive bot defense | |
| 631444-2 | 3-Major | Bot Name for ASM Search Engines is case sensitive | |
| 630356-1 | 3-Major | JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge | |
| 628351-1 | 3-Major | Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled | |
| 618656-2 | 3-Major | JavaScript challenge repeating in loop on Firefox when URL is longer than 1033 characters | |
| 606521-1 | 3-Major | Policy with UTF-8 encoding retains disallowed high ASCII meta-characters after upgrade | |
| 605616-1 | 3-Major | Creating 256 Fundamental Security policies will result in an out of memory error | |
| 602975-1 | 3-Major | Unable to update the HTTP URL's "Header-Based Content Profiles" values | |
| 596685-1 | 3-Major | K76841626 | Request Log failure on request with XML format violation |
| 595900-4 | 3-Major | K11833633 | Cookie Signature overrides may be ignored after Signature Update |
| 563727-1 | 3-Major | Issue a Body in Get sub violation for GET request with 'transfer-encoding: chunked' | |
| 534247-1 | 3-Major | Issue a Body in Get sub violation for GET request with content type header | |
| 519612-1 | 3-Major | JavaScript challenge fails when coming within iframe with different domain than main page |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 604191-1 | 2-Critical | AVR: Loading the configuration after upgrade might fail due to mishandling of scheduled-reports★ | |
| 629573-1 | 3-Major | K66001885 | No drill-down filter for virtual-servers is mentioned on exported reports when using partition |
| 603875-2 | 3-Major | The statistic ASM memory Utilization - bd swap size: stats are wrong | |
| 601536-1 | 3-Major | Analytics load error stops load of configuration★ | |
| 639395-2 | 4-Minor | K91614278 | AVR does not display 'Max read latency' units. |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 647108-1 | 1-Blocking | Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction | |
| 679235-5 | 2-Critical | Inspection Host NPAPI Plugin for Safari can not be installed | |
| 669341 | 2-Critical | Category Lookup by Subject.CN will result in a reset | |
| 666454-2 | 2-Critical | K05520115 | Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update |
| 663506-7 | 2-Critical | K30533350 | apmd crash during ldap cache initialization |
| 652004-2 | 2-Critical | K45320415 | Show /apm access-info all-properties causes memory leaks in tmm |
| 662639-2 | 3-Major | Policy Sync fails when policy object include FIPS key | |
| 659371-2 | 3-Major | K54310201 | apmd crashes executing iRule policy evaluate |
| 658852-5 | 3-Major | Empty User-Agent in iSessions requests from APM client on Windows | |
| 654513-6 | 3-Major | K11003951 | APM daemon crashes when the LDAP query agent returns empty in its search results. |
| 649929-1 | 3-Major | saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it | |
| 648053-1 | 3-Major | K94477320 | Rewrite plugin may crash on some JavaScript files |
| 646928-1 | 3-Major | Landing URI incorrect when changing URI | |
| 645684-2 | 3-Major | Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting. | |
| 618957-1 | 3-Major | Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates | |
| 601919-2 | 3-Major | Custom categories and custom url filter assignment must be specific to partition instead of global lookup | |
| 583272-2 | 3-Major | "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth | |
| 580567-1 | 3-Major | LDAP Query agent failed to resolve nested group membership | |
| 551795-1 | 3-Major | Portal Access: corrections to CORS support for XMLHttpRequest | |
| 550547-2 | 3-Major | URL including a "token" query fails results in a connection reset |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 664535-1 | 2-Critical | Diameter failure: load balancing fails when all pool members use same IP Address | |
| 640407-1 | 2-Critical | Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF | |
| 568545-2 | 2-Critical | K17124802 | iRules commands that refer to a transport-config will fail validation |
| 559953-1 | 2-Critical | tmm core on long DIAMETER::host value | |
| 662364-2 | 3-Major | MRF DIAMETER: IP ToS not passing through with DIAMETER | |
| 644946-2 | 3-Major | K05053251 | Enabling mirroring on SIP or DIAMETER router profile effects per-client connection mode operation |
| 644565-1 | 3-Major | MRF Message metadata lost when routing message to a connection on a different TMM | |
| 634078-2 | 3-Major | MRF: Routing using a virtual with SNAT set to none may select a source port of zero | |
| 624155-2 | 3-Major | MRF Per-Client mode connections unable to return responses if used by another client connection | |
| 620929-4 | 3-Major | New iRule command, MR::ignore_peer_port | |
| 651640-3 | 4-Minor | queue full dropped messages incorrectly counted as responses |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 670400-3 | 2-Critical | SSH Proxy public key authentication can be circumvented in some cases | |
| 655470 | 2-Critical | K79924625 | IP Intelligence logging publisher removal can cause tmm crash |
| 618902-4 | 3-Major | PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation |
Policy Enforcement Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 658261-2 | 2-Critical | K12253471 | TMM core after HA during GY reporting |
| 658148-2 | 2-Critical | K23150504 | TMM core after intra-chassis failover for some instances of subscriber creation |
| 657632-4 | 2-Critical | Rarely if a subscriber delete is performed following HA switchover, tmm may crash | |
| 653285-1 | 2-Critical | PEM rule deletion with HSL reporting may cause tmm coredump | |
| 652973-2 | 2-Critical | Coredump observed at system bootup time when many DHCP packets arrive | |
| 650422-2 | 2-Critical | TMM core after a switchover involving GY quota reporting | |
| 659567-1 | 3-Major | K94685557 | iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions |
| 652052-3 | 3-Major | PEM:sessions iRule made the order of parameters strict | |
| 635257-2 | 3-Major | K41151808 | Inconsistencies in Gx usage record creation. |
| 623037-2 | 3-Major | delete of pem session attribute does not work after a update |
Fraud Protection Services Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 676808-2 | 2-Critical | FPS: tmm may crash on response with large payload from server | |
| 669364-1 | 2-Critical | TMM core when server responds fast with server responses such as 404. | |
| 669359 | 2-Critical | WebSafe might cause connections to hang | |
| 674931 | 3-Major | FPS modified responses/injections might result in a corrupted response | |
| 674909-3 | 3-Major | Application CSS injection might not work as expected when connection is congested | |
| 667872-1 | 3-Major | Websafe's 'Apply cookies to base domain' feature doesn't work for non standard ports | |
| 658321-2 | 3-Major | Websafe features might break in IE8 | |
| 657502-2 | 3-Major | JS error when leaving page opened for several minutes | |
| 644694 | 3-Major | FPS security update check ends up with an empty page when error occurs. | |
| 618185-1 | 3-Major | Mismatch in URL CRC32 calculation | |
| 643602-2 | 4-Minor | 'Select All' checkbox selects items on hidden pages |
Device Management Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 605123-1 | 2-Critical | IAppLX objects fail to sync after establishing HA in auto-sync mode★ |
iApp Technology Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 606316-4 | 1-Blocking | HTTPS request to F5 licensing server fails | |
| 665778-1 | 2-Critical | K34503519 | Non-admin BIG-IP users can now view/re-deploy iApps through TMUI. |
| 599424-2 | 2-Critical | iApps LX fails to sync★ | |
| 632060-1 | 4-Minor | restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★ |
Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 693211-3 | CVE-2017-6168, CVE-2020-5929 | K21905460 | CVE-2017-6168 |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 664063-1 | 2-Critical | K03203976 | Azure displays failure for deployment of BIG-IP from a Resource Manager template |
Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 652151-1 | CVE-2017-6131 | K61757346 | Azure VE: Initialization improvement |
| 623885-4 | CVE-2016-9251 | K41107914 | Internal authentication improvements |
| 621371-2 | CVE-2016-9257 | K43523962 | Output Errors in APM Event Log |
| 648865-2 | CVE-2017-6074 | K82508682 | Linux kernel vulnerability: CVE-2017-6074 |
| 643187-2 | CVE-2017-3135 | K80533167 | BIND vulnerability CVE-2017-3135 |
| 641445-1 | CVE-2017-6145 | K22317030 | iControl improvements |
| 641360-2 | CVE-2017-0303 | K30201296 | SOCKS proxy protocol error |
| 641256-1 | CVE-2016-9257 | K43523962 | APM access reports display error |
| 636702-3 | CVE-2016-9444 | K40181790 | BIND vulnerability CVE-2016-9444 |
| 636699-5 | CVE-2016-9131 | K86272821 | BIND vulnerability CVE-2016-9131 |
| 631582 | CVE-2016-9250 | K55792317 | Administrative interface enhancement |
| 630475-5 | CVE-2017-6162 | K13421245 | TMM Crash |
| 628836-4 | CVE-2016-9245 | K22216037 | TMM crash during request normalization |
| 624570-1 | CVE-2016-8864 | K35322517 | BIND vulnerability CVE-2016-8864 |
| 624526-3 | CVE-2017-6159 | K10002335 | TMM core in mptcp |
| 624457-5 | CVE-2016-5195 | K10558632 | Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195 |
| 623093-1 | CVE-2016-3990 CVE-2016-3632 CVE-2015-7554 CVE-2016-5320 | K38871451 | TIFF vulnerability CVE-2015-7554 |
| 620400-1 | CVE-2017-6141 | K21154730 | TMM crash during TLS processing |
| 610255-1 | CVE-2017-6161 | K62279530 | CMI improvement |
| 596340-8 | CVE-2016-9244 | K05121675 | F5 TLS vulnerability CVE-2016-9244 |
| 580026-5 | CVE-2017-6165 | K74759095 | HSM logging error |
| 648879-2 | CVE-2016-6136 CVE-2016-9555 | K90803619 | Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555 |
| 641612-2 | CVE-2017-0302 | K87141725 | APM crash |
| 638137 | CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 | K51201255 | CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 |
| 635412 | CVE-2017-6137 | K82851041 | Invalid mss with fast flow forwarding and software syn cookies |
| 635252-1 | CVE-2016-9256 | K47284724 | CVE-2016-9256 |
| 631688-7 | CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433 | K55405388 K87922456 K63326092 K51444934 K80996302 | Multiple NTP vulnerabilities |
| 630150-1 | CVE-2016-9253 | K51351360 | Websockets processing error |
| 627916-1 | CVE-2017-6144 | K81601350 | Improve cURL Usage |
| 627907-1 | CVE-2017-6143 | K11464209 | Improve cURL usage |
| 627747-1 | CVE-2017-6142 | K20682450 | Improve cURL Usage |
| 625372-5 | CVE-2016-2179 | K23512141 | OpenSSL vulnerability CVE-2016-2179 |
| 623119 | CVE-2016-4470 | K55672042 | Linux kernel vulnerability CVE-2016-4470 |
| 622496 | CVE-2016-5829 | K28056114 | Linux kernel vulnerability CVE-2016-5829 |
| 622126-1 | CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127 | K54308010 | PHP vulnerability CVE-2016-7124 |
| 621337-6 | CVE-2016-7469 | K97285349 | XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469 |
| 618261-6 | CVE-2016-2182 | K01276005 | OpenSSL vulnerability CVE-2016-2182 |
| 615267-2 | CVE-2016-2183 | K13167034 | OpenSSL vulnerability CVE-2016-2183 |
| 613225-7 | CVE-2016-2180, CVE-2016-6306, CVE-2016-6302 | K90492697 | OpenSSL vulnerability CVE-2016-6306 |
| 606710-10 | CVE-2016-2834 CVE-2016-5285 CVE-2016-8635 | K15479471 | Mozilla NSS vulnerability CVE-2016-2834 |
| 605420-5 | CVE-2016-5387, CVE-2007-6750 | K80513384 | httpd security update - CVE-2016-5387 |
| 600232-9 | CVE-2016-2177 | K23873366 | OpenSSL vulnerability CVE-2016-2177 |
| 600223-2 | CVE-2016-2177 | K23873366 | OpenSSL vulnerability CVE-2016-2177 |
| 599858-7 | CVE-2015-8895 CVE-2015-8896 CVE-2015-8897 CVE-2015-8898 CVE-2016-5118 CVE-2016-5239 CVE-2016-5240 | K68785753 | ImageMagick vulnerability CVE-2015-8898 |
| 635933-3 | CVE-2004-0790 | K23440942 | The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable |
| 628832-4 | CVE-2016-6161 | K71581599 | libgd vulnerability CVE-2016-6161 |
| 622662-7 | CVE-2016-6306 | K90492697 | OpenSSL vulnerability CVE-2016-6306 |
| 617901-1 | CVE-2018-5525 | K00363258 | GUI to handle file path manipulation to prevent GUI instability. |
| 609691-1 | CVE-2014-4617 | K21284031 | GnuPG vulnerability CVE-2014-4617 |
| 600205-9 | CVE-2016-2178 | K53084033 | OpenSSL Vulnerability: CVE-2016-2178 |
| 600198-2 | CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 CVE-2016-2216 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
| 599285-2 | CVE-2016-5094 CVE-2016-5095 CVE-2016-5096 | K51390683 | PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095 |
| 598002-10 | CVE-2016-2178 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
| 621937-1 | CVE-2016-6304 | K54211024 | OpenSSL vulnerability CVE-2016-6304 |
| 621935-6 | CVE-2016-6304 | K54211024 | OpenSSL vulnerability CVE-2016-6304 |
| 606771-2 | CVE-2016-5399 CVE-2016-6288 CVE-2016-6289 CVE-2016-6290 CVE-2016-5385 CVE-2016-6291 CVE-2016-6292 CVE-2016-6207 CVE-2016-6294 CVE-2015-8879 CVE-2016-6295 CVE-2016-6296 CVE-2016-6297 | K35799130 | Multiple PHP vulnerabilities |
| 601268-5 | CVE-2015-8874 CVE-2016-5770 CVE-2016-5772 CVE-2016-5768 CVE-2016-5773 CVE-2016-5769 CVE-2016-5766 CVE-2016-5771 CVE-2016-5767 CVE-2016-5093 CVE-2016-5094 | K43267483 | PHP vulnerability CVE-2016-5766 |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 653453 | 2-Critical | ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs. | |
| 628972-2 | 2-Critical | BMC version 2.51.7 for iSeries appliances | |
| 624831-2 | 2-Critical | BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps | |
| 616918-1 | 2-Critical | BMC version 2.50.3 for iSeries appliances | |
| 633723-3 | 3-Major | New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot | |
| 633391-1 | 3-Major | GUI Error trying to modify IP Data-Group | |
| 609614-3 | 3-Major | Yafuflash 4.25 for iSeries appliances | |
| 597797-4 | 3-Major | K78449695 | Allow users to disable enforcement of RFC 7507 Fallback SCSV |
| 584471-1 | 3-Major | K34343741 | Priority order of clientssl profile selection of virtual server. |
| 581840-5 | 3-Major | K46576869 | Cannot use Administrator account other than 'admin' to manage BIG-IP systems through BIG-IQ. |
| 564876-2 | 3-Major | New DB variable log.lsn.comma changes CGNAT logs to CSV format | |
| 609084-2 | 4-Minor | K03808942 | Max number of chunks not configurable above 1000 chunks |
| 597270-2 | 4-Minor | tcpdump support missing for VXLAN-GPE NSH |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 655500 | 1-Blocking | Rekey SSH sessions after one hour | |
| 642058-1 | 1-Blocking | CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances | |
| 641390-5 | 1-Blocking | K00216423 | Backslash removal in LTM monitors after upgrade |
| 627433-1 | 1-Blocking | HSB transmitter failure on i2x00 and i4x00 platforms | |
| 602830-1 | 1-Blocking | BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode | |
| 648056-2 | 2-Critical | K16503454 | bcm56xxd core when configuring QinQ VLAN with vCMP provisioned. |
| 645805 | 2-Critical | K92637255 | LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain incorrect Ethernet source MAC addresses |
| 641248 | 2-Critical | IPsec-related tmm segfault | |
| 641013-5 | 2-Critical | GRE tunnel traffic pinned to one TMM | |
| 638935-3 | 2-Critical | Monitor with send/receive string containing double-quote may cause upgrade to fail.★ | |
| 636918-2 | 2-Critical | Fix for crash when multiple tunnels use the same traffic selector | |
| 636290 | 2-Critical | vCMP support for B4450 blade | |
| 627898-2 | 2-Critical | K53050234 | tmm leaks memory in the ECM subsystem |
| 625824-1 | 2-Critical | iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory | |
| 624263-4 | 2-Critical | iControl REST API sets non-default profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets profile's non-default property value as "none"; properties missing in iControl REST API response | |
| 618779-1 | 2-Critical | Route updates during IPsec tunnel setup can cause tmm to restart | |
| 616059-1 | 2-Critical | K19545861 | Modifying license.maxcores Not Allowed Error |
| 614296-1 | 2-Critical | Dynamic routing process ripd may core | |
| 613536-5 | 2-Critical | tmm core while running the iRule STATS:: command | |
| 610295-1 | 2-Critical | K32305923 | TMM may crash due to internal backplane inconsistency after reprovisioning |
| 583516-2 | 2-Critical | tmm ASSERT's "valid node" on Active, after timer fire.. | |
| 567457-2 | 2-Critical | TMM may crash when changing the IKE peer config. | |
| 652484-2 | 3-Major | tmsh show net f5optics shows information for only 1 chassis slot in a cluster | |
| 649617-2 | 3-Major | qkview improvement for OVSDB management | |
| 648544-5 | 3-Major | K75510491 | HSB transmitter failure may occur when global COS queues enabled |
| 646760 | 3-Major | Common Criteria Mode Disrupts Administrative SSH Access | |
| 644892-1 | 3-Major | Files captured multiple times in qkview | |
| 644490-1 | 3-Major | Finisar 100G LR4 values need to be revised in f5optics | |
| 637559-1 | 3-Major | Modifying iRule online could cause TMM to be killed by SIGABRT | |
| 636535 | 3-Major | K24844444 | HSB lockup in vCMP guest doesn't generate core file |
| 635961-1 | 3-Major | gzipped and truncated files may be saved in qkview | |
| 635129 | 3-Major | Chassis systems in HA configuration become Active/Active during upgrade★ | |
| 635116-1 | 3-Major | K34100550 | Memory leak when using replicated remote high-speed logging. |
| 634115-1 | 3-Major | Not all topology records may sync. | |
| 633879-1 | 3-Major | K52833014 | Fix IKEv1 md5 phase1 hash algorithm so config takes effect |
| 633512-1 | 3-Major | HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION. | |
| 633413-1 | 3-Major | IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI | |
| 631627-4 | 3-Major | Applying BWC over route domain sometimes results in tmm not becoming ready on system start | |
| 630622-1 | 3-Major | tmm crash possible if high-speed logging pool member is deleted and reused | |
| 630610-5 | 3-Major | K43762031 | BFD session interface configuration may not be stored on unit state transition |
| 630546-1 | 3-Major | Very large core files may cause corrupted qkviews | |
| 629499-9 | 3-Major | tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found" | |
| 629085-1 | 3-Major | K55278069 | Any CSS content truncated at a quoted value leads to a segfault |
| 628202-4 | 3-Major | Audit-forwarder can take up an excessive amount of memory during a high volume of logging | |
| 628164-3 | 3-Major | K20766432 | OSPF with multiple processes may incorrectly redistribute routes |
| 628009-1 | 3-Major | f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800 | |
| 627961-3 | 3-Major | K15130343 | nic_failsafe reboot doesn't trigger if HSB fails to disable interface |
| 627914-1 | 3-Major | Unbundled 40GbE optics reporting as Unsupported Optic | |
| 627214-3 | 3-Major | BGP ECMP recursive default route not redistributed to TMM | |
| 626839 | 3-Major | sys-icheck error for /var/lib/waagent in Azure. | |
| 626721-5 | 3-Major | "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart | |
| 625703-2 | 3-Major | SELinux: snmpd is denied access to tmstat files | |
| 625085 | 3-Major | lasthop rmmod causes kernel panic | |
| 624361-1 | 3-Major | Responses to some of the challenge JS are not zipped. | |
| 623930-3 | 3-Major | vCMP guests with vlangroups may loop packets internally | |
| 623401-1 | 3-Major | Intermittent OCSP request failures due to non-optimal default TCP profile setting | |
| 623336-4 | 3-Major | After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★ | |
| 623055-1 | 3-Major | Kernel panic during unic initialization | |
| 622183-5 | 3-Major | The alert daemon should remove old log files but it does not. | |
| 621909-4 | 3-Major | K23562314 | Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members |
| 621273-1 | 3-Major | DSR tunnels with transparent monitors may cause TMM crash. | |
| 620659-3 | 3-Major | The BIG-IP system may unecessarily run provisioning on successive reboots | |
| 620366-4 | 3-Major | Alertd can not open UDP socket upon restart | |
| 617628-1 | 3-Major | SNMP reports incorrect value for sysBladeTempTemperature OID | |
| 615934-1 | 3-Major | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. | |
| 615107-1 | 3-Major | Cannot SSH from AOM/SCCP to host without password (host-based authentication). | |
| 613765-3 | 3-Major | Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors. | |
| 612809-1 | 3-Major | Bootup script fails to run on on a vCMP guest due to a missing reference file. | |
| 611658-3 | 3-Major | "less" utility logs an error for remotely authenticated users using the tmsh shell | |
| 611512-1 | 3-Major | AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name. | |
| 611487-3 | 3-Major | vCMP: VLAN failsafe does not trigger on guest | |
| 610417-1 | 3-Major | K54511423 | Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported. |
| 609119-7 | 3-Major | Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3: | |
| 608320-3 | 3-Major | iControl REST API sets non-default persistence profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets persistence profile's non-default property value as "none"; properties missing in iControl REST API response | |
| 604727-1 | 3-Major | Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.★ | |
| 604237-3 | 3-Major | Vlan allowed mismatch found error in VCMP guest | |
| 604061-2 | 3-Major | Link Aggregation Control Protocol May Lose Synchronization after TMM Crash | |
| 602376-1 | 3-Major | qkview excludes files | |
| 598498-7 | 3-Major | Cannot remove Self IP when an unrelated static ARP entry exists. | |
| 598134-1 | 3-Major | Stats query may generate an error when tmm on secondary is down | |
| 596067-2 | 3-Major | GUI on VIPRION hangs on secondary blade reboot | |
| 590211-2 | 3-Major | jitterentropy-rngd quietly fails to start | |
| 586738-4 | 3-Major | The tmm might crash with a segfault. | |
| 583754-7 | 3-Major | When TMM is down, executing 'show ltm persist persist-records' results in a blank error message. | |
| 575027-1 | 3-Major | Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues. | |
| 562928-2 | 3-Major | Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled | |
| 559080-5 | 3-Major | High Speed Logging to specific destinations stops from individual TMMs | |
| 557471-3 | 3-Major | LTM Policy statistics showing zeros in GUI | |
| 543208-1 | 3-Major | Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.★ | |
| 534520-1 | 3-Major | qkview may exclude certain log files from /var/log | |
| 424542-5 | 3-Major | tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments | |
| 418349-2 | 3-Major | Update/overwrite of FIPS keys error | |
| 643404-2 | 4-Minor | K30014507 | 'tmsh system software status' does not display properly in a specific cc-mode situation★ |
| 636520-3 | 4-Minor | K88813435 | Detail missing from power supply 'Bad' status log messages |
| 633181-1 | 4-Minor | A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section | |
| 632668-5 | 4-Minor | When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds | |
| 632069-3 | 4-Minor | Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076 | |
| 621957-2 | 4-Minor | Timezone data on AOM not syncing with host | |
| 609107-1 | 4-Minor | mcpd does not properly validate missing 'sys folder' config in bigip_base.conf | |
| 599191-2 | 4-Minor | One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card | |
| 589379-2 | 4-Minor | K20937139 | ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route. |
| 585097-1 | 4-Minor | Traffic Group score formula does not result in unique values. | |
| 541550-3 | 4-Minor | Defining more than 10 remote-role groups can result in authentication failure | |
| 541320-10 | 4-Minor | K50973424 | Sync of tunnels might cause restore of deleted tunnels. |
| 500452-8 | 4-Minor | K28520025 | PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware |
| 642015-2 | 5-Cosmetic | SSD Manufacturer "unavailable" | |
| 524277-2 | 5-Cosmetic | Missing power supplies issue warning message that should be just a notice message. |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 651476 | 2-Critical | bigd may core on non-primary bigd when FQDN in use | |
| 648715-2 | 2-Critical | BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0 | |
| 643396-2 | 2-Critical | K34553627 | Using FLOW_INIT iRule may lead to TMM memory leak or crash |
| 642400-2 | 2-Critical | Path MTU discovery occasionally fails | |
| 640352-2 | 2-Critical | K01000259 | Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet |
| 639744-1 | 2-Critical | K84228882 | Memory leak in STREAM::expression iRule |
| 637181-4 | 2-Critical | VIP-on-VIP traffic may stall after routing updates | |
| 632685 | 2-Critical | bigd memory leak for FQDN nodes on non-primary bigd instance | |
| 630306-1 | 2-Critical | TMM crash in DNS processing on UDP virtual server with no available pool members | |
| 629145-1 | 2-Critical | External datagroups with no metadata can crash tmm | |
| 628890-1 | 2-Critical | Memory leak when modifying large datagroups | |
| 627403-2 | 2-Critical | HTTP2 can can crash tmm when stats is updated on aborting of a new connection | |
| 626311-2 | 2-Critical | K75419237 | Potential failure of DHCP relay functionality credits to incorrect route lookup. |
| 625198-1 | 2-Critical | TMM might crash when TCP DSACK is enabled | |
| 622856-1 | 2-Critical | BIG-IP may enter SYN cookie mode later than expected | |
| 621870-2 | 2-Critical | Outage may occur with VIP-VIP configurations | |
| 619663-3 | 2-Critical | K49220140 | Terminating of HTTP2 connection may cause a TMM crash |
| 619528-4 | 2-Critical | TMM may accumulate internal events resulting in TMM restart | |
| 619071-3 | 2-Critical | OneConnect with verified accept issues | |
| 614509-1 | 2-Critical | iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart | |
| 609027-1 | 2-Critical | TMM crashes when SSL forward proxy is enabled. | |
| 608304-1 | 2-Critical | K55292305 | TMM crash on memory corruption |
| 603667-2 | 2-Critical | TMM may leak or corrupt memory when configuration changes occur with plugins in use | |
| 603082-3 | 2-Critical | Ephemeral pool members are getting deleted/created over and over again. | |
| 602136-5 | 2-Critical | iRule drop/discard/reject commands causes tmm segfault or still sends 3-way handshake to the server. | |
| 601828-1 | 2-Critical | K13338433 | An untrusted certificate can cause tmm to crash. |
| 600982-5 | 2-Critical | TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0" | |
| 599720-2 | 2-Critical | TMM may crash in bigtcp due to null pointer dereference | |
| 597828-1 | 2-Critical | SSL forward proxy crashes in some cases | |
| 596450-1 | 2-Critical | TMM may produce a core file after updating SSL session ticket key | |
| 594642-3 | 2-Critical | Stream filter may require large allocations by Tcl leading TMM to core on allocation failure. | |
| 581746-1 | 2-Critical | K42175594 | MPTCP or SSL traffic handling may cause a BIG-IP outage |
| 557358-5 | 2-Critical | TMM SIGSEGV and crash when memory allocation fails. | |
| 423629-3 | 2-Critical | K08454006 | bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted |
| 653201 | 3-Major | Update the default CA certificate bundle file to the latest version and remove expiring certificates from it | |
| 651106 | 3-Major | memory leak on non-primary bigd with changing node IPs | |
| 649571-1 | 3-Major | Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello | |
| 648990 | 3-Major | Serverside SSL renegotiation does not occur after block cipher data limit is exceeded | |
| 641512-4 | 3-Major | K51064420 | DNSSEC key generations fail with lots of invalid SSL traffic |
| 632324-2 | 3-Major | PVA stats does not show correct connection number | |
| 629412-3 | 3-Major | BIG-IP closes a connection when a maximum size window is attempted | |
| 627246-1 | 3-Major | K09336400 | TMM memory leak when ASM policy configured on virtual server |
| 626386-1 | 3-Major | K28505256 | SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled |
| 626106-3 | 3-Major | LTM Policy with illegal rule name loses its conditions and actions during upgrade★ | |
| 625106-2 | 3-Major | Policy Sync can fail over a lossy network | |
| 624616-1 | 3-Major | Safenet uninstall is unable to remove libgem.so | |
| 620625-2 | 3-Major | K38094257 | Changes to the Connection.VlanKeyed db key may not immediately apply |
| 620079-3 | 3-Major | Removing route-domain may cause monitors to fail | |
| 619849-4 | 3-Major | In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled. | |
| 618430-2 | 3-Major | iRules LX data not included in qkview | |
| 618428 | 3-Major | iRules LX - Debug mode does not function in dedicated mode | |
| 618254-4 | 3-Major | Non-zero Route domain is not always used in HTTP explicit proxy | |
| 617858-2 | 3-Major | bigd core when using Tcl monitors | |
| 616022-2 | 3-Major | K46530223 | The BIG-IP monitor process fails to process timeout conditions |
| 613326-1 | 3-Major | SASP monitor improvements | |
| 612694-5 | 3-Major | TCP::close with no pool member results in zombie flows | |
| 610429-5 | 3-Major | X509::cert_fields iRule command may memory with subpubkey argument | |
| 610302-1 | 3-Major | Link throughput graphs might be incorrect. | |
| 609244-4 | 3-Major | tmsh show ltm persistence persist-records leaks memory | |
| 608551-3 | 3-Major | Half-closed congested SSL connections with unclean shutdown might stall. | |
| 607152-1 | 3-Major | Large Websocket frames corrupted | |
| 604496-4 | 3-Major | SQL (Oracle) monitor daemon might hang. | |
| 603979-4 | 3-Major | Data transfer from the BIG-IP system self IP might be slow | |
| 603723-2 | 3-Major | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup | |
| 603550-1 | 3-Major | K63164073 | Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats. |
| 600827-8 | 3-Major | K21220807 | Stuck Nitrox crypto queue can erroneously be reported |
| 600593-1 | 3-Major | Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests | |
| 600052-1 | 3-Major | GUI displaying "Internal Server Error" page when there many (~3k) certs/keys in the system | |
| 599121-2 | 3-Major | K24036315 | Under heavy load, hardware crypto queues may become unavailable. |
| 592871-3 | 3-Major | Cavium Nitrox PX/III stuck queue diagnostics missing. | |
| 591666-3 | 3-Major | TMM crash in DNS processing on TCP virtual with no available pool members | |
| 589400-1 | 3-Major | K33191529 | With Nagle disabled, TCP does not send all of xfrags with size greater than MSS. |
| 584310-1 | 3-Major | K83393638 | TCP:Collect ignores the 'skip' parameter when used in serverside events |
| 584029-6 | 3-Major | Fragmented packets may cause tmm to core under heavy load | |
| 582769-1 | 3-Major | K99405272 | WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual |
| 579926-1 | 3-Major | HTTP starts dropping traffic for a half-closed connection when in passthrough mode | |
| 568543-4 | 3-Major | Syncookie mode is activated on wildcard virtuals | |
| 562267-3 | 3-Major | FQDN nodes do not support monitor alias destinations. | |
| 517756-6 | 3-Major | Existing connections can choose incorrect route when crossing non-strict route-domains | |
| 509858-5 | 3-Major | BIG-IP FastL4 profile vulnerability | |
| 419741-3 | 3-Major | Rare crash with vip-targeting-vip and stale connections on VIPRION platforms | |
| 352957-4 | 3-Major | K03005026 | Route lookup after change in route table on established flow ignores pool members |
| 660170-1 | 4-Minor | K28505910 | tmm may crash at ~75% of VLAN failsafe timeout expiration |
| 631862-1 | 4-Minor | K32107573 | Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk |
| 618517-1 | 4-Minor | K61255401 | bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring |
| 611161-3 | 4-Minor | K28540353 | VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default. |
| 587966-1 | 4-Minor | K77283304 | LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port |
| 583943-1 | 4-Minor | K27491104 | Forward proxy does not work when netHSM is configured on TMM interfaces |
| 574020-5 | 4-Minor | Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}') |
Performance Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 621115-1 | 2-Critical | IP/IPv6 TTL/hoplimit may not be preserved for host traffic |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 642039-2 | 2-Critical | K20140595 | TMM core when persist is enabled for wideip with certain iRule commands triggered. |
| 584374-2 | 2-Critical | K67622400 | iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address. |
| 642330-2 | 3-Major | GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★ | |
| 640903-1 | 3-Major | Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen | |
| 632423-4 | 3-Major | K40256229 | DNS::query can cause tmm crash if AXFR/IXFR types specified. |
| 629530-2 | 3-Major | K53675033 | Under certain conditions, monitors do not time out. |
| 628897-1 | 3-Major | Add Hyperlink to gslb server and vs on the Pool Member List Page | |
| 625671-4 | 3-Major | The diagnostic tool dnsxdump may crash with non-standard DNS RR types. | |
| 624876-1 | 3-Major | Response Policy Zones can trigger even after entry removed from zone | |
| 624193-2 | 3-Major | Topology load balancing not working as expected | |
| 623023-1 | 3-Major | Unable to set DNS Topology Continent to Unknown via GUI | |
| 621239-2 | 3-Major | Certain DNS queries bypass DNS Cache RPZ filter. | |
| 620215-5 | 3-Major | TMM out of memory causes core in DNS cache | |
| 619398-7 | 3-Major | TMM out of memory causes core in DNS cache | |
| 612769-1 | 3-Major | K33842313 | Hard to use search capabilities on the Pool Members Manage page. |
| 601180-2 | 3-Major | K73505027 | Link Controller base license does not allow DNS namespace iRule commands.★ |
| 567743-2 | 3-Major | K70663134 | Possible gtmd crash under certain conditions. |
| 557434-4 | 3-Major | After setting a Last Resort Pool on a Wide IP, cannot reset back to None | |
| 366695-1 | 5-Cosmetic | Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 646511-1 | 2-Critical | BD crashes repeatedly after interrupted roll-forward upgrade★ | |
| 636397-1 | 2-Critical | bd cores when persistent storage configuration and under some memory conditions. | |
| 634001-2 | 2-Critical | ASM restarts after deleting a VS that has an ASM security policy assigned to it | |
| 627117-1 | 2-Critical | crash with wrong ceritifcate in WSS | |
| 625783-1 | 2-Critical | Chassis sync fails intermittently due to sync file backlog | |
| 618771-1 | 2-Critical | Some Social Security Numbers are not being masked | |
| 601378-2 | 2-Critical | Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons | |
| 584082-3 | 2-Critical | BD daemon crashes unexpectedly | |
| 540928-1 | 2-Critical | Memory leak due to unnecessary logging profile configuration updates. | |
| 640824-1 | 3-Major | K20770267 | Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★ |
| 635754-1 | 3-Major | K65531575 | Wildcard URL pattern match works inncorectly in Traffic Learning |
| 632344-2 | 3-Major | POP DIRECTIONAL FORMATTING causes false positive | |
| 632326-2 | 3-Major | K52814351 | relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation |
| 631737-1 | 3-Major | K61367823 | ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations |
| 630929-1 | 3-Major | K69767100 | Attack signature exception list upload times-out and fails |
| 627360-1 | 3-Major | Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★ | |
| 626438-1 | 3-Major | Frame is not showing in the browser and/ or an error appears | |
| 625832-4 | 3-Major | A false positive modified domain cookie violation | |
| 622913-2 | 3-Major | Audit Log filled with constant change messages | |
| 621524-2 | 3-Major | Processing Timeout When Viewing a Request with 300+ Violations | |
| 620635-2 | 3-Major | Request having upper case JSON login parameter is not detected as a failed login attempt | |
| 614563-3 | 3-Major | AVR TPS calculation is inaccurate | |
| 611151-2 | 3-Major | An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive | |
| 608245 | 3-Major | Reporting missing parameter details when attack signature is matched against parameter value | |
| 583024-1 | 3-Major | TMM restart rarely during startup | |
| 581406-1 | 3-Major | SQL Error on Peer Device After Receiving ASM Sync in a Device Group | |
| 580168-4 | 3-Major | Information missing from ASM event logs after a switchboot and switchboot back | |
| 576591-6 | 3-Major | Support for some future credit card number ranges | |
| 572885-1 | 3-Major | Policy automatic learning mode changes to manual after failover | |
| 392121-3 | 3-Major | TMSH Command to retrieve the memory consumption of the bd process | |
| 642874-1 | 4-Minor | K15329152 | Ready to be Enforced filter for Policy Signatures returns too many signatures |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 634215-1 | 2-Critical | False detection of attack after restarting dosl7d | |
| 573764-1 | 2-Critical | In some cases, only primary blade retains it's statistics after upgrade on multi bladed system | |
| 642221-2 | 3-Major | Incorrect entity is used when exporting TCP analytics from GUI | |
| 641574 | 3-Major | K06503033 | AVR doesn't report on virtual and client IP in DNS statistics |
| 635561-1 | 3-Major | Heavy URLs statistics are not shown after upgrade. | |
| 631722 | 3-Major | Some HTTP statistics not displayed after upgrade | |
| 631131-3 | 3-Major | Some tmstat-adapters based reports stats are incorrect | |
| 605010-1 | 3-Major | Thrift::TException error | |
| 560114-6 | 3-Major | Monpd is being affected by an I/O issue which makes some of its threads freeze |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 645339-2 | 1-Blocking | TMM may crash when processing APM data | |
| 637308-8 | 2-Critical | K41542530 | apmd may crash when HTTP Auth agent is used in an Access Policy |
| 632005-1 | 2-Critical | BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes | |
| 622244-2 | 2-Critical | Edge client can fail to upgrade when always connected is selected | |
| 617310-2 | 2-Critical | Edge client can fail to upgrade when Always Connected is selected★ | |
| 614322-1 | 2-Critical | K31063537 | TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway |
| 608424-2 | 2-Critical | Dynamic ACL agent error log message contains garbage data | |
| 608408-2 | 2-Critical | TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library | |
| 593078-1 | 2-Critical | CATEGORY::filetype command may cause tmm to crash and restart | |
| 643547-1 | 3-Major | K43036745 | APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP |
| 638799-1 | 3-Major | Per-request policy branch expression evaluation fails | |
| 638780-3 | 3-Major | Handle 302 redirects for VMware Horizon View HTML5 client | |
| 636044-1 | 3-Major | K68018520 | Large number of glob patterns affects custom category lookup performance |
| 634576 | 3-Major | K48181045 | TMM core in per-request policy |
| 634252 | 3-Major | K99114539 | TMM crash with per-request policy in SWG explicit |
| 632504-1 | 3-Major | K31277424 | APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list |
| 632499-1 | 3-Major | K70551821 | APM Policy Sync: Resources under webtop section are not sync'ed automatically |
| 632472-1 | 3-Major | Frequently logged "Silent flag set - fail" messages | |
| 632386-1 | 3-Major | EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists | |
| 630571-1 | 3-Major | K35254214 | Edge Client on Mac OSX Sierra stuck in a reconnect loop |
| 629801-2 | 3-Major | Access policy is applied automatically on target device after policy sync, when there is a also a FODG in the trust domain. | |
| 629698-1 | 3-Major | Edge client stuck on "Initializing" state | |
| 629069-2 | 3-Major | Portal Access may delete scripts from HTML page in some cases | |
| 628687-2 | 3-Major | Edge Client reconnection issues with captive portal | |
| 628685-2 | 3-Major | K79361498 | Edge Client shows several security warnings after roaming to a network with Captive Portal |
| 627972-2 | 3-Major | K11327511 | Unable to save advanced customization when using Exchange iApp |
| 627059-1 | 3-Major | In some rare cases TMM may crash while handling VMware View client connection | |
| 626910-1 | 3-Major | Policy with assigned SAML Resource is exported with error | |
| 625474-1 | 3-Major | POST request body is not saved in session variable by access when request is sent using edge client | |
| 625159-1 | 3-Major | Policy sync status not shown on standby device in HA case | |
| 624966-2 | 3-Major | Edge client starts new APM session when Captive portal session expire | |
| 623562-3 | 3-Major | Large POSTs rejected after policy already completed | |
| 622790-1 | 3-Major | EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP | |
| 621976-4 | 3-Major | OneDrive for Business thick client shows javascript errors when rendering APM logon page | |
| 621974-4 | 3-Major | Skype For Business thick client shows javascript errors when rendering APM logon page | |
| 621447-1 | 3-Major | In some rare cases, VDI may crash | |
| 621210-2 | 3-Major | Policy sync shows as aborted even if it is completed | |
| 621126-2 | 3-Major | Import of config with saml idp connector with reuse causes certificate not found error | |
| 620829-2 | 3-Major | K34213161 | Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly |
| 620801-3 | 3-Major | Access Policy is not able to check device posture for Android 7 devices | |
| 620614-4 | 3-Major | Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account | |
| 619879-1 | 3-Major | HTTP iRule commands could lead to WEBSSO plugin being invoked | |
| 619811-2 | 3-Major | Machine Cert OCSP check fails with multiple Issuer CA | |
| 619486-3 | 3-Major | Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self | |
| 619473-2 | 3-Major | Browser may hang at APM session logout | |
| 618170-3 | 3-Major | Some URL unwrapping functions can behave bad | |
| 617063-1 | 3-Major | After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel | |
| 617002-1 | 3-Major | SWG with Response Analytics agent in a Per-Request policy fails with some URLs | |
| 616838-3 | 3-Major | Citrix Remote desktop resource custom parameter name does not accept hyphen character | |
| 615970-1 | 3-Major | SSO logging level may cause failover | |
| 615254-2 | 3-Major | Network Access Launch Application item fails to launch in some cases | |
| 612419-1 | 3-Major | APM - suspected memory leak (umem_alloc_32/network access (variable)) | |
| 611968-3 | 3-Major | JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow | |
| 611669-4 | 3-Major | Mac Edge Client customization is not applied on macOS 10.12 Sierra | |
| 610180-2 | 3-Major | SAML Single Logout is misconfigured can cause a minor memory leak in SSO plugin. | |
| 597214-5 | 3-Major | Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly | |
| 595819-1 | 3-Major | Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with a http/2 enabled browser and HTTP/2 profile attached, | |
| 595272-1 | 3-Major | Edge client may show a windows displaying plain text in some cases | |
| 591246-1 | 3-Major | Unable to launch View HTML5 connections in non-zero route domain virtual servers | |
| 584582-1 | 3-Major | JavaScript: 'baseURI' property may be handled incorrectly | |
| 570217-2 | 3-Major | BIG-IP APM now uses Airwatch v2 API to retreive device posture information | |
| 533956-3 | 3-Major | K30515450 | Portal Access: Space-like characters in EUC character sets may be handled incorrectly. |
| 503842-4 | 3-Major | Microsoft WebService HTML component does not work after rewriting | |
| 640521-1 | 4-Minor | EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices | |
| 636254-2 | 4-Minor | Cannot reinitiate a sync on a target device when sync is completed | |
| 618404-1 | 4-Minor | Access Profile copying might be invalid if policies are named series of names. | |
| 606257-3 | 4-Minor | K56716107 | TCP FIN sent with Connection: Keep-Alive header for webtop page resources |
WebAccelerator Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 630661-2 | 3-Major | K30241432 | WAM may leak memory when a WAM policy node has multiple variation header rules |
Wan Optimization Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 644970-1 | 2-Critical | Editing a virtual server config loses SSL encryption on iSession connections | |
| 644489-1 | 3-Major | K14899014 | Unencrypted iSession connection established even though data-encrypt configured in profile |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 639236-1 | 2-Critical | K66947004 | Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute |
| 624023-3 | 2-Critical | TMM cores in iRule when accessing a SIP header that has no value | |
| 569316-1 | 2-Critical | Core occurs on standby in MRF when routing to a route using a transport config | |
| 649933-1 | 3-Major | Fragmented RADIUS messages may be dropped | |
| 629663-1 | 3-Major | K23210890 | CGNAT SIP ALG will drop SIP INVITE |
| 625542-1 | 3-Major | SIP ALG with Translation fails for REGISTER refresh. | |
| 625098-3 | 3-Major | SCTP::local_port iRule not supported in MRF events | |
| 601255-4 | 3-Major | RTSP response to SETUP request has incorrect client_port attribute |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 632731-2 | 2-Critical | K21964367 | specific external logging configuration can cause TMM service restart |
| 628623-1 | 2-Critical | tmm core with AFM provisioned | |
| 639193-1 | 3-Major | K03453591 | For HA BIG-IP devices, deleting parent policy causes sync to fail. |
| 631025-1 | 3-Major | 500 internal error on inline rule editor for certain firewall policies | |
| 610129-3 | 3-Major | K43320840 | Config load failure when cluster management IP is not defined, but instead uses address-list. |
| 592113-5 | 3-Major | tmm core on the standby unit with dos vectors configured | |
| 590805-4 | 3-Major | Active Rules page displays a different time zone. | |
| 431840-3 | 3-Major | Cannot add vlans to whitelist if they contain a hyphen |
Policy Enforcement Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 627257-2 | 2-Critical | Potential PEM crash during a Gx operation | |
| 626851-2 | 2-Critical | K37665112 | Potential crash in a multi-blade chassis during CMP state changes. |
| 624744-1 | 2-Critical | Potential crash in a multi-blade chassis during CMP state changes. | |
| 624733-1 | 2-Critical | Potential crash in a multi-blade chassis during CMP state changes. | |
| 624228-1 | 2-Critical | Memory leak when using insert action in pem rule and flow gets aborted | |
| 623922-5 | 2-Critical | K64388805 | TMM failure in PEM while processing Service-Provider Disaggregation |
| 641482-2 | 3-Major | Subscriber remains in delete pending state until CCR-t ack has success as result code is received | |
| 640510-3 | 3-Major | BWC policy category attachment may fail during a PEM policy update for a subscriber. | |
| 640457-2 | 3-Major | Session Creation failure after HA | |
| 635233-3 | 3-Major | K80902149 | Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages |
| 630611-1 | 3-Major | K84324392 | PEM module crash when subscriber not fund |
| 627798-3 | 3-Major | Buffer length check for quota bucket objects | |
| 627279-2 | 3-Major | Potential crash in a multi-blade chassis during CMP state changes. | |
| 623927-2 | 3-Major | K41337253 | Flow entry memory leaked after DHCP DORA process |
| 564281-3 | 3-Major | TMM (debug) assert seen during Failover with Gy | |
| 628869-4 | 4-Minor | Unconditional logs seen due to the presence of a PEM iRule. |
Carrier-Grade NAT Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 609788 | 2-Critical | PCP may pick an endpoint outside the deterministic mapping | |
| 642284 | 3-Major | Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption. | |
| 629871-2 | 3-Major | FTP ALG deployment should not rewrite PASV response 464 XLAT cases |
Fraud Protection Services Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 639750-1 | 2-Critical | username aliases are not supported | |
| 636370 | 3-Major | Application Layer Encryption AJAX support | |
| 629627-1 | 3-Major | FPS Log Publisher is not grouped nor filtered by partition | |
| 629127-1 | 3-Major | Parent profiles cannot be saved using FPS GUI | |
| 628348-1 | 3-Major | Cannot configure any Mobile Security list having 11 records or more via the GUI | |
| 628337-1 | 3-Major | Forcing a single injected tag configuration is restrictive | |
| 625275-1 | 3-Major | Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI | |
| 624198-1 | 3-Major | Unable to add multiple User-Defined alerts with the same search category | |
| 623518-1 | 3-Major | Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition | |
| 594127-2 | 3-Major | Pages using Angular may hang when Websafe is enabled | |
| 635541 | 4-Minor | "Application CSS Locations" is not inherited if changing parent profile |
Traffic Classification Engine Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 625172-1 | 2-Critical | tmm crashes when classification is enabled and ftp traffic is flowing trough the box | |
| 631472-1 | 3-Major | Reseting classification signatures to default may result in non-working configuration |
Device Management Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 606518-3 | 2-Critical | K00762373 | iControl REST with 3rd party auth does not function as expected with special characters in the username e.g., '$', '@' / email addresses as username. |
| 642983-1 | 3-Major | K94534313 | Update to max message size limit doesn't work sometimes |
| 629845-2 | 3-Major | Disallowing TLSv1 connections to HTTP causes iControl/REST issues | |
| 626542-2 | 3-Major | Unable to set maxMessageBodySize in iControl REST after upgrade★ |
Cumulative fixes from BIG-IP v12.1.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 618306-2 | CVE-2016-9247 | K33500120 | TMM vulnerability CVE-2016-9247 |
| 616864-1 | CVE-2016-2776 | K18829561 | BIND vulnerability CVE-2016-2776 |
| 613282-2 | CVE-2016-2086, CVE-2016-2216, CVE-2016-1669 | K15311661 | NodeJS vulnerability CVE-2016-2086 |
| 611469-3 | CVE-2016-7467 | K95444512 | Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector |
| 597394-2 | CVE-2016-9252 | K46535047 | Improper handling of IP options |
| 591328-7 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K36488941 | OpenSSL vulnerability CVE-2016-2106 |
| 591325-8 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K75152412 | OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 |
| 591042-17 | CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 | K23230229 | OpenSSL vulnerabilities |
| 560109-7 | CVE-2017-6160 | K19430431 | Client capabilities failure |
| 618549-1 | CVE-2016-9249 | K71282001 | Fast Open can cause TMM crash CVE-2016-9249 |
| 618263-1 | CVE-2016-2182 | K01276005 | OpenSSL vulnerability CVE-2016-2182 |
| 614147-1 | CVE-2017-6157 | K02692210 | SOCKS proxy defect resolution |
| 614097-1 | CVE-2017-6157 | K02692210 | HTTP Explicit proxy defect resolution |
| 607314-1 | CVE-2016-3500 CVE-2016-3508 | K25075696 | Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508 |
| 605039-3 | CVE-2016-2775 | K92991044 | lwresd and bind vulnerability CVE-2016-2775 |
| 601059-6 | CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449 | K14614344 | libxml2 vulnerability CVE-2016-1840 |
| 599536-1 | CVE-2017-6156 | K05263202 | IPsec peer with wildcard selector brings up wrong phase2 SAs |
| 597023-1 | CVE-2016-4954 | K82644737 | NTP vulnerability CVE-2016-4954 |
| 595242-1 | CVE-2016-3705 | K54225343 | libxml2 vulnerabilities CVE-2016-3705 |
| 595231-1 | CVE-2016-3627 | K54225343 | libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705 |
| 594496-1 | CVE-2016-4539 | K35240323 | PHP Vulnerability CVE-2016-4539 |
| 593447-1 | CVE-2016-5024 | K92859602 | BIG-IP TMM iRules vulnerability CVE-2016-5024 |
| 592485 | CVE-2015-5157 CVE-2015-8767 | K17326 | Linux kernel vulnerability CVE-2015-5157 |
| 592001-1 | CVE-2016-4071 CVE-2016-4073 | K64412100 | CVE-2016-4073 PHP vulnerabilities |
| 591455-7 | CVE-2016-1550 CVE-2016-1548 CVE-2016-2516 CVE-2016-2518 | K24613253 | NTP vulnerability CVE-2016-2516 |
| 591447-1 | CVE-2016-4070 | K42065024 | PHP vulnerability CVE-2016-4070 |
| 591358-1 | CVE-2016-3425 CVE-2016-0695 CVE-2016-3427 | K81223200 | Oracle Java SE vulnerability CVE-2016-3425 |
| 585424-1 | CVE-2016-1979 | K20145801 | Mozilla NSS vulnerability CVE-2016-1979 |
| 580747-1 | CVE-2016-0739 | K57255643 | libssh vulnerability CVE-2016-0739 |
| 557190-3 | CVE-2017-6166 | K65615624 | 'packet_free: double free!' tmm core |
| 597010-1 | CVE-2016-4955 | K03331206 | NTP vulnerability CVE-2016-4955 |
| 596997-1 | CVE-2016-4956 | K64505405 | NTP vulnerability CVE-2016-4956 |
| 591767-8 | CVE-2016-1547 | K11251130 | NTP vulnerability CVE-2016-1547 |
| 591438-7 | CVE-2015-8865 | K54924436 | PHP vulnerability CVE-2015-8865 |
| 575629-3 | CVE-2015-8139 | K00329831 | NTP vulnerability: CVE-2015-8139 |
| 573343-1 | CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 | K01324833 | NTP vulnerability CVE-2015-8158 |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 615377-3 | 3-Major | Unexpected rate limiting of unreachable and ICMP messages for some addresses. | |
| 590122-2 | 3-Major | Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification. | |
| 581438-2 | 3-Major | Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision. | |
| 561348-7 | 3-Major | krb5.conf file is not synchronized between blades and not backed up | |
| 541549-2 | 3-Major | AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination. | |
| 530109-3 | 3-Major | OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled. | |
| 246726-1 | 3-Major | K8940 | System continues to process virtual server traffic after disabling virtual address |
| 225634-1 | 3-Major | The rate class feature does not honor the Burst Size setting. | |
| 599839-3 | 4-Minor | Add new keyords to SIP::persist command to specify how Persistence table is updated | |
| 591733-4 | 4-Minor | K83175883 | Save on Auto-Sync is missing from the configuration utility. |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 625784 | 1-Blocking | TMM crash on i4x00 and i2x00 platforms with large ASM configuration. | |
| 617622 | 1-Blocking | In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure | |
| 621422 | 2-Critical | i2000 and i4000 series appliances do not warn when an incorrect optic is in a port | |
| 620056-1 | 2-Critical | Assert on deletion of paired in-and-out IPsec traffic selectors | |
| 617935 | 2-Critical | IKEv2 VPN tunnels fail to establish | |
| 617481-1 | 2-Critical | TMM can crash when HTML minification is configured | |
| 614865-5 | 2-Critical | Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors. | |
| 610354-1 | 2-Critical | TMM crash on invalid memory access to loopback interface stats object | |
| 605476-3 | 2-Critical | statsd can core when reading corrupt stats files. | |
| 601527-4 | 2-Critical | mcpd memory leak and core | |
| 600894-1 | 2-Critical | In certain situations, the MCPD process can leak memory | |
| 598748 | 2-Critical | IPsec AES-GCM IVs are now based on a monotonically increasing counter | |
| 598697-1 | 2-Critical | vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created★ | |
| 595712-1 | 2-Critical | Not able to add remote user locally | |
| 591495-2 | 2-Critical | VCMP guests sflow agent can crash due to duplicate vlan interface indices | |
| 591104-1 | 2-Critical | ospfd cores due to an incorrect debug statement. | |
| 588686 | 2-Critical | High-speed logging to remote logging node stops sending logs after all logging nodes go down | |
| 587698-3 | 2-Critical | bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured | |
| 585745-2 | 2-Critical | sod core during upgrade from 10.x to 12.x. | |
| 583936-5 | 2-Critical | Removing ECMP route from BGP does not clear route from NSM | |
| 557680-4 | 2-Critical | Fast successive MTU changes to IPsec tunnel interface crashes TMM | |
| 355806-7 | 2-Critical | Starting mcpd manually at the command line interferes with running mcpd | |
| 622877-1 | 3-Major | i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away | |
| 622199 | 3-Major | sys-icheck reports error with /var/lib/waagent | |
| 622194 | 3-Major | sys-icheck reports error with ssh_host_rsa_key | |
| 621423 | 3-Major | sys-icheck reports error with /config/ssh/ssh_host_dsa_key | |
| 621242-1 | 3-Major | Reserve enough space in the image for future upgrades. | |
| 621225 | 3-Major | LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0" | |
| 620782 | 3-Major | Azure cloud now supports hourly billing | |
| 619410-1 | 3-Major | TMM hardware accelerated compression not registering for all compression levels. | |
| 617986-2 | 3-Major | Memory leak in snmpd | |
| 617229-1 | 3-Major | K54245014 | Local policy rule descriptions disappear when policy is re-saved |
| 616242-3 | 3-Major | K39944245 | basic_string::compare error in encrypted SSL key file if the first line of the file is blank★ |
| 614530-2 | 3-Major | Dynamic ECMP routes missing from Linux host | |
| 614180-1 | 3-Major | ASM is not available in LTM policy when ASM is licensed as the main active module | |
| 610441-3 | 3-Major | When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received. | |
| 610352-1 | 3-Major | sys-icheck reports error with /etc/sysconfig/modules/unic.modules | |
| 610350-1 | 3-Major | sys-icheck reports error with /config/bigpipe/defaults.scf | |
| 610273-3 | 3-Major | Not possible to do targeted failover with HA Group configured | |
| 605894-3 | 3-Major | Remote authentication for BIG-IP users can fail | |
| 603149-2 | 3-Major | Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy | |
| 602854-8 | 3-Major | Missing ASM control option from LTM policy rule screen in the Configuration utility | |
| 602502-2 | 3-Major | Unable to view the SSL Cert list from the GUI | |
| 601989-3 | 3-Major | K88516119 | Remote LDAP system authenticated username is case sensitive★ |
| 601893-2 | 3-Major | K89212666 | TMM crash in bwc_ctb_instance_recharge because of pkts_avg_size is zero. |
| 601502-4 | 3-Major | Excessive OCSP traffic | |
| 600558-5 | 3-Major | Errors logged after deleting user in GUI | |
| 599816-2 | 3-Major | Packet redirections occur when using VLAN groups with members that have different cmp-hash settings. | |
| 598443-1 | 3-Major | Temporary files from TMSH not being cleaned up intermittently. | |
| 598039-6 | 3-Major | MCP memory may leak when performing a wildcard query | |
| 597729-5 | 3-Major | Errors logged after deleting user in GUI | |
| 596104-1 | 3-Major | K84539934 | HA trunk unavailable for vCMP guest★ |
| 595773-4 | 3-Major | Cancellation requests for chunked stats queries do not propagate to secondary blades | |
| 594426-2 | 3-Major | Audit forwarding Radius packets may be rejected by Radius server | |
| 592870-2 | 3-Major | Fast successive MTU changes to IPsec tunnel interface crashes TMM | |
| 592344-2 | 3-Major | NTP Security Updates | |
| 592320-5 | 3-Major | ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1 | |
| 589083-2 | 3-Major | TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors. | |
| 586878-4 | 3-Major | During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★ | |
| 585833-3 | 3-Major | Qkview will abort if /shared partition has less than 2GB free space | |
| 585547-1 | 3-Major | NTP configuration items are no longer collected by qkview★ | |
| 585485-3 | 3-Major | inter-ability with "delete IPSEC-SA" between AZURE, ASA, and the BIG-IP system | |
| 584583-3 | 3-Major | K18410170 | Timeout error when using the REST API to retrieve large amount of data |
| 583285-5 | 3-Major | K24331010 | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
| 582084-1 | 3-Major | BWC policy in device sync groups. | |
| 580500-1 | 3-Major | /etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed. | |
| 578551-5 | 3-Major | bop "network 0.0.0.0/0 route-map Default" configuration is lost after after restart/reboot | |
| 576305-7 | 3-Major | Potential MCPd leak in IPSEC SPD stats query code | |
| 575649-5 | 3-Major | MCPd might leak memory in IPFIX destination stats query | |
| 575591-6 | 3-Major | Potential MCPd leak in IKE message stats query code | |
| 575589-5 | 3-Major | Potential MCPd leak in IKE event stats query code | |
| 575587-7 | 3-Major | Potential MCPd leak in BWC policy class stats query code | |
| 575176-1 | 3-Major | K58275035 | Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic |
| 575066-1 | 3-Major | Management DHCP settings do not take effect | |
| 570818-4 | 3-Major | Address lease-pool in IKEv2 might interfere with IKEv2 negotiations. | |
| 568672-1 | 3-Major | Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI | |
| 566507-4 | 3-Major | Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment | |
| 553795-7 | 3-Major | Differing cert/key after successful config-sync | |
| 547479-5 | 3-Major | Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted | |
| 546145-1 | 3-Major | Creating local user for previously remote user results in incomplete user definition. | |
| 540872-1 | 3-Major | Config sync fails after creating a partition. | |
| 527206-5 | 3-Major | Management interface may flap due to LOP sync error | |
| 393270-1 | 3-Major | Configuration utility may become non-responsive or fail to load. | |
| 618421 | 4-Minor | Some mass storage is left un-used | |
| 617124 | 4-Minor | Cannot map hardware type (12) to HardwareType enumeration | |
| 581835-1 | 4-Minor | Command failing: tmsh show ltm virtual vs_name detail. | |
| 567546-1 | 4-Minor | Files with file names larger than 100 characters are omitted from qkview | |
| 564771-1 | 4-Minor | cron sends purge_mysql_logs.pl email error on LTM-only device | |
| 564522-2 | 4-Minor | K40547220 | cron is configured with MAILTO=root but mailhost defaults to 'mail' |
| 559837-4 | 4-Minor | Misleading error message in catalina.out when listing certificates. | |
| 551349-5 | 4-Minor | K80203854 | Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★ |
| 460833-5 | 4-Minor | MCPD sync errors and restart after multiple modifications to file object in chassis | |
| 572133-5 | 5-Cosmetic | tmsh save /sys ucs command sends status messages to stderr | |
| 442231-4 | 5-Cosmetic | Pendsect log entries have an unexpected severity |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 618905-1 | 1-Blocking | tmm core while installing Safenet 6.2 client | |
| 616215-4 | 2-Critical | TMM can core when using LB::detach and TCP::notify commands in an iRule | |
| 615388-1 | 2-Critical | L7 policies using normalized HTTP URI or Referrer operands may corrupt memory | |
| 612229-1 | 2-Critical | TMM may crash if LTM a disable policy action for 'LTM Policy' is not last | |
| 609628-2 | 2-Critical | CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session | |
| 609199-6 | 2-Critical | Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join | |
| 608555-1 | 2-Critical | Configuring asymmetric routing with a VE rate limited license will result in tmm crash | |
| 607724-2 | 2-Critical | K25713491 | TMM may crash when in Fallback state. |
| 607524-2 | 2-Critical | Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down. | |
| 607360-5 | 2-Critical | Safenet 6.2 library missing after upgrade★ | |
| 606573-3 | 2-Critical | FTP traffic does not work through SNAT when configured without Virtual Server★ | |
| 605865-4 | 2-Critical | Debug TMM produces core on certain ICMP PMTUD packets | |
| 604133-2 | 2-Critical | Ramcache may leave the HTTP Cookie Cache in an inconsistent state | |
| 603032-1 | 2-Critical | clientssl profiles with sni-default enabled may leak X509 objects | |
| 602326-1 | 2-Critical | Intermittent pkcs11d core when stopping or restarting pkcs11d service | |
| 599135-2 | 2-Critical | B2250 blades may suffer from high TMM CPU utilisation with tcpdump | |
| 588959-2 | 2-Critical | K34453301 | TMM may crash or behave abnormally on a Standby BIG-IP unit |
| 588351-5 | 2-Critical | IPv6 fragments are dropped when packet filtering is enabled. | |
| 586449-1 | 2-Critical | Incorrect error handling in HTTP cookie results in core when TMM runs out of memory | |
| 584213-1 | 2-Critical | Transparent HTTP profiles cannot have iRules configured | |
| 575011-1 | 2-Critical | K21137299 | Memory leak. Nitrox3 Hang Detected. |
| 574880-3 | 2-Critical | Excessive failures observed when connection rate limit is configured on a fastl4 virtual server. | |
| 549329-3 | 2-Critical | K02020031 | L7 mirrored ACK from standby to active box can cause tmm core on active |
| 545810-3 | 2-Critical | K14304373 | TMM halts and restarts |
| 459671-4 | 2-Critical | iRules source different procs from different partitions and executes the incorrect proc. | |
| 617862-2 | 3-Major | Fastl4 handshake timeout is absolute instead of relative | |
| 617824-3 | 3-Major | "SSL::disable/enable serverside" + oneconnect reuse is broken | |
| 615143-1 | 3-Major | VDI plugin-initiated connections may select inappropriate SNAT address | |
| 613429-2 | 3-Major | Unable to assign wildcard wide IPs to various BIG-IP DNS objects. | |
| 613369-4 | 3-Major | Half-Open TCP Connections Not Discoverable | |
| 613079-4 | 3-Major | Diameter monitor watchdog timeout fires after only 3 seconds | |
| 613065-1 | 3-Major | User can't generate netHSM key with Safenet 6.2 client using GUI | |
| 612040-4 | 3-Major | Statistics added for all crypto queues | |
| 611320-3 | 3-Major | Mirrored connection on Active unit of HA pair may be unexpectedly torndown | |
| 610609-3 | 3-Major | Total connections in bigtop, SNMP are incorrect | |
| 608024-3 | 3-Major | Unnecessary DTLS retransmissions occur during handshake. | |
| 607803-3 | 3-Major | K33954223 | DTLS client (serverssl profile) fails to complete resumed handshake. |
| 607304-5 | 3-Major | TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap. | |
| 606940-3 | 3-Major | Clustered Multiprocessing (CMP) peer connection may not be removed | |
| 606575-6 | 3-Major | Request-oriented OneConnect load balancing ends when the server returns an error status code. | |
| 606565-2 | 3-Major | K52231531 | TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection |
| 604977-2 | 3-Major | K08905542 | Wrong alert when DTLS cookie size is 32 |
| 603236-1 | 3-Major | 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware | |
| 602385-1 | 3-Major | Add zLib compression | |
| 602366-1 | 3-Major | Safenet 6.2 HA performance | |
| 602358-5 | 3-Major | BIG-IP ServerSSL connection may reset during rengotiation with some SSL/TLS servers due to ClientHello version | |
| 601496-4 | 3-Major | iRules and OCSP Stapling | |
| 601178-6 | 3-Major | HTTP cookie persistence 'preferred' encryption | |
| 598874-2 | 3-Major | GTM Resolver sends FIN after SYN retransmission timeout | |
| 597978-2 | 3-Major | GARPs may be transmitted by active going offline | |
| 597879-1 | 3-Major | CDG Congestion Control can lead to instability | |
| 597532-1 | 3-Major | iRule: RADIUS avp command returns a signed integer | |
| 597089-8 | 3-Major | Connections are terminated after 5 seconds when using ePVA full acceleration | |
| 593530-6 | 3-Major | K26430211 | In rare cases, connections may fail to expire |
| 592784-2 | 3-Major | Compression stalls, does not recover, and compression facilities cease. | |
| 592497-1 | 3-Major | Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state. | |
| 591659-5 | 3-Major | K47203554 | Server shutdown is propagated to client after X-Cnection: close transformation. |
| 591476-7 | 3-Major | K53220379 | Stuck crypto queue can erroneously be reported |
| 591343-5 | 3-Major | K03842525 | SSL::sessionid output is not consistent with the sessionid field of ServerHello message. |
| 589223-1 | 3-Major | TMM crash and core dump when processing SSL protocol alert. | |
| 588115-1 | 3-Major | TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw | |
| 588089-3 | 3-Major | SSL resumed connections may fail during mirroring | |
| 587016-3 | 3-Major | SIP monitor in TLS mode marks pool member down after positive response. | |
| 585813-3 | 3-Major | K22111214 | SIP monitor with TLS mode fails to find cert and key files. |
| 585412-4 | 3-Major | SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines | |
| 583957-6 | 3-Major | The TMM may hang handling pipelined HTTP requests with certain iRule commands. | |
| 582465-1 | 3-Major | Cannot generate key after SafeNet HSM is rebooted | |
| 580303-5 | 3-Major | When going from active to offline, tmm might send a GARP for a floating address. | |
| 579843-1 | 3-Major | tmrouted may not re-announce routes after a specific succession of failover states | |
| 579371-4 | 3-Major | K70126130 | BIG-IP may generate ARPs after transition to standby |
| 578951-2 | 3-Major | TCP Fast Open connection timeout during handshake does not decrement pre_established_connections | |
| 572281-5 | 3-Major | Variable value in the nesting script of foreach command get reset when there is parking command in the script | |
| 570057-2 | 3-Major | Can't install more than 16 SafeNet HSMs in its HA group | |
| 569288-6 | 3-Major | Different LACP key may be used in different blades in a chassis system causing trunking failures | |
| 565799-4 | 3-Major | CPU Usage increases when using masquerade addresses | |
| 551208-6 | 3-Major | Nokia alarms are not deleted due to the outdated alert_nokia.conf. | |
| 550161-4 | 3-Major | Networking devices might block a packet that has a TTL value higher than 230. | |
| 545796-5 | 3-Major | [iRule] [Stats] iRule is not generating any stats for executed iRules. | |
| 545450-5 | 3-Major | Log activation/deactivation of TM.TCPMemoryPressure | |
| 537553-8 | 3-Major | tmm might crash after modifying virtual server SSL profiles in SNI configuration | |
| 534457-4 | 3-Major | Dynamically discovered routes might fail to remirror connections. | |
| 530266-7 | 3-Major | Rate limit configured on a node can be exceeded | |
| 506543-5 | 3-Major | Disabled ephemeral pool members continue to receive new connections | |
| 483953-1 | 3-Major | Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value. | |
| 472571-7 | 3-Major | Memory leak with multiple client SSL profiles. | |
| 464801-3 | 3-Major | Intermittent tmm core | |
| 423392-6 | 3-Major | tcl_platform is no longer in the static:: namespace | |
| 371164-1 | 3-Major | BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so MAC might associated with multiple VLANs. | |
| 598860-4 | 4-Minor | IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address | |
| 587676-2 | 4-Minor | SMB monitor fails due to internal configuration issue | |
| 560471-1 | 4-Minor | Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down | |
| 544033-5 | 4-Minor | K30404012 | ICMP fragmentation request is ignored by BIG-IP |
| 222034-4 | 4-Minor | HTTP::respond in LB_FAILED with large header/body might result in truncated response |
Performance Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 510631-1 | 3-Major | B4450 L4 No ePVA or L7 throughput lower than expected |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 603598-3 | 2-Critical | big3d memory under extreme load conditions | |
| 587656-2 | 2-Critical | GTM auto discovery problem with EHF for ID574052 | |
| 587617-1 | 2-Critical | While adding GTM server, failure to configure new IP on existing server leads to gtmd core | |
| 615338-2 | 3-Major | The value returned by "matchregion" in an iRule is inconsistent in some cases. | |
| 613576-1 | 3-Major | QOS load balancing links display as gray | |
| 613045-7 | 3-Major | Interaction between GTM and 10.x LTM results in some virtual servers marked down | |
| 607658-1 | 3-Major | GUI becomes unresponsive when managing GSLB Pool | |
| 589256-1 | 3-Major | K71283501 | DNSSEC NSEC3 records with different type bitmap for same name. |
| 588289-1 | 3-Major | GTM is Re-ordering pools when adding pool including order designation | |
| 584623-2 | 3-Major | Response to -list iRules command gets truncated when dealing with MX type wide IP | |
| 574052-4 | 3-Major | GTM autoconf can cause high CPU usage for gtmd | |
| 370131-4 | 3-Major | Loading UCS with low GTM Autoconf Delay drops pool Members from config |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 609499-1 | 2-Critical | Compiled signature collections use more memory than prior versions | |
| 603945-2 | 2-Critical | BD config update should be considered as config addition in case of update failure | |
| 588087-1 | 2-Critical | Attack prevention isn't escalating under some conditions in session opening mitigation | |
| 587629-2 | 2-Critical | IP exceptions may have issues with route domain | |
| 575133-1 | 2-Critical | asm_config_server_rpc_handler_async.pl SIGSEGV and core | |
| 622386-1 | 3-Major | Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled | |
| 621808-1 | 3-Major | Proactive Bot Defense failing in IE11 with Compatibility View enabled | |
| 616169 | 3-Major | ASM Policy Export returns HTML error file | |
| 613459-1 | 3-Major | Non-common browsers blocked by Proactive Bot Defense | |
| 613396-1 | 3-Major | Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs | |
| 611385-1 | 3-Major | "Learn Explicit Entities" may continue to work as if it is 'Add All Entities' | |
| 610857-1 | 3-Major | DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver. | |
| 610830-1 | 3-Major | FingerPrint javascript runs slow and causes bad user browsing experience when accessing a webapp's first page. | |
| 609496-2 | 3-Major | Improved diagnostics in BD config update (bd_agent) added | |
| 608509-1 | 3-Major | Policy learning is slow under high load | |
| 606875-1 | 3-Major | DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page | |
| 604923-5 | 3-Major | REST id for Signatures change after update | |
| 604612-1 | 3-Major | K20323120 | Modified ASM cookie violation happens after upgrade to 12.1.x★ |
| 602221-2 | 3-Major | Wrong parsing of redirect Domain | |
| 601924-1 | 3-Major | Selenium detection by ports scanning doesn't work even if the ports are opened | |
| 596502-1 | 3-Major | Unable to force Bot Defense action to Allow in iRule | |
| 584642-1 | 3-Major | Apply Policy Failure | |
| 584103-2 | 3-Major | FPS periodic updates (cron) write errors to log | |
| 582683-2 | 3-Major | xpath parser doesn't reset a namespace hash value between each and every scan | |
| 582133-1 | 3-Major | Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.) | |
| 581315-1 | 3-Major | Selenium detection not blocked | |
| 579917-1 | 3-Major | User-defined signature set cannot be created/updated with Signature Type = "All" | |
| 579495-1 | 3-Major | Error when loading Upgrade UCS★ | |
| 521204-2 | 3-Major | Include default values in XML Policy Export | |
| 501892-1 | 3-Major | Selenium is not detected by headless mechanism when using client version without server |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 602654-2 | 2-Critical | TMM crash when using AVR lookups | |
| 602434-1 | 2-Critical | Tmm crash with compressed response | |
| 601056 | 2-Critical | TCP-Analytics, error message not using rate-limit mechanism can halt TMM | |
| 622735 | 3-Major | TCP Analytics statistics does not list all virtual servers | |
| 618944-1 | 3-Major | AVR statistic is not save during the upgrade process | |
| 601035 | 3-Major | TCP-Analytics can fail to collect all the activity |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 618506 | 2-Critical | TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual. | |
| 618324-1 | 2-Critical | Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor | |
| 592868-3 | 2-Critical | Rewrite may crash processing HTML tag with HTML entity in attribute value | |
| 591117-3 | 2-Critical | APM ACL construction may cause TMM to core if TMM is out of memory | |
| 569563-3 | 2-Critical | Sockets resource leak after loading complex policy | |
| 619250-1 | 3-Major | Returning to main menu from "RSS Feed" breaks ribbon | |
| 617187-1 | 3-Major | APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate | |
| 614891-2 | 3-Major | Routing table doesn't get updated when EDGE client roams among wireless networks | |
| 613613-2 | 3-Major | Incorrect handling of form that contains a tag with id=action | |
| 611922-1 | 3-Major | Policy sync fails with policy that includes custom CA Bundle. | |
| 611240-3 | 3-Major | Import of config with securid might fail | |
| 610224-3 | 3-Major | APM client may fetch expired certificate when a valid and an expired certificate co-exist | |
| 608941-1 | 3-Major | AAA RADIUS system authentication fails on IPv6 network | |
| 604767-1 | 3-Major | Importing SAML IdP's metadata on BIG-IP as SP may result in not complete configuration of IdP connector object. | |
| 601905-1 | 3-Major | POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server | |
| 600119-3 | 3-Major | DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions | |
| 598981-3 | 3-Major | K06913155 | APM ACL does not get enforced all the time under certain conditions |
| 598211-1 | 3-Major | Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode. | |
| 597431-2 | 3-Major | VPN establishment may fail when computer wakes up from sleep | |
| 596116-3 | 3-Major | LDAP Query does not resolve group membership, when required attribute(s) specified | |
| 595227-1 | 3-Major | SWG Custom Category: unable to have a URL in multiple custom categories | |
| 594288-1 | 3-Major | Access profile configured with SWG Transparent results in memory leak. | |
| 592414-4 | 3-Major | IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed | |
| 591840-1 | 3-Major | encryption_key in access config is NULL in whitelist | |
| 591590-1 | 3-Major | APM policy sync results are not persisted on target devices | |
| 591268-1 | 3-Major | VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions | |
| 590820-3 | 3-Major | Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser. | |
| 588888-3 | 3-Major | K80124134 | Empty URI rewriting is not done as required by browser. |
| 586718-1 | 3-Major | Session variable substitutions are logged | |
| 586006-1 | 3-Major | Failed to retrieve CRLDP list from client certificate if DirName type is present | |
| 585562-3 | 3-Major | VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari | |
| 583113-1 | 3-Major | NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event | |
| 582752-3 | 3-Major | Macrocall could be topologically not connected with the rest of policy.★ | |
| 582526-3 | 3-Major | Unable to display and edit huge policies (more than 4000 elements) | |
| 580893-2 | 3-Major | K08731969 | Support for Single FQDN usage with Citrix Storefront Integration mode |
| 573643-3 | 3-Major | flash.utils.Proxy functionality is not negotiated | |
| 572558-1 | 3-Major | Internet Explorer: incorrect handling of document.write() to closed document | |
| 569309-3 | 3-Major | Clientside HTML parser does not recognize HTML event attributes without value | |
| 562636-2 | 3-Major | K05489319 | Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases. |
| 525429-11 | 3-Major | DTLS renegotiation sequence number compatibility | |
| 455975-1 | 3-Major | Separate MIBS needed for tracking Access Sessions and Connectivity Sessions | |
| 389484-6 | 3-Major | OAM reporting Access Server down with JDK version 1.6.0_27 or later | |
| 386517-1 | 3-Major | Multidomain SSO requires a default pool be configured | |
| 238444-3 | 3-Major | K14219 | An L4 ACL has no effect when a layered virtual server is used. |
| 605627 | 4-Minor | Selinux denial seen for apmd when it is being shutdown. | |
| 584373-2 | 4-Minor | AD/LDAP resource group mapping table controls are not accessible sometimes | |
| 573611-1 | 4-Minor | Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs | |
| 557411-1 | 4-Minor | Full Webtop resources appear overlapping in IE11 compatibility mode |
Wan Optimization Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 619757-1 | 2-Critical | iSession causes routing entry to be prematurely freed |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 613297-3 | 2-Critical | Default generic message routing profile settings may core | |
| 612135-3 | 2-Critical | Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic | |
| 603397-2 | 2-Critical | tmm core on MRF when routing via MR::message route iRule command using a non-existant transport-config | |
| 596631-2 | 2-Critical | SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later | |
| 609575-5 | 3-Major | BIG-IP drops ACKs containing no max-forwards header | |
| 609328-3 | 3-Major | K53447441 | SIP Parser incorrectly parsers empty header |
| 607713-3 | 3-Major | SIP Parser fails header with multiple sequential separators inside quoted string. | |
| 603019-3 | 3-Major | Inserted SIP VIA branch parameter not unique between INVITE and ACK | |
| 599521-5 | 3-Major | Persistence entries not added if message is routed via an iRule | |
| 598854-3 | 3-Major | sipdb tool incorrectly displays persistence records without a pool name | |
| 598700-6 | 3-Major | MRF SIP Bidirectional Persistence does not work with multiple virtual servers | |
| 597835-3 | 3-Major | K12228503 | Branch parameter in inserted VIA header not consistent as per spec |
| 583010-4 | 3-Major | Sending a SIP invite with 'tel' URI fails with a reset | |
| 578564-4 | 3-Major | ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response | |
| 573075-4 | 3-Major | ADAPT recursive loop when handling successive iRule events | |
| 566576-6 | 3-Major | ICAP/OneConnect reuses connection while previous response is in progress | |
| 401815-1 | 3-Major | BIG-IP system may reset the egress IP ToS to zero when load balancing SIP traffic | |
| 585807-2 | 4-Minor | 'ICAP::method <method>' iRule is documented but is read-only | |
| 561500-4 | 4-Minor | ICAP Parsing improvement |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 612874-1 | 2-Critical | iRule with FLOW_INIT stage execution can cause TMM restart | |
| 609095-1 | 2-Critical | mcpd memory grows when updating firewall rules | |
| 622281-1 | 3-Major | Network DoS logging configuration change can cause TMM crash | |
| 614284-2 | 3-Major | Performance fix to not reset a data structure in the packet receive hotpath. | |
| 608566-1 | 3-Major | The reference count of NW dos log profile in tmm log is incorrect | |
| 605427-1 | 3-Major | TMM may crash when adding and removing virtual servers with security log profiles | |
| 594869-4 | 3-Major | AFM can log DoS attack against the internal mpi interface and not the actual interface | |
| 594075-2 | 3-Major | Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically | |
| 586070 | 3-Major | 'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings | |
| 585823-1 | 3-Major | FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode) |
Policy Enforcement Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 609005-2 | 1-Blocking | Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67). | |
| 611467-3 | 2-Critical | TMM coredump at dhcpv4_server_set_flow_key(). | |
| 608009-1 | 2-Critical | Crash: Tmm crashing when active system connections are deleted from cli | |
| 603825-2 | 2-Critical | Crash when a Gy update message is received by a debug TMM | |
| 593070-2 | 2-Critical | TMM may crash with multiple IP addresses per session | |
| 472860-5 | 2-Critical | RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented. | |
| 623491-2 | 3-Major | After receiving the first Gx response from the PCRF, the BWC action against a rule is lost. | |
| 622220-2 | 3-Major | Disruption during manipulation of PEM data with suspected flow irregularity | |
| 618657-4 | 3-Major | Bogus ICMP unreachable messages in PEM with ipother profile in use | |
| 617014-3 | 3-Major | tmm core using PEM | |
| 608742-2 | 3-Major | K48561135 | DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode. |
| 608591-1 | 3-Major | Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers | |
| 592070-5 | 3-Major | DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied | |
| 588456-3 | 3-Major | K60250444 | PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed). |
| 577863-5 | 3-Major | K56504204 | DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time |
Carrier-Grade NAT Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 606066-2 | 2-Critical | LSN_DELETE messages may be lost after HA failover | |
| 605525-1 | 2-Critical | Deterministic NAT combined with NAT64 may cause a TMM core | |
| 587106-1 | 2-Critical | Inbound connections are reset prematurely when zombie timeout is configured. | |
| 602171-1 | 3-Major | TMM may core when remote LSN operations time out |
Fraud Protection Services Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 617648 | 2-Critical | Surfing with IE8 sometimes results with script error | |
| 603234-3 | 2-Critical | Performance Improvements | |
| 597471 | 2-Critical | Some Alerts are sent with outdated username value | |
| 617688 | 3-Major | Encryption is not activated unless "real-time encryption" is selected | |
| 613671-2 | 3-Major | Error in the Console, when configured nonexistent parameter with Encryption and Obfuscation | |
| 610897-2 | 3-Major | FPS generated request failure throw "unspecified error" error in old IE. | |
| 609098-1 | 3-Major | Improve details of ajax failure | |
| 604885-1 | 3-Major | Redirect/Route action doesn't work if there is an alert logging iRule | |
| 601083-1 | 3-Major | FPS Globally Forbidden Words lists freeze in IE 11 | |
| 588058-3 | 3-Major | False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer | |
| 609114-1 | 4-Minor | Add the ability to control dropping of alerts by before-load-function | |
| 605125-2 | 4-Minor | Sometimes, passwords fields are readonly | |
| 592274-3 | 4-Minor | RAT-Detection alerts sent with incorrect duration details |
Anomaly Detection Services Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 588405-1 | 3-Major | BADOS - BIG-IP Self-protection during (D)DOS attack | |
| 608826-1 | 4-Minor | Greylist (bad actors list) is not cleaned when attack ends |
Traffic Classification Engine Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 624370-1 | 2-Critical | tmm crash during classification hitless upgrade if virtual server configuration is modified |
Device Management Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 621401 | 3-Major | When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load |
iApp Technology Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 615824-1 | 3-Major | REST API calls to invalid REST endpoint log level change |
Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 613127-3 | CVE-2016-5696 | K46514822 | Linux TCP Stack vulnerability CVE-2016-5696 |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 612564 | 1-Blocking | mysql does not start | |
| 618382-4 | 2-Critical | qkview may cause tmm to restart or may take 30 or more minutes to run | |
| 614766-1 | 3-Major | lsusb uses unknown ioctl and spams kernel logs | |
| 612952-1 | 3-Major | PSU FW revision not displayed correctly | |
| 611352 | 3-Major | K68092141 | Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms |
| 610307 | 3-Major | Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber | |
| 609325 | 3-Major | Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported | |
| 606807-1 | 3-Major | i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error | |
| 604459-1 | 3-Major | On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up | |
| 597309-2 | 3-Major | Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms | |
| 561444-1 | 3-Major | LCD might display incorrect output. | |
| 521270-1 | 3-Major | Hypervisor might replace vCMP guest SYN-Cookie secrets | |
| 434573-6 | 3-Major | K25051022 | Tmsh 'show sys hardware' displays Platform ID instead of platform name |
| 609677-1 | 4-Minor | Dossier warning 14 | |
| 607857-1 | 4-Minor | Some information displayed in "list net interface" will be stale for interfaces that change bundle state | |
| 607200-1 | 4-Minor | Switch interfaces may seem up after bcm56xxd goes down | |
| 602061 | 4-Minor | i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages | |
| 601309 | 4-Minor | Locator LED no longer persists across reboots | |
| 592716-1 | 4-Minor | BMC timezone value was not being synchronized by BIG-IP |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 597708-4 | 3-Major | Stats are unavailable and vCMP state and status are incorrect |
Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 598294-1 | CVE-2016-7472 | K17119920 | BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472 |
| 601938-2 | CVE-2016-7474 | K52180214 | MCPD stores certain data incorrectly |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 542097-4 | 2-Critical | Update to RHEL6 kernel | |
| 601927-1 | 4-Minor | K52180214 | Security hardening of control plane |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 602653-1 | 2-Critical | TMM may crash after updating bot-signatures | |
| 599769 | 2-Critical | TMM may crash when managing APM clients. | |
| 605682-2 | 3-Major | With forward proxy enabled, sometimes the client connection will not complete. | |
| 599054-2 | 3-Major | LTM policies may incorrectly use those of another virtual server |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 585120-1 | 2-Critical | Memory leak in bd under rare scenario |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 596674-2 | 2-Critical | High memory usage when using CS features with gzip HTML responses. | |
| 575170-2 | 2-Critical | Analytics reports may not identify virtual servers correctly | |
| 590074-1 | 3-Major | Wrong value for TCP connections closed measure |
Fraud Protection Services Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 603997 | 2-Critical | Plugin should not inject nonce to CSP header with unsafe-inline | |
| 594910-1 | 3-Major | FPS flags no cookie when length check fails | |
| 590608-1 | 3-Major | Alert is not redirected to alert server when unseal fails | |
| 590578-4 | 3-Major | False positive "URL error" alerts on URLs with GET parameters | |
| 593355 | 4-Minor | FPS may erroneously flag missing cookie | |
| 589318-1 | 4-Minor | Clicking 'Customize All' checkbox does not work. |
iApp Technology Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 603605-1 | 2-Critical | Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active | |
| 608373-2 | 3-Major | Some iApp LX packages will not be saved during upgrade or UCS save/restore |
Cumulative fixes from BIG-IP v12.1.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 596488-1 | CVE-2016-5118 | K82747025 | GraphicsMagick vulnerability CVE-2016-5118. |
| 579955-6 | CVE-2016-7475 | K01587042 | BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475 |
| 587077-1 | CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118 | K37603172 | Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118 |
| 579220-1 | CVE-2016-1950 | K91100352 | Mozilla NSS vulnerability CVE-2016-1950 |
| 570697-1 | CVE-2015-8138 | K71245322 | NTP vulnerability CVE-2015-8138 |
| 580340-1 | CVE-2016-2842 | K52349521 | OpenSSL vulnerability CVE-2016-2842 |
| 580313-1 | CVE-2016-0799 | K22334603 | OpenSSL vulnerability CVE-2016-0799 |
| 579829-7 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability CVE-2016-0702 |
| 579085-6 | CVE-2016-0797 | K40524634 | OpenSSL vulnerability CVE-2016-0797 |
| 578570-1 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability CVE-2016-0705 |
| 569355-1 | CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 | K50118123 | Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 |
| 565895-1 | CVE-2015-8389 CVE-2015-8388 CVE-2015-5073 CVE-2015-8395 CVE-2015-8393 CVE-2015-8390 CVE-2015-8387 CVE-2015-8391 CVE-2015-8383 CVE-2015-8392 CVE-2015-8386 CVE-2015-3217 CVE-2015-8381 CVE-2015-8380 CVE-2015-8384 CVE-2015-8394 CVE-2015-3210 | K17235 | Multiple PCRE Vulnerabilities |
| 570667-2 | CVE-2016-0701 CVE-2015-3197 | K64009378 | OpenSSL vulnerabilities |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 606509-4 | 2-Critical | Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover★ | |
| 595605 | 2-Critical | Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail★ | |
| 591119 | 2-Critical | OOM with session messaging may result in TMM crash | |
| 601076 | 3-Major | Fix watchdog event for accelerated compression request overflow | |
| 597303 | 3-Major | "tmsh create net trunk" may fail | |
| 595693 | 3-Major | Incorrect PVA indication on B4450 blade | |
| 591261 | 3-Major | BIG-IP VPR-B4450N shows "unknown" SNMP Object ID | |
| 590904-1 | 3-Major | New HA Pair created using serial cable failover only will remain Active/Active | |
| 589661 | 3-Major | PS2 power supply status incorrect after removal | |
| 588327 | 3-Major | Observe "err bcm56xxd' liked log from /var/log/ltm | |
| 587735 | 3-Major | False alarm on LCD indicating bad fan | |
| 587668 | 3-Major | LCD Checkmark button does not always bring up clearing prompt on VIPRION blades. | |
| 585332 | 3-Major | Virtual Edition network settings aren't pinned correctly on startup★ | |
| 584670 | 3-Major | Output of tmsh show sys crypto master-key | |
| 584661 | 3-Major | Last good master key | |
| 584655 | 3-Major | platform-migrate won't import password protected master-keys from a 10.2.4 UCS file | |
| 583177 | 3-Major | LCD text truncated by heartbeat icon on VIPRION | |
| 581945-2 | 3-Major | Device-group 'datasync-global-dg' becomes out-of-sync every hour | |
| 581811 | 3-Major | The blade alarm LED may not reflect the warning that non F5 optics is used. | |
| 579529 | 3-Major | Stats file descriptors kept open in spawned child processes | |
| 578064 | 3-Major | tmsh show sys hardwares show "unavailable" for hard disk manufacturer on B4400/B4450 blade | |
| 578036-1 | 3-Major | incorrect crontab can cause large number of email alerts | |
| 573584 | 3-Major | CPLD update success logs at the same error level as an update failure | |
| 563592 | 3-Major | Content diagnostics and LCD | |
| 559655 | 3-Major | Post RMA, system does not display correct platform name regardless of license | |
| 555039-4 | 3-Major | K24458124 | VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration |
| 539360 | 3-Major | Firmware update that includes might take over 15 minutes. Do not turn off device. | |
| 526708 | 3-Major | system_check shows fan=good on removed PSU of 4000 platform | |
| 433357 | 3-Major | Management NIC speed reported as 'none' | |
| 400778 | 3-Major | Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete | |
| 400550 | 3-Major | LCD listener error during shutdown | |
| 587780 | 4-Minor | warning: HSBe2 XLMAC initial recovery failed after 11 retries. | |
| 478986 | 4-Minor | Powered down DC PSU is treated as not-present | |
| 418009 | 5-Cosmetic | Hardware data display inaccuracies |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 603700 | 2-Critical | tmm core on multiple SSL::disable calls | |
| 598052-1 | 2-Critical | SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails | |
| 591139 | 2-Critical | TMM QAT segfault after zlib/QAT compression conflation. | |
| 585654 | 2-Critical | Enhanced implementation of AES in Common Criteria mode | |
| 579953 | 2-Critical | Updated the list of Common Criteria ciphersuites | |
| 584926-1 | 3-Major | Accelerated compression segfault when devices are all in error state. | |
| 566342 | 3-Major | Cannot set 10T-FD or 10T-HD on management port |
Performance Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 599803 | 1-Blocking | TMM accelerated compression incorrectly destroying in-flight contexts. | |
| 588879-2 | 2-Critical | apmd crash under rare conditions with LDAP |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 581824-2 | 3-Major | "Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link. |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 588049-1 | 2-Critical | Improve detection of browser capabilities | |
| 585352-2 | 2-Critical | bruteForce record selfLink gets corrupted by change to brute force settings in GUI | |
| 585054-1 | 2-Critical | BIG-IP imports delay violations incorrectly, causing wrong policy enforcement | |
| 583686-2 | 3-Major | High ASCII meta-characters can be disallowed on UTF-8 policy via XML import | |
| 581991-1 | 3-Major | Logging filter for remote loggers doesn't work correctly with more than one logging profile | |
| 521370-1 | 3-Major | Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8 | |
| 518201-4 | 3-Major | ASM policy creation fails with after upgrading |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 587419-1 | 3-Major | TMM may restart when SAML SLO is performed after APM session is closed | |
| 585442-2 | 3-Major | Provisioning APM to 'none' creates a core file |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 596809-1 | 3-Major | It is possible to create ssh rules with blank space for auth-info | |
| 593925-1 | 3-Major | ssh profile should not contain rules that begin and end with spaces (cannot be deleted) | |
| 593696-1 | 3-Major | Sync fails when deleting an ssh profile |
Carrier-Grade NAT Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 584921-1 | 2-Critical | Inbound connections fail to keep port block alive |
Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 600662-9 | CVE-2016-5745 | K64743453 | NAT64 vulnerability CVE-2016-5745 |
| 599168-7 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
| 598983-7 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
| 580596-1 | CVE-2013-0169 CVE-2016-6907 CVE-2019-6593 | K14190 K39508724 K10065173 | TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907 |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 604211-1 | 2-Critical | K72931250 | License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.★ |
| 600859-2 | 2-Critical | Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.★ | |
| 599033-5 | 2-Critical | Traffic directed to incorrect instance after network partition is resolved | |
| 595394-3 | 2-Critical | Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.★ | |
| 606110-2 | 3-Major | BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets. | |
| 596814-4 | 3-Major | HA Failover fails in certain valid AWS configurations | |
| 596603-2 | 3-Major | AWS: BIG-IP VE doesn't work with c4.8xlarge instance type. |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 600357-2 | 3-Major | bd crash when asm policy is removed from virtual during specific configuration change |
Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| 569467-5 | CVE-2016-2084 | K11772107 | BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084. |
| 591806-8 | CVE-2016-3714 | K03151140 | ImageMagick vulnerability CVE-2016-3714 |
| 591918-2 | CVE-2016-3718 | K61974123 | ImageMagick vulnerability CVE-2016-3718 |
| 591908-2 | CVE-2016-3717 | K29154575 | ImageMagick vulnerability CVE-2016-3717 |
| 591894-2 | CVE-2016-3715 | K10550253 | ImageMagick vulnerability CVE-2016-3715 |
| 591881-1 | CVE-2016-3716 | K25102203 | ImageMagick vulnerability CVE-2016-3716 |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 583631-2 | 1-Blocking | ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers. | |
| 590993 | 3-Major | Unable to load configs from /usr/libexec/aws/. | |
| 576478 | 3-Major | Enable support for the Purpose-Built DDoS Hybrid Defender Platform | |
| 544477 | 3-Major | New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support. |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 591039 | 2-Critical | DHCP lease is saved on the Custom AMI used for auto-scaling VE | |
| 590779 | 2-Critical | Rest API - log profile in json return does not include the partition but needs to | |
| 588140 | 2-Critical | Pool licensing fails in some KVM/OpenStack environments | |
| 587791-1 | 2-Critical | Set execute permission on /var/lib/waagent | |
| 565137 | 2-Critical | K12372003 | Pool licensing fails in some KVM/OpenStack environments. |
| 554713-2 | 2-Critical | Deployment failed: Failed submitting iControl REST transaction | |
| 592363 | 3-Major | Remove debug output during first boot of VE | |
| 592354 | 3-Major | Raw sockets are not enabled on Cloud platforms |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 592699-3 | 2-Critical | IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance | |
| 594302-1 | 3-Major | Connection hangs when processing large compressed responses from server | |
| 592854-1 | 3-Major | Protocol version set incorrectly on serverssl renegotiation | |
| 592682-1 | 3-Major | TCP: connections may stall or be dropped | |
| 531979-6 | 3-Major | SSL version in the record layer of ClientHello is not set to be the lowest supported version. |
Application Visibility and Reporting Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 582629-1 | 2-Critical | User Sessions lookups are not cleared, session stats show marked as invalid |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 590601-2 | 3-Major | BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed | |
| 590428-1 | 3-Major | The "ACCESS::session create" iRule command does not work | |
| 590345-1 | 3-Major | ACCESS policy running iRule event agent intermittently hangs | |
| 585905-1 | 3-Major | Citrix Storefront integration mode with pass-through authentication fails | |
| 581834-5 | 3-Major | Firefox signed plugin for VPN, Endpoint Check, etc |
Anomaly Detection Services Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 588399-1 | 3-Major | BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated | |
| 582374-1 | 3-Major | Multiple 'Loading state for virtual server' messages in admd.log | |
| 569121-1 | 3-Major | Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low | |
| 547053-1 | 4-Minor | Bad actor quarantining |
Traffic Classification Engine Fixes
| ID Number | Severity | Solution Article(s) | Description |
| 590795-1 | 2-Critical | tmm crash when loading default signatures or updating classification signature★ |
Cumulative fix details for BIG-IP v12.1.5.3 that are included in this release
981169-5 : F5 TMUI XSS vulnerability CVE-2021-22994
Solution Article: K66851119
975233-5 : Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992
Component: Application Security Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K52510511
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K52510511
Impact:
For more information, please see:
https://support.f5.com/csp/article/K52510511
Workaround:
None
Fix:
For more information, please see:
https://support.f5.com/csp/article/K52510511
973333-1 : TMM buffer-overflow vulnerability CVE-2021-22991
Solution Article: K56715231
955145-5 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
Solution Article: K03009991
954381-5 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
Solution Article: K03009991
953729-5 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990
Solution Article: K56142644
953677-5 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
Solution Article: K18132488
950077-5 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
Solution Article: K18132488
949861 : Wr_urldbd returns unknown results for customdb on some blades
Component: Traffic Classification Engine
Symptoms:
Some blades return 'Unknown' for newly added URLs in a custom database
Conditions:
This might occur under when feedlist updates are done quickly in a loop
Impact:
BIG-IP is unable to classify using url categories defined in the custom database.
Workaround:
Restart wr_urldbd
Fix:
Customdb classification now work as expected with the provided fix
949145-2 : Improve TCP's response to partial ACKs during loss recovery
Component: Local Traffic Manager
Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.
Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.
Impact:
The bursty retransmissions may lead to more data getting lost due to large amount of data being injected into the network.
Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.
Fix:
Partial ACK handling during loss recovery is improved.
948769-2 : TMM panic with SCTP traffic
Component: TMOS
Symptoms:
TMM panics and generates a core file. The panic message is "balanced nodes".
Conditions:
SCTP enabled virtual server
Impact:
Traffic interrupted while TMM restarts
Workaround:
Ensure that you have a route to the server's alternate address (like a default route since the remote server might not be under direct control) or
On versions earlier than 13.0 make sure that auto-lasthop is enabled for the virtual server (either via global, vlan or virtual setting)
Fix:
TMM now handles SCTP traffic properly
943125-5 : Web-Socket request with JSON payload causing core during the payload parsing
Component: Application Security Manager
Symptoms:
Any web-socket request with JSON payload may cause a core witihin the JSON parser, depending on the used machine memory distribution.
Conditions:
Depends on the memory distribution of the used machine.
Sending web-socket request with JSON payload to the backend server.
Impact:
BD crash while parsing the JSON payload.
Workaround:
N/A
Fix:
No crashes during JSON payload parsing.
941853-4 : Logging Profiles do not disassociate from virtual server when multiple changes are made
Component: Application Security Manager
Symptoms:
When multiple Logging Profiles profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.
Conditions:
Multiple Logging Profile changes are made in a single update.
Impact:
The previous Logging Profiles are not disassociated from the virtual server.
Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.
941089-5 : TMM core when using Multipath TCP
Component: Local Traffic Manager
Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic interrupted while TMM restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
940401-5 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'
Component: Fraud Protection Services
Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.
Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.
Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.
Workaround:
None.
Fix:
Section now reads 'Rooting Detection'.
939845-5 : Invalid MPTCP JOIN messages not immediately dropped
Component: Local Traffic Manager
Symptoms:
An invalid MPTCP JOIN message is not dropped immediately. Instead a RST will be sent to the originator after a few second timeout
Conditions:
A standard virtual server processing TCP traffic is configured
Impact:
A brief delay before the connection is closed may be noticed
Workaround:
None
Fix:
Invalid MPTCP messages are now dropped immediately
939841-5 : BIG-IP MPTCP vulnerability CVE-2021-23003
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K43470422
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K43470422
Impact:
For more information, please see:
https://support.f5.com/csp/article/K43470422
Workaround:
None
Fix:
For more information, please see:
https://support.f5.com/csp/article/K43470422
939529-5 : Branch parameter not parsed properly when topmost via header received with comma separated values
Component: Service Provider
Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This Via header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch header. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.
Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.
Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction. CANCEL is received and client sends a 481 error:
SIP/2.0 481 Call/Transaction Does Not Exist.
Workaround:
Use iRules to remove the topmost Via header and add new a new Via header that uses the same branch as INVITE and CANCEL while sending messages to SIP clients.
Fix:
The BIG-IP system now ensures the branch field inserted in the via header same for INVITE and CANCEL messages.
935401-6 : BIG-IP ASM iControl REST vulnerability CVE-2021-23001
Component: Application Security Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K06440657
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K06440657
Impact:
For more information, please see:
https://support.f5.com/csp/article/K06440657
Workaround:
None
Fix:
For more information, please see:
https://support.f5.com/csp/article/K06440657
933741-6 : Security hardening in FPS GUI
Solution Article: K63497634
933461-1 : BGP multi-path candidate selection does not work properly in all cases.
Component: TMOS
Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.
Conditions:
An inbound route-map exists that modifies a route's path selection attribute.
Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.
Workaround:
None.
932697 : BIG-IP TMM vulnerability CVE-2021-23000
Solution Article: K34441555
932065-5 : iControl REST framework exception handling hardening
Solution Article: K87502622
931837-4 : NTP has predictable timestamps
Component: TMOS
Symptoms:
No known symptoms.
Conditions:
Ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 are vulnerable.
Two main prerequisites for this to be exploited.
1. Having the BIG-IP act as an NTP server.
2. Sources for BIG-IP's time being unreliable/unauthenticated upstream NTP servers
Impact:
A high-performance ntpd instance that gets its time from unauthenticated IPv4 time sources may be vulnerable to an off-path attacker who can query time from the victim's ntpd instance. An attacker who can send a large number of packets with the spoofed IPv4 address of the upstream server can use this flaw to modify the victim's clock by a limited amount or cause ntpd to exit.
Workaround:
Redhat suggested the following mitigations:
1. Have enough trustworthy sources of time.
2. If you are serving time to a possibly hostile network, have your system get its time from other than unauthenticated IPv4 over the hostile network.
3. Use NTP packet authentication where appropriate.
4. Pay attention to error messages logged by ntpd.
5. Monitor your ntpd instances. If the pstats command of ntpq shows the value for "bogus origin" is increasing then that association is likely under attack.
6. If you must get unauthenticated time over IPv4 on a hostile network, Use restrict ... noserve to prevent this attack (note that this is a heavy-handed protection), which blocks time service to the specified network.
927617-5 : "Illegal Base64 value" violation is detected for cookie with valid base64 value
Component: Application Security Manager
Symptoms:
Request that should be passed to the backend server with cookie header which contain cookie valid value encoded to base64 is blocked.
Conditions:
A cookie name has to be defined in "Security ›› Application Security : Headers : Cookies List ›› New Cookie..." with enabled "Base64 Decoding".
Impact:
Blocking page, while the request should not be blocked.
Workaround:
Disable "Base64 Decoding" for the desired cookie.
Fix:
Requests with valid base64 encoding cookies should not get blocked by the enforcer.
921337-4 : ASM processes some web-sockets requests longer than usual
Solution Article: K88230177
918933-5 : Some ASM attack signatures do not match on cookies
Solution Article: K88162221
Component: Application Security Manager
Symptoms:
Some ASM attack signatures are not matching as expected on a cookie value.
Conditions:
Matching enabled for specific attack signatures.
Impact:
False negative. A signature does not match and an attack is getting through.
Workaround:
There is no valid workaround except creating custom signatures for cookies from all these signatures.
Fix:
Signatures now match on cookies as expected.
917509-6 : ASM processes some requests longer than usual
Solution Article: K58102101
915281-7 : Do not rearm TCP Keep Alive timer under certain conditions
Component: Local Traffic Manager
Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.
Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.
Impact:
Continuous rearming results in consuming CPU resources unnecessarily.
Workaround:
None.
Fix:
Rearming of TCP Keep Alive timer is improved.
913441-1 : Tmm cores while doing Hitless Upgrade while there are active flows
Component: Traffic Classification Engine
Symptoms:
Tmm cores.
Conditions:
Addition of new flows to existing lib while Hitless Upgrade is in progress.
Impact:
Tmm core while doing app detection for new flows. Traffic disrupted while tmm restarts.
Workaround:
Restrict addition of new flows if a Hitless Upgrade is in progress.
Fix:
New flows are no longer added to the classification engine to any of the library if the Hitless Upgrade process is in progress.
911761-6 : F5 TMUI XSS vulnerability CVE-2020-5948
Solution Article: K42696541
909237-2 : CVE-2020-8617: BIND Vulnerability
Solution Article: K05544642
909233-2 : DNS Hardening
Solution Article: K97810133
908673-1 : TMM may crash while processing DNS traffic
Solution Article: K43850230
905905-5 : TMUI CSRF vulnerability CVE-2020-5904
Solution Article: K31301245
904937-6 : Excessive resource consumption in zxfrd
Solution Article: K25595031
902417-1 : Configuration error caused by Drafts folder in a deleted custom partition★
Component: TMOS
Symptoms:
Error during config load due to custom partition associated Draft folder exists after deleting partition.
01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.
Conditions:
Create draft policy under custom partition
Impact:
Impacts the software upgrade.
Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.
898949-5 : APM may consume excessive resources while processing VPN traffic
Solution Article: K04518313
895993-6 : TMUI RCE vulnerability CVE-2020-5902
Solution Article: K52145254
895981-6 : TMUI RCE vulnerability CVE-2020-5902
Solution Article: K52145254
895881-5 : BIG-IP TMUI XSS vulnerability CVE-2020-5903
Solution Article: K43638305
895525-6 : TMUI RCE vulnerability CVE-2020-5902
Solution Article: K52145254
888497-6 : Cacheable HTTP Response
Component: TMOS
Symptoms:
JSESSIONID, BIGIPAUTHCOOKIE, BIGIPAUTH can be seen in the browser's debugging page.
Conditions:
-- Accessing the BIG-IP system using the GUI.
-- Viewing the browser's stored cache information.
Impact:
HTTPS session information is captured/seen in the browser's local cache, cookie.
Note: The BIG-IP system does not display and/or return sensitive data in the TMUI. Content that is marked appropriately as sensitive is never returned, so it is never cached. Data that is cached for TMUI in the client browser session is not considered secret.
Workaround:
Disable caching in browsers.
888493-6 : ASM GUI Hardening
Solution Article: K40843345
887089-6 : Upgrade can fail when filenames contain spaces
Component: TMOS
Symptoms:
Filenames with spaces in /config directory can cause upgrade/UCS load to fail because the im upgrade script that backs up the config, processes the lines in a file spec using white space characters. The number of spaces in the filename is significant because it determines how the process separates the name into various fields, including a path to the file, an md5sum, and some file properties (notably size). If the path contains white space, when the upgrade/UCS load process attempts to use a field, the operation encounters a value other than what it expects, so the upgrade/UCS load fails.
The file's content is also significant because that determines the md5sum value.
Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:
Not enough free disk space to install!
Conditions:
Filenames with spaces in /config directory.
Impact:
Upgrade or loading of UCS fails.
Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.
886085-7 : BIG-IP TMM vulnerability CVE-2020-5925
Solution Article: K45421311
883717-5 : BD crash on specific server cookie scenario
Solution Article: K37466356
883097-3 : Radius authentication may consume excessive resources
Solution Article: K11400411
882185-3 : BIG-IP Edge Client Windows ActiveX
Solution Article: K20346072
881445-3 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5898
Solution Article: K69154630
880361-5 : TMM may crash while processing iRules LX commands
Solution Article: K13323323
879745-7 : TMM may crash while processing Diameter traffic
Solution Article: K82530456
879413-5 : Statsd fails to start if one or more of its *.info files becomes corrupted
Component: Local Traffic Manager
Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd fails to load it and ends up restarting continuously. You see the following messages in /var/log/ltm:
-- err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'.
-- err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.
Conditions:
Corrupted *.info file in /var/rrd.
Impact:
Stats are no longer accurate.
Workaround:
It might take multiple attempts to repair the *.info files. You might have to run the following command several times for different .info files, where <filename> is the actual name of the file (e.g., 'throughput.info'):
found=0;while [ $found != 1 ]; do filetype=`file throughput.info | cut -d " " -f2`;if [[ $filetype != "ASCII" ]]; then rm -f <filename>.info; else grep CRC <filename>.info;found=1;fi; done
Fix:
The system now detects corrupt *.info files and deletes and recreates them.
879025-7 : When processing TLS traffic, LTM may not enforce certificate chain restrictions
Solution Article: K72752002
872673-5 : TMM can crash when processing SCTP traffic
Solution Article: K26464312
871657-4 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
Component: TMOS
Symptoms:
Mcpd restarts and produces a core file.
Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.
Impact:
Mcpd crash and restart results in high availability (HA) failover.
Workaround:
Use a lowercase 'a' or 's' as the flag value.
Fix:
Mcpd no longer crashes under these conditions. The flag value is always stored in lowercase regardless of the case used as input in the REST call or tmsh command, etc.
870273-1 : TMM may consume excessive resources when processing SSL traffic
Solution Article: K44020030
866021-5 : Diameter Mirror connection lost on the standby due to "process ingress error"
Component: Service Provider
Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.
Conditions:
This can happen when there is a large amount of mirror traffic, this includes the traffic processed by the active that requires mirroring and the high availability (HA) context synchronization such as persistence information, message state, etc.
Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.
Fix:
Diameter mirror connection no longer lost due to "process ingress error" when there is high mirror traffic.
860517-5 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
Component: TMOS
Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.
As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms). tmm crash
Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.
Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.
Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.
Fix:
The memory efficiency of MCPD has been improved. This allows very large BIG-IP configurations to be used successfully.
860477-7 : SCP hardening
Solution Article: K82518062
860005-5 : Ephemeral nodes/pool members may be created for wrong FQDN name
Component: Local Traffic Manager
Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.
Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.
The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.
Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.
Workaround:
It may be possible to mitigate this issue by one or more of the following actions:
-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.
-- Reducing the number of FQDN template nodes (FQDN names to be resolved).
-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.
859089-2 : TMSH allows SFTP utility access
Solution Article: K00091341
858301-5 : HTTP RFC compliance now checks that the authority matches between the URI and Host header
Solution Article: K27551003
Component: Local Traffic Manager
Symptoms:
It is possible to have an absolute URI with an authority different from that in the Host header. The HTTP profile by default does not verify that these are the same.
Conditions:
HTTP profile is enabled.
A request contains an absolute URI with an authority different from that in the Host header.
Impact:
HTTP requests with mismatched authority and Host headers are forwarded to back-end servers.
Workaround:
None.
Fix:
The HTTP RFC compliance option now rejects requests with an absolute URI that contains an authority different than that in the Host header.
HTTP PSM's "invalid host" option now checks that the authorities match between the URI and Host header.
858297-5 : HTTP requests with multiple Host headers are rejected if RFC compliance is enabled
Solution Article: K27551003
Component: Local Traffic Manager
Symptoms:
HTTP requests with multiple Host headers may confuse servers. The HTTP parser currently uses the last header of a given name in a header block, whereas other software may not. This miss-match in parsing may lead to a security hole.
Note that many servers reject such requests. Such servers are not vulnerable to this kind of attack.
Conditions:
HTTP profile enabled.
Multiple Host headers exist in a HTTP request.
Impact:
HTTP requests with multiple host headers may be forwarded to back-end servers.
Workaround:
None.
Fix:
If HTTP RFC compliance is enabled on the HTTP profile, then a request that has multiple Host headers will be rejected.
HTTP PSM can now be configured to reject multiple Host headers.
858229-1 : XML with sensitive data gets to the ICAP server
Solution Article: K22493037
Component: Application Security Manager
Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.
Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.
Impact:
Sensitive data will reach the ICAP server.
Workaround:
No immediate workaround except policy related changes
Fix:
An internal parameter, send_xml_sensitive_entities_to_icap was added. It's default is 1 as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.
Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.
When this is changed to 0 (using this command):
/usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.
858189-6 : Make restnoded/restjavad/icrd timeout configurable with sys db variables.
Component: Device Management
Symptoms:
When a large number of LTM objects are configured on BIG-IP, making updates via iControl REST can result in restjavad/restnoded/icrd errors.
Conditions:
Using iControl REST/iapp to update a data-group that contains a large number of records, e.g., 75,000 or more.
Impact:
REST operations can time out when they take too long, and it is not possible to increase the timeout.
Workaround:
None.
Fix:
ICRD/restjavad/restnoded timeouts are now configurable through sys db variables.
Behavior Change:
New Sys DB variables have been added to allow you to modify the timeout settings of restjavad, restnoded, and icrd:
restnoded.timeout
restjavad.timeout
icrd.timeout
The default value is 60 seconds for each of these.
A restart of restjavad and restnoded is required for the change to take effect.
tmsh restart /sys service restjavad
tmsh restart /sys service restnoded
858025-6 : Proactive Bot Defense does not validate redirected paths
Solution Article: K33440533
857669 : BIG-IP Edge Client may log sensitive data on Linux client
Solution Article: K33023560
854177-1 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
Component: Application Security Manager
Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.
Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.
Impact:
Latency is introduced to ASM handling.
Workaround:
Set the fast changing nodes to static updates every hour.
Fix:
ASM now correctly ignores pool member updates that do not affect remote logging.
852929-4 : AFM WebUI Hardening
Solution Article: K25160703
852445-6 : Big-IP : CVE-2019-6477 BIND Vulnerability
Solution Article: K15840535
851789-1 : SSL monitors flap with client certs with private key stored in FIPS
Component: Local Traffic Manager
Symptoms:
Bigd reporting 'overload' or 'overloaded' in /var/log/ltm.
SSL monitors flapping while the servers are available.
Conditions:
-- FIPS-enabled platform.
-- HTTPS monitors using client-cert authentication where the key is stored in FIPS HSM.
-- Large number of monitors or low interval.
Impact:
Periodic service interruption depending on which monitors are flapping. Reduced number of available servers.
Workaround:
-- Increase the interval on the monitors.
-- Switch the monitors to use software keys.
Fix:
Optimized FIPS API calls to improve performance of SSL monitors.
851045-5 : LTM database monitor may hang when monitored DB server goes down
Component: Local Traffic Manager
Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon) which causes an interruption in monitoring of other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.
Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).
Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads are processed to completion, and normal DB monitoring resumes.
Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.
850673-5 : BD sends bad ACKs to the bd_agent for configuration
Component: Application Security Manager
Symptoms:
-- The bd_agents stops sending the configuration in the middle of startup or a configuration change.
-- The policy may be incomplete in the bd causing incorrect enforcement actions.
Conditions:
This is a rarely occurring issue, and the exact conditions that trigger it are unknown.
Impact:
-- The bd_agent hangs or restarts, which may cause a complete ASM restart (and failover).
-- A partial policy may exist in bd causing improper enforcement.
Workaround:
-- Unassign and reassign the policy.
-- if unassign/reassign does not help, export and then reimport the policy.
Fix:
Fixed inconsistency scenario between bd and bd_agent.
848445-5 : Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★
Solution Article: K86285055
Component: Application Security Manager
Symptoms:
Global/URL/Flow Parameters with flag is_sensitive true are not masked in referrer and their value may be exposed in logs.
Conditions:
Global/URL/Flow Parameters with flag is_sensitive true are defined in the policy. In logs, the value of such parameter will be masked in QS, but will be exposed in the referrer.
Impact:
The parameter will not be masked in 'Referer' value header in logs, although it is masked in 'QS' string.
Workaround:
Can defined the parameters as global sensitive parameters.
Fix:
After the fix, such parameters will be treated like global sensitive parameters and will be covered also in the Referer
848405-7 : TMM may consume excessive resources while processing compressed HTTP traffic
Solution Article: K26244025
846917-6 : lodash Vulnerability: CVE-2019-10744
Solution Article: K47105354
842937-1 : TMM crash due to failed assertion 'valid node'
Component: Local Traffic Manager
Symptoms:
Under undetermined load pattern TMM may crash with message: Assertion 'valid node' fail.
Conditions:
This can occur while passing traffic with the Ram Cache profile enabled on a Virtual Server. Other conditions are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Refrain from using ramcache may mitigate the problem.
Fix:
Ramcache module stops handling messages after it is teared down, so it does not attempt to use data structures which have already been deinitialized.
842717-2 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5855
Solution Article: K55102004
842189-1 : Tunnels removed when going offline are not restored when going back online
Component: TMOS
Symptoms:
When a BIG-IP instance goes offline, any functioning tunnel is removed from the active configuration. Upon restoration to online operation, the tunnel is not automatically restored.
Conditions:
-- Configuration includes tunnels.
-- BIG-IP instance goes offline and then comes back online.
Impact:
Failure of tunnel packet traffic.
Workaround:
Manually recreate the tunnel after the BIG-IP instance has been brought back online.
Fix:
Tunnels removed when going offline are now restored when going back online.
841953-2 : A tunnel can be expired when going offline, causing tmm crash
Component: TMOS
Symptoms:
When the system transitions from active or next active (standby), e.g., to offline, the internal flow of a tunnel can be expired.
If the device returns to active or standby, and if the tunnel is modified, a double flow removal can cause a tmm crash.
Conditions:
-- System transitions from active or next active.
-- Tunnel is modified.
-- Device returns to active or next active mode.
Impact:
The tmm process restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The tmm process no longer crashes under these conditions.
841577-7 : iControl REST hardening
Solution Article: K20606443
841333-2 : TMM may crash when tunnel used after returning from offline
Component: TMOS
Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.
Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
839453-1 : lodash library vulnerability CVE-2019-10744
Solution Article: K47105354
838909-2 : BIG-IP APM Edge Client vulnerability CVE-2020-5893
Solution Article: K97733133
838881-6 : APM Portal Access Vulnerability: CVE-2020-5853
Solution Article: K73183618
837837-6 : F5 SSH server key size vulnerability CVE-2020-5917
Solution Article: K43404629
837773-5 : Restjavad Storage and Configuration Hardening
Solution Article: K12936322
836357-2 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
Component: Service Provider
Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.
Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- There is message sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by 'node <ip> <port>' and 'snat <ip> <port>' iRules command.
-- The destination flow is in the FIN-wait2 stage.
Impact:
This causes the BIG-IP system to abort the flow that originates the message.
Workaround:
None.
Fix:
SIP MBLB correctly initiates a new flow from a virtual IP to the client when an existing flow is in the FIN-wait2 stage.
833685-2 : Idle async handlers can remain loaded for a long time doing nothing
Component: Application Security Manager
Symptoms:
Idle async handlers can remain loaded for a long time doing nothing because they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.
Conditions:
This issue might result from several sets of conditions. Here is one:
Exporting a large XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.
Impact:
Depletion of memory by lingering idle async handlers may deprive other processes of sufficient memory, triggering out-of-memory conditions and process failures.
Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart asm_config_server periodically using cron, as idle handlers are soon created again.
Fix:
Idle async handlers now exit after 5 minutes of not receiving any new calls.
832885-6 : Self-IP hardening
Solution Article: K05975972
832757-2 : Linux kernel vulnerability CVE-2017-18551
Solution Article: K48073202
832205-2 : ASU cannot be completed after Signature Systems database corruption following binary Policy import
Component: Application Security Manager
Symptoms:
Signatures cannot be updated after signature systems have become corrupted in the configuration database, after a binary policy containing a user-defined Signature Set using an unknown System was imported.
Conditions:
Signature systems are corrupted in configuration database, because a binary policy containing a user-defined Signature Set using an unknown System was imported.
Impact:
Signatures cannot be updated.
Workaround:
Delete signature systems with an ID greater than 38, and re-add them by performing a signature update. You can delete these signature systems by running the following command:
mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "DELETE FROM PLC.NEGSIG_SYSTEMS WHERE system_group = ''"
831661-5 : ASMConfig Handler undergoes frequent restarts
Component: Application Security Manager
Symptoms:
Under some settings and load the RPC handler for the Policy Builder process restarts frequently, causing unnecessary churn and slower learning performance.
Conditions:
Configure one or more policies with automatic policy building enabled and learn traffic with violations
Impact:
Control Plane instability and poor learning performance on the device.
Fix:
The Policy Builder handler is now restored to a more robust process lifecycle.
831325-4 : HTTP PSM detects more issues with Transfer-Encoding headers
Solution Article: K10701310
Component: Local Traffic Manager
Symptoms:
HTTP PSM may not detect some invalid Transfer-Encoding headers.
Conditions:
HTTP PSM is used to detect HTTP RFC violations. A request with an invalid Transfer-Encoding header is sent.
Impact:
Traffic is not alarmed/blocked as expected.
Workaround:
None.
Fix:
HTTP PSM detects new cases of invalid Transfer-Encoding headers.
831293-1 : SNMP address-related GET requests slow to respond.
Component: TMOS
Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.
Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.
Impact:
Slow performance.
Workaround:
None.
830401-6 : TMM may crash while processing TCP traffic with iRules
Solution Article: K54200228
829121-6 : State mirroring default does not require TLS
Solution Article: K65720640
829117-6 : State mirroring default does not require TLS
Solution Article: K17663061
826601-2 : Prevent receive window shrinkage for looped flows that use a SYN cookie
Component: Local Traffic Manager
Symptoms:
TMM cores.
Conditions:
-- VIP to VIP (looped flow) configuration.
-- SYN cookie is used.
-- Initial receive window is greater than 3.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
-- Set the initial receive window value of the VIP to 3.
Fix:
Receive window shrinkage is prevented for looped flows using SYN cookies.
825049-2 : Windows code signing certificate update 2019
Component: Access Policy Manager
Symptoms:
The certificate for APM Edge Client (v7.1.8.1) expires on 12 Dec. 2019
Conditions:
Code signing certificate expired on December 11,2019.
Impact:
Certificate is expired.
Fix:
Update APM client with the certificate attributes and use the new code singing certificate.
823893-5 : Qkview may fail to completely sanitize LDAP bind credentials
Solution Article: K03318649
822025-5 : HTTP response not forwarded to client during an early response
Component: Local Traffic Manager
Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.
Conditions:
-- A slow client.
-- early server response with the HTTP::respond iRule.
Impact:
A client does not receive the redirect from the HTTP::respond iRule.
Workaround:
None.
Fix:
The client now receives the redirect from the HTTP:respond iRule.
819397-4 : TMM does not enforce RFC compliance when processing HTTP traffic
Solution Article: K50375550
Component: Local Traffic Manager
Symptoms:
TMM does not require RFC compliance when processing HTTP traffic. This does not impact the performance or security of BIG-IP systems, but may impact connected systems if they expect only compliant traffic to be forwarded.
Conditions:
-- HTTP virtual server
-- Non-compliant HTTP request from client
Impact:
Pool members may be exposed to non-compliant HTTP requests.
Workaround:
None.
Fix:
The HTTP filter now optionally performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.
Behavior Change:
A new BigDB variable has been added.
The new 'Tmm.HTTP.RFC.Enforcement' option may be enabled or disabled. It is disabled by default.
If enabled, the HTTP filter performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.
The checks performed are a subset of those described within the HTTP PSM module. If a blocking page is required, or more detailed control over which checks are performed, configure HTTP PSM or ASM on the virtual server.
If either HTTP PSM or ASM are configured on a virtual server, the state of the 'Tmm.HTTP.RFC.Enforcement' BigDB variable is ignored on that virtual server.
819197-7 : BIGIP: CVE-2019-13135 ImageMagick vulnerability
Solution Article: K20336394
819189-6 : BIGIP: CVE-2019-13136 ImageMagick vulnerability
Solution Article: K03512441
818709-5 : TMSH does not follow current best practices
Solution Article: K36814487
818429-1 : TMM may crash while processing HTTP traffic
Solution Article: K70275209
818177-7 : CVE-2019-12295 Wireshark Vulnerability
Solution Article: K06725231
816529 : If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart.
Component: Traffic Classification Engine
Symptoms:
URLCAT lookups to Custom DB return Unknown result.
Conditions:
-- URL is being looked up against Custom DB
-- wr_urldbd is restarted at the same time
Impact:
Queries will likely fail in highly loaded environments if wr_urldbd is restarted for any reason.
Workaround:
None.
Fix:
Wr_urldbd restores connection to Custom DB after restart.
815877-5 : Information Elements with zero-length value are rejected by the GTP parser
Component: Service Provider
Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.
Conditions:
Virtual server with GTP profile enabled processing GTP traffic.
Impact:
Well-formed GTP messages might get rejected.
Workaround:
Avoid sending GTP messages containing zero-length IEs.
Fix:
Zero-length IEs are now processed correctly.
814761-4 : PostgreSQL monitor fails on second ping with count != 1
Component: Local Traffic Manager
Symptoms:
When using one of the DB monitors (Oracle, MSSQL, MySQL, PostgreSQL) to monitor the health of a server, the pool member may initially be marked UP, but then will be marked DOWN on the next and all subsequent pings.
When this occurs, an error message similar to the following appears in the monitor-instance log under /var/log/monitors:
Database down, see /var/log/DBDaemon.log for details.
Exception in thread "DBPinger-##" java.lang.AbstractMethodError: org.postgresql.jdbc3.Jdbc3Connection.isValid(I)Z
at com.f5.eav.DB_Pinger.db_Connect(DBDaemon.java:1474)
at com.f5.eav.DB_Pinger.db_Ping(DBDaemon.java:1428)
at com.f5.eav.MonitorWorker.run(DBDaemon.java:772)
at java.lang.Thread.run(Thread.java:748)
Conditions:
This may occur if all of the following conditions are true:
1. You are using a DB monitor (Oracle, MSSQL, MySQL, PostgreSQL) configured with a 'count' value of either '0' or a value of '2' or higher.
2. You are using a version of BIG-IP (including an Engineering Hotfix) which contains the fix for ID 775901.
Impact:
Unable to monitor the health of postgresql server pool members accurately.
Workaround:
To work around this issue, configure a 'count' value of '1' in the postgresql monitor configuration.
Fix:
The DB monitor reports the health of a DB server pool member accurately in conjunction with the fix for ID 775901.
814585-6 : PPTP profile option not available when creating or modifying virtual servers in GUI
Component: TMOS
Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.
Conditions:
Creating or modifying a virtual server in the GUI.
Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.
Workaround:
Use TMSH to add a PPTP profile to the virtual server.
812981-1 : MCPD: memory leak on standby BIG-IP device
Component: TMOS
Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.
Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically
Impact:
MCPD may take a lot of memory on the standby device. Normal functionality of standby device may be stopped; reboot of the device is required.
Fix:
MCPD on standby BIG-IP device does not take more memory than the same daemon on active BIG-IP device.
811789-5 : Device trust UI hardening
Solution Article: K57214921
811109 : TMM RAM Cache Vulnerability: CVE-2020-5861
Solution Article: K22113131
810957-6 : Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core
Component: TMOS
Symptoms:
When using dynamic routing, changing a virtual server's address from IPv6 to IPv4 can cause tmrouted to core.
Conditions:
-- Using dynamic routing.
-- Changing a virtual server's destination address from IPv6 to IPv4.
-- The virtual server's state changes.
Impact:
Tmrouted cores and restarts, which causes a temporary interruption of dynamic routing services.
Workaround:
Use TMSH to modify both the destination address and the netmask at the same time, e.g.:
tmsh modify ltm virtual <virtual server name> destination <destination address> mask <netmask>
Fix:
Now preventing tmrouted from coring when a virtual server's address is changed from IPv6 to IPv4.
810557-5 : ASM ConfigSync Hardening
Solution Article: K05123525
809205-2 : CVE-2019-3855: libssh2 Vulnerability
Component: TMOS
Symptoms:
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server.
Conditions:
-- Authenticated administrative user with Advanced Shell Access.
-- Use of cURL from the command line to connect to a compromised SSH server.
Impact:
A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.
Workaround:
None.
Fix:
libcurl updated
809165-5 : TMM may crash will processing connector traffic
Solution Article: K50046200
809125-4 : CSRF false positive
Component: Application Security Manager
Symptoms:
A CSRF false-positive violation.
Conditions:
CSRF enforcing security policy.
This is a very rare scenario, but it happens due to a specific parameter in the request, so the false-positive might repeat itself many times for the same configuration.
Impact:
False-positive Blocking / Violation
Workaround:
If this happens change the csrf parameter and restart the asm daemon:
1. Change the csrf parameter name internal parameter:
/usr/share/ts/bin/add_del_internal add csrf_token_name <string different than csrt>
2. Restart the asm daemon:
restart asm
808409-2 : Unable to specify if giaddr will be modified in DHCP relay chain
Component: Local Traffic Manager
Symptoms:
ID746077 changed the dhcprelay behavior in order to comply with RFC 1542 Clarifications and Extensions for BOOTP.
However, as the change also encompasses the DHCP-to-DHCP relay scope, the behavior cannot be configurable with a db key.
Conditions:
DHCP Relay deployments where the giaddr needs to be changed.
Impact:
You are unable to specify whether giaddr will be changed.
Workaround:
None.
Fix:
A new sys db tmm.dhcp.relay.giaddr.overwrite is introduced
The default is :
sys db tmm.dhcp.relay.giaddr.overwrite {
value "enable"
}
On versions with a fix to 746077, the sys db DOES NOT exist and BIG-IP will always retain the source IP
On versions with both this fix and ID748333 fix, this fix overrides the fix for 746077. To change the default, set to "disable" to retain
807821-1 : ICMP echo requests occasionally go unanswered
Component: Local Traffic Manager
Symptoms:
ARP entry get stuck at state NEXTHOP_INCOMPLETE for several seconds.
Conditions:
-- There is no ARP entry for the return-route router.
-- The 'remote' BIG-IP system receives ICMP echo request.
Impact:
Possible traffic failures.
Workaround:
None.
Fix:
ICMP echo replies are always sent for a valid ICMP echo request.
807477-4 : ConfigSync Hardening
Solution Article: K04280042
807005-6 : Save-on-auto-sync is not working as expected with large configuration objects
Component: TMOS
Symptoms:
In device group has enabled 'save sys config' for all auto-sync operations using the following command:
modify cm device-group name save-on-auto-sync true
Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.
Conditions:
-- The save-on-auto-sync option is enabled.
-- Device has large configuration, such as 2,100 virtual servers and ~1100 partitions
Impact:
Configuration is not saved, which leads to out-of-sync condition.
Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.
805837-5 : REST does not follow current design best practices
Solution Article: K22441651
805557-5 : TMM may crash while processing crypto data
Solution Article: K43815022
805017-4 : DB monitor marks pool member down if no send/recv strings are configured
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle or PostgreSQL database monitor type) is configured without a 'send' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- AnLTM pool or pool members are configured to us an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- No send string is configured for the monitor.
Impact:
With this configuration, the monitor connects to the configured database, but does not issue a query or check for a specific response. Pool members are always marked DOWN when using a database monitor with no 'send' string configured.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
803233-5 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
Component: Local Traffic Manager
Symptoms:
Intermittently (depending the timing of operations that keep MCP busy):
1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:
-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.
2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:
-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.
Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.
Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool member to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.
Workaround:
None.
801637-2 : Cmp_dest on C2200 platform may give incorrect results
Component: TMOS
Symptoms:
Cmp_dest on C2200 platform may give incorrect results.
Conditions:
Run cmp_dest.
Impact:
Incorrect results from cmp_dest.
Fix:
Cmp_dest now gives correct results.
800185-1 : Saving a large encrypted UCS archive may fail and might trigger failover
Component: TMOS
Symptoms:
-- When saving a very large encrypted UCS file, you may encounter an error:
# tmsh save /sys ucs my_ucs passphrase <mysecret>
Saving active configuration...
Can't fork at /usr/local/bin/im line 305.
/var/tmp/configsync.spec: Error creating package
-- If saving UCS is automated you may find related errors in /var/log/audit:
err scriptd[45342]: 014f0013:3: Script (/Common/f5.automated_backup__backup) generated this Tcl error: (script did not successfully complete: (UCS saving process failed. while executing "tmsh::save /sys ucs $fname ))
-- Other services might be restarted due to lack of memory, which might result in failover.
--System management via config utility or command line may be sluggish while UCS saves.
Conditions:
-- Large encrypted UCS files and low free host memory.
-- UCS file sizes in hundreds of MB are much more likely to encounter this issue, along with free memory less than 1 GB.
Impact:
The operation uses at least 1.3 times the UCS file size of RAM. The UCS may not get saved correctly, and if not enough memory is available, low free-memory symptoms become apparent.
The latter may result in services being killed to free memory, resulting in service impact and failover, though it is quite typical for the overly large process saving the UCS to be terminated with no other impact.
Workaround:
A mitigation is to minimise UCS file size. UCS files large enough to encounter this issue typically contain very large files, some of which may not be needed or are no longer necessary.
Remove unnecessary large files from directories that contribute to UCS archives, for example, stray, large files such as packet captures in /config or its subdirectories. (For help understanding what is in UCS archives, see K12278: Removing non-essential files from a UCS when disk space errors are encountered :: https://support.f5.com/csp/article/K12278.)
If using APM, remove unnecessary EPSEC ISO files. (For more information, see K21175584: Removing unnecessary OPSWAT EPSEC packages from the BIG-IP APM system :: https://support.f5.com/csp/article/K21175584.
Fix:
Saving a large UCS file no longer fails.
799617-5 : ConfigSync Hardening
Solution Article: K05123525
799589-5 : ConfigSync Hardening
Solution Article: K05123525
797885-5 : ConfigSync Hardening
Solution Article: K05123525
796993-2 : Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
Component: Local Traffic Manager
Symptoms:
When a pool contains FQDN nodes as pool members, pool member state changes messages are not logged in /var/log/ltm.
Conditions:
-- Create a pool with fqdn node as it pool members
-- Apply monitor to it
-- Monitor marks the pool member up/down based on reachability
Impact:
-- Status message is not updated in /var/log/ltm logs.
-- There is no functional impact.
796469-1 : ConfigSync Hardening
Solution Article: K05123525
795797-5 : AFM WebUI Hardening
Solution Article: K21121741
795649-1 : Loading UCS from one iSeries model to another causes FPGA to fail to load
Component: TMOS
Symptoms:
When loading a UCS file from one iSeries model to a different iSeries model, the FPGA fails to load due to a symlink in the UCS file pointing to the firmware version for the source device.
The system will remain in INOPERATIVE state, and messages similar to the following will be seen repeatedly in /var/log/ltm:
-- emerg chmand[7806]: 012a0000:0: FPGA firmware mismatch - auto update, No Interruption!
-- emerg chmand[7806]: 012a0000:0: No HSBe2_v4 PCIs found yet. possible restart to recover Dataplane.
-- emerg chmand[7806]: 012a0000:0: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
-- err chmand[7806]: 012a0003:3: HAL exception publishing switch config: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
Conditions:
Loading a UCS from one iSeries model onto another model, for example, from an i7800 onto an i11400-ds, or from an i2600 to an i5600.
Impact:
FPGA fails to load; the BIG-IP system becomes unusable.
Workaround:
1. Update the symbolic link /config/firmware/hsb/current_version to point to the correct firmware file for the hardware model in use. Here are some examples:
-- For the i2800:
# ln -sf /usr/firmware/hsbe2v4_atlantis/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
-- For the i7800:
# ln -sf /usr/firmware/hsbe2v2_discovery/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
-- For the i11400-ds:
# ln -sf /usr/firmware/hsbe2_discovery_turbo/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
2. Reboot the system
795437-1 : Improve handling of TCP traffic for iRules
Solution Article: K06747393
795197-4 : Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Solution Article: K26618426
794501-5 : Duplicate if_indexes and OIDs between interfaces and tunnels
Component: TMOS
Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.
Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.
Impact:
SNMP OIDs relating to interfaces may yield incomplete results.
Duplicate if_indexes and duplicate OIDs. SNMP logs error messages:
# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
if-index 64 <-------------------------------
net interface mgmt {
if-index 32
net vlan external {
if-index 96
net vlan internal {
if-index 112
net vlan test {
if-index 128
net vlan tmm_bp {
if-index 48
net tunnels tunnel http-tunnel {
if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
if-index 80
# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm
-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: high availability (HA) daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: high availability (HA) daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: high availability (HA) proc_running named enabled.
=========================
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289
Workaround:
No workaround currently known.
Fix:
Duplicate if_indexes are no longer assigned to tunnels and interfaces. The resulting duplicate SNMP OIDs are prevented.
794413-5 : BIND vulnerability CVE-2019-6471
Solution Article: K10092301
794389-5 : iControl REST endpoint response inconsistency
Solution Article: K89509323
793149-1 : Adding the Strict-transport-Policy header to internal responses
Component: Application Security Manager
Symptoms:
Some applications requires the Strict-transport-Policy header to appear in all responses. BIG-IP internal responses do not add this header.
Conditions:
- ASM is provisioned with CAPTCHA/CSI challenge enabled
or
- DoS is provisioned with CAPTCHA/CSI enabled
or
- Bot Defense is provisioned with CAPTCHA mitigation/Browser JS verification/Device ID collection is enabled.
Impact:
Responses arrives to the browser without the Strict-transport-Policy header.
Workaround:
Create an iRule to add the header to the response.
Fix:
Adding a BigDB parameter (asm.strict_transport_policy) which allows to add the header to all internal responses. Default is disabled.
789893-5 : SCP file transfer hardening
Solution Article: K54336216
788773-5 : HTTP/2 Vulnerability: CVE-2019-9515
Solution Article: K50233772
788769-5 : HTTP/2 Vulnerability: CVE-2019-9514
Solution Article: K01988340
788577-2 : BFD sessions may be reset after CMP state change
Component: TMOS
Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.
This happens in the following instances:
- Blade reset.
- Booting up or shutting down.
- Running 'bigstart restart'.
- Setting a blade state from/to primary/secondary.
During these events, Bidirectional Forwarding Detection (BFD) session processing ownership might be migrating from old, processing TMMs to new, selected TMMs. This process is rapid and could lead to contest between several TMMs over who should be the next BFD processing owner.
It might also lead to a situation where the BFD session is deleted and immediately recreated.
This problem occurs rarely and only on a chassis with more than one blade.
Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- CMP state change is occurred on one of the blades.
-- BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change and the contest between the old TMM owner and the new TMM owner occurs.
Impact:
When the BFD session is recreated, it marks corresponding routing protocol DOWN if it's configured. The protocol might be BGP, OSPF, or any other routing protocols that support BFD.
This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decision are from networks learnt by affected routing protocols when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.
Workaround:
There are two workarounds, although the latter is probably impractical:
-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.
Fix:
BFD session is no longer reset during CMP state change.
788513-5 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
Component: Service Provider
Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:
warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]
This appears to be benign, as the configuration loads successfully, and the script works as expected.
Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name
Instead of:
RADIUS::avp replace USER-NAME "static value"
Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.
Workaround:
This warning is benign, as the configuration loads successfully, and script works as expected.
788325-5 : Header continuation rule is applied to request/response line
Solution Article: K39794285
Component: Local Traffic Manager
Symptoms:
When a browser communicates with a server over HTTP, it can split a long header into several lines, prepending continuation lines with leading whitespace symbols. This rule does not apply to request or response line, so having leading whitespace in a first header line is invalid. The BIG-IP system parses such line a header with empty value.
Conditions:
A virtual server is configured on the BIG-IP system with HTTP profile.
Impact:
The BIG-IP system can hide some important HTTP headers either passing those to the pool member or failing to properly handle the request (or response) or failing to correctly load balance a connection (or request in case of OneConnect profile).
Workaround:
None.
Fix:
Now, when the BIG-IP system receives an invalid request or response with leading whitespace in first header line, it properly parses the header and handles it correctly.
788301-2 : SNMPv3 Hardening
Solution Article: K58243048
Component: TMOS
Symptoms:
SNMPv3 agents do not follow current best practices.
Conditions:
SNMPv3 agents enabled.
Impact:
SNMPv3 agents do not follow current best practices.
Fix:
SNMPv3 features now follow current best practices.
788057-6 : MCPD may crash while processing syncookies
Solution Article: K00103216
787825-4 : Database monitors debug logs have plaintext password printed in the log file
Solution Article: K58243048
Component: Local Traffic Manager
Symptoms:
When monitor instance is in "debug" logging enabled mode for certain monitor types, the resulting monitor instance logs may contain sensitive details like password
Conditions:
When debug mode is enabled for following monitoring types
1. mssql
2. mysql
3. oracle
4. postgresql
Impact:
The user-account password configured in the health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors/.
Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected monitor types. 2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes , remove the resulting log files from the BIG-IP system after troubleshooting is completed.
Fix:
The password filed for monitor will now be redacted by external monitors when monitor debugging is enabled.
785481-5 : A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached
Component: Local Traffic Manager
Symptoms:
Setting the DB variable tm.rejectunmatched to 'false' causes the BIG-IP system to not send RSTs when there is a match but the connection is rejected due to connection limits.
Conditions:
- tm.rejectunmatched is set to 'false'.
- A packet is matching a BIG-IP object.
- The packet is to be rejected because of connection limits.
Impact:
Reset packets are not sent back to clients when they should be.
Workaround:
None.
Fix:
Packets that match a BIG-IP object but fail due to connection limits will now be rejected with an RST.
785009-1 : Binary policy import fails with a user-defined Signature Set containing only non-existent signatures
Component: Application Security Manager
Symptoms:
Binary policy import fails if the policy contains a user-defined Signature Set which contains only non-existent Signatures (such as user-defined Signatures).
The error in the GUI:
Failed to insert to PLC.PL_POLICY_NEGSIG_SETS (DBD::mysql::db do failed: Cannot add or update a child row: a foreign key constraint fails (`PLC`.`PL_POLICY_NEGSIG_SETS`, CONSTRAINT `PL_POLICY_NEGSIG_SETS_ibfk_2` FOREIGN KEY (`set_id`) REFERENCES `NEGSIG_SETS` (`set_id`) ON DELETE CASCADE) at /usr/local/share/perl5/F5/BatchInsert.pm line 223.
)
The error in /var/log/asm:
crit g_server_rpc_handler_async.pl[26870]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Failed to insert to PLC.PL_POLICY_NEGSIG_SETS (DBD::mysql::db do failed: Cannot add or update a child row: a foreign key constraint fails (`PLC`.`PL_POLICY_NEGSIG_SETS`, CONSTRAINT `PL_POLICY_NEGSIG_SETS_ibfk_2` FOREIGN KEY (`set_id`) REFERENCES `NEGSIG_SETS` (`set_id`) ON DELETE CASCADE) at /usr/local/share/perl5/F5/BatchInsert.pm line 223.
Conditions:
A binary policy file contains a user-defined Signature Set which contains only signatures that don't exist on the target device (such as user-defined Signatures).
Impact:
Policy import fails.
Workaround:
You can use either of the following Workarounds:
-- Re-export the policy as XML.
-- Create the missing user-defined Signatures.
Fix:
Binary policy import succeeds even with empty user-defined Signature Sets.
784565-5 : VLAN groups are incompatible with fast-forwarded flows
Component: Local Traffic Manager
Symptoms:
Traffic flowing through VLAN groups may get fast-forwarded to another TMM, which might cause that connection to be reset with reason 'Unable to select local port'.
Conditions:
-- Using VLAN groups.
-- Flows are fast-forwarded to other TMMs.
Impact:
Some connections may fail.
Workaround:
None.
Fix:
The system now prevents flows on VLAN groups from being fast-forwarded to other TMMs.
783505-1 : ASU is very slow on device with hundreds of policies due to table checksums
Component: Application Security Manager
Symptoms:
ASU is very slow on devices with hundreds of policies due to table checksums.
Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- 'DoTableChecksums' is set to 1.
Impact:
The ASU process takes hours to complete.
Workaround:
In the configuration file /etc/ts/dcc/prepare_policy.cfg, set 'DoTableChecksums' to 0.
783113-2 : BGP sessions remain down upon new primary slot election
Component: TMOS
Symptoms:
BGP flapping after new primary slot election.
Conditions:
--- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)
-- After a primary blade reset/reboot, the BFD session should be processed by the same tmm on the same blade, which was secondary before the primary blade reset/reboot.
-- The BFD session creation should happens approximately in 30 seconds after the reset/reboot.
Impact:
BGP goes down. BGP flaps cause route-dampening to kick-in on the BGP neighbors.
Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
bigstart restart tmrouted
Fix:
BFD no longer remains DOWN after a blade reset/reboot. There is a convergence period caused by blade changes(blade reset/reboot, new blade installed, blade comes up), which may take a few moments, but after that BFD sessions show correct status.
782529-5 : iRules does not follow current design best practices
Solution Article: K30215839
781377-3 : tmrouted may crash while processing Multicast Forwarding Cache messages
Solution Article: K93417064
781225-4 : HTTP profile Response Size stats incorrect for keep-alive connections
Component: Local Traffic Manager
Symptoms:
The HTTP profile Response Size static is incorrectly updated per-response using the cumulative number of response bytes seen for the lifetime of the connection, rather than the bytes seen per-response.
Conditions:
-- HTTP profile configured
-- HTTP connection reused for multiple requests/responses
Impact:
The HTTP profile Response Size statistics may be incorrectly reported and do not correlate to actual traffic seen.
Workaround:
None.
Fix:
The HTTP Response Size statistics are correctly updated using per-response values.
780817-3 : TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
Component: TMOS
Symptoms:
TMM crashes and produces a core file. TMM logs show the crash was of type SIGFPE, with the following panic message:
notice panic: ../base/vcmp.c:608: Assertion "guest has vlan ref" failed.
Conditions:
-- The vCMP host is a platform with more than one tmm process per blade or appliance.
+ VIPRION B4300, B4340, and B44xx blades.
+ BIG-IP iSeries i15x00 platforms
-- A VLAN is assigned to a vCMP guest.
-- The TAG of the VLAN is modified.
-- The VLAN is removed from the vCMP guest.
Impact:
While TMM crashes and restarts on the host, traffic is disrupted on all the guests running on that system.
Guests part of a redundant pair may fail over.
Workaround:
None.
Fix:
TMM no longer crashes on certain vCMP hosts after modifications to VLANs and guests.
780601-5 : SCP file transfer hardening
Solution Article: K03585731
779177-5 : Apmd logs "client-session-id" when access-policy debug log level is enabled
Solution Article: K37890841
778077-2 : Virtual to virtual chain can cause TMM to crash
Solution Article: K53183580
777261-1 : When SNMP cannot locate a file it logs messages repeatedly
Component: TMOS
Symptoms:
When the SNMP daemon experiences an error when it attempts to statfs a file then it logs an error message. If the file is not present then this error is repeatedly logged and can fill up the log file.
Conditions:
When an SNMP request causes the daemon to query a file on disk it is possible that a system error occurs. If the file is not present then the error is logged repeatedly.
Impact:
This can fill up the log with errors.
Fix:
The SNMP daemon has been fixed to log this error once.
774301-1 : Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList
Component: Access Policy Manager
Symptoms:
When the BIG-IP system is configured as SAML IdP or SAML SP processes SAML Requests/Responses, the verification of digital signature fails in certain cases:
err apmd[19684]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 5321 Msg: ERROR: verifying the digest of SAML Response
Conditions:
-- BIG-IP system is configured as SAML IdP or SAML SP.
-- SAML sends the "ArtifactResponse" message with both "ArtifactResponse" and "Assertion" signed.
-- This is also applicable to any SAML requests/responses that are signed:
a) SAML Authentication Request
b) SAML Assertion
c) SAML Artifact Response
e) SAML SLO Request/Response
Impact:
Output does not match the 'Canonicalized element without Signature' calculated by APM. BIG-IP SAML IdP or SAM SP fails to process SAML Requests/Responses resulting in errors. Cannot deploy APM as SAML SP with Assertion Artifact binding.
Workaround:
None.
Fix:
Output now matches the Canonicalized element without Signature' calculated by APM, so deployment occurs without error.
773673-5 : HTTP/2 Vulnerability: CVE-2019-9512
Solution Article: K98053339
773653-3 : APM Client Logging
Solution Article: K23876153
773649-3 : APM Client Logging
Solution Article: K23876153
773641-3 : APM Client Logging
Solution Article: K23876153
773637-3 : APM Client Logging
Solution Article: K23876153
773633-3 : APM Client Logging
Solution Article: K23876153
773621-3 : APM Client Logging
Solution Article: K23876153
773553-5 : ASM JSON parser false positive.
Component: Application Security Manager
Symptoms:
False positive JSON malformed violation.
Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.
Impact:
HTTP request is blocked or an alarm is raised.
Workaround:
There is no workaround other than disabling the JSON profile.
Fix:
JSON parser has been fixed as per RFC8259.
773421-5 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
Component: Local Traffic Manager
Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.
Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).
-- OneConnect is applied.
-- proxy-mss is enabled (the default value starting in v12.0.0).
Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.
Workaround:
Disable proxy-mss in the configured TCP profile.
Fix:
OneConnect prevents sending ICMP fragmentation needed messages to servers.
771873-2 : TMSH Hardening
Solution Article: K40378764
770477-4 : SSL aborted when client_hello includes both renegotiation info extension and SCSV
Component: Local Traffic Manager
Symptoms:
Client SSL reports an error and terminates handshake.
Conditions:
Initial client_hello message includes both signaling mechanism for secure renegotiation: empty renegotiation_info extension and TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
Impact:
Unable to connect with SSL.
Workaround:
None.
Fix:
Allow both signaling mechanism in client_hello.
769817-5 : BFD fails to propagate sessions state change during blade restart
Component: TMOS
Symptoms:
BFD fails to propagate sessions state change during blade restart.
Conditions:
-- On a chassis with multiple blades, several routing protocol sessions are established, (e.g., BGP sessions).
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via specific blade and the corresponding BFD session of this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experienced a blade failure.
Impact:
The BFD session remains in the BFD sessions table and remains there until BGP session is timed out by hold the timer (90 seconds, by default). Dynamic routes, which are learnt via affected BGP session, remain in the routing table until the hold time is reached.
Workaround:
Change BGP hold time to reasonable lower value.
Fix:
The affected BFD session is removed from the BFD table after blade reset during the period configured for this BFD session.
769809-1 : The vCMP guests 'INOPERATIVE' after upgrade
Component: TMOS
Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests report as INOPERATIVE.
Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.
Impact:
The vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.
Workaround:
Important: If you upgrade vCMP hosts from an affected version to a version unaffected by this issue (ID 769809), ensure that the upgrade version contains the fix for Bug ID 810593: Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade :: https://cdn.f5.com/product/bugtracker/ID810593.html.
Upon encountering this issue, it may be best to roll back to the previously used, unaffected version on the vCMP host, and then install a version unaffected by this issue (i.e., versions later than 12.1.4.1 or later than 13.1.1.5).
Fix:
The system now handles a guest unit key that has a NULL in it, so vCMP guests are no longer 'INOPERATIVE' after upgrade
769309-4 : DB monitor reconnects to server on every probe when count = 0
Component: Local Traffic Manager
Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.
Conditions:
This occurs when using one of the LTM mssql, mysql, oracle or postgresql monitor types is configured with the default 'count' value of 0 (zero).
Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.
Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.
Fix:
The LTM database monitor keeps the network connection to the monitored database server open indefinitely when configured with the default 'count' value of 0 (zero).
769193-3 : Added support for faster congestion window increase in slow-start for stretch ACKs
Component: Local Traffic Manager
Symptoms:
When Appropriate Byte Counting is enabled (the default), TCP's congestion window increases slower in slow-start when the data receiver sends stretch ACKs.
Conditions:
-- TCP data sender receives stretch ACKs (ACKs that acknowledges more than 2*MSS bytes of data).
-- Appropriate Byte Counting (ABC) is enabled in slow-start.
Impact:
ABC limits the increase of congestion window by 2*MSS bytes per ACK. TCP's congestion window is increased slower in slow-start, which may lead to longer transfer times.
Workaround:
There is no workaround at this time.
Fix:
A new sys db (TM.TcpABCssLimit) is provided to set TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received. If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.
Behavior Change:
There is a new db variable, TM.TcpABCssLimit for specifying TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received.
Note: If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.
768981-5 : VCMP Hypervisor Hardening
Solution Article: K05765031
767373-4 : CVE-2019-8331: Bootstrap Vulnerability
Solution Article: K24383845
767013-5 : Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
Component: TMOS
Symptoms:
In a rare scenario, the HSB sends a large amount and continuous pause frames to the Broadcom switch, which indicates that the HSB is in a bad state.
Conditions:
This happens when there is heavy traffic load on VIPRION B2150, B2250, and B4450 blades. This has also been seen on F5 Appliances, such as iSeries platforms. The root cause of that is still under investigation. It happens extreme rarely.
Impact:
Reboot the BIG-IP system.
Workaround:
None.
Fix:
The system now monitors the pause frames and reboots when it detects that the HSB is in this state.
766577-5 : APMD fails to send response to client and it already closed connection.
Component: Access Policy Manager
Symptoms:
APMD fails to send response to client and produces error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer
APMD does most of its action with backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server response is very slow (because of various reasons such as network issues), it might cause slow apmd client response. Sometimes, the client has already closed the connection to the virtual server, so the client connection is no longer valid.
Conditions:
Backend server is slow, causing longer-than-usual response times.
Impact:
This causes the client to close the connection. APMD fails to respond to the client.
The cumulative slowness of the backend server causes delay in response. Most of the time, the client connection is already closed. As a result, the request queue gets full. When apmd starts processing the request from the queue, the client connection is already closed for some of them, and processing those requests still continues, which is unnecessary and causes more delay.
Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.
766169-1 : Replacing all VLAN interfaces resets VLAN MTU to a default value
Component: Local Traffic Manager
Symptoms:
When the last physical interface is removed from a VLAN, VLAN's MTU is reset to default value of 1500. However when replacing all interfaces belonging to a VLAN with a new ones (e.g., with a command 'tmsh modify net vlan [name] interfaces replace-all-with {...}'), even if it does not look like removing all interfaces, it is actually done by removing all interfaces immediately followed by adding new ones. Because all interfaces are removed first, the VLAN MTU is reset to the default value even if the original value is perfectly valid for newly added interfaces. As it is done automatically inside TMM, it is not reflected in the configuration. TMSH and Configuration Utility continue to report original value.
Conditions:
Issue is visible only when removing or replacing all interfaces in a VLAN which has MTU value different than default 1500. Added interfaces must also have MTU values larger than 1500.
Impact:
VLAN MTU is set to 1500 despite Configuration Utility and TMSH still reporting original value.
Workaround:
There are two workarounds:
-- Reset desired MTU value after each operation of replacing all interfaces in a VLAN.
-- Avoid replace-all-with operation by adding new interfaces before removing unneeded ones.
Fix:
VLAN MTU value is left unchanged after the last interface is removed. It is recalculated upon adding a new interface anyway, so there is no risk it will be too large.
766017-5 : [APM][LocalDB] Local user database instance name length check inconsistencies★
Component: Access Policy Manager
Symptoms:
Tmsh accepts long localdb instance names, but ldbutil later refuses to work with names longer than 64 characters.
The GUI limits the instance name length to 64 characters including the partition prefix, but this is not obvious to the admin.
Conditions:
-- Create a 64 character long local user database instance using tmsh.
-- Try to add users to this instance or try to delete the instance from the GUI.
Impact:
A tmsh-created localdb instance with a name length greater than 64 characters can be created but cannot be used.
Workaround:
Delete instance from tmsh and re-create it with a shorter name.
Fix:
Tmsh now enforces the length limit for localdb instance names.
765809 : Memory increases for the bd daemon on cluster environment primary blade
Component: Application Security Manager
Symptoms:
BD memory increases. The increased memory is seen as a very large number in the last column of the bd.log files UMU prints.
Conditions:
-- ASM provisioned on cluster environment.
-- ASM policy attached to a virtual.
-- Brute force protection configured.
Impact:
Memory increase; swap usage.
Workaround:
None.
Fix:
Freed a chunk of memory which was allocated upon a sync from secondary to primary blade.
765533-5 : Sensitive information logged when DEBUG logging enabled
Solution Article: K58243048
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048
Conditions:
For more information see: https://support.f5.com/csp/article/K58243048
Impact:
For more information see: https://support.f5.com/csp/article/K58243048
Workaround:
For more information see: https://support.f5.com/csp/article/K58243048
Fix:
For more information see: https://support.f5.com/csp/article/K58243048
762453-4 : Hardware cryptography acceleration may fail
Solution Article: K63558580
762073-3 : Continuous TMM restarts when HSB drops off the PCI bus
Component: TMOS
Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.
Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.
Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.
Workaround:
Manually reboot the BIG-IP system.
Fix:
TMM no longer gets stuck in a restart loop, as a reboot is now automatic in this scenario.
761231-5 : Bot Defense Search Engines getting blocked after configuring DNS correctly
Solution Article: K79240502
Component: Application Security Manager
Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.
A cache is stored for legal / illegal requests to prevent querying the DNS again.
This cache never expires, so in case of an initial misconfiguration, after fixing the DNS configuration, or routing or networking issue, the Search Engines may still be blocked until TMM is restarted.
Conditions:
-- Initial misconfiguration of DNS or routing or networking issue.
-- Cache stores requests to prevent future queries to DNS.
-- Correct the misconfiguration.
Impact:
Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.
Workaround:
Restart TMM by running the following command:
bigstart restart tmm
Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.
761185-5 : Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic
Solution Article: K50375550
Component: Local Traffic Manager
Symptoms:
For more information please see: https://support.f5.com/csp/article/K50375550
Conditions:
For more information please see: https://support.f5.com/csp/article/K50375550
Impact:
For more information please see: https://support.f5.com/csp/article/K50375550
Workaround:
For more information please see: https://support.f5.com/csp/article/K50375550
Fix:
For more information please see: https://support.f5.com/csp/article/K50375550
761144-2 : Broadcast frames may be dropped
Solution Article: K95117754
761112-6 : TMM may consume excessive resources when processing FastL4 traffic
Solution Article: K76328112
761014-5 : TMM may crash while processing local traffic
Solution Article: K11447758
760950-1 : Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment
Component: TMOS
Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.
Note: A previous bug had this same symptom, but was due to a different root cause.
Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.
Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.
Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.
Fix:
The advertised next-hop in BGP is now the smallest floating-IP active on the current BIG-IP system.
760878-1 : Incorrect enforcement of explicit global parameters
Component: Application Security Manager
Symptoms:
A false positive or false negative enforcement of explicit global parameter.
Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.
Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.
Workaround:
Make the explicit parameters a wildcard parameter.
Fix:
Explicit parameters are enforced correctly on all parameters.
760723-4 : Qemu Vulnerability
Solution Article: K64765350
760629-1 : Remove Obsolete APM keys in BigDB
Component: Access Policy Manager
Symptoms:
Several APM/Access BigDB keys are obsolete and should be removed as they only add confusion
Conditions:
--BigIp is UP and Running
Impact:
Though those keys are not being used they create confusion as a placeholder
Workaround:
Remove those keys from BigDB and control plane side as those are not being used. But don't remove the keys which has still dependancies with other modules and also don/'t remove those keys used in upgrade
Fix:
Remove those keys from BigDB and control plane side as those are not being used. But don't remove the keys which has still dependancies with other modules and also don/'t remove those keys used in upgrade
760550-2 : Retransmitted TCP packet has FIN bit set
Component: Local Traffic Manager
Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.
Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.
Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.
Workaround:
Set Nagle to disabled in the TCP profile.
Fix:
The incorrect FIN bit is removed.
760471-5 : GTM iQuery connections may be reset during SSL key renegotiation.
Component: Global Traffic Manager (DNS)
Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.
Conditions:
This occurs occasionally during routine renegotiation. Renegotiation occurs once very 24 hours, per connection, by default (but can be controlled by the db key big3d.renegotiation.interval)
Impact:
The affected iQuery connection is briefly marked down as the connection is marked down before the connection is immediately re-established.
Workaround:
There is no workaround.
Fix:
GTM iQuery renegotiations no longer cause the error that reset the connection.
760439-1 : After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
Component: TMOS
Symptoms:
After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status (e.g., transitions to standby or active).
Conditions:
Installing UCS that was taken in forced-offline state on clean installed unit.
Impact:
Unit may become active/standby before intended (e.g., during maintenance).
Workaround:
After installing the UCS, ensure that the unit is in forced-offline state as intended. If not in forced-offline state, force the unit offline before proceeding.
760234-3 : Configuring Advanced shell for Resource Administrator User has no effect
Component: TMOS
Symptoms:
Advanced shell is present in the Terminal Access dropdown list when creating a Resource Administrator User, but the functionality is not available.
Conditions:
Configuring Advanced shell for Resource Administrator User.
Impact:
There is no warning message, but the setting has no effect. Gives the false impression that you can configure a Resource Administrator User to have Advanced shell access when the role does not support it.
Workaround:
None.
Fix:
The Advanced shell option is no longer present in the Resource Administrator User Terminal Access dropdown list.
Behavior Change:
Resource Administrator User can no longer select Advanced shell. The option has been removed from the dropdown list in the GUI for the Resource Administrator User.
759968-1 : Distinct vCMP guests are able to cluster with each other.
Component: Local Traffic Manager
Symptoms:
-- Distinct vCMP guests are able to cluster with each other.
-- Guests end up having duplicate rebroad_mac on one or more slots. This can be checked using below command:
clsh tmctl -d blade tmm/vcmp -w 200 -s vcmp_name,tmid,rebroad_mac
Check the 'rebroad_mac' field for duplicate mac addresses.
vcmp_name tmid rebroad_mac
--------- ---- -----------------
default 0 02:01:23:45:01:00
vcmp1 0 00:00:00:00:00:00
vcmp5 0 02:01:23:45:01:04
vcmp6 0 00:00:00:00:00:00
vcmp7 0 02:01:23:45:01:06
vcmp8 0 00:00:00:00:00:00
vcmp9 0 02:01:23:45:01:08
vcmp10 0 02:01:23:45:01:0A <--------------
vcmp11 0 02:01:23:45:01:0A <--------------
Conditions:
-- It is not yet clear under what circumstances the issue occurs.
-- One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate 'rebroad_mac' on one or more slots.
Impact:
Only the vCMP guest acting as primary will be operative.
Workaround:
-- Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:
modify sys db clusterd.communicateovertmmbp value false.
To disable the db variable on the affected guest, log in to the TMOS Shell (tmsh) by entering the following command:
tmsh
Then run the following commands, in sequence:
stop sys service clusterd
modify sys db clusterd.communicateovertmmbp value false
start sys service clusterd
save sys config
Afterwards, the affected guest might still have the wrong management IP address. To resolve that, log into the vCMP Hypervisor and force a management IP update such as changing the netmask and then changing it back.
With the above steps, the duplicated rebroadcaster MAC still shows, but the vguests are in stable states. To fix the duplicated MAC problem, apply the workaround (on all blades) documented in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
Important: Applying procedure described in K13030 interrupts traffic.
Fix:
The vCMP guests no longer end up having a non-null and duplicate 'rebroad_mac' on one or more slots. Distinct vCMP guests are no longer able to cluster with each other.
759596-4 : Tcl errors in iRules 'table' command
Component: TMOS
Symptoms:
The iRules 'table delete' command causes Tcl errors due to improperly handling the return code from SessionDB.
Conditions:
-- iRules 'table delete' command is used.
-- Does not occur consistently, but is more prone to occur when the system is processing more traffic.
Impact:
The 'table delete' command randomly fails and causes disruptions in traffic.
Workaround:
Do not use 'table delete' command
Fix:
Fixed 'table delete' to properly interpret the return code from SessionDB.
759480-1 : HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash
Component: Local Traffic Manager
Symptoms:
When a request is sent to the virtual server which meets the conditions specified, TMM may crash.
Conditions:
When all of the following conditions are met:
-- Virtual server configured with iRule that contains HTTP::respond or HTTP::redirect in an LB_FAILED event.
-- A command in an LB_FAILED event (does not have to be in the same iRule as the previous point, but must be attached to the same virtual server), that parks the iRule (e.g., table, session, persist, after, HSL).
-- A CLIENT_CLOSED event is present.
-- The pool member fails in some manner, triggering LB_FAILED
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Add reject command to LB_FAILED event to force the serverside of the connection closed before response is sent to the client.
759343-3 : MacOS Edge Client installer does not follow best security practices
Solution Article: K49827114
758872-1 : TMM memory leak
Component: Local Traffic Manager
Symptoms:
When a Clustered Multiprocessing (CMP) disabled virtual server enters syncookie mode the flows created on TMM instances other than tmm0 are not removed, resulting in a TMM memory leak.
Note: CMP-disabled virtual servers are not distributed among the available TMM processes, but instead are processed on tmm0.
Conditions:
-- Virtual server is CMP disabled.
-- The same virtual server enters syncookie mode.
Impact:
Elevated memory utilization that may impact performance. In extreme cases, it might lead to out-of-memory crash.
Workaround:
Make sure the virtual server is not CMP disabled, for example, avoid using global variables in iRules.
Fix:
Flows of CMP-disabled virtual servers are now properly removed from all TMM instances.
758764-5 : APMD Core when CRLDP Auth fails to download revoked certificate
Component: Access Policy Manager
Symptoms:
Download CRLDP Auth fails to download revoked certificates, so the list of revoked certificate remains empty (NULL). APMD cores while accessing this empty (NULL) list.
Conditions:
Empty revoked-certificate list handling.
Impact:
APMD core. No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso while apmd restarts.
Workaround:
None.
Fix:
The system now checks for empty revoked certificate lists (for NULL) and lets the validation OK (because there is nothing to validate against).
758631-1 : ec_point_formats extension might be included in the server hello even if not specified in the client hello
Component: Local Traffic Manager
Symptoms:
RFC 5246 states that if an extension does not exist in the client hello, it must not exist in the server hello. When an EC cipher suite is selected, the server might send the ec_point_formats extension, even if none exists in the client hello.
Conditions:
-- An EC cipher suite is selected.
-- The client does not send an ec_point_formats extension.
Impact:
Some clients abort the connection in this case.
Workaround:
There is no workaround other than not configuring any EC cipher suites.
Fix:
With this change, the server does not send an unsolicited ec_point_formats extension.
758527-5 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
Solution Article: K39604784
Component: TMOS
Symptoms:
Under certain conditions BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.
Conditions:
Tagged VLANs in use.
STP pass-through mode enabled.
Impact:
Frames not delivered as expected.
Workaround:
Disable global STP.
Fix:
Frames now delivered as expected.
758336-2 : Incorrect recommendation in Online Help of Proactive Bot Defense
Component: Application Security Manager
Symptoms:
The online help of Proactive Bot Defense within the DoS profile shows the following under the 'Cross-Domain Requests' section:
Allow configured domains; validate in bulk: ... We recommend this option if your web site has many cross-domain resources.
Allow configured domains; validate upon request: ... We recommend this option if your web site does not have many cross-domain resources.
The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.
Conditions:
Application has multiple cross-domain resources.
Impact:
Confusing documentation. The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.
Workaround:
For many cross-domain resources, it is better to use 'validate upon request'.
Fix:
The online help of Proactive Bot Defense has been corrected under the 'Cross-Domain Requests' section.
758119-3 : qkview may contain sensitive information
Solution Article: K58243048
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048
Conditions:
For more information see: https://support.f5.com/csp/article/K58243048
Impact:
For more information see: https://support.f5.com/csp/article/K58243048
Workaround:
For more information see: https://support.f5.com/csp/article/K58243048
Fix:
For more information see: https://support.f5.com/csp/article/K58243048
758065-3 : TMM may consume excessive resources while processing FIX traffic
Solution Article: K82781208
758018-2 : APD/APMD may consume excessive resources
Solution Article: K61705126
757578-5 : RAM cache is not compatible with verify-accept
Component: Local Traffic Manager
Symptoms:
The TCP profile's verify-accept option is not compatible with the RAM cache feature
Conditions:
A TCP profile is used with the 'verify-accept' option enabled, together with a Web Acceleration via RAM cache.
Impact:
There may be a log message in /var/log/tmm# describing an 'Invalid Proxy Transition'. The RAM cache feature may not handle later pipelined requests due to the proxy shutting down the connection.
Workaround:
Do not use TCP's verify-accept option together with RAM cache.
Fix:
RAM cache now works correctly when the TCP profile enables the verify-accept option.
757520 : After a software upgrade, the BIG-IP system does not use the correct hostname for logging.★
Component: TMOS
Symptoms:
After performing a regular software upgrade during which the configuration was rolled forward, the log messages for all daemons except tmm on the upgraded unit, report the default hostname (i.e., localhost) instead of the hostname assigned to the BIG-IP system.
Conditions:
Performing a software upgrade to BIG-IP version 11.5.6, 11.5.7, 11.5.8, or 12.1.4 while rolling forward the existing configuration.
This can also happen when you first set up remote syslog on a new LTM on an affected version.
Impact:
There is no impact to the BIG-IP system itself. However, a BIG-IP Administrator may wrongly assume that the configuration failed to load the configuration due to the default hostname being visible in the logs.
This is not the case; the BIG-IP system correctly loads the configuration post-upgrade. If you are concentrating logs to an external server this may make it difficult to determine where some logs originated.
Workaround:
To work around this issue, run the following command:
bigstart restart syslog-ng
Note: This issue occurs only the very first time one of the affected versions is booted. Once the issue has been worked around once, the issue does not recur. Therefore, this workaround can be considered permanent.
Fix:
After software upgrade, the BIG-IP system now uses the intended hostname for logging.
757455-4 : Excessive resource consumption when processing REST requests
Solution Article: K87920510
757391-1 : Datagroup iRule command class can lead to memory corruption
Component: Local Traffic Manager
Symptoms:
When using the iRule command to access datagroups within a foreach loop, memory can be corrupted and tmm can crash.
Conditions:
A [class] command used within a foreach loop.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround aside from removing that iRule.
Fix:
tmm no longer crashes under these conditions.
757088 : TMM clock advances and cluster failover happens during webroot db nightly updates
Component: Traffic Classification Engine
Symptoms:
Webroot database mapping and unmapping takes a very long amount of time on TMM, so you might see clock advances occur. The long interval might result in a failover/state-transition in clustered environment.
Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.
Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.
Workaround:
You can avoid this issue by disabling BrightCloud updates, however, your environments will miss the latest updates as a result.
#vi /etc/wr_urldbd/bcsdk.cfg
DoBcap=true
DoRtu=false
DownloadDatabase=false
Fix:
Mapping/Unmapping the database is done asynchronously and the delay is reduced so that the CDP failover does not happen.
757027-4 : BIND Update
Solution Article: K01713115
757026-4 : BIND Update
Solution Article: K25244852
757025-4 : BIND Update
Solution Article: K00040234
757023-5 : BIND vulnerability CVE-2018-5743
Solution Article: K74009656
756774-3 : Aborted DNS queries to a cache may cause a TMM crash
Solution Article: K24401914
756538-2 : Failure to open data channel for active FTP connections mirrored across an high availability (HA) pair.
Solution Article: K15759349
756450-3 : Traffic using route entry that's more specific than existing blackhole route can cause core
Component: Local Traffic Manager
Symptoms:
TMM asserts with 'Attempting to free loopback interface'message.
Conditions:
- Using blackhole routes.
- Have a route entry that is more specific than the existing blackhole route.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use /32 blackhole routes.
Fix:
TMM no longer cores when using blackhole routes that are less specific than non-blackhole routes.
756270-1 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
Component: Local Traffic Manager
Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.
Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.
Impact:
Handshake failure.
Workaround:
None.
Fix:
This has been fixed to check for the issuer among all certificates that have the same subject name as the CRL issuer.
756153-1 : Add diskmonitor support for MySQL /var/lib/mysql
Component: TMOS
Symptoms:
If the disk partition /var/lib/mysql is filled to 100%, diskmonitor does not notify that the partition is nearly exhausted.
Conditions:
The disk partition /var/lib/mysql is filled to 100%.
Impact:
diskmonitor does not notify that disk partition /var/lib/mysql is nearly exhausted.
Workaround:
None.
756094-1 : DNS express in restart loop, 'Error writing scratch database' in ltm log
Component: Global Traffic Manager (DNS)
Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd
Conditions:
An update to an SOA record (and only an SOA) is received through a incremental zone transfer update (IXFR).
Impact:
Zone updates from the DNS master servers are not processed.
Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, use the following commands, in sequence:
bigstart stop zxfrd
rm /shared/zxfrd/*
bigstart start zxfrd
Note: DNS express will not be able to service DNS responses until the zone transfers have completed. For this reason, this procedure should be carried out on the standby device, if possible.
Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.
755997-3 : Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address
Component: Local Traffic Manager
Symptoms:
When IPsec traffic is processed by a FastL4 profile, which is not related to an IPsec listener, and is send out via a gateway pool or a dynamic route, the source address of this traffic can be erroneously changed to 127.0.0.x.
Conditions:
-- IPsec traffic is processed by a FastL4 profile, which is not related to an IPSEC listener.
-- The traffic is sent out via a gateway pool or a dynamic route.
Impact:
The incorrect source address is used.
Workaround:
None.
Fix:
The IPsec traffic uses now the correct IP source-address.
755727-4 : Ephemeral pool members not created after DNS flap and address record changes
Component: Local Traffic Manager
Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.
Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.
Conditions:
This issue may occur under rare timing conditions when the following factors are present:
-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.
Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.
Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:
1. Restart the dynconfd daemon:
bigstart restart dynconfd
2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }
To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.
755507-1 : [App Tunnel] 'URI sanitization' error
Component: Access Policy Manager
Symptoms:
URI sanitization error with app tunnel (application tunnel). The system posts messages similar to the following:
-- APM log: warning tmm[19703]: 01490586:4: /Common/AP-AD:Common:ff776e4a: Invalid Resource Access For RESOURCENAME. RST due to URI sanitization
-- LTM log: err tmm[19703]: 01230140:3: RST sent from 10.0.0.1:80 to 10.0.0.1:228, [0x2263e2c:7382] Unrecognized resource access (RESOURCENAME)
Conditions:
Access Policy that includes a 'Logon Page' and 'Advanced Resource Assign' (full webtop and app tunnel).
Impact:
APM does not send a response after receiving a request to 'GET /vdesk/resource_app_tunnels_info.xml'.
Workaround:
None.
755005-4 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
Component: Application Security Manager
Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.
Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.
Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.
Workaround:
None.
Fix:
Correct templates are now used for Illegal Request Length and Illegal Query String Length violations, so the correct titles show.
754944-4 : AVR reporting UI does not follow best practices
Solution Article: K00432398
754460 : No failover on HA Dual Chassis setup using HA score
Component: TMOS
Symptoms:
On a high availability (HA) set up of two chassis, an HA failover does not occur, despite HA score on Standby being greater than Active.
Conditions:
-- Multiple blades disabled.
-- Both active and standby chassis have same HA score.
-- Enabling blades on standby chassis.
Impact:
Although enabling blades on the standby chassis causes a higher HA score on the standby (which should cause a failover to occur), HA state remains the same on both chassis. HA failover is not occurring using HA score calculation.
Workaround:
None.
754365-2 : Updated flags for countries that changed their flags since 2010
Component: Application Security Manager
Symptoms:
Old flags for countries that changed their flags since 2010.
Conditions:
Requests from one of the following counties:
-- Myanmar
-- Iraq
-- Libya
Impact:
Old flag is shown.
Workaround:
None.
Fix:
The three flags are now updated in ASM.
754345-4 : WebUI does not follow best security practices
Solution Article: K79902360
754257 : URL lookup queries not working
Component: Traffic Classification Engine
Symptoms:
Occasionally, there is no response to a url-categorization query.
Conditions:
This might occur under the following conditions:
-- When there are duplicate requests using tmsh.
-- When the connection is partially closed by the server.
Impact:
URL does not get classified. Cannot take any actions against those URLs.
Workaround:
None.
Fix:
URL lookup queries now work as expected.
754103-3 : iRulesLX NodeJS daemon does not follow best security practices
Solution Article: K75532331
753912-1 : UDP flows may not be swept
Solution Article: K44385170
Component: Local Traffic Manager
Symptoms:
Some UDP connection flows do not show in connection table but do show up in stats. This might occur with datagram_lb mode is enabled on the UDP profile under heavy load.
Conditions:
-- UDP profile with datagram_lb mode enabled.
-- System under heavy load.
Impact:
Increased memory utilization of TMM.
Workaround:
None.
Fix:
The system now correctly manages all expired flows.
753805-2 : BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.
Component: Local Traffic Manager
Symptoms:
After failover, a longer time than expected for the virtual server to become available.
Conditions:
-- There is a configuration difference in the pool members before and after the configuration synchronization.
-- Probe status is also different.
Impact:
Virtual server takes longer than expected to become available.
Workaround:
Run full sync (force-full-load-push) from the active BIG-IP system to solve this issue.
753796-3 : SNMP does not follow best security practices
Solution Article: K40443301
753776-3 : TMM may consume excessive resources when processing UDP traffic
Solution Article: K07127032
753014-2 : PEM iRule action with RULE_INIT event fails to attach to PEM policy
Component: Policy Enforcement Manager
Symptoms:
PEM iRule action with RULE_INIT event fails to attach to PEM policy.
Conditions:
Attaching PEM policy with PEM iRule action that contains a RULE_INIT event.
Impact:
PEM fails to update the new iRule action.
Workaround:
Force mcpd to reload the BIG-IP configuration.
To do so, follow the steps in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
Fix:
The system now continues processing PEM iRule actions if RULE_INIT event is present, so this issue no longer occurs.
752930 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
Component: Local Traffic Manager
Symptoms:
Virtual Servers left in unknown state. Blade keeps restarting.
Conditions:
Change default route domain (RD) of partition with wildcard Virtual Servers.
Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop or mcpd process restarting loop.
Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.
2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:
# ssh slot2 bigstart stop
# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109
# save sys config
# clsh rm -f /var/db/mcpdb.bin
# ssh slot2 bigstart start
Note: This recovery method might have to be executed multiple times to restore a working setup.
752835-1 : Mitigate mcpd out of memory error with auto-sync enabled.
Solution Article: K46971044
Component: TMOS
Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it will exponentially get further behind due to extra sync data, leading to the sending mcpd running out of memory and core dumping.
Conditions:
-- Auto-sync enabled in an high availability (HA) pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.
Impact:
Mcpd crashes.
Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.
Fix:
This is not a complete fix. It is still possible for mcpd to run out of memory due to a peer not processing sync messages quickly enough. It does, however, make it more difficult for this scenario to happen, so configuration changes with auto-sync on can be sent somewhat more quickly without crashing mcpd as often.
751586-1 : Http2 virtual does not honour translate-address disabled
Component: Local Traffic Manager
Symptoms:
Translate-address disabled on an HTTP/2 virtual server is ignored.
Conditions:
-- HTTP/2 virtual server configured.
-- Translate-address disabled.
Impact:
The traffic is still translated to the destination address to the pool member.
Workaround:
None.
Fix:
Translate-address disabled is working correctly now.
751036-4 : Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
Solution Article: K52035247
750586-3 : HSL may incorrectly handle pending TCP connections with elongated handshake time.
Component: TMOS
Symptoms:
HSL may incorrectly handle TCP connections that are pending 3-way handshake completion that exceed default handshake timeout.
Conditions:
-- HSL or ReqLog configured to send logging data to pool via TCP protocol.
-- TCP 3-way handshake takes longer than 20 seconds (the default handshake timeout) to complete.
Impact:
-- Service interruption while TMM restarts.
-- Failover event.
Workaround:
None.
Fix:
HSL handles unusually long pending TCP handshakes gracefully and does not cause outage.
750488 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Cache does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.
Conditions:
Responses to queries with EDNS0 record to DNS Cache do not contain the RFC-required EDNS0 record.
Impact:
Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.
This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.
Workaround:
None.
Fix:
Corrected EDNS OPT record handling in DNS Cache.
Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:
example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa
These types of responses are expected when running the validation tool against DNS Cache.
750484 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Cache drops a DNS query that contains an EDNS OPT Record that it does not understand.
Conditions:
If a client (such as a DNS Flag Day compliance tool) or upstream DNS Server sends an invalid ENDS OPT record.
Impact:
DNS Cache drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.
This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.
Workaround:
None.
Fix:
When a query with an invalid EDNS OPT version is received by DNS Cache, the system now sends a response with the BADVERS error code, as stipulated by the RFC.
Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:
example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa
These types of responses are expected when running the validation tool against DNS Cache.
750473-2 : VA status change while 'disabled' are not taken into account after being 'enabled' again
Component: Local Traffic Manager
Symptoms:
The virtual-address network is not advertised with route-advertisement enabled.
Conditions:
1. Using a virtual-address with route advertisement enabled.
2. Disable virtual-address while state is down.
3. Enable virtual-address after state comes up.
Impact:
No route-advertisement of the virtual-address.
Workaround:
Toggle the route-advertisement for virtual-address.
Fix:
The virtual-address now operations as expected when disabled.
750472 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express drops a DNS query that contains an EDNS OPT Record that it does not understand.
Conditions:
If a client (such as a DNS Flag Day compliance tool) or upstream DNS Server sends an invalid ENDS OPT record.
Impact:
DNS Express drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.
This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.
Workaround:
None.
Fix:
When a query with an invalid EDNS OPT version is received by DNS Express, send a response with the BADVERS error code as stipulated by the RFC.
Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:
example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok
750460-4 : Subscriber management configuration GUI
Solution Article: K61002104
750457 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.
Conditions:
Queries to DNS Express containing an ENDS0 record it does not understand.
Impact:
DNS Express responses might not contain the RFC-required ENDS0 record. Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.
This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.
Workaround:
None.
Fix:
Corrected EDNS OPT record handling in DNS Express.
Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:
example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok
750292-3 : TMM may crash when processing TLS traffic
Solution Article: K54167061
750213-1 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
Solution Article: K25351434
Component: Global Traffic Manager (DNS)
Symptoms:
FPGA hardware-accelerated DNS Cache can respond improperly to DNS queries that contain EDNS OPT Records. This improper response can take several forms, ranging from not responding with an OPT record, to a query timeout, to a badvers response.
Conditions:
-- Using VIPRION B2250 blades.
-- This may occur if a client sends a query with an EDNS OPT record that has an unknown version or other values that the Hardware-accelerated Cache does not understand. These errors only occur when matching the query to a hardware cached response.
Note: If the response is not in the hardware cache, then the query should be properly handled.
Impact:
Hardware-accelerated DNS Cache drops the request. Clients will experience a timeout for that query.
This is occurring now because of the changes coming to software from certain DNS software vendors that remove specific workarounds on February 1st, 2019. This is known as DNS Flag Day.
Workaround:
None.
750187-4 : ASM REST may consume excessive resources
Solution Article: K29149494
749879 : Possible interruption while processing VPN traffic
Solution Article: K47527163
749785-3 : nsm can become unresponsive when processing recursive routes
Component: TMOS
Symptoms:
imish hangs, and the BIG-IP Network Services Module (nsm) daemon consuming 100% CPU.
Conditions:
-- Dynamic routing enabled
-- Processing recursive routes from a BGP peer with different prefixlen values.
Impact:
Dynamic routing, and services using dynamic routes do not operate. nsm does not recover and must be restarted.
Workaround:
None.
Fix:
nsm now processes recursive route without issues.
749774-2 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
Component: Global Traffic Manager (DNS)
Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.
Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.
Impact:
Inconsistent behavior.
Workaround:
None.
Fix:
In this release, responses are now consistent when caching is enabled.
749675-2 : DNS cache resolver may return a malformed truncated response with multiple OPT records
Component: Global Traffic Manager (DNS)
Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.
Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).
Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.
Workaround:
A second query will return the cached record, which will only have one OPT record.
Fix:
DNS cache resolver now returns the correct response under these conditions.
749508-4 : LDNS and DNSSEC: Various OOM conditions need to be handled properly
Component: Global Traffic Manager (DNS)
Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.
Conditions:
LDNS and DNSSEC OOM conditions.
Impact:
Various traffic-processing issue, for example, TMM panic during processing of DNSSEC activity.
Workaround:
None.
Fix:
The system contains improvements for handling OOM conditions properly.
749414-1 : Invalid monitor rule instance identifier error
Component: Local Traffic Manager
Symptoms:
Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects.
Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is in a pool.
-- Run the following command: tmsh load /sys config
-- Loading UCS/SCF file can trigger the issue also.
-- Nodes share the same monitor instance.
-- default-node-monitor is not configured.
Impact:
-- The system might delete monitor rule instances for unrelated nodes/pool-members.
-- Pool members are incorrectly marked down.
Workaround:
You can use either of the following:
-- Failover or failback traffic to the affected device.
-- Run the following command: tmsh load sys config.
749388-4 : 'table delete' iRule command can cause TMM to crash
Component: TMOS
Symptoms:
TMM SegFaults and restarts.
Conditions:
'table delete' gets called after another iRule command.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
Call 'table lookup' on any key before performing a 'table delete'.
Whether or not the key was added into the database beforehand does not matter.
Fix:
Fixed code to prevent invalid use of internal data structure.
749324-4 : jQuery Vulnerability: CVE-2012-6708
Solution Article: K62532311
749294-1 : TMM cores when query session index is out of boundary
Component: Local Traffic Manager
Symptoms:
TMM cores when the queried session index is out of boundary. This is not a usual case. It is most likely caused by the memory corrupted issue.
Conditions:
When session index equals the size of session caches.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The index boundary check now operates correctly in this situation, so tmm no longer cores.
749153 : Cannot create LTM policy from GUI using iControl
Component: TMOS
Symptoms:
LTM policy cannot be created from GUI using iControl REST.
Conditions:
Using iControl to create an LTM policy.
Impact:
LTM policy cannot be created from the GUI
Workaround:
Create LTM policy using TMSH.
Fix:
Can now create LTM policy from GUI using iControl.
749007-4 : South Sudan, Sint Maarten, and Curacao country missing in GTM region list
Component: TMOS
Symptoms:
South Sudan, Sint Maarten, and Curacao countries are missing from the region list.
Conditions:
-- Creating a GTM region record.
-- Create a GTM any region of Country South Sudan, Sint Maarten, or Curacao.
Impact:
Cannot select South Sudan county from GTM country list.
Workaround:
None
Fix:
South Sudan, Sint Maarten, and Curacao are now present in the GTM country list.
748902-8 : Incorrect handling of memory allocations while processing DNSSEC queries
Component: Global Traffic Manager (DNS)
Symptoms:
tmm crashes.
Conditions:
-- Heavy DNS traffic using DNS security signatures.
-- Use of external HSM may aggravate the problem.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release corrects the handling of memory allocations while processing DNSSEC queries.
748502-4 : TMM may crash when processing iSession traffic
Solution Article: K72335002
748205-2 : SSD bay identification incorrect for RAID drive replacement★
Component: TMOS
Symptoms:
On iSeries platforms with dual SSDs, the 'bay' of a given SSD indicated in the 'tmsh show sys raid' command may be incorrect. If a drive fails, or for some other reason it is intended to be replaced, and you are using the bay number listed from the tmsh command, the wrong drive could be removed from the system resulting in system failure to operate or boot.
Conditions:
iSeries platform with dual SSDs.
Impact:
Removal of the one working drive could result in system failure and subsequent failure to boot
Workaround:
If you discover that you removed the incorrect drive, you can attempt to recover by re-inserting the drive into the bay that it was in, and powering on the device.
The following steps will help to avoid inadvertently removing the wrong drive:
As a rule for systems with this issue:
-- Power should be off when you remove a drive. This makes it possible to safely check the serial number of the removed drive.
-- Power should be on, and the system should be completely 'up' before you add a new drive.
Here are some steps to follow to prevent this issue from occurring.
1. Identify the failed drive, taking careful note of its serial number (SN). You can use any of the following commands to get the serial number:
• tmsh show sys raid
• tmsh show sys raid array
• array
2. Logically remove the failed drive using the following command: tmsh modify sys raid array MD1 remove HD<>
3. Power down the unit.
4. Remove the fan tray and physically remove the failed drive.
5. Manually inspect the SN on the failed drive to ensure that the correct drive was removed.
6. Replace the fan tray.
7. Power on the unit with the remaining, single drive.
8. Once booted, wait for the system to identify the remaining (good) drive. You can confirm that this has happened when it appears in the 'array' command output.
9. Remove fan tray again (with the system running).
10. Install the new drive.
11. Use the 'array' command to determine that the new drive is recognized (Note: the tmsh commands do not show new drive at this stage.)
12. Logically add the new drive using the command command: tmsh modify sys raid array MD1 add HD<>
13. Monitor the rebuild using any of the commands shown in step 1.
Note: You must follow these steps exactly. If you insert the new drive while the system is off, and you then boot the system with the previously existing working drive and the new blank drive present, the system recognizes the blank drive as the working Array member, and you cannot add it to the array. That means system responds and replicates as if 'HD already exists'.
748187-1 : 'Transaction Not Found' Error on PATCH after Transaction has been Created
Component: TMOS
Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.
Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.
Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.
Workaround:
If transaction is not very large, configure icrd_child to only run single-threaded.
Fix:
Erroneous 'Transaction Not Found' messages no longer occur under these conditions.
748177-4 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character
Component: Global Traffic Manager (DNS)
Symptoms:
Multiple wildcards not matched to the most specific WideIP.
Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.
Impact:
DNS request gets wrong answer.
Workaround:
There is no workaround at this time.
Fix:
Multiple wildcards are now matched to the most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character.
747968-4 : DNS64 stats not increasing when requests go through DNS cache resolver
Component: Local Traffic Manager
Symptoms:
DNS64 stats are not incrementing when running the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands if responses are coming from DNS cache resolver.
Conditions:
-- DNS responses are coming from DNS cache resolver.
-- Viewing statistics using the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands.
Impact:
DNS64 stats are not correct.
Workaround:
There is no workaround at this time.
747909-2 : GTPv2 MEI and Serving-Network fields decoded incorrectly
Component: Service Provider
Symptoms:
MEI and Serving-Network vales obtained with GTP::ie get iRule command contains digits swapped in pairs, first digit missing and a random digit added at the back.
Conditions:
Processing GTP traffic with iRules.
Impact:
It is impossible to obtain correct value of MEI and Serving-Network fields of the GTPv2 packets when processing with iRules.
Workaround:
No workaround.
Fix:
Decoding of GTPv2 MEI and Serving-Network fields corrected.
747725-1 : Kerberos Auth agent may override settings that manually made to krb5.conf
Component: Access Policy Manager
Symptoms:
when apmd starts up, it can override settings in krb5.conf file with those required for Kerberos Auth agent
Conditions:
- Kerberos Auth is configured in an Access Policy,
- administrator made changes to krb5.conf manually
to the section [realms] of the configured realm
Impact:
Kerberos Auth agent behavior is not what administrator expects with the changes.
it may also affect websso(kerberos) to behave properly
Workaround:
None
Fix:
after fix, the configuration file changes are merged.
Kerberos Auth agent adds the lines it requires and does not override existing settings
747617-4 : TMM core when processing invalid timer
Component: Local Traffic Manager
Symptoms:
TMM crashes while processing an SSLO iRules that enables the SSL filter on an aborted flow.
Conditions:
SSLO is configured and passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround
Fix:
SSL filter will no longer be enabled after connection close.
747592-4 : PHP vulnerability CVE-2018-17082
Component: TMOS
Symptoms:
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
Conditions:
This exploit doesn't need any authentication and can be exploited via POST request. Because of 'Transfer-Encoding: Chunked' header php is echoing the body as response.
Impact:
F5 products not affected by this vulnerability. Actual impact of this vulnerability is possible XSS attack.
Workaround:
No known workaround.
Fix:
The brigade seems to end up in a messed up state if something fails in shutdown, so we clean it up.
747585-1 : TCP Analytics supports ANY protocol number
Component: Local Traffic Manager
Symptoms:
No TCP analytics data is collected for an ANY virtual server.
Conditions:
1. Provision AVR
2. Create a FastL4 server that accepts all protocols.
3. Attach a TCP Analytics profile
4. Try to run UDP traffic through it.
Impact:
No TCP analytics data is collected for TCP flows when a virtual server's protocol number is ANY.
Workaround:
There is no workaround this time.
Fix:
TCP analytics now supports both ANY and TCP protocol numbers and would collect analytics for TCP flows if protocol number is ANY or TCP.
747560-2 : ASM REST: Unable to download Whitehat vulnerabilities
Component: Application Security Manager
Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.
Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.
Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided, and it must be downloaded manually, or the GUI must be used.
Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.
Fix:
The REST endpoint for importing Scanner Vulnerabilities for the Whitehat Scanner now correctly downloads the vulnerability file automatically when no file is provided.
747192-3 : Small memory leak while creating Access Policy items
Component: Access Policy Manager
Symptoms:
Memory slowly leaks for every access policy item added: 32 + 80 bytes for each item.
Conditions:
The leak occurs while creating new policy items in Access.
Impact:
After a long uptime interval, mcpd may crash due to lack of memory.
Workaround:
Restart mcpd periodically if you modify Access policies frequently by adding or deleting policy items.
Fix:
Leak was fixed by clearing the leaked objects.
747187-4 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response
Component: Service Provider
Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.
Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.
Impact:
Media does not flow on pinholes for which a collision was detected and reported.
Workaround:
None
Fix:
No collision is detected or logged when multiple messages with SDP recreate the same flows in the same call.
747104-4 : LibSSH: CVE-2018-10933
Solution Article: K52868493
Component: Advanced Firewall Manager
Symptoms:
For more information see: https://support.f5.com/csp/article/K52868493
Conditions:
For more information see: https://support.f5.com/csp/article/K52868493
Impact:
For more information see: https://support.f5.com/csp/article/K52868493
Fix:
For more information see: https://support.f5.com/csp/article/K52868493
746922-3 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
Component: Local Traffic Manager
Symptoms:
In a situation when a routing entity belonging to the child route domain is searching for an egress point for a traffic flow, it's searching for a routing entry in the child domain first, then if nothing is found, it searches for it in the parent route domain and returns the best found routing entry.
If the best routing entry from the parent route domain is selected, then it is held by a routing entity and is used to forward a traffic flow. Later, a new route entry is added to the child route domain's routing table and this route entry might be better than the current, previously selected, routing entry. But the previously selected entry doesn't get invalidated, thus the routing entity that is holding this entry is forwarding traffic to a less-preferable egress point.
#Example:
RD0(parent) -> RD1(child)
routing table: default gw for RD0 is 0.0.0.0/0%0
pool member is 1.1.1.1/32%1
-
Pool member searches for the best egress point and finds nothing in the routing table for route domain 1, and then later finds a routing entry, but from the parent route domain - 0.0.0.0/0%0.
Later a new gw for RD1 was added - 0.0.0.0/0%1, it's preferable for the 1.1.1.1/32%1 pool member. 0.0.0.0/0%0 should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, as in this case, with - 0.0.0.0/0%1.
Conditions:
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. New routing entry for child route domain is added.
Impact:
If a new added route is preferable to an existing one in a different route domain, the new, preferable, route is not going to be used by a routing object that has previously selected a route. Thus, traffic flows through these routing objects to an unexpected/incorrect egress point. This might result in undesirable behavior:
-- The route might be unreachable, and all traffic for a specific pool member is dropped.
-- The virtual server cannot find an available SNAT address.
-- Simply, the wrong egress interface is being used.
Workaround:
Use either of these workaround after a new route in child domain is added.
-- Recreate a route.
Recreate a parent route domain's routes. Restart tmrouted daemon if routes are gathered via routing protocols.
-- Recreate a routing object.
- If a pool member is affected, recreate the pool member.
- If a SNAT pool list is affected, recreate it.
- And so on.
Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table.
746877-4 : Omitted check for success of memory allocation for DNSSEC resource record
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.
Conditions:
During memory stress while handling DNSSEC traffic.
Impact:
TMM panic and subsequent interruption of network traffic.
Workaround:
Keeping the workload within normal ranges reduces the probability of encounter.
Fix:
The system now checks for success of memory allocation for DNSSEC resource record, so this issue no longer occurs.
746868 : memory leakage when "apply to base domain" is enabled
Component: Fraud Protection Services
Symptoms:
Memory leakage when "apply to base domain" is enabled. this can result in a crash or aggressive sweeper mode.
Conditions:
"apply to base domain" is enabled in the anti-fraud profile
Impact:
Aggressive connections sweeper mode, and traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
746768-2 : APMD leaks memory if access policy policy contains variable/resource assign policy items
Component: Access Policy Manager
Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.
Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.
Impact:
APMD's memory footprint will increase whenever the access policy is applied.
Workaround:
There is no workaround.
Fix:
Memory growth has been addressed.
746348-3 : On rare occasions, gtmd fails to process probe responses originating from the same system.
Component: Global Traffic Manager (DNS)
Symptoms:
On rare occasions, some resources are marked 'unavailable', with a reason of 'big3d: timed out' because gtmd fails to process some probe responses sent by the instance of big3d that is running on the same BIG-IP system.
Conditions:
The monitor response from big3d sent to the gtmd on the same device is being lost. Monitor responses sent to other gtmds are sent without issue. The conditions under which this occurs have not been identified.
Impact:
Some resources are marked 'unavailable' on the affected BIG-IP system, while the other BIG-IP systems in the sync group mark the resource as 'available'.
Workaround:
Restart gtmd on the affected BIG-IP system.
746266-4 : A vCMP guest VLAN MAC mismatch across blades.
Component: TMOS
Symptoms:
The vCMP guests running on blades in a single chassis report different MAC addresses on a single VLAN upon host reboot for the vCMP guest.
Conditions:
This issue may be seen when all of the following conditions are met:
-- One or more blades are turned off completely via AOM.
-- There are two VLANs.
-- You deploy a multi-slot guest with the higher lexicographic VLAN, and assign the lower VLAN to the guest.
-- Reboot the host.
Impact:
Incorrect MAC addresses are reported by some blades.
Workaround:
None.
Fix:
There is no longer a vCMP guest VLAN MAC mismatch across blades under these conditions.
746091-4 : TMSH Vulnerability: CVE-2019-19151
Solution Article: K21711352
746077-2 : If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified
Component: Local Traffic Manager
Symptoms:
DHCP-RELAY overwrites the 'giaddr' field containing a non-zero value. This violates RFC 1542.
Conditions:
DHCP-RELAY processing a message with the 'giaddr' field containing a non-zero value,
Impact:
RFC 1542 violation
Workaround:
None.
Fix:
DHCP-RELAY no longer overwrites the 'giaddr' field containing a non-zero value.
745713-2 : TMM may crash when processing HTTP/2 traffic
Solution Article: K94563344
745654-1 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
Component: Access Policy Manager
Symptoms:
When there are a lot of tcp connections that needs new kerberos ticket to be fetched from kdc, then the websso processes requests slower than the incoming requests. This could lead to low throughput and virtual server is very slow to respond to requests.
Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.
Impact:
Low throughput and slow responses from Virtual server.
Workaround:
There is no workaround at this time.
Fix:
Increase the size of websso worker queue, so that tmm and websso process can communicate effectively. This eliminates VS slowness and hence increase throughput.
745574-4 : URL is not removed from custom category when deleted
Component: Access Policy Manager
Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.
Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.
Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.
Workaround:
"bigstart restart tmm" will resolve the issue.
Fix:
Made sure that the deletion takes effect properly and SSL traffic is no longer miscategorized after removal of the URL from the custom category.
745405 : Under heavy SSL traffic, sw crypto codec queue is stuck and taken out of service without failover
Component: TMOS
Symptoms:
Under heavy SSL traffic, it is observed that sw crypto codec queue is stuck and taken out of service, but no failover happened
Conditions:
Heavy SSL traffic
Impact:
Traffic is impacted and a large number of SSL handshakes to the BIG-IP are failing.
Workaround:
Increase crypto.queue.timeout to a much larger number(from 100 to 500 for example). Restart tmms for the change to take effect.
745404-3 : MRF SIP ALG does not reparse SDP payload if replaced
Component: Service Provider
Symptoms:
When a SIP message is loaded, the SDP is parsed. If modified or replaced, the system does not reparse the modified payload.
Conditions:
This occurs internally while processing SDP in a SIP message.
Impact:
Changes to the SDP are ignored when creating media pinhole flows
Workaround:
None.
Fix:
The SDP payload is now reparsed if modified or replaced.
745387-4 : Resource-admin user roles can no longer get bash access
Solution Article: K07702240
745371-3 : AFM GUI does not follow best security practices
Solution Article: K68151373
745358-4 : ASM GUI does not follow best practices
Solution Article: K14812883
745261-3 : The TMM process may crash in some tunnel cases
Component: TMOS
Symptoms:
When Direct Server Return (DSR) or asymmetric routing with a tunnel is deployed, the TMM process may crash.
Conditions:
There are two scenarios that may lead to this issue:
Scenario 1: DSR
- DSR is deployed.
Scenario 2: Asymmetric routing
- The sys db variable connection.vlankeyed is set to 'disable'.
- A VLAN and a tunnel are used to handle asymmetric routing.
Impact:
The TMM process crashes.Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The TMM process no longer crashes.
745257-4 : Linux kernel vulnerability: CVE-2018-14634
Solution Article: K20934447
745165-4 : Users without Advanced Shell Access are not allowed SFTP access
Solution Article: K38941195
744959-2 : SNMP OID for sysLsnPoolStatTotal not incremented in stats
Component: Carrier-Grade NAT
Symptoms:
SNMP OID for sysLsnPoolStatTotal is not incremented in stats totals.
Conditions:
This affects all of the global port block allocation (PBA) counters.
Impact:
SNMP OID for sysLsnPoolStatTotal is not incremented when it should be. Stats are not accurate.
Workaround:
None.
Fix:
SNMP OID for sysLsnPoolStatTotal is now incremented in stats totals.
744937-4 : BIG-IP DNS and GTM DNSSEC security exposure
Solution Article: K00724442
Component: Global Traffic Manager (DNS)
Symptoms:
For more information please see: https://support.f5.com/csp/article/K00724442
Conditions:
For more information please see: https://support.f5.com/csp/article/K00724442
Impact:
For more information please see: https://support.f5.com/csp/article/K00724442
Workaround:
None.
Fix:
For more information please see: https://support.f5.com/csp/article/K00724442
Behavior Change:
Note: After installing a version of the software that includes the fix for this issue, you must set the following db variables:
-- dnssec.nsec3apextypesbitmap
-- dnssec.nsec3underapextypesbitmap.
These two db variables are used globally (i.e., not per-DNSSEC zone) to configure the NSEC3 types bitmap returned in one-off NODATA responses for apex and under-apex responses, respectively.
When the BIG-IP system is queried for a DNS name in which the DNS name exists and is not of the RR type requested, the NSEC3 types bitmap on the response reflects what you configure for the db variable, minus the queried-for type.
When using these variables:
-- Configure type values as all lowercase.
-- Enclose multiple types in quotation marks (e.g., "txt rrsig").
-- Understand that there is likely no need to change the apex type setting; do so with extreme care. The under-apex settings are what you will find helpful in addressing the negative caching issue.
744707-1 : Crash related to DNSSEC key rollover
Component: Global Traffic Manager (DNS)
Symptoms:
When running out of memory, a DNSSKEY rollover event might cause a tmm crash and core dump.
Conditions:
-- System has low memory or is out of memory.
-- DNSSKEY rollover event occurs.
Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
Fix:
Fixed an issue in DNSSEC Key Rollover event that could cause a crash.
744536 : HTTP/2 may garble large headers
Component: Local Traffic Manager
Symptoms:
The HTTP/2 filter may incorrectly encode large headers.
Conditions:
A header that encodes to larger than 2048 bytes.
Impact:
Application functionality may be disrupted because large header values, such as for cookies, may be truncated when passed to the endpoint.
Workaround:
None.
Fix:
The HTTP/2 filter now correctly encodes large HTTP headers.
744516-2 : TMM panics after a large number of LSN remote picks
Component: Carrier-Grade NAT
Symptoms:
TMM panics with the assertion 'nexthop ref valid' failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.
Conditions:
An LSN Pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.
Impact:
TMM restarts. Traffic is interrupted.
Workaround:
There is no workaround.
Fix:
TMM no longer panics regardless of the number of remote picks.
744347-1 : Protocol Security logging profiles cause slow ASM upgrade and apply policy
Component: Application Security Manager
Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.
Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.
Impact:
ASM upgrade and apply policy are delayed.
Workaround:
There is no workaround at this time.
744331-1 : OpenSSH hardening
Component: TMOS
Symptoms:
The default OpenSSH configuration does not follow best practices for security hardening.
Conditions:
Administrative SSH access enabled.
Impact:
OpenSSH does not follow best practices.
Fix:
The default OpenSSH configuration includes best practices for security hardening.
744269-3 : dynconfd restarts if FQDN template node deleted while IP address change in progress
Component: Local Traffic Manager
Symptoms:
The dynconfd daemon may crash and restart if an FQDN template node is deleted (by user action or config sync) while ephemeral nodes are in the process of being created, and deleted as the result of new IP addresses being returned by a recent DNS query.
Conditions:
This may occur on BIG-IP version 14.0.0.3 (and BIG-IP versions 13.1.x or v12.1.x with engineering hotfixes for ID 720799, ID 721621 and ID 726319), under the following conditions:
1. A DNS query returns a different set of IP addresses for one or more FQDN names.
2. While new ephemeral node(s) are being created (for new IP addresses and deleted (for old IP addresses), an FQDN template node is deleted (either by user action or config sync).
Impact:
The dynconfd daemon crashes and restarts.
Ephemeral nodes may not be updated in a timely manner while the dynconfd daemon is restarting.
Fix:
The dynconfd daemon does not crash and restart if an FQDN template node is deleted while ephemeral nodes are in the process of being created and deleted as the result of new IP addresses being returned by a recent DNS query.
744117-6 : The HTTP URI is not always parsed correctly
Solution Article: K18263026
Component: Local Traffic Manager
Symptoms:
The HTTP URI exposed by the HTTP::uri iRule command, Traffic Policies, or used by ASM is incorrect.
Conditions:
-- HTTP profile is configured.
-- The URI is inspected.
Impact:
If the URI is used for security checks, then those checks might be bypassed.
Workaround:
None.
Fix:
The HTTP URI is parsed in a more robust manner.
744035-3 : APM Client Vulnerability: CVE-2018-15332
Solution Article: K12130880
743950-3 : TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled
Component: Local Traffic Manager
Symptoms:
TMM raises a segmentation violation and restarts.
Conditions:
-- Set up client-side and server-side SSL with:
+ Client Certificate Constrained Delegation (C3D) enabled.
+ OCSP enabled.
-- Supply SSL traffic.
Impact:
Memory leaks when traffic is supplied. When traffic intensifies, more memory leaks occur, and eventually, tmm raises a segmentation fault, crashes, and restarts itself. All SSL connections get terminated. Traffic disrupted while tmm restarts.
Workaround:
Disable C3D.
Fix:
Memory no longer leaks when C3D and OCSP are both enabled with client SSL and server SSL set up.
743815-4 : vCMP guest observes connflow reset when a CMP state change occurs.
Component: TMOS
Symptoms:
There is a connflow reset when a CMP state change occurs on a vCMP guest. The system posts log messages similar to the following: CMP Forwarder expiration.
Conditions:
-- vCMP configured.
-- Associated virtual server has a FastL4 profile with loose init and loose close enabled.
Impact:
This might interrupt a long-lived flow and eventually cause an outage.
Workaround:
None.
Fix:
The system now drops the connflow instead of resetting it.
743803-5 : IKEv2 potential double free of object when async request queueing fails
Component: TMOS
Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.
Conditions:
When an async IPsec crypto operation fails to queue.
Impact:
Restart of tmm. All tunnels lost must be re-established.
Workaround:
No workaround known at this time.
743790-4 : BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus
Component: TMOS
Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might drop off the PCI bus, resulting in the BIG-IP system not being able to pass traffic. However, no high availability (HA) failover condition is triggered, so the BIG-IP system stays active.
Conditions:
HSB drops off the PCI bus. This is caused in response to certain traffic patterns (FPGA issue) that are yet to be determined.
Impact:
No failover to standby unit after this error condition, causing site outage.
Workaround:
None.
Fix:
Now the active BIG-IP system fails over to the standby when HSB on the active unit drops off the PCI bus.
743105-5 : BIG-IP SNAT vulnerability CVE-2021-22998
Solution Article: K31934524
743082-3 : Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members★
Component: TMOS
Symptoms:
Upgrading to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 might result a configuration that fails to load due to a stray colon-character that gets added to the configuration file.
Conditions:
-- Upgrade from pre-12.1.3 to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2.
-- GTM Pool Members.
Impact:
Configuration fails to load.
Workaround:
Remove stray colon-character from bigip_gtm.conf.
Fix:
Fixed an issue preventing configurations from loading into 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from a version before 12.1.3.
742628-6 : Tmsh session initiation adds increased control plane pressure
Solution Article: K53843889
Component: TMOS
Symptoms:
Under certain circumstances, the Traffic Management Shell (tmsh) can consume more system memory than expected.
Conditions:
Multiple users or remote processes connecting to the BIG-IP administrative command-line interface.
Impact:
Increased control plane pressure. Various delays may occur in both command-line and GUI response. Extreme instances may cause one or more processes to terminate, with potential disruptive effect. Risk of impact from this issue is increased when a large number of automated tmsh sessions are created.
Workaround:
For users with administrative privilege (who are permitted to use the 'bash' shell), the login shell can be changed to avoid invoking tmsh when it may not be needed:
tmsh modify /auth user ADMINUSERNAME shell bash
742237-1 : CPU spikes appear wider than actual in graphs
Component: Local Traffic Manager
Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.
Conditions:
CPU usage has spikes.
Impact:
Graphs of CPU spikes appear to last longer than they actually last.
Workaround:
Perform the following procedure:
1. Run the following command to record the 5-second average rather than the 1-second average:
sed -i.bak 's/TMCOLNAME "ratio"/TMCOLNAME "five_sec_avg.ratio"/;s/TMCOLNAME "cpu_ratio_curr"/TMCOLNAME "cpu_ratio_5sec"/g' /config/statsd.conf
2. Restart statsd to load the new configuration:
bigstart restart statsd
Fix:
CPU samples for graphs are averaged over longer time to more closely represent actual time between samples.
742226-3 : TMSH platform_check utility does not follow best security practices
Solution Article: K11330536
742078-1 : Incoming SYNs are dropped and the connection does not time out.
Component: Local Traffic Manager
Symptoms:
There is a hard-coded limit on the number of SYNs forwarded on a FastL4 connection. This might cause a problem when a connection is reused, for example, if a connection is not correctly closed.
Conditions:
-- SYN forwarding on FastL4 connections.
-- The number of SYNs on a single connection reaches the hard-coded limit.
Impact:
If the number of SYNs on a single connection reaches this limit, subsequent incoming SYNs are dropped and the connection might not time out.
Workaround:
There is no workaround.
Fix:
The following command enables the forwarding of an an unlimited number of SYNs:
tmsh modify sys db tm.dupsynenforce value disable
741994 : Cleanup Webroot database files when database fail to download
Component: Traffic Classification Engine
Symptoms:
/var partition gets full when the temporary files are not deleted.
Conditions:
When the update process of the wr_urldb encounters errors, the temporary (downloaded/created) files do not appear to be deleted, and /var directory fills with them.
Impact:
/var partition may get full.
Workaround:
Empty /var/wr_urldb/bcdatabase, and restart wr_urldbd to re-download the new database file.
Fix:
With this release, the temp files downloaded during the database download process get deleted when the download fails.
741951-3 : Multiple extensions in SIP NOTIFY request cause message to be dropped.
Component: Service Provider
Symptoms:
When SIP NOTIFY messages are sent with a request URI that contains multiple client extensions, the system does not forward the message as expected.
Conditions:
SIP NOTIFY messages sent with a request URI that contains multiple client extensions.
Impact:
NOTIFY message is not forwarded.
Workaround:
None.
Fix:
Improved SIP URI parser now correctly handles multiple extensions in a URI.
741919-1 : HTTP response may be dropped following a 100 continue message.
Component: Local Traffic Manager
Symptoms:
When a 100 response a quickly followed by another HTTP response (2xx/4xx), the second response might be dropped.
Conditions:
When a 100 response is quickly followed by another HTTP response (i.e., a 2xx/4xx response arrives within a few microseconds).
Impact:
The second response might be dropped, so the end user client might not receive all the HTTP responses coming from the server.
Note: This does not happen all the time, and depends on how the underlying data packets are formed and delivered to the HTTP filter.
Workaround:
You can use either of the following workarounds:
-- Use an iRule to disable the HTTP filter in the HTTP_REQUEST event.
-- Disable LRO by running the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
741902-4 : sod does not validate message length vs. received packet length
Component: TMOS
Symptoms:
sod may crash or produce unexpected behavior.
Conditions:
If a malformed network failover packet is received by sod, it may cause an invalid memory access.
Impact:
sod may crash, causing a failover.
Workaround:
None.
Fix:
sod validates the received packet length and does not reference invalid memory.
741423-1 : Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
Component: TMOS
Symptoms:
When provisioning ASM for the first time on a device that is already linked in a high availability (HA) config-sync configuration, any other cluster device that is on the trust domain experiences mcpd restarting on all secondary blades due to a configuration error.
The system logs messages similar to the following in /var/log/ltm:
-- notice mcpd[12369]: 010718ed:5: DATASYNC: Done initializing datasync configuration for provisioned modules [ none ].
-- err mcpd[9791]: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.
-- err mcpd[9791]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.... failed validation with error 16908342.
-- notice mcpd[12369]: 0107092a:5: Secondary slot 2 disconnected.
Conditions:
-- Cluster devices are joined in the trust for high availability (HA) or config-sync.
-- Provisioning ASM or FPS on clusters which are already joined in a trust.
-- ASM and FPS have not been provisioned on any of the devices: this is the first ASM/FPS provisioning in the trust.
Impact:
Traffic on all secondary blades is interrupted while mcpd restarts. Then, traffic is resumed.
Workaround:
Before provisioning ASM/FPS (but after setting up a trust configuration):
1. On the device on which ASM/FPS is about to be provisioned, create the datasync-global-dg device group and add all of the available devices.
For example, if there are two devices in the Trust Domain: test1.lab.com and test2.lab.com, and you plan to provision ASM/FPS for the first time on test1.lab.com, first run the following command from test1.lab.com:
tmsh create cm device-group datasync-global-dg devices add { test1.lab.com test2.lab.com }
2. Do not sync the device group.
3. Then on test1.lab.com, you can provision ASM/FPS.
Fix:
Secondary blades no longer go offline when provisioning ASM/FPS on already established high availability (HA) or config-sync configurations.
741108 : tmm dosl7 memory leak when X-Forwared-For header value contains a long list of comma separated ip addresses
Component: Application Security Manager
Symptoms:
tmm memory leak can lead to tmm out-of-memory state.
Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- ASM policy has device ID enabled.
-- HTTP profile accept_xff enabled.
Impact:
Unexpected tmm out-of-memory state can be reached, causing sweeper activity and disrupting traffic.
Workaround:
Disable accept_xff in HTTP profile that is assigned to a virtual server along with ASM policy.
Fix:
The leak is now fixed.
740963-3 : VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart
Component: Local Traffic Manager
Symptoms:
VIP-on-VIP traffic might cause TCP retransmit bursts, which in certain situations can cause tmm to restart.
Conditions:
- Virtual server handling TCP traffic.
- iRule using the 'virtual' command.
Impact:
Temporary memory consumption and potential for tmm to restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TCP retransmit bursts are now handled gracefully.
740959-1 : User with manager rights cannot delete FQDN node on non-Common partition
Component: Local Traffic Manager
Symptoms:
A user that has manager rights for a non-Common partition, but not for the /Common partition, may be denied delete privileges for an FQDN template node that is created on the non-Common partition for which the user does have manager rights.
This occurs because ephemeral nodes created from the FQDN template node are 'shared' in the /Common partition, so the delete transaction fails because the user has insufficient permissions to delete the dependent ephemeral nodes on the /Common partition.
Conditions:
-- A user is created with manager rights for a non-Common partition.
-- That user does not have manager rights for the /Common partition;
-- At least one ephemeral node is created from that FQDN template node (due to DNS lookup), which is not also shared by other FQDN template nodes.
-- That user attempts to delete an FQDN template node on the non-Common partition for which the user has manager rights.
Impact:
The transaction to delete the FQDN template node fails due to insufficient permissions. No configuration changes occur as a result of the FQDN template node-delete attempt.
Workaround:
You can use either of the following workarounds:
-- Perform the FQDN template node-delete operation with a user that has manager rights to the /Common partition.
-- Create the FQDN template node on the /Common partition.
Fix:
A user with manager rights for a non-Common partition that has no manager rights to the /Common partition, is now able to successfully delete an FQDN template node created on that non-Common partition.
740777-2 : Secondary blades mcp daemon restart when subroutine properties are configured
Component: Access Policy Manager
Symptoms:
Secondary blades' MCP daemons restart with the following error messages:
-- err mcpd[26818]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested Subroutine Properties (/Common/confirm_10 /Common/confirm_10) was not found.... failed validation with error 16908342.
Conditions:
When a subroutine is configured in the access policy.
Impact:
The secondary blade MCP daemon restarts. Cannot use subroutine in the access policy.
Workaround:
There is no workaround other than to not use subroutine in the access policy.
Fix:
You can now use subroutines in the access policy.
740490-2 : Configuration changes involving HTTP2 or SPDY may leak memory
Component: Local Traffic Manager
Symptoms:
If virtual servers which have HTTP2 or SPDY profiles are updated, then the TMM may leak memory.
Conditions:
-- A virtual server has a HTTP2 or SPDY profile.
-- Any configuration object attached to that virtual server changes.
Impact:
The TMM leaks memory, and may take longer to execute future configuration changes. If the configuration changes take too long, the TMM may be restarted by SOD.
Workaround:
None.
Fix:
The TMM no longer leaks memory when virtual servers that contain a HTTP2 or SPDY profile are reconfigured.
740228-3 : TMM crash while sending a DHCP Lease Query to a DHCP server
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
- DHCP Lease Query is enabled on the BIG-IP system.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes while sending a DHCP Lease Query to a DHCP server.
739971-3 : Linux kernel vulnerability: CVE-2018-5391
Solution Article: K74374841
739970-3 : Linux kernel vulnerability: CVE-2018-5390
Solution Article: K95343321
739963-1 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
Component: Local Traffic Manager
Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.
Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.
Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.
Workaround:
To restore the state of the member, remove it and add it back to the pool.
739947-3 : TMM may crash while processing APM traffic
Solution Article: K42465020
739945-1 : JavaScript challenge on POST with 307 breaks application
Component: Application Security Manager
Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.
Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.
Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.
Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.
Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.
739927-1 : Bigd crashes after a specific combination of logging operations
Component: Local Traffic Manager
Symptoms:
Bigd crashes. Bigd core will be generated.
Conditions:
1. Boot the system and set up any monitor.
2. Enable and disable bigd.debug:
-- tmsh modify sys db bigd.debug value enable
-- tmsh modify sys db bigd.debug value disable
3. Enable monitor logging.
Impact:
Bigd crashes.
Workaround:
None.
Fix:
Bigd no longer crashes under these conditions.
739872-3 : The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover
Component: TMOS
Symptoms:
Running the 'load sys config verify' command for a configuration that would alter the high availability (HA) Group score for a Traffic Group can cause the HA group score to be updated.
Conditions:
Run 'load sys config verify' with configuration data that affects a Traffic Group's HA Group score.
Impact:
Unintended failover.
Workaround:
None.
Fix:
HA Group scores are no longer updated when running 'load sys config verify' commands.
739846-4 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
Component: Global Traffic Manager (DNS)
Symptoms:
When the big3d runs out of memory for iQuery connections, a segmentation fault might occur.
Conditions:
-- Not enough memory to create additional iQuery connections.
-- Receive an new iQuery connection.
Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.
Workaround:
None.
Fix:
The big3d process no longer gets a segmentation fault when reaching the limits of the memory footprint while trying to establish iQuery connections.
739798 : Massive number of log messages being generated and written to the bd.log.
Component: Application Security Manager
Symptoms:
Log messages regarding parameters might fill the bd.log file. The system logs messages appear similar to the following:
deleting job-> converterd key
deleting p_node
Conditions:
No special conditions are required to cause this to occur.
Impact:
Lots of I/O processing. Potentially large bd.log file.
Workaround:
None.
Fix:
Fixed a scenario that resulted in a massive number of log messages being generated and written to the bd.log.
739744-2 : Import of Policy using Pool with members is failing
Component: Access Policy Manager
Symptoms:
Import of Policy using Pool with members is failing with an error Pool member node (/Common/u.x.y.z%0) and existing node (/Common/u.x.y.z) cannot use the same IP Address (u.x.y.z)
Conditions:
Policy has pool attached to it with resource assign or chained objects
Impact:
Policy is not being imported on the same box
Workaround:
There is no workaround at this time.
Fix:
ng-import is now importing policy correctly.
739638-1 : BGP failed to connect with neighbor when pool route is used
Component: Local Traffic Manager
Symptoms:
BGP peering fails to be established.
Conditions:
- Dynamic routing enabled.
- BGP peer connect through a pool route or ECMP route.
Impact:
BGP dynamic route paths are not created.
Workaround:
Use a gateway route.
Fix:
BGP peering can be properly established through a pool route.
739570-1 : Unable to install EPSEC package★
Component: Access Policy Manager
Symptoms:
Installation of EPSEC package via tmsh fails with error:
Configuration error: Invalid mcpd context, folder not found (/Common/EPSEC/Images).
Conditions:
-- EPSEC package has never been installed on the BIG-IP device.
-- Running the command:
tmsh create apm epsec epsec-package <package_name>.iso local-path /shared/apm/images/<package_name>.iso
Impact:
First-time installation of EPSEC package through tmsh fails.
Workaround:
You can do a first-time installation of EPSEC with the following commands:
tmsh create sys folder /Common/EPSEC
tmsh create sys folder /Common/EPSEC/Images
tmsh install Upload/<package_name>.iso
Fix:
When EPSEC package is installed through tmsh command, the folder /Common/EPSEC/Images gets created if it does not exist.
739144-1 : Domain logoff scripts runs after VPN connection is closed
Component: Access Policy Manager
Symptoms:
APM Network Access option: 'Execute logoff scripts on connection termination' does not work when script runs after VPN connection is closed.
Conditions:
Following options configured for Microsoft Windows clients:
* Synchronize with Active Directory policies on connection establishment.
and
* Execute logoff scripts on connection termination.
-- Windows client is part of a domain.
-- Domain logoff script is not available without VPN connection.
Impact:
'Execute logoff scripts on connection termination' does not work when script runs after VPN connection is closed.
Workaround:
None.
Fix:
Changes in APM client allow it to wait until domain logoff script execution completes before closing VPN connection, so this issue no longer occurs.
739094-4 : APM Client Vulnerability: CVE-2018-5546
Solution Article: K54431371
738945-1 : SSL persistence does not work when there are multiple handshakes present in a single record
Component: Local Traffic Manager
Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.
Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.
Impact:
SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded on to server but then connection will stall and eventually idle timeout.
Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.
After changing or disabling persistence, the transaction succeeds and no longer hangs.
738943-1 : imish command hangs when ospfd is enabled
Component: TMOS
Symptoms:
- dynamic routing enabled
- ospfd protocol enabled
- imish hangs
Conditions:
- running imish command
Impact:
ability to show dynamic routing state using imish
Workaround:
restart ospfd daemon
738887-2 : BIG-IP SNMPD vulnerability CVE-2019-6608
Component: TMOS
Symptoms:
https://support.f5.com/csp/article/K12139752
Conditions:
https://support.f5.com/csp/article/K12139752
Impact:
https://support.f5.com/csp/article/K12139752
Workaround:
https://support.f5.com/csp/article/K12139752
Fix:
https://support.f5.com/csp/article/K12139752
738789-3 : ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog
Component: Application Security Manager
Symptoms:
ASM blocks requests when a request payload is an xml document with a prolog line at the begging with encoding="us-ascii".
Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- ASM handles XML traffic with encoding="us-ascii" (use of the value encoding="us-ascii" is very uncommon, the typical value is encoding="utf-8").
Impact:
Blocked XML requests.
Workaround:
You can use either of the following workarounds:
-- Remove XML profile from a URL in the ASM policy.
-- Disable XML malformed document detection via ASM policy blocking settings.
Fix:
XML parser now supports encoding="us-ascii".
738669-3 : Login validation may fail for a large request with early server response
Component: Fraud Protection Services
Symptoms:
in case of large request/response, if FPS needs to store ingress and ingress chunks in buffer for additional processing (ingress :: for parameter parsing, egress :: for login validation's banned/mandatory strings check or scripts injection), if the server responds fast enough, the buffer may contain mixed parts of request/response. This may have several effects, from incorrectly performing login-validation to generating a tmm core file.
Conditions:
-- Login validation is enabled and configured to check for banned/mandatory string.
-- A username parameter is configured.
-- There are no parameters configured for encrypt/HTML Field Obfuscation (HFO), and no decoy parameters.
-- There is a large request and response.
-- The system response very quickly.
Impact:
This results in one or more of the following:
-- Login validation failure/skip.
-- Bad response/script injection.
-- tmm core. In this case, traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
FPS now handles ingress/egress buffers separately, so this issue no longer occurs.
738647-1 : Add the login detection criteria of 'status code is not X'
Component: Application Security Manager
Symptoms:
There is a criterion needed to detect successful login.
Conditions:
Attempting to detect successful login when the response code is not X (where 'x' = some code).
Impact:
Cannot configure login criteria.
Workaround:
None.
Fix:
This release adds a new criterion to the login criteria.
738523-3 : SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages
Component: Local Traffic Manager
Symptoms:
When monitoring an SMTP server that emits multi-line '250' responses to the initial 'HELO' message, the monitor fails. If monitor logging is enabled on the pool member, the system posts an error similar to the following in the monitor log:
09:50:08.580145:(_Tcl /Common/mysmtp): ERROR: failed to complete the transfer, Failed to identify domain.
Conditions:
-- Monitoring an SMTP server.
-- SMTP server is configured to return a multi-line '250' response to the initial 'HELO' message.
Impact:
The pool member is marked down even though it is actually up.
Workaround:
None.
Fix:
The system now handles multi-line '250' responses to the initial 'HELO' message.
738521-2 : i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
Component: Local Traffic Manager
Symptoms:
A trunk configured between a BIG-IP i4x00/i2x00 platform and an upstream switch may go down due to the presence of the VLAN tag.
Conditions:
LACP configured between a BIG-IP i4x00/i2x00 platform and an upstream switch.
Impact:
Trunks are brought down by upstream switch.
Workaround:
There are two workarounds:
-- Configure the trunk as 'untagged' in one of the VLANs in which it's configured.
-- Disable LACP.
Fix:
The system no longer transmits a VLAN tag for LACP PDUs, so this issue no longer occurs.
738445-1 : IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup
Component: TMOS
Symptoms:
INVALID_SPI notification does not delete the IPsec-SA with the SPI value that appears in the notify payload. This occurs because the handler of INVALID-SPI notifications performs the following incorrect actions:
-- Fetches SPI from payload as if it's a string, rather than the network byte order integer it actually is.
-- Attempts phase 2 lookup via selector ID (reqid) rather than SPI.
Either alone prevents finding the SA to delete.
Conditions:
An IKEv1 IPsec peer sends an INVALID-SPI notification to the BIG-IP system.
Impact:
The IPsec-SA with that SPI cannot be found and is not deleted.
Workaround:
From the BIG-IP command line, you can still manually delete any IPsec-SA, including the invalid SPI, using the following command:
# tmsh delete net ipsec ipsec-sa spi <spi number>
Fix:
SPI is now extracted correctly from the payload as a binary integer, and the phase 2 SA lookup is done with a proper SPI search, which also requires a match in the peer address.
738397-2 : SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
Component: Access Policy Manager
Symptoms:
For a BIG-IP system configured as IdP, in the SAML-IdP-initiated case: If the IdP has a Per-Request policy (in addition to a V1 policy), such that the Per-Request policy has a subroutine or a subroutine macro with a logon page, the system reports access failure on running the policy.
The error logged is similar to the following: '/Common/sso_access:Common:218f759e: Authorization failure: Denied request for SAML resource /Common/saml_resource_obj1&state=000fffff032db022'.
Conditions:
-- BIG-IP system configured as IdP.
-- SAML IdP initiated case in which the following is true:
+ The IdP has a Per-Request policy (in addition to a V1 policy).
+ That Per-Request policy has a subroutine or a subroutine macro with a logon page.
Impact:
Access is denied. The request URI has '&state=<per-flow-id>' appended to the SAML Resource name.
Workaround:
None.
Fix:
The system now checks for additional query parameters in the request_uri while extracting Resource name so it is not incorrectly set to 'ResourceName&state=<per-flow-id>' which causes the access failure.
738236-3 : UCS does not follow current best practices
Solution Article: K25607522
738119-3 : SIP routing UI does not follow best practices
Solution Article: K23566124
738046-3 : SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby
Component: Local Traffic Manager
Symptoms:
For FastL4 connections, SERVER_CONNECTED currently doesn't fire on the standby device. If the standby device then becomes active, the first packet from the server on an existing FastL4 connection causes SERVER_CONNECTED to fire. Depending on what the iRule does in SERVER_CONNECTED, a variety of results can occur, including TMM coring due to commands being executed in unexpected states.
Conditions:
-- High availability configuration.
-- Mirrored FastL4 virtual server.
-- Attached iRule contains a SERVER_CONNECTED event.
Impact:
SERVER_CONNECTED does not fire when expected on standby device. When the standby device becomes active, the SERVER_CONNECTED iRule may cause TMM to core with traffic being disrupted while TMM restarts.
Workaround:
None.
Fix:
SERVER_CONNECTED now fires when expected on the standby device.
737998 : Brute Force end attack condition isn't satisfied for successful logins only
Component: Application Security Manager
Symptoms:
When brute force attack is detected and prevented by asm, asm continue to prevent login attempts even the attacking traffic has stopped 5 minutes ago.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- ASM Brute Force protection enabled in the asm policy
- There is an ongoing brute force attack on the backend server.
Impact:
ASM doesn't report that brute force attack is finished and logins mitigation continues to occur.
Workaround:
While ongoing endless brute force attack, change an arbitrary field in brute force configuration and apply policy. Brute force attack end event will be triggered and the system will stop brute force prevention, if the attacking traffic still being sent, new brute force attack event will be raised and the mitigation will reoccur.
Fix:
Fix brute force end condition check for a case when only successful logins are sent.
737910-1 : Security hardening on the following platforms
Solution Article: K18535734
737758-1 : MPTCP Passthrough and VIP-on-VIP can lead to TMM core
Component: Local Traffic Manager
Symptoms:
If a FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled, TMM may produce a core upon receiving certain traffic.
Conditions:
A FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with a TCP profile attached that has MPTCP passthrough enabled, and certain traffic is received.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not using an iRule with the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled.
Fix:
If MPTCP passthrough is enabled, the system now processes incoming MPTCP connections coming from the loop device as if MPTCP is disabled.
737731-3 : iControl REST input sanitization
Solution Article: K44885536
737597 : AVR DoS Attack report misses virtual server name in a specific config
Component: Application Visibility and Reporting
Symptoms:
In Security :: Reporting : DoS : Network, the report shows the attack, but categorizes the attack under 'Aggregated' in the Virtual Server name value, rather than the actual name of the Virtual Server on which the attack is happening.
Conditions:
-- A Virtual Server is configured with a IP/Subnet range.
For example,
-- Virtual Server with Destination Address: 10.10.10.0/27 (meaning the destination range is 10.10.10.32 - 10.10.10.63).
-- Destination Address of the Client Traffic and Attack: 10.10.10.63
View AVR Reporting, which does not resolve the to any specific Virtual Server, but instead categorizes the attack as 'Aggregate'.
Impact:
AVR report missing the Virtual Server information.
Workaround:
None.
737574-3 : iControl REST input sanitization★
Solution Article: K20541896
737565-3 : iControl REST input sanitization
Solution Article: K20445457
737442-1 : Error in APM Hosted Content when set to public access
Solution Article: K32840424
737441-1 : Disallow hard links to svpn log files
Solution Article: K54431371
737437-1 : IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages
Component: TMOS
Symptoms:
The BIG-IP system might fail to re-establish an IKEv1 phase 1 security association (ISAKMP-SA) when the Initiator starts the exchange using UDP port 4500. The exchange progresses to the point of NAT detection, whereupon the BIG-IP system stops using the Non-ESP marker and sends malformatted ISAKMP.
Conditions:
All of the following must be true:
-- The BIG-IP system is an IKEv1 Responder.
-- ISAKMP phase 1 negotiation starts on UDP port 4500.
-- NAT is detected on only one side during the phase 1 exchange.
Impact:
-- Establishment of an ISAKMP-SA will fail until the peer device switches to UDP port 500.
-- The remote peer may send INVALID-SPI messages quoting SPI numbers that do not exist.
Workaround:
To help workaround this issue, you can try the following:
-- Make sure the BIG-IP system is always the Initiator.
-- Bypass NAT.
-- Configure both the BIG-IP system and remote peer to use address IDs that are not the same as the IP addresses used in the ISAKMP exchange, thus causing the BIG-IP system to think there is NAT on both sides.
Fix:
The BIG-IP system now keeps the Non-ESP marker when NAT is detected.
737389 : Kern.log contains many messages: warning kernel: Tracklist initialized; Tracklist destroyed
Component: TMOS
Symptoms:
There may be a large number of messages in /var/log/kern.log similar to the following:
Tracklist initialized
Tracklist destroyed
Conditions:
This can happen when vCMP is provisioned, which enables SR-IOV mode.
Impact:
It causes messages to show up in /var/log/kern.log, but does not affect traffic. This is a cosmetic issue and does not indicate a functionality issue.
Workaround:
None.
Fix:
Tracklist is now disabled, so this issue no longer occurs.
737332-2 : It is possible for DNSX to serve partial zone information for a short period of time
Component: Global Traffic Manager (DNS)
Symptoms:
During zone transfers into DNS Express, partial zone data may be available until the transfer completes.
Conditions:
-- Two zones being transferred during the same time period
+ zone1.example.net
+ zone2.example.net
-- Transfer of zone1 has started, but not finished.
-- zone2 starts a transfer and finishes before zone1 finishes, meaning that the database might be updated with all of the zone2 data, and only part of the zone1 data.
Impact:
Partial zone data will be served, including possible NXDOMAIN or NODATA messages. This happens until zone1 finishes and saves to the database, at which time both zones' data will be complete and correct.
Workaround:
The workaround is to limit the number of concurrent transfers to 1. However this severely limits the ability of DNS Express to update zones in a timely fashion if there are many zones and many updates.
Fix:
All zone transfers are now staged until they are complete. The zone transfer data is then saved to the database. Only when the zone data has completed updating to the database will the data be available to queries.
737322-1 : tmm may crash at startup if the configuration load fails
Component: TMOS
Symptoms:
Under certain circumstances, tmm may crash at startup if the configuration load fails.
Conditions:
This might occur after a configuration loading failure during startup, when TMM might take longer than usual to be ready.
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer crashes at startup if the configuration load fails.
737055-3 : Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy
Component: TMOS
Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you cannot login to the Configuration Utility. Instead the system presents a blank page, as the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP system.
Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.
Impact:
You are unable to login to the Configuration Utility.
Workaround:
Configure their Reverse Proxy to place the IP address of the BIG-IP system in the Referer header.
735832-2 : RAM Cache traffic fails on B2150
Component: Performance
Symptoms:
Rendering pages from RAM Cache fails. System does not pass RAM Cache traffic on B2150 platform.
Conditions:
-- VIPRION B2150 blade.
-- Attempting to pass traffic from RAM Cache.
Impact:
B2150 does not pass any RAM Cache traffic.
Workaround:
None.
Fix:
RAM Cache traffic now succeeds on B2150.
735565-3 : BGP neighbor peer-group config element not persisting
Component: TMOS
Symptoms:
neighbor peer-group configuration element not persisting after restart
Conditions:
- dynamic routing enabled
- BGP neighbor configured with peer-group
- BIG-IP or tmrouted daemon restart
Impact:
BGP peer-group configuration elements don't persist
Workaround:
Reconfigure BGP neighbor peer-group after restart
Fix:
BGP neighbor peer-group configuration is properly save to configuration, and persists after restart
734622 : Policy change with newly enforced signatures causes sig collection failure in other policies
Solution Article: K83093212
Component: Application Security Manager
Symptoms:
An ASM policy change with newly enforced signatures causes a signature collection failure in all other policies.
Conditions:
An ASM policy is changed by adding newly enforced signatures.
Impact:
Signature collection failures are logged for all other policies.
Workaround:
For each other policy on the device, make a spurious change (such as modifying policy description and saving) and apply the policy. Alternatively, a new user-defined signature which would be included in enforcement can be spuriously added and then immediately removed.
734539-2 : The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads
Component: TMOS
Symptoms:
When an IKEv1 peer sends an INVALID-SPI payload, and BIG-IP system cannot find the phase-two Security Association (SA) for that SPI but can find phase-one SA involved; the racoon daemon may crash if there are additional INVALID-SPI payloads afterward.
Conditions:
-- An INVALID-SPI notification is received.
-- That phase-two SA is already gone.
-- The phase-one parent SA is still around.
-- Subsequent notification INVALID-SPI payloads involve the same phase-one SA.
Impact:
The v1 racoon daemon cores, interrupting traffic until new tunnels can be established after racoon restarts.
Workaround:
There is no workaround at this time.
Fix:
The system no longer destroys the parent phase-one SA when an INVALID-SPI notification cannot find the target phase-two SA, so this issue does not occur.
734527-4 : BGP 'capability graceful-restart' for peer-group not properly advertised when configured
Component: TMOS
Symptoms:
BGP neighbor using peer-group with 'capability graceful-restart' enabled (which is the default). However, on the system, peer-group defaults to disable. Because there is no config statement to enable 'capability graceful-restart' after restart, it gets turned off after config load, which also turns it off for any BGP neighbor using it.
Conditions:
- Neighbor configured to use peer-group.
- Peer-group configured with capability graceful-restart, but with the default: disabled.
Impact:
Because peer-group is set to disable by default, and there is no operation to enable it after restart, 'capability graceful-restart' gets turned off after config load, and neighbors using it from peer-group get turned off as well.
Workaround:
Re-issue the commands to set peer-group 'capability graceful-restart' and 'clear ip bgp *' to reset BGP neighbors.
Fix:
The peer-group now has 'capability graceful-restart' enabled by default, so this issue no longer occurs.
Behavior Change:
In this release, peer-group has 'capability graceful-restart' enabled by default.
734446-3 : TMM crash after changing LSN pool mode from PBA to NAPT
Component: Carrier-Grade NAT
Symptoms:
TMM crashes after changing LSN pool mode from PBA to NAPT when long lived connections are killed due to the PBA block lifetime and zombie timeout expiring.
Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set and long lived connections.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.
The PBA pool can be deleted after the virtual servers are no longer using it.
Fix:
TMM no longer crashes after changing LSN pool mode from PBA to NAPT.
734177 : CVE-2019-12190 : RHEL6 Kernel Vulnerability
Solution Article: K42142782
727292-2 : SSL in proxy shutdown case does not deliver server TCP FIN
Component: Local Traffic Manager
Symptoms:
Connection is not torn down.
Conditions:
HTTPS server disconnects connection when in handshake.
Impact:
Potential resource exhaustion.
Workaround:
You can mitigate this condition in either of the following ways:
-- Wait for system to clean up lingering connections.
-- Use tmsh to clean up connections. (Note: Sometimes this might not work as expected depending on conditions.)
-- If this happens on the config-sync channel, use a different self-ip for config-sync on the affected device.
Fix:
SSL server side handles this error situation by sending out all remaining egress data and sending a shutdown signal to lower filters.
727206-4 : Memory corruption when using SSL Forward Proxy on certain platforms
Component: Local Traffic Manager
Symptoms:
When using SSL Forward proxy, memory corruption can occur, which can eventually lead to a tmm crash.
Conditions:
Client SSL profile on a virtual server with SSL Forward proxy enabled.
-- Using the following platforms:
- vCMP host
- 2000s / 2200s
- 5000s / 5200v
- 5050s / 5250v / 5250v-F
- 10350V-F
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes under these conditions.
727107-1 : Request Logs are not stored locally due to shmem pipe blockage
Component: Application Security Manager
Symptoms:
An unknown issue causes the communication layer between pabnagd and asmlogd to be become stuck. Messages similar to the following appear in pabnagd.log:
----------------------------------------------------------------------
account |NOTICE|... src/Account.cpp:183|Skipped 36 repeated messages. Request Log protobuf subscription queue is full. Message dropped.
rqlgwriter |WARNIN|... src/RequestLogWriter.cpp:137|Skipped 599 repeated messages. No space to write in shmem.
Messages similar to the following appear in pabnagd.log:
Conditions:
Request Logs are not stored locally due to shmem pipe blockage.
Impact:
Event logs stop logging locally.
Workaround:
Restart policy builder with:
killall -s SIGHUP pabnagd
Fix:
The policy builder now detects the blockage, and restarts the connection with the request logger.
727044-1 : TMM may crash while processing compressed data
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing compressed data.
Conditions:
Compression enabled
Hardware compression disabled
Impact:
TMM crash leading to a failover event.
Workaround:
No workaround.
Fix:
TMM now correctly processes compressed traffic
727031-2 : TMM disruption from disaggregation in vCMP systems
Component: Access Policy Manager
Symptoms:
On B2250 blades the Traffic Management Microkernel (TMM) may experience a series of panics and restarts.
The system reports a related message in /var/log/tmm:
vdag failed to attach
On other types of BIG-IP systems some ICMP monitors may fail, indicating a node that is known to be up is down.
Conditions:
-- Guest BIG-IP instance in a vCMP configuration.
-- Guest is running BIG-IP v13.1.3.5.
-- Host is running a software version other than BIG-IP v13.1.3.5.
-- For tmm panic issue, host is B2250 blade
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Note: If installing 13.1.3.5 on a vCMP host or guest, please contact F5 Support and ask for an engineering hotfix with the fix for this issue. Install it on the vCMP host and all guests on that host running 13.1.3.5.
Fix:
TMM disruption no longer occurs from disaggregation in vCMP systems.
726983-5 : Inserting multi-line HTTP header not handled correctly
Component: Local Traffic Manager
Symptoms:
Using an iRule to insert an HTTP header that contains an embedded newline followed by whitespace is not parsed properly. It can result in the new header being incorrectly split into multiple headers.
Conditions:
iRule which adds a header containing embedded newline followed by whitespace:
HTTP::header insert X-Multi "This is a\n multi-line header"
Impact:
New header does not get parsed properly, and its values are treated like new header values. In some cases the tmm may be restarted.
Workaround:
Ensure that the trailing whitespace text is not present (if not legitimately there). For manipulation of HTTP Cookie headers, use the HTTP::cookie API rather than directly via HTTP::header.
Fix:
Inserting multi-line HTTP header parsed correctly
726895-1 : VPE cannot modify subroutine settings
Solution Article: K02205915
Component: Access Policy Manager
Symptoms:
Open per-request policy in Visual Policy Editor (VPE) that has a subroutine. Click 'Subroutine Settings / Rename.
Numeric values like the inactivity timeout are displayed as 'NaN. Attempts to modify the values results in MCP validation errors such as one of these:
- Unable to execute transaction because of:
- Unable to execute transaction because of: 01020036:3: The requested user role partition (admin Common) was not found.
Conditions:
-- Per-request policy in the VPE.
-- Subroutine in the per-request policy.
-- Attempt to change the values.
Impact:
All fields say 'NaN', and error when trying to modify properties. Subroutine settings like the Inactivity Timeout and Gating Criteria cannot be modified through the VPE
Workaround:
Use tmsh to modify these values, for example:
tmsh modify apm policy access-policy <policy_name> subroutine properties modify { all { inactivity-timeout 301 } }
Fix:
The issue has been fixed; it is now possible to view and modify subroutine settings in the VPE.
726647-1 : PEM content insertion in a compressed response may truncate some data
Component: Policy Enforcement Manager
Symptoms:
HTTP compressed response with content insert action can truncate data.
Conditions:
PEM content insertion action with compressed HTTP response.
Impact:
Data might be truncated.
Workaround:
There is no workaround other than disabling compression accept-encoding attribute in the HTTP request.
Fix:
HTTP compressed response with content insert action no longer truncates data.
726592-2 : Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop
Component: Access Policy Manager
Symptoms:
Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop. This could be triggered by invalid state of our control plane daemons.
Conditions:
This is an extremely rare situation that can be caused by invalid logsetting config messaging between our daemons. However, once it happens it can impact multiple daemons at the same time causing all of them to hang.
Impact:
Once this happens it can impact multiple daemons (apmd, apm_websso, localdbmgr) at the same time causing all of them to hang.
Workaround:
There is no workaround at this time, you can recover by restarting the daemons that hang.
Fix:
We have fixed a memory corruption that can break the linkages in our data structure which would cause certain traversals to loop indefinitely.
726487-1 : MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
Component: TMOS
Symptoms:
The MCPD daemon on secondary VIPRION or vCMP blades exits and restarts, logging errors similar to the following:
-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.
-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.
Or:
--- err mcpd[8320]: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).
--- err mcpd[8320]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).... failed validation with error 17236027.
Or:
err mcpd[12620]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Invalid static route modification. A destination change from 172.25.0.1%500 to 172.25.0.1 is not supported... failed validation with error 17237812.
Conditions:
This issue occurs when all of the following conditions are met:
-- VIPRION or vCMP platform with more than one blade.
-- A partition with a non-default route domain.
-- Either:
+ Creating a pool member in that partition while a configuration save is taking place at the same time (either system- or user-initiated).
+ Modifying a route in that partition while a configuration save is taking place at the same time (either system- or user-initiated).
Impact:
If the system is Active, traffic is disrupted as the secondary blades restart. The capacity of the system will be reduced until all blades are on-line again. Additionally, depending on the system configuration, the system may fail over to its peer (if one exists).
Workaround:
There is no workaround other than not to create pool members or modify routes from one client while saving configuration changes in another client. However, this does not help if the configuration save operation was system-initiated.
Fix:
MCPD on secondary blades no longer restarts if a pool member is created or a route is modified in a partition that uses a non-default route domain at the same as the configuration is being saved.
726412-1 : Virtual server drop down missing objects on pool creation
Component: Global Traffic Manager (DNS)
Symptoms:
Available virtual servers are not populated in the drop down list during Pool creation.
Conditions:
Virtual server names containing single quote, backslash, or greater-than and less-than signs: ' \ < >.
Impact:
Unable to add available virtual servers to pools.
Workaround:
After pool creation, go into that newly created pool, click 'Members', and then click 'Manage', and use the Virtual Server drop-down list to add any virtual servers.
Fix:
Fixed the drop down for virtual servers. Now virtual servers get loaded in the drop-down list during pool creation.
726409-3 : Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
Component: TMOS
Symptoms:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or
possibly have unspecified other impact by leveraging use of the accept system call.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
Conditions:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439
Impact:
denial of service
Workaround:
don't allow login
Fix:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439
726393-5 : DHCPRELAY6 can lead to a tmm crash
Solution Article: K36228121
726317-3 : Improved debugging output for mcpd
Component: TMOS
Symptoms:
In some cases, mcpd debugging output is insufficient for diagnosing a problem.
Conditions:
Using debugging in mcpd, specifically, setting log.mcpd.level to debug.
Impact:
None. Has no effect without log.mcpd.level set to debug.
Workaround:
None.
Fix:
New output helps F5 engineers diagnose mcpd problems more easily.
726303 : Unlock 10 million custom db entry limit
Component: Traffic Classification Engine
Symptoms:
Cannot add more than 10 million custom db entries.
Conditions:
This happens when you try to add more than 10 million custom db entries.
Impact:
Not able to add more than 10 million entries.
Workaround:
There is no workaround at this time.
Fix:
This release provides a sys db var, tmm.urlcat.no_db_limit, to allow growth beyond the existing limit of 10 million custom db entries.
726255-3 : dns_path lingering in memory with last_access 0 causing high memory usage
Component: Global Traffic Manager (DNS)
Symptoms:
dns_path not released after exceeding the inactive path ttl.
Conditions:
1. Multiple tmm's in sync group
2. Multiple dns paths per GTM needed for load balancing.
Impact:
High memory usage.
Workaround:
There is no workaround at this time.
Fix:
dns_path memory will be released after ttl.
726239-3 : interruption of traffic handling as sod daemon restarts TMM
Component: Local Traffic Manager
Symptoms:
When the receiving host in a TCP connection has set its send window to zero (stopping the flow of data), following certain unusual protocol sequences, the logic in the TMM that persists in probing the zero window may enter an endless loop.
Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.
Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This fix handles a rare TMM crash when TCP persist timer is active.
726232-1 : iRule drop/discard may crash tmm
Component: Local Traffic Manager
Symptoms:
TMM crash after an iRule attempts to drop packet.
Conditions:
Virtual server with UDP profile, and following iRule:
when LB_SELECTED {
drop
# discard - drop is the same as discard
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
TMM correctly handles 'drop' command in 'LB_SELECTED' event.
726154-1 : TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies
Component: Advanced Firewall Manager
Symptoms:
TMM might restart when changing firewall or NAT configurations on a virtual server with the same name as a route-domain.
Conditions:
- There is a virtual server and a route-domain that have the same name in the configuration.
- A firewall or NAT policy is being attached or removed from one or both of the virtual server or route-domain.
Impact:
TMM might halt and traffic processing temporarily ceases. TMM restarts and traffic processing resumes.
Workaround:
There is no workaround other than not to use the same name for virtual server and route-domain objects.
Fix:
TMM no longer crashes under the conditions described. Firewall and NAT configurations are applied correctly on virtual servers with the same names as route-domains.
726089-3 : Modifications to AVR metrics page
Solution Article: K44462254
725879 : Internet Explorer running on Windows phone 8.1 gets CAPTCHA during legitimate browsing
Component: Application Security Manager
Symptoms:
Internet Explorer (IE) running on Microsoft Windows phone v8.1 gets CAPTCHA during legitimate browsing.
Conditions:
-- Proactive Bot Defense is enabled on a DoS profile attached to a virtual server.
-- A client connects using IE on Windows phone v8.1.
Impact:
CAPTCHA occurs during legitimate browsing.
Workaround:
None.
Fix:
A CAPTCHA event is no longer inadvertently enabled for Internet Explorer browsers on Windows Phone 8.1.
725791-3 : Potential HW/HSB issue detected
Solution Article: K44895409
Component: TMOS
Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.
With a burst of CRC errors in the SRAM for ePVA transformation cache, it does not trigger a failover and causes a silent traffic outage on the FastL4 VIP with hardware traffic acceleration. This occurs because the health check watchdog packets are still functioning correctly, and the current TMOS software primarily monitors watchdog packets tx/rx failures to trigger failover.
In these cases, there might be the following messages in /var/log/tmm*:
Device error: hsb_lbb* tre2_crc_errs count *
Conditions:
Traffic is offloaded to HSB hardware for acceleration.
Impact:
Hardware accelerated traffic drop.
Workaround:
Switch traffic to software acceleration.
Fix:
Including traffic-critical registers in failover triggers, helps failover happen quickly with minimum disruption to traffic in the case of SRAM hardware failures.
725551-5 : ASM may consume excessive resources
Solution Article: K40452417
724868-2 : dynconfd memory usage increases over time
Component: Local Traffic Manager
Symptoms:
dynconfd memory usage slowly increases over time as it processes various state-related messages.
Conditions:
No special conditions as dynconfd is a core LTM process. Large numbers of pool members combined with flapping might increase the rate of memory usage increase.
Impact:
dynconfd grows over time and eventually the system is pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.
Workaround:
Periodic restarts of dynconfd avoids the growth affecting the system.
Fix:
dynconfd no longer leaks memory when processing messages.
724824-5 : Ephemeral nodes on peer devices report as unknown and unchecked after full config sync
Component: Local Traffic Manager
Symptoms:
After a Full Configuration Sync is performed in a device cluster, Ephemeral (FQDN) nodes on peers to the device initiating the Configuration Sync will report their status as Unknown with monitor status of Unchecked.
Note: The nodes are still monitored properly by the peer devices even though they are not reported as such.
Conditions:
-- Full configuration sync performed in a device cluster.
-- Ephemeral (FQDN) nodes configured.
Impact:
Monitor status on the peer devices is reported incorrectly.
Workaround:
Any of the following three options will correct reporting status on the peer devices:
-- Restart bigd
-- Cause monitoring to the FQDN nodes to fail for at least one probing interval, and then restore monitoring accessibility.
-- Disable and then re-enable the FQDN node
Each of these workarounds results in the reported status of the FQDN node on the peer reporting correctly again. The workarounds do not prevent a subsequent configuration sync from placing the FQDN nodes back into Unknown status on peers, however.
724680-3 : OpenSSL Vulnerability: CVE-2018-0732
Solution Article: K21665601
724556-1 : icrd_child spawns more than maximum allowed times (zombie processes)
Component: TMOS
Symptoms:
icrd_child is issued a SIGTERM. The SIGTERM might not succeed in destroying the process, especially if the system is under a lot of load. This leads to zombie processes.
Conditions:
-- The icrd_child process is issued a SIGTERM that does not successfully destroy the icrd_child process.
-- System under heavy load.
Impact:
There are zombie icrd_child processes consuming memory.
Workaround:
Restart the system.
Fix:
Introduced the following configuration in /etc/icrd.conf: sigkillDelaySeconds
If set to 0, or if missing from icrd.conf, SIGKILL will not be issued after SIGTERM is issued to the icrd_child process.
If set to greater than 0, after the specified delay, SIGKILL will be issued after SIGTERM is issued to the icrd_child process if icrd_child process is not terminated.
A 'safe' number for the delay may be 3 seconds, but will depend on your configuration.
Behavior Change:
Introduced the following configuration in /etc/icrd.conf: sigkillDelaySeconds
If set to 0, or if missing from icrd.conf, SIGKILL will not be issued after SIGTERM is issued to the icrd_child process.
If set to greater than 0, after the specified delay, SIGKILL will be issued after SIGTERM is issued to the icrd_child process if icrd_child process is not terminated.
A 'safe' number for the delay may be 3 seconds, but will depend on your configuration.
724532-1 : SIG SEGV during IP intelligence category match in TMM
Component: Advanced Firewall Manager
Symptoms:
TMM restart while matching traffic from source IP to IP Intelligence category.
Conditions:
Multiple configuration changes that include deleting the custom IP intelligence categories.
Impact:
TMM restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer restarts while matching traffic from source IP to IP Intelligence category.
724339-2 : Unexpected TMUI output in AFM
Solution Article: K04524282
724335-2 : Unexpected TMUI output in AFM
Solution Article: K21042153
724214-2 : TMM core when using Multipath TCP
Component: Local Traffic Manager
Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic interrupted while TMM restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
724109-5 : Manual config-sync fails after pool with FQDN pool members is deleted
Component: TMOS
Symptoms:
If a user, deletes a fqdn pool on one BIG-IP in a cluster and then run a manual config sync with another BIG-IP, the change fails to sync with the other BIG-IPs in the cluster.
Conditions:
- Create fqdn pool in one BIG-IP
- Save sys config
- Run config sync
- Delete fqdn pool
- Save sys config
- Run config sync manually
Result: After deleting fqdn pool in BIG-IP and config sync with another BIG-IP, Manual config sync failed. Still, we can see the deleted fqdn pool in another BIG-IP
Impact:
FQDN pool delete failed in another BIG-IP and manual config sync operation is failed.
Workaround:
The workaround for this issue is to use auto-sync.
723794-4 : PTI (Meltdown) mitigation should be disabled on AMD-based platforms
Component: TMOS
Symptoms:
Platforms with AMD processors freeze when the PTI (Page Table Isolation) mitigation is enabled, after a period ranging from several hours to several days.
You can find information about which versions have the PTI (Meltdown) mitigations enabled in the AskF5 Article: Bug ID 707226: DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations :: https://cdn.f5.com/product/bugtracker/ID707226.html.
Conditions:
-- AMD-based platforms:
+ BIG-IP B4100 blades
+ BIG-IP B4200 blades
+ BIG-IP 6900 and NEBS appliances
+ BIG-IP 89x0 appliances
+ BIG-IP 6400 FIPS and NEBS platforms
+ BIG-IP 110x0 appliances
-- The database variable kernel.pti is set to enable (to address PTI (Meltdown)).
Impact:
System locks up and is rebooted by the watchdog timer.
Workaround:
Set the database variable kernel.pti to disable by running the following command:
tmsh modify sys db kernel.pti value disable
According to AMD, these AMD processors are not vulnerable to PTI (Meltdown), so there is no reason to leave the db variable enabled.
Fix:
PTI (Page Table Isolation) mitigation is no longer enabled on AMD-based platforms.
723792-3 : GTM regex handling of some escape characters renders it invalid
Component: Global Traffic Manager (DNS)
Symptoms:
The memory footprint of big3d increases.
Conditions:
GTM monitor recv string such as the following: ^http\/\d\.\d[23]\d\d
Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory. The monitor marks the server it is monitoring UP as long as the server returns any response.
Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}
Fix:
Fixed handling of escape characters. Recv strings that previously failed to compile will now compile.
723790-4 : Idle asm_config_server handlers consumes a lot of memory
Component: Application Security Manager
Symptoms:
Idle asm_config_server handlers needlessly uses a large amount of memory.
Conditions:
This issue might result from several sets of conditions. Here is one:
Exporting a big XML ASM policy and then leaving the BIG-IP system idle. Relevant asm_config_server handler process increases its memory consumption and stays that way, holding on to the memory until it is released with a restart.
Impact:
Unnecessary memory consumption.
Workaround:
1) Lower the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server:
---------------
# perl -pi.bak -e 's/MaxMemorySize=471859200/MaxMemorySize=262144000/' /etc/ts/tools/asm_config_server.cfg
---------------
2) Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
Notes:
-- The provided workaround does not permanently fix the issue. Instead it alleviates the symptoms of memory pressure, by (1) lowering the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server, and (2) freeing up all the memory that is currently taken by all asm_config_server processes.
-- This workaround does not cause any down time; the asm_config_server processes automatically start within ~30 seconds.
723722-3 : MCPD crashes if several thousand files are created between config syncs.
Component: TMOS
Symptoms:
If more than several thousand (typically 20,000, but number varies by platform) files, for example SSL certificates or keys, are created between config syncs, the next config sync operation will take too long and mcpd will be killed by sod.
Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.
Impact:
Traffic is disrupted while the MCPD process restarts.
Workaround:
Run a config sync operation after every ~5000 files created.
Fix:
MCPD no longer crashes if several thousand files are created between config sync operations.
723298-3 : BIND upgrade to version 9.11.4
Component: TMOS
Symptoms:
The BIG-IP system is running BIND version 9.9.9.
Conditions:
BIND on BIG-IP system.
Impact:
BIND 9.9 Extended Support Version was supported until June, 2018.
Workaround:
None.
Fix:
BIND version has been upgraded to 9.11.4.
723288-3 : DNS cache replication between TMMs does not always work for net dns-resolver
Component: Global Traffic Manager (DNS)
Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.
Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.
Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.
Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.
Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)
723130-3 : Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
Solution Article: K13996
Component: TMOS
Symptoms:
The OVA signing certificate that signs BIG-IP Virtual Edition (VE) OVA files expired. When deploying a BIG-IP VE from an OVA file, an invalid-certificate warning might be displayed due to the expired OVA signing certificate.
Conditions:
This issue may be encountered during the creation of new instances of BIG-IP VE in clients that check the validity of the OVA signing certificate (e.g., VMware).
Note: Existing BIG-IP VE instances are not subject to this issue.
Impact:
There might be questions about the integrity of the OVA file, and in some cases, might not be able to deploy a new instance from an OVA file.
Workaround:
None.
Fix:
The expired OVA signing certificate has been replaced with a valid signing certificate.
722969-1 : Access Policy import with 'reuse' enabled instead rewrites shared objects
Component: Access Policy Manager
Symptoms:
If a policy is exported and then imported with 'reuse' it rewrites objects on the server instead of simply reusing them.
Conditions:
-- Exporting profile A.
-- Importing profile B, with 'reuse' configured.
-- The objects in both profiles are named the same and are the same type.
Impact:
-- 'Reused' objects on the system are modified.
-- Policy A requires 'apply', because objects shared with Policy B are overwritten.
Workaround:
None.
Fix:
Access policy import with 'reuse' option enabled no longer rewrites shared objects
722707-1 : mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
Component: Local Traffic Manager
Symptoms:
The 'debug' log for a 'mysql' monitor may incorrectly report data being received from the database when network routing is configured to drop packets from that database, causing confusion when diagnosing packet traffic. This might be stimulated by configuring the firewall to enable traffic to/from the 'mysql' database, and then (after the 'mysql' monitor successfully connecting with the database) changing firewall rules to drop packets returned *from* the database.
Conditions:
-- A 'mysql' monitor successfully connects to the 'MySql' database.
2. Once connection is established, firewall rules are changed to 'DROP' packets returned from the 'MySQL' database, resulting in several entries in the 'mysql' monitor 'debug' log that incorrectly suggest packets were received from the 'MySQL' database.
Impact:
Several log entries may be made in the 'mysql' debug log suggesting packets were received from the 'MySQL' database (after a previous successful database probe connection), when in fact those packets were dropped due to changes in the firewall rules. These log entries may confuse debugging scenarios, but will typically self-correct (such as after three log message entries).
Workaround:
When configuring network traffic for 'MySQL' database resources, ensure symmetry for traffic handling (either bi-directional packet routing between 'bigd' and the 'MySQL' database is supported, or neither 'send' nor 'receive' packet routing to the 'MySQL' database is supported).
722682-1 : Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load★
Component: TMOS
Symptoms:
Loading configuration process failed after upgrade when pool member names contain colons. The system posts errors similar to the following:
01070226:3: Pool Member 443:10.10.10.10 references a nonexistent Virtual Server
Unexpected Error: Loading configuration process failed.
Conditions:
-- GTM pool member has colon in its name.
-- Upgrade to any of the following versions:
+ 12.1.3.x
+ Any 13.0.x
+ All 13.1.x earlier than 13.1.1.2
+ 14.0.x earlier than 14.0.0.3
Impact:
The system removes the part of the pool member name that precedes the colon, and configuration load fails. For example, when the configuration contains a pool member named example_pm:443:10:10:10:10, the system removes the part of the pool member name that precedes the first colon, in this case, example_pm, leaving the pool member name 443:10.10.10.10.
Workaround:
After upgrade, add two backslash characters, \\ before the first colon, : character.
1. Upgrade the BIG-IP DNS system to the new version of software.
2. SSH to log into the bash prompt of the BIG-IP DNS system.
3. Run the following command to add the string \\ in front of the first colon character, : in the name of each affected GTM pool member:
for j in $(find /config/ -name bigip_gtm.conf); do for i in $(awk '$0 ~ /^gtm server.*:/ {gsub("[/:]"," ",$0); print $4}' ${j}); do sed -i "s, /Common/${i}, /Common/${i}\\\\\\\,g" ${j} | grep " /Common/${i}"; done; done
4. Run the following command: load sys config gtm-only
Fix:
Configuration load no longer fails when upgrading with a configuration that contains BIG-IP DNS pools with members whose names contain colon characters.
722677-3 : BIG-IP HSB vulnerability CVE-2019-6604
Solution Article: K26455071
722387-2 : TMM may crash when processing APM DTLS traffic
Solution Article: K97241515
722380-3 : The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
Component: TMOS
Symptoms:
On platforms with HSB, if an HSB lockup occurs, then TMM panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. In certain cases, the reboot occurs before the core file is fully written, resulting in a truncated core.
Conditions:
-- Any platform with HSB.
-- An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.
Impact:
The reboot happens after the core dump begins before it completes, resulting in a truncated core dump, which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Reboot is delayed until TMM core file is completed.
722363-1 : Client fails to connect to server when using PVA offload at Established
Component: Local Traffic Manager
Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.
When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.
Conditions:
A FastL4 virtual server is configured with offload_state = EST.
Impact:
Clients fail to connect to the server.
Workaround:
There is no workaround other than to disable PVA acceleration.
722230-6 : Cannot delete FQDN template node if another FQDN node resolves to same IP address
Component: TMOS
Symptoms:
If multiple FQDN nodes and corresponding pool members are created, with FQDN names that resolve to the same (or a common) IP address, you may not be able to delete any of the affected FQDN nodes even after its corresponding FQDN pool member has been deleted.
Conditions:
This occurs under the following conditions
-- Multiple FQDN template nodes exist with FQDN names that resolve to the same (or a common) IP address.
-- FQDN pool members exist for each FQDN template node, with corresponding ephemeral pool members for each which share the same IP address.
-- One of the FQDN pool members is removed from its pool.
-- You attempt to delete the corresponding FQDN template node.
Impact:
The FQDN template node remains in the configuration and cannot be deleted, while an ephemeral node or pool member exists with an IP address corresponding to that FQDN name.
Workaround:
To work around this issue:
1. Remove all remaining conflicting FQDN pool members (with FQDN names that resolve to the shared/conflicting IP address).
2. Delete the desired FQDN node.
3. Re-create the remaining FQDN pool members to replace those removed in step 1.
722091-2 : TMM may crash while processing HTTP traffic
Solution Article: K64208870
722013-3 : MCPD restarts on all secondary blades post config-sync involving APM customization group
Component: Access Policy Manager
Symptoms:
After performing a series of specific config-sync operations between multi-blade systems, the MCPD daemon restarts on all secondary blades of one of the systems.
Each affected blade will log an error message similar to the following example:
-- err mcpd[5038]: 01070711:3: Caught runtime exception, Failed to collect files (snapshot path () req (7853) pmgr (7853) not valid msg (create_if { customization_group { customization_group_name "/Common/Test-A_secure_access_client_customization" customization_group_app_id "" customization_group_config_source 0 customization_group_cache_path "/config/filestore/files_d/Common_d/customization_group_d/:Common:Test-A_secure_access_client_customization_66596_1" customization_group_system_path "" customization_group_is_system 0 customization_group_access 3 customization_group_is_dynamic 0 customization_group_checksum "SHA1:62:fd61541c1097d460e42c50904684def2794ba70d" customization_group_create_time 1524643393 customization_group_last_update_time 1524643393 customization_group_created_by "admin" customization_group_last_updated_by "admin" customization_group_size 62 customization_group_mode 33188 customization_group_update_revision 1
Conditions:
This issue occurs when all of the following conditions are met:
- You have configured a device-group consisting of multi-blade systems (such as VIPRION devices or vCMP guests).
- Systems are provisioned for APM.
- The device-group is configured for incremental manual synchronizations.
- On one system (for example, source_system), you create an APM configuration object (for example, a connectivity profile) that causes the automatic creation of an associated customization group.
- You synchronize the configuration from the source_system to the device-group.
- On the source_system, you create a new configuration object of any kind (for example, an LTM node).
- Instead of synchronizing the newest configuration to the device-group, you synchronize the configuration from another device in the device-group to the source_system (which effectively undoes your recent change).
- The MCPD daemon restarts on all secondary blades of the source_system.
Impact:
While the MCPD daemon restarts, the blade is offline, and many other BIG-IP daemons need to restart along with MCPD.
-- If the source_system is Active, the load capacity of the system temporarily decreases proportionally to the number of blades restarting. Additionally, if the systems use the min-up-members or HA-Group features, losing a certain number of secondary blades may trigger a failover.
-- If the source_system is Standby, some of the previously mirrored information may become lost as TMM on secondary blades restarts along with MCPD. Should this system later become the Active system, traffic may be impacted by the lack of previously mirrored information.
Workaround:
None.
Fix:
The MCPD daemon no longer restarts on secondary blades after config-sync of APM.
721924-3 : BIG-IP ARM BGP vulnerability CVE-2018-17539
Solution Article: K17264695
721895-1 : Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)
Component: Global Traffic Manager (DNS)
Symptoms:
big3d advertises a TLSv1.0 version. Even though big3d requires previously exchanged certificates to validate a connection request, the TLSv1.0 advertisement triggers various vulnerability scanners and is flagged.
Conditions:
Running a vulnerability scanner or other SSL test tool.
Impact:
The scanner or tool reports that big3d might potentially accept a TLSv1.0 connection request (which is considered insecure). Vulnerability scanners then flag the BIG-IP system as vulnerable.
Workaround:
Although there is no workaround, because big3d accepts connections only from clients that match the certificates on the BIG-IP system, the risk is minimal.
In addition, you can deploy firewall rules to accept connections only on port 4353 from know BIG-IP systems.
Fix:
This version adds a db variable for the big3d
big3d.minimum.tls.version. By default the value is 'TLSv1'. You can also specify TLSV1.1 or TLSV1.2 (the setting is case insensitive).
After changing the DB variable, restart big3d. Change the value on all BIG-IP systems that are subject to scans. This includes GTM as well as LTM configurations.
721752-1 : Null char returned in REST for Suggestion with more than MAX_INT occurrences
Component: Application Security Manager
Symptoms:
Unable to view ASM event log details for a majority of violations.
Conditions:
Suggestion with more than MAX_INT (2,147,483,647) occurrences.
Impact:
Null char returned in REST for Suggestion with more than MAX_INT occurrences.
Workaround:
Use the following sql command:
UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647 where occurrence_count < 0;
Fix:
Null char is no longer returned in REST for Suggestion with more than MAX_INT occurrences.
721741-2 : BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
Component: Application Security Manager
Symptoms:
bd log spits this error.
-------
ECARD_POLICY|NOTICE|May 24 04:49:42.035|4143|table.h:2408|IPTableList::del_object key not found in table
ECARD|ERR |May 24 04:49:42.035|4143|table.h:0398|KEY_UPDATE: Failed to REMOVE data will continue to add
-------
Conditions:
Configuring IP Address Exceptions in certain order - w/ and w/o route domain.
Impact:
BD and BD_Agent out-of-sync for IP Address Exception, causes false positives / false negatives
Workaround:
There is no workaround at this time.
Fix:
System no longer generates these false positive/negative log entries.
721621-2 : Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
Component: Local Traffic Manager
Symptoms:
If an LTM pool is configured with only FQDN members, the DNS server resolves the FQDN to IP addresses that match statically-configured LTM nodes, and the IP address records returned by the DNS server change, an ephemeral pool member may not be added to the pool for the new IP address.
When in this state, if the FQDN template pool member is deleted from the pool, a new ephemeral pool member may be added corresponding to the last IP address record returned by the DNS server.
Conditions:
This may occur when:
1. Static nodes are configured which match addresses that may be returned in the DNS query for a given FQDN name.
2. An FQDN node is created with autopopulate disabled, for an address which may resolve to the same address as one of the static nodes.
3. This FQDN node is added (as a pool member) with autopopulate disabled, to a pool with no other non-FQDN members.
4. The DNS server resolves the FQDN name to an address that matches one of the static nodes.
5. A subsequent DNS query resolves the FQDN name to a different address that matches a different static node.
Impact:
In this case:
-- The original ephemeral member is removed from the pool.
-- A new ephemeral member for the new address may NOT be added to the pool.
-- In this state, if the FQDN template member is deleted from the pool, a new ephemeral member (i.e., the missing ephemeral with new IP address) is re-added to the pool.
Note. This symptom can occur only if the statically-configured node is created prior to an ephemeral pool member being created for the same IP address. If an ephemeral pool member and node are created first, it is not possible to create a statically-configured node or pool member using the same IP address.
Overall, traffic for the affected pool may not be sent to correct pool member (new ephemeral address).
If no other members are defined in the pool, traffic will be interrupted.
Workaround:
This issue can be prevented by:
-- Avoiding configuring a static (non-FQDN) node with an IP address that matches any address that might be returned by the DNS server when resolving the FQDN.
-- Adding a statically-configured pool member to the pool in addition to the FQDN template member.
Once the symptom occurs, recovery is possible by performing either of the following actions:
-- Delete the statically-configured node with the conflicting IP address.
-- Recreate the node using the following procedure:
1. Delete the FQDN template member from the pool.
2. Delete the orphaned ephemeral member from the pool.
3. Re-add the FQDN template member to the pool.
Fix:
When an FQDN pool member address resolves to the same IP address as an existing static node, the corresponding ephemeral pool member is successfully created and deleted as expected, including when the IP address returned by the DNS query changes.
721526-1 : tcpdump fails to write verbose packet data to file
Component: TMOS
Symptoms:
On some BIG-IP platforms, tcpdump is unable to write verbose packet data to a file (e.g., 'tcpdump -nni 2.1:nn -e -vvv -s 0 -w /tmp/dump.pcap').
Conditions:
Use tcpdump with -w and -v options on a front panel interface that is actively sending/receiving traffic.
This occurs on the following hardware:
-- BIG-IP 5000,7000, 10000, i5000, i7000, i10000, i11000, and i15000 platforms.
-- VIPRION B4400, B4300, B2200, and B2100 blades.
Impact:
Cannot use tcpdump to write verbose packet data to file.
Workaround:
There is no workaround at this time.
Fix:
The tcpdump operation is now able to write verbose packet data to file.
721399-3 : Signature Set cannot be modified to Accuracy = 'All' after another value
Component: Application Security Manager
Symptoms:
ASM Signature Set cannot be modified to Accuracy = 'All' after another value was used previously.
Conditions:
-- ASM Signature Set has a value set for Accuracy filter.
-- Accuracy is subsequently set to 'All'.
Impact:
The change to Accuracy = 'All' does not take effect. ASM Signature Set cannot be modified to Accuracy = 'All'.
Workaround:
You can use either of the following workarounds:
-- Delete and re-create the Signature Set with the desired value.
-- Modify the filter to a value that will match all results (such as Accuracy is greater than or equal to 'Low').
Fix:
ASM Signature Set can now be set to Accuracy = 'All' after a value was previously set.
721375 : Export then import of config with RSA server in it might fail
Component: Access Policy Manager
Symptoms:
If an exported policy configuration contains both an RSA server as well as the RSA-provided sdconf.rec and sdstatus.12 config files, policy import might fail.
Conditions:
-- RSA server and access profile are in the same, non-Common partition.
-- Exported policy contains an RSA server as well as both the RSA-provided sdconf.rec and sdstatus.12 config files.
Impact:
Unable to import the exported configuration. This occurs because of how the names for the files are resolved in the exported configuration.
Workaround:
Although there is no actual workaround, you can avoid this issue if the profile is outside of the partition. That case uses a different name resolution during the export, so import works as expected.
Fix:
You can now successfully import an exported policy containing an RSA server as well as both sdconf.rec and sdstatus.12 files.
720880 : Attempts to license/re-license the BIG-IP system fail.
Component: TMOS
Symptoms:
Attempts to activate or reactivate the license on the BIG-IP system results in failure messages.
Conditions:
No specific configurations are associated with this issue, but license activation/reactivation requests that include add-ons are more likely to fail.
This occurs under random conditions.
Impact:
The system is either unusable or very difficult to activate.
Workaround:
Because the conditions under which this issue occurs are random, additional licensing attempts might succeed.
Fix:
The source of the underlying problem has been corrected. No additional logs, error message, or user-interaction is involved.
720819-1 : Certain platforms may take longer than expected to detect and recover from HSB lock-ups
Component: TMOS
Symptoms:
In the unlikely event of a HSB lock-up, certain BIG-IP platforms may take longer than expected to detect and recover from the condition.
For instance, it may take several minutes for an affected unit to detect the condition and initiate the predefined failsafe action.
Instead, the recovery mechanism should trigger almost instantaneously.
Conditions:
This issue occurs when all of the following conditions are met:
-- The BIG-IP system is an i56xx/i58xx, i76xx/i78xx, or i106xx/i108xx platform.
-- The HSB locks-up due to a different issue.
Impact:
Traffic is negatively impacted until the BIG-IP system detects and remedies the condition. This might take up to 15 minutes before remedied by a reboot, depending on other traffic being processed.
Workaround:
None.
Fix:
The HSB lock-up is now promptly detected and remedied.
720799-3 : Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
Component: Local Traffic Manager
Symptoms:
When using FQDN pool members, if all ephemeral members are removed and replaced by a DNS query that returns an entirely new set of IP addresses (no overlap with previous DNS query results), all ephemeral pool members are removed before the new ephemeral pool members are created.
This results in a brief moment when there are no ephemeral members (that can receive traffic) in the pool.
Conditions:
A DNS query for the FQDN node in which the pool members belong, returns an entirely new set of IP addresses (no overlap with previous DNS query results).
Impact:
The brief moment during which there are no ephemeral members (that can receive traffic) in the pool can cause a Virtual Server or Virtual Address using that pool to flap.
Workaround:
It is possible to work around this issue by:
1. Adding a pool member with a statically-configured IP address.
2. Including multiple FQDN pool members in the pool, to limit the effect of the ephemeral members changing for a single FQDN pool member.
Fix:
When using FQDN pool members, ephemeral members whose IP addresses are not p