Supplemental Document : BIG-IP 12.1.6 Fixes and Known Issues

Applies To: BIG-IP APM, BIG-IP Analytics, BIG-IP Link Controller, BIG-IP LTM, BIG-IP AFM, BIG-IP PEM, BIG-IP FPS, BIG-IP DNS, BIG-IP ASM (all at version 12.1.6)

Updated Date: 04/06/2021

BIG-IP Release Information

Version: 12.1.6
Build: 9.0

Note: This content is current as of the software release date. Updates to bug information occur periodically; for the most up-to-date bug data, see Bug Tracker.



Cumulative fixes from BIG-IP v12.1.5.3 that are included in this release
Cumulative fixes from BIG-IP v12.1.5.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.5.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.5 that are included in this release
Cumulative fixes from BIG-IP v12.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.4 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.7 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.6 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.5 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.4 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.3 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v12.1.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
912221-4 CVE-2020-12662, CVE-2020-12663 K37661551 CVE-2020-12662 & CVE-2020-12663
917005-2 CVE-2020-8619 K19807532 ISC BIND Vulnerability: CVE-2020-8619
889557-4 CVE-2019-11358 K20455158 jQuery Vulnerability CVE-2019-11358
652848-2 CVE-2018-5501 K44200194 TCP DNS profile may impact performance
1002561-3 CVE-2021-23007 K37451543 TMM vulnerability CVE-2021-23007
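How to use these tables in practice: each Vulnerability Fixes row is ID, CVE(s), Solution Article (K number), Description, the other fix tables carry a Severity column instead of CVEs, and the sections below are cumulative, so a device on an older 12.1.x maintenance release lacks every fix listed under a newer section heading. The Python below is an added example, not F5's code and not part of this release note. It parses rows in this flattened layout, including CVE cells that a text export of these notes splits over several lines, skips the table of contents (a run of consecutive section headings), and reports which CVE fixes a device on a given 12.1.x release is missing. The sample rows are copied from this page; a fix is attributed to the heading it appears under, which this page presents as the first 12.1.x release that carried it. The comparison only holds within the 12.1.x branch (a 13.x or 14.x device needs its own release notes), and nothing under a Known Issues heading counts as a fix.

```python
import re
from dataclasses import dataclass

HEADING_RE = re.compile(r"^(?:Cumulative fixes from BIG-IP v(\d+(?:\.\d+)*(?: Hotfix \d+)?) that are included|Known Issues in BIG-IP)")
ID_RE = re.compile(r"^(\d{6,7}(?:-\d+)?)\s+(\S.*)$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
CVE_ANY_RE = re.compile(r"CVE-\d{4}-\d{4,}")
KB_RE = re.compile(r"^K\d{4,}$")
SEV_RE = re.compile(r"^[1-5]-[A-Za-z]+$")


@dataclass(frozen=True)
class Fix:
    fix_id: str
    section: str       # 12.1.x release that first carried the fix; None under Known Issues
    severity: str      # only the non-vulnerability tables have this column
    cves: tuple
    kb: str            # Solution Article (K number), empty when the page lists none
    description: str


def version_key(version):
    """'12.1.5.3' -> (12, 1, 5, 3, 0); '12.1.2 Hotfix 2' -> (12, 1, 2, 0, 2)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?: Hotfix (\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised BIG-IP version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts))) + (int(m.group(2) or 0),)


def parse_release_notes(text, release):
    """Rows above the first real section heading belong to `release` itself."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    heading = [bool(HEADING_RE.match(ln)) for ln in lines]
    fixes, section, i = [], release, 0
    while i < len(lines):
        if heading[i]:
            # A run of consecutive headings is the table of contents, not a section break.
            if not ((i > 0 and heading[i - 1]) or (i + 1 < len(lines) and heading[i + 1])):
                section = HEADING_RE.match(lines[i]).group(1)   # None for Known Issues
            i += 1
            continue
        m = ID_RE.match(lines[i])
        if not m:
            i += 1
            continue
        fix_id, cell = m.groups()
        tokens = cell.split()
        # A CVE cell split over several lines ends on the line that carries the K article.
        while all(CVE_RE.match(t.rstrip(",")) for t in tokens) and i + 1 < len(lines):
            i += 1
            tokens += lines[i].split()
        cves, severity, kb = [], "", ""
        while tokens and CVE_RE.match(tokens[0].rstrip(",")):
            cves.append(tokens.pop(0).rstrip(","))
        if tokens and SEV_RE.match(tokens[0]):
            severity = tokens.pop(0)
        if tokens and KB_RE.match(tokens[0]):
            kb = tokens.pop(0)
        description = " ".join(tokens)
        for cve in CVE_ANY_RE.findall(description):  # some rows name their CVEs only here
            if cve not in cves:
                cves.append(cve)
        fixes.append(Fix(fix_id, section, severity, tuple(cves), kb, description))
        i += 1
    return fixes


def missing_fixes(fixes, running):
    """Fixes on this page that a device on `running` (same 12.1.x branch) does not have."""
    key = version_key(running)
    return [f for f in fixes if f.section is not None and version_key(f.section) > key]


def unfixed_cves(fixes, running):
    return sorted({c for f in missing_fixes(fixes, running) for c in f.cves})


# Constructed excerpt: rows copied from this page, two CVE cells split across lines as a text export does.
SAMPLE = """\
Cumulative fixes from BIG-IP v12.1.5.3 that are included in this release
Known Issues in BIG-IP v12.1.x
Vulnerability Fixes
912221-4 CVE-2020-12662
CVE-2020-12663
K37661551 CVE-2020-12662 & CVE-2020-12663
912289-5 2-Critical   Cannot roll back after upgrading on certain platforms
Cumulative fixes from BIG-IP v12.1.5.3 that are included in this release
Vulnerability Fixes
955145-5 CVE-2021-22986 K03009991 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
953677-5 CVE-2021-22987, CVE-2021-22988 K18132488 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
734177 CVE-2012-6701
CVE-2018-5803
K42142782 CVE-2019-12190 : RHEL6 Kernel Vulnerability
Cumulative fixes from BIG-IP v12.1.5.2 that are included in this release
Vulnerability Fixes
895525-6 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
"""

FIXES = parse_release_notes(SAMPLE, "12.1.6")
```

Feed it the text export of this page and the version reported by tmsh show sys version on the device, then compare unfixed_cves() against the scanner findings for that host; rows under a Known Issues heading are kept with section None and never counted as fixes.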


Functional Change Fixes

ID Number Severity Solution Article(s) Description
912289-5 2-Critical   Cannot roll back after upgrading on certain platforms


TMOS Fixes

ID Number Severity Solution Article(s) Description
812237-4 2-Critical   i10000 series appliances with HDVC part number 505-0030 missing name in show sys hardware and on LCD
945109-6 4-Minor   Freetype Parser Skip Token Vulnerability CVE-2015-9382


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
938233-5 2-Critical   An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization
922317 2-Critical   Using the LSN::persistence_entry command in an iRule may cause crashes and/or stalled connections
718189-4 2-Critical   Unspecified IP traffic can cause low-memory conditions
953845-6 3-Major   After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart
825689-6 3-Major   Enhance FIPS crypto-user storage
643860-4 3-Major K41573401 Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly
522241-3 3-Major   Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete
693901-3 4-Minor   Active FTP data connection may change source port on client-side


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
960437-5 2-Critical   The BIG-IP system may initially fail to resolve some DNS queries
758772-5 3-Major   DNS Cache RRSET Evictions Stat not increasing
757464-4 3-Major   DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record
700118-2 3-Major   rrset statistics unavailable
677526-2 3-Major   Memory leak may occur during connflow failures.
529896-2 3-Major   DNS Cache can use cached data from ADDITIONAL sections in answers after RRset cache cleared
523198-1 3-Major   DNS resolver multiplexing might cause unexpected behaviors
853585-4 4-Minor   REST Wide IP object presents an inconsistent lastResortPool value
650038-1 4-Minor   tcp connect: errno and comm_point_tmm_recv_from messages
643455-2 4-Minor   Update TTL for equally trusted records only


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
980809-5 2-Critical   ASM REST Signature Rule Keywords Tool Hardening
968421-6 2-Critical   ASM attack signature does not match
940249-5 2-Critical   Sensitive data is not masked after "Maximum Array/Object Elements" is reached
940897-6 3-Major   Violations are reported against the wrong parameter when "Maximum Array/Object Elements" is reached
929001-6 3-Major   ASM form handling improvements
781605-2 3-Major   Fix RFC issue with the multipart parser
606614-1 3-Major   False-positive header related violation
824093-2 4-Minor   Parameters payload parser issue


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
882633-6 3-Major   Active Directory authentication does not follow current best practices


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
974205-6 3-Major   Unconstrained wr_urldbd size causing box to OOM
947057-5 3-Major   Traffic intelligence feeds do not follow best practices



Cumulative fixes from BIG-IP v12.1.5.3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
975233-5 CVE-2021-22992 K52510511 Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992
973333-1 CVE-2021-22991 K56715231 TMM buffer-overflow vulnerability CVE-2021-22991
955145-5 CVE-2021-22986 K03009991 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
954381-5 CVE-2021-22986 K03009991 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
953677-5 CVE-2021-22987, CVE-2021-22988 K18132488 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
950077-5 CVE-2021-22987, CVE-2021-22988 K18132488 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
981169-5 CVE-2021-22994 K66851119 F5 TMUI XSS vulnerability CVE-2021-22994
953729-5 CVE-2021-22989, CVE-2021-22990 K56142644 Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990
941449-6 CVE-2021-22993 K55237223 BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993
935721-2 CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 K82252291 ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624
933741-6 CVE-2021-22979 K63497634 BIG-IP FPS XSS vulnerability CVE-2021-22979
932065-5 CVE-2021-22978 K87502622 iControl REST vulnerability CVE-2021-22978
921337-4 CVE-2021-22976 K88230177 BIG-IP ASM WebSocket vulnerability CVE-2021-22976
917509-6 CVE-2020-27718 K58102101 BIG-IP ASM vulnerability CVE-2020-27718
911761-6 CVE-2020-5948 K42696541 F5 TMUI XSS vulnerability CVE-2020-5948
908673-1 CVE-2020-27717 K43850230 TMM may crash while processing DNS traffic
879745-7 CVE-2020-5942 K82530456 TMM may crash while processing Diameter traffic
846917-6 CVE-2019-10744 K47105354 lodash Vulnerability: CVE-2019-10744
837773-5 CVE-2020-5912 K12936322 Restjavad Storage and Configuration Hardening
750292-3 CVE-2019-6592 K54167061 TMM may crash when processing TLS traffic
939845-5 CVE-2021-23004 K31025212 BIG-IP MPTCP vulnerability CVE-2021-23004
939841-5 CVE-2021-23003 K43470422 BIG-IP MPTCP vulnerability CVE-2021-23003
935401-6 CVE-2021-23001 K06440657 BIG-IP ASM iControl REST vulnerability CVE-2021-23001
932697 CVE-2021-23000 K34441555 BIG-IP TMM vulnerability CVE-2021-23000
904937-6 CVE-2020-27725 K25595031 Excessive resource consumption in zxfrd
898949-5 CVE-2020-27724 K04518313 APM may consume excessive resources while processing VPN traffic
880361-5 CVE-2021-22973 K13323323 iRules LX vulnerability CVE-2021-22973
859089-2 CVE-2020-5907 K00091341 TMSH allows SFTP utility access
842717-2 CVE-2020-5855 K55102004 BIG-IP Edge Client for Windows vulnerability CVE-2020-5855
832757-2 CVE-2017-18551 K48073202 Linux kernel vulnerability CVE-2017-18551
811789-5 CVE-2020-5915 K57214921 Device trust UI hardening
751036-4 CVE-2020-27721 K52035247 Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
743105-5 CVE-2021-22998 K31934524 BIG-IP SNAT vulnerability CVE-2021-22998
734177 CVE-2012-6701, CVE-2015-8830, CVE-2016-8650, CVE-2017-2671, CVE-2017-6001, CVE-2017-7308, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9075, CVE-2017-9076, CVE-2017-9077, CVE-2017-12190, CVE-2017-15121, CVE-2017-18203, CVE-2018-1130, CVE-2018-3639, CVE-2018-5803 K42142782 CVE-2019-12190: RHEL6 Kernel Vulnerability
693360-6 CVE-2020-27721 K52035247 A virtual server status changes to yellow while still available
681535 CVE-2017-2628 K35453761 The fix for CVE-2015-3148 in curl was incomplete
818177-7 CVE-2019-12295 K06725231 CVE-2019-12295 Wireshark Vulnerability
746091-4 CVE-2019-19151 K21711352 TMSH Vulnerability: CVE-2019-19151
717276-3 CVE-2020-5930 K20622530 TMM Route Metrics Hardening


Functional Change Fixes

ID Number Severity Solution Article(s) Description
724556-1 2-Critical   icrd_child spawns more than maximum allowed times (zombie processes)
657912-1 3-Major   PIM can be configured to use a floating self IP address
760234-3 4-Minor   Configuring Advanced shell for Resource Administrator User has no effect


TMOS Fixes

ID Number Severity Solution Article(s) Description
860517-5 2-Critical   MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
841953-2 2-Critical   A tunnel can be expired when going offline, causing tmm crash
841333-2 2-Critical   TMM may crash when tunnel used after returning from offline
817085-1 2-Critical   Multicast Flood Can Cause the Host TMM to Restart
780817-3 2-Critical   TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
769817-5 2-Critical   BFD fails to propagate sessions state change during blade restart
737322-1 2-Critical   tmm may crash at startup if the configuration load fails
706521-6 2-Critical K21404407 The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password
648270-4 2-Critical   mcpd can crash if viewing a fast-growing log file through the GUI
948769-2 3-Major   TMM panic with SCTP traffic
888497-6 3-Major   Cacheable HTTP Response
887089-6 3-Major   Upgrade can fail when filenames contain spaces
871657-4 3-Major   Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
842189-1 3-Major   Tunnels removed when going offline are not restored when going back online
814585-6 3-Major   PPTP profile option not available when creating or modifying virtual servers in GUI
810957-6 3-Major   Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core
807005-6 3-Major   Save-on-auto-sync is not working as expected with large configuration objects
800185-1 3-Major   Saving a large encrypted UCS archive may fail and might trigger failover
794501-5 3-Major   Duplicate if_indexes and OIDs between interfaces and tunnels
783113-2 3-Major   BGP sessions remain down upon new primary slot election
760950-1 3-Major   Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment
760439-1 3-Major   After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
759596-4 3-Major   Tcl errors in iRules 'table' command
757520 3-Major   After a software upgrade, the BIG-IP system does not use the correct hostname for logging.
749785-3 3-Major   nsm can become unresponsive when processing recursive routes
749007-4 3-Major   South Sudan, Sint Maarten, and Curacao country missing in GTM region list
745261-3 3-Major   The TMM process may crash in some tunnel cases
742628-6 3-Major   A tmsh session initiation adds increased control plane pressure
739872-3 3-Major   The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover
738943-1 3-Major   imish command hangs when ospfd is enabled
724109-5 3-Major   Manual config-sync fails after pool with FQDN pool members is deleted
720569-2 3-Major   Disaggregation algorithm distributing traffic unequally across CPU cores on Virtual Edition
699091-1 3-Major   SELinux denies console access for remote users.
698429-3 3-Major   Misleading log error message: Store Read invalid store addr 0x3800, len 10
688399-5 3-Major   HSB failure results in continuous TMM restarts
687115-1 3-Major   SNMP performance can be impacted by a long list of allowed-addresses
680917-2 3-Major   Invalid monitor rule instance identifier
678456-2 3-Major   ZebOS BGP peer-group configuration not fixed up on upgrade
672063-1 3-Major K38335326 Misconfigured GRE tunnel and route objects may cause an ill-formed routing loop inside the TMM, resulting in a TMM crash.
626589-6 3-Major K73230273 iControl-SOAP prints beyond log buffer
620311-1 3-Major   GUI Failover Unicast Address information incorrect
605675-1 3-Major   Sync requests can be generated faster than they can be handled
600732-2 3-Major   IKEv1 racoon daemon dangling pointer from phase-one SA to deleted peer description
489572-2 3-Major K60934489 Sync fails if file object is created and deleted before sync to peer BIG-IP
933461-1 4-Minor   BGP multi-path candidate selection does not work properly in all cases.
931837-4 4-Minor   NTP has predictable timestamps
902417-1 4-Minor   Configuration error caused by Drafts folder in a deleted custom partition
831293-1 4-Minor   SNMP address-related GET requests slow to respond.
801637-2 4-Minor   Cmp_dest on C2200 platform may give incorrect results
721526-1 4-Minor   tcpdump fails to write verbose packet data to file
685582-5 4-Minor   Incorrect output of b64 unit key hash by command f5mku -f
664524 4-Minor   CVE-2017-2636: a race condition in the N_HDLC Linux kernel line discipline driver can lead to a double free; CVE-2016-7910: a flaw in the Linux kernel's seq_file implementation can lead to memory corruption


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
715032-6 1-Blocking K73302459 iRulesLX Hardening
941089-5 2-Critical   TMM core when using Multipath TCP
842937-1 2-Critical   TMM crash due to failed assertion 'valid node'
743950-3 2-Critical   TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled
740228-3 2-Critical   TMM crash while sending a DHCP Lease Query to a DHCP server
949145-2 3-Major   Improve TCP's response to partial ACKs during loss recovery
915281-7 3-Major   Do not rearm TCP Keep Alive timer under certain conditions
879413-5 3-Major   Statsd fails to start if one or more of its *.info files becomes corrupted
851789-1 3-Major   SSL monitors flap with client certs with private key stored in FIPS
851045-5 3-Major   LTM database monitor may hang when monitored DB server goes down
814761-4 3-Major   PostgreSQL monitor fails on second ping with count != 1
807821-1 3-Major   ICMP echo requests occasionally go unanswered
805017-4 3-Major   DB monitor marks pool member down if no send/recv strings are configured
796993-2 3-Major   Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
790205-1 3-Major   Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core
785481-5 3-Major   A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached
770477-4 3-Major   SSL aborted when client_hello includes both renegotiation info extension and SCSV
755997-3 3-Major   Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address
753805-2 3-Major   BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.
750473-2 3-Major   Virtual address status changes made while 'disabled' are not taken into account after it is 'enabled' again
724824-5 3-Major   Ephemeral nodes on peer devices report as unknown and unchecked after full config sync
722707-1 3-Major   mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
687887-4 3-Major   Unexpected result from multiple changes to a monitor-related object in a single transaction
686059-1 3-Major   FDB entries for existing VLANs may be flushed when creating a new VLAN.
608952-5 3-Major   MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2
604811-3 3-Major   Under certain conditions TMM may crash while processing OneConnect traffic
516307-2 3-Major K35152864 Multiple Relay in DHCP relay is not working.
409340-1 3-Major K63086108 https/ssl monitor closes immediately (rather than awaiting remote close-notify)
822025-5 4-Minor   HTTP response not forwarded to client during an early response
808409-2 4-Minor   Unable to specify if giaddr will be modified in DHCP relay chain
781225-4 4-Minor   HTTP profile Response Size stats incorrect for keep-alive connections
769309-4 4-Minor   DB monitor reconnects to server on every probe when count = 0
746077-2 4-Minor   If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified
726983-5 4-Minor   Inserting multi-line HTTP header not handled correctly


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
702457-3 3-Major   DNS Cache connections remain open indefinitely


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
927617-5 2-Critical   "Illegal Base64 value" violation is detected for cookie with valid base64 value
943125-5 3-Major   Web-Socket request with JSON payload causing core during the payload parsing
941853-4 3-Major   Logging Profiles do not disassociate from virtual server when multiple changes are made
918933-5 3-Major K88162221 The BIG-IP ASM system may not properly perform signature checks on cookies
848445-5 3-Major K86285055 Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer
833685-2 3-Major   Idle async handlers can remain loaded for a long time doing nothing
712336-3 3-Major   bd daemon restart loop
686763-2 3-Major   asm_start is consuming too much memory
630355-3 3-Major K57041868 Local Logs Missing Or Recorded Found For Incorrect Policy


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
727031-2 1-Blocking   TMM restart in B2250 vCMP systems, and ping/monitor failures in non-B2250 vCMP systems.
760629-1 3-Major   Remove Obsolete APM keys in BigDB
739570-1 3-Major   Unable to install EPSEC package
766017-5 4-Minor   [APM][LocalDB] Local user database instance name length check inconsistencies


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
621284-5 3-Major   Incorrect TMSH help text for the 'max-response' RAMCACHE attribute


Service Provider Fixes

ID Number Severity Solution Article(s) Description
939529-5 3-Major   Branch parameter not parsed properly when topmost via header received with comma separated values
747909-2 4-Minor   GTPv2 MEI and Serving-Network fields decoded incorrectly


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
726154-1 3-Major   TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
753014-2 3-Major   PEM iRule action with RULE_INIT event fails to attach to PEM policy


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
940401-5 5-Cosmetic   Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
913441-1 2-Critical   Tmm cores while doing Hitless Upgrade while there are active flows
949861 3-Major   Wr_urldbd returns unknown results for customdb on some blades
741994 4-Minor   Cleanup Webroot database files when database fail to download
674795-1 4-Minor   tmsh help/man page incorrectly states that the urldb feedlist polling interval is in seconds; it is in hours.



Cumulative fixes from BIG-IP v12.1.5.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
895525-6 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
909237-2 CVE-2020-8617 K05544642 CVE-2020-8617: BIND Vulnerability
909233-2 CVE-2020-8616 K97810133 DNS Hardening
905905-5 CVE-2020-5904 K31301245 TMUI CSRF vulnerability CVE-2020-5904
895993-6 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
895981-6 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
895881-5 CVE-2020-5903 K43638305 BIG-IP TMUI XSS vulnerability CVE-2020-5903
883717-5 CVE-2020-5914 K37466356 BD crash on specific server cookie scenario
882185-3 CVE-2020-5897 K20346072 BIG-IP Edge Client Windows ActiveX
879025-7 CVE-2020-5913 K72752002 When processing TLS traffic, LTM may not enforce certificate chain restrictions
841577-7 CVE-2020-5922 K20606443 iControl REST hardening
839453-1 CVE-2019-10744 K47105354 lodash library vulnerability CVE-2019-10744
830401-6 CVE-2020-5877 K54200228 TMM may crash while processing TCP traffic with iRules
819197-7 CVE-2019-13135 K20336394 BIGIP: CVE-2019-13135 ImageMagick vulnerability
819189-6 CVE-2019-13136 K03512441 BIGIP: CVE-2019-13136 ImageMagick vulnerability
788057-6 CVE-2020-5921 K00103216 MCPD may crash while processing syncookies
626360 CVE-2017-6163 K22541983 TMM may crash when processing HTTP2 traffic
886085-7 CVE-2020-5925 K45421311 BIG-IP TMM vulnerability CVE-2020-5925
883097-3 CVE-2020-5924 K11400411 Radius authentication may consume excessive resources
881445-3 CVE-2020-5898 K69154630 BIG-IP Edge Client for Windows vulnerability CVE-2020-5898
872673-5 CVE-2020-5918 K26464312 TMM can crash when processing SCTP traffic
870273-1 CVE-2020-5936 K44020030 TMM may consume excessive resources when processing SSL traffic
860477-7 CVE-2020-5906 K82518062 SCP hardening
858025-6 CVE-2021-22984 K33440533 BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984
848405-7 CVE-2020-5933 K26244025 TMM may consume excessive resources while processing compressed HTTP traffic
838881-6 CVE-2020-5853 K73183618 APM Portal Access Vulnerability: CVE-2020-5853
837837-6 CVE-2020-5917 K43404629 F5 SSH server key size vulnerability CVE-2020-5917
832885-6 CVE-2020-5923 K05975972 Self-IP hardening
829121-6 CVE-2020-5886 K65720640 State mirroring default does not require TLS
829117-6 CVE-2020-5885 K17663061 State mirroring default does not require TLS
888493-6 CVE-2020-5928 K40843345 ASM GUI Hardening
852929-4 CVE-2020-5920 K25160703 AFM WebUI Hardening
838909-2 CVE-2020-5893 K97733133 BIG-IP APM Edge Client vulnerability CVE-2020-5893
823893-5 CVE-2020-5890 K03318649 Qkview may fail to completely sanitize LDAP bind credentials
749324-4 CVE-2012-6708 K62532311 jQuery Vulnerability: CVE-2012-6708
760723-4 CVE-2015-4037 K64765350 Qemu Vulnerability


Functional Change Fixes

ID Number Severity Solution Article(s) Description
858229-1 3-Major K22493037 XML with sensitive data gets to the ICAP server
858189-6 3-Major   Make restnoded/restjavad/icrd timeout configurable with sys db variables.
643459-3 3-Major K81809012 Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy


TMOS Fixes

ID Number Severity Solution Article(s) Description
767013-5 2-Critical   Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
749388-4 2-Critical   'table delete' iRule command can cause TMM to crash
743082-3 2-Critical   Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members
737055-3 2-Critical   Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy
795649-1 3-Major   Loading UCS from one iSeries model to another causes FPGA to fail to load
788577-2 3-Major   BFD sessions may be reset after CMP state change
762073-3 3-Major   Continuous TMM restarts when HSB drops off the PCI bus
754460 3-Major   No failover on HA Dual Chassis setup using HA score
741902-4 3-Major   sod does not validate message length vs. received packet length
725791-3 3-Major K44895409 Potential HW/HSB issue detected
722380-3 3-Major   The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
648621-1 3-Major   SCTP: Multihome connections may not expire
619873-2 3-Major   Secure Vault: Key cleanup for 5000-, 7000-series, and i-Series platforms
559001-1 3-Major   Unable to clear LCD messages and Alarm LED state on non-iSeries platforms
743815-4 4-Minor   vCMP guest observes connflow reset when a CMP state change occurs.
722230-6 4-Minor   Cannot delete FQDN template node if another FQDN node resolves to same IP address
660760-1 4-Minor K75105750 DNS graphs fail to display in the GUI


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
831325-4 2-Critical K10701310 HTTP PSM detects more issues with Transfer-Encoding headers
757578-5 2-Critical   RAM cache is not compatible with verify-accept
747617-4 2-Critical   TMM core when processing invalid timer
705768-4 2-Critical   The dynconfd process may core and restart with multiple DNS name servers configured
860005-5 3-Major   Ephemeral nodes/pool members may be created for wrong FQDN name
858301-5 3-Major K27551003 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
858297-5 3-Major K27551003 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
803233-5 3-Major   Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
784565-5 3-Major   VLAN groups are incompatible with fast-forwarded flows
766169-1 3-Major   Replacing all VLAN interfaces resets VLAN MTU to a default value
755727-4 3-Major   Ephemeral pool members not created after DNS flap and address record changes
720440 3-Major   Radius monitor marks pool members down after 6 seconds
704450-2 3-Major   bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
689361-3 3-Major   Configsync can change the status of a monitored pool member
655724-3 3-Major K15695 MSRDP persistence does not work across route domains.
640809-1 3-Major K79892782 Merged constantly restarts
582207-7 3-Major   MSS may exceed MTU when using HW syncookies
575642-1 3-Major   rst_cause of "Internal error"
594064-2 4-Minor K57004151 tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
760471-5 3-Major   GTM iQuery connections may be reset during SSL key renegotiation.
746348-3 3-Major   On rare occasions, gtmd fails to process probe responses originating from the same system.
708421-1 3-Major K52142743 DNS::question 'set' options are applied to packet, but not to already parsed dns_msg
704198-1 3-Major K29403988 Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
681010-1 3-Major K33572148 'Referer' is not masked when 'Query String' contains sensitive parameter


Service Provider Fixes

ID Number Severity Solution Article(s) Description
866021-5 3-Major   Diameter Mirror connection lost on the standby due to "process ingress error"
815877-5 3-Major   Information Elements with zero-length value are rejected by the GTP parser
747187-4 3-Major   SIP falsely detects media flow collision when SDP is in both 183 and 200 response
745404-3 3-Major   MRF SIP ALG does not reparse SDP payload if replaced
741951-3 3-Major   Multiple extensions in SIP NOTIFY request cause message to be dropped.
651886-1 3-Major   Certain FIX messages are dropped
836357-2 4-Minor   SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
788513-5 4-Minor   Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
816529 3-Major   If wr_urldbd is restarted while queries are running against the Custom DB, further lookups cannot be made after wr_urldbd comes back up from the restart.



Cumulative fixes from BIG-IP v12.1.5.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
852445-6 CVE-2019-6477 K15840535 BIG-IP: CVE-2019-6477 BIND Vulnerability
818709-5 CVE-2020-5858 K36814487 TMSH does not follow current best practices
818429-1 CVE-2020-5857 K70275209 TMM may crash while processing HTTP traffic
805837-5 CVE-2019-6657 K22441651 REST does not follow current design best practices
795437-1 CVE-2019-6677 K06747393 Improve handling of TCP traffic for iRules
795197-4 CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 K26618426 Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
781377-3 CVE-2019-6681 K93417064 tmrouted may crash while processing Multicast Forwarding Cache messages
780601-5 CVE-2020-5873 K03585731 SCP file transfer hardening
778077-2 CVE-2019-6680 K53183580 Virtual to virtual chain can cause TMM to crash
767373-4 CVE-2019-8331 K24383845 CVE-2019-8331: Bootstrap Vulnerability
759343-3 CVE-2019-6668 K49827114 MacOS Edge Client installer does not follow best security practices
737731-3 CVE-2019-6622 K44885536 iControl REST input sanitization
809165-5 CVE-2020-5854 K50046200 TMM may crash while processing connector traffic
805557-5 CVE-2020-5882 K43815022 TMM may crash while processing crypto data
795797-5 CVE-2019-6658 K21121741 AFM WebUI Hardening
788773-5 CVE-2019-9515 K50233772 HTTP/2 Vulnerability: CVE-2019-9515
788769-5 CVE-2019-9514 K01988340 HTTP/2 Vulnerability: CVE-2019-9514
782529-5 CVE-2019-6685 K30215839 iRules does not follow current design best practices
773673-5 CVE-2019-9512 K98053339 HTTP/2 Vulnerability: CVE-2019-9512
768981-5 CVE-2019-6670 K05765031 VCMP Hypervisor Hardening
761144-2 CVE-2019-6684 K95117754 Broadcast frames may be dropped
761112-6 CVE-2019-6683 K76328112 TMM may consume excessive resources when processing FastL4 traffic
761014-5 CVE-2019-6669 K11447758 TMM may crash while processing local traffic
725551-5 CVE-2019-6682 K40452417 ASM may consume excessive resources
857669 CVE-2020-5908 K33023560 BIG-IP Edge Client may log sensitive data on Linux client
811109 CVE-2020-5861 K22113131 TMM RAM Cache Vulnerability: CVE-2020-5861
789893-5 CVE-2019-6679 K54336216 SCP file transfer hardening
779177-5 CVE-2019-19150 K37890841 Apmd logs "client-session-id" when access-policy debug log level is enabled
773653-3 CVE-2019-6656 K23876153 APM Client Logging
773649-3 CVE-2019-6656 K23876153 APM Client Logging
773641-3 CVE-2019-6656 K23876153 APM Client Logging
773637-3 CVE-2019-6656 K23876153 APM Client Logging
773633-3 CVE-2019-6656 K23876153 APM Client Logging
773621-3 CVE-2019-6656 K23876153 APM Client Logging
738236-3 CVE-2019-6688 K25607522 UCS does not follow current best practices
712876-4 CVE-2017-8824 K15526101 CVE-2017-8824: Kernel Vulnerability


Functional Change Fixes

ID Number Severity Solution Article(s) Description
819397-4 1-Blocking K50375550 TMM does not enforce RFC compliance when processing HTTP traffic
769193-3 3-Major   Added support for faster congestion window increase in slow-start for stretch ACKs
557322-1 3-Major   Sensitive monitor parameters recorded in bigd and monitor logs


TMOS Fixes

ID Number Severity Solution Article(s) Description
765533-5 2-Critical K58243048 Sensitive information logged when DEBUG logging enabled
621260-5 2-Critical   mcpd core on iControl REST reference to non-existing pool
812981-1 3-Major   MCPD: memory leak on standby BIG-IP device
809205-2 3-Major   CVE-2019-3855: libssh2 Vulnerability
641450 3-Major K30053855 A transaction that deletes and recreates a virtual may result in an invalid configuration
625901-1 3-Major   SNAT pools allow members in different partitions to be assigned, but this causes a load failure
620954-3 3-Major   Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
618137-1 3-Major   Native IXLV: New tagged VLAN does not work after several restarts of tmm
614808-1 3-Major   Running qkview with option -c (--complete) fails if there is an encrypted key
600944-1 3-Major   tmsh does not reset route domain to 0 after cd /Common and loading bash
596815-1 3-Major   System DNS nameserver and search order configuration does not always sync to peers
595317-4 3-Major   Forwarding address for Type 7 in ospfv3 is not updated in the database
584041 3-Major   If a forward slash '/' is used in the description field, the admin user will be demoted to guest.
516167-2 3-Major K21382264 TMSH listing with wildcards prevents the child object from being displayed
503482-2 3-Major   BGP cannot redistribute IPv4 routes learned from OSPFv3.
638960-2 4-Minor   A subset of the BIG-IP default profiles can be incorrectly deleted
638893-1 4-Minor   Reference to SOL14556 instead of K14556 in tmsh modify net interface X.X media command
625428-1 4-Minor   SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit
624909-2 4-Minor   Static route create validation is less stringent than static route delete validation
623536-2 4-Minor   SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent
620522-1 4-Minor   Some expected command output is missing in qkview
591732-2 4-Minor   Local password policy not enforced when auth source is set to a remote type.
590415-1 4-Minor   Partition can be removed when remote role info entries refer to it
589862-6 4-Minor   HA Group percent-up display value is truncated, not rounded
590399-1 5-Cosmetic K11304001 Unnecessary logging during startup: 'Unable to connect to MCPD' and 'Errdefsd is starting'.
571634-1 5-Cosmetic   tmstat CPU values can be incorrect


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
826601-2 2-Critical   Prevent receive window shrinkage for looped flows that use a SYN cookie
787825-4 2-Critical K58243048 Database monitors debug logs have plaintext password printed in the log file
639764-2 2-Critical   Crash when searching external data-groups with records that do not have values
616298-1 2-Critical   Loading the configuration fails when a virtual server uses HTTP Strict Transport Security (HSTS).
615303-2 2-Critical K47381511 bigd crash with Tcl monitors
788325-5 3-Major K39794285 Header continuation rule is applied to request/response line
773421-5 3-Major   Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
761185-5 3-Major K50375550 Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic
663730-1 3-Major   Bigd prematurely kills child/external monitor process if WIFCONTINUED signal received
643041-4 3-Major K64451315 Less than optimal interaction between OneConnect and proxy MSS
636842-1 3-Major K51472519 A FastL4 virtual server may drop a FIN packet when mirroring is enabled
601189-2 3-Major   The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
594751-3 3-Major K90535529 LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN
567330-1 5-Cosmetic   tmsh show sys memory on secondaries will generate innocuous error


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
662308-1 2-Critical   BD core
636669-3 2-Critical K37300224 bd logs are full of 'Can't run patterns' messages
635977-1 2-Critical   Bd core on specific out of memory scenario
620301-4 2-Critical   Policy import fails due to missing signature System in associated Signature Set
854177-1 3-Major   ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
850673-5 3-Major   BD sends bad ACKs to the bd_agent for configuration
832205-2 3-Major   ASU cannot be completed after Signature Systems database corruption following binary Policy import
831661-5 3-Major   ASMConfig Handler undergoes frequent restarts
809125-4 3-Major   CSRF false positive
793149-1 3-Major   Adding the Strict-transport-Policy header to internal responses
785009-1 3-Major   Binary policy import fails with a user-defined Signature Set containing only non-existent signatures
783505-1 3-Major   ASU is very slow on device with hundreds of policies due to table checksums
765809 3-Major   Memory increases for the bd daemon on cluster environment primary blade
725879 3-Major   Internet Explorer running on Windows phone 8.1 gets CAPTCHA during legitimate browsing
755005-4 4-Minor   Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
747560-2 4-Minor   ASM REST: Unable to download Whitehat vulnerabilities


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
825049-2 1-Blocking   Windows code signing certificate update 2019
685862-2 3-Major   BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message


Service Provider Fixes

ID Number Severity Solution Article(s) Description
642211-2 3-Major   Warning logged when GENERICMESSAGE::message drop iRule command used


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
602098-1 3-Major   Translation object created in non-Common partition is visible in the policy created for Common partition


Device Management Fixes

ID Number Severity Solution Article(s) Description
627341-1 3-Major   TMUI loginProviderName is invalid when requesting a REST token



Cumulative fixes from BIG-IP v12.1.5 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
807477-4 CVE-2019-6650 K04280042 ConfigSync Hardening
797885-5 CVE-2019-6649 K05123525 ConfigSync Hardening
796469-1 CVE-2019-6649 K05123525 ConfigSync Hardening
810557-5 CVE-2019-6649 K05123525 ASM ConfigSync Hardening
799617-5 CVE-2019-6649 K05123525 ConfigSync Hardening
799589-5 CVE-2019-6649 K05123525 ConfigSync Hardening
794389-5 CVE-2019-6651 K89509323 iControl REST endpoint response inconsistency
771873-2 CVE-2019-6642 K40378764 TMSH Hardening
762453-4 CVE-2020-5872 K63558580 Hardware cryptography acceleration may fail
758065-3 CVE-2019-6667 K82781208 TMM may consume excessive resources while processing FIX traffic
757023-5 CVE-2018-5743 K74009656 BIND vulnerability CVE-2018-5743
756538-2 CVE-2019-6645 K15759349 Failure to open data channel for active FTP connections mirrored across a high availability (HA) pair.
739971-3 CVE-2018-5391 K74374841 Linux kernel vulnerability: CVE-2018-5391
737574-3 CVE-2019-6621 K20541896 iControl REST input sanitization
737565-3 CVE-2019-6620 K20445457 iControl REST input sanitization
726393-5 CVE-2019-6643 K36228121 DHCPRELAY6 can lead to a tmm crash
715923-3 CVE-2018-15317 K43625118 When processing TLS traffic TMM may terminate connections unexpectedly
794413-5 CVE-2019-6471 K10092301 BIND vulnerability CVE-2019-6471
758018-2 CVE-2019-6661 K61705126 APD/APMD may consume excessive resources
757455-4 CVE-2019-6647 K87920510 Excessive resource consumption when processing REST requests
745257-4 CVE-2018-14634 K20934447 Linux kernel vulnerability: CVE-2018-14634
702469-4 CVE-2019-6633 K73522927 Appliance mode hardening in scp
679861-2 CVE-2019-6655 K31152411 Weak Access Restrictions on the AVR Reporting Interface


Functional Change Fixes

ID Number Severity Solution Article(s) Description
744937-4 3-Major K00724442 BIG-IP DNS and GTM DNSSEC security exposure


TMOS Fixes

ID Number Severity Solution Article(s) Description
707509-3 1-Blocking   Initial vCMP guest creations can fail if certain hotfixes are used
769809-1 2-Critical   The vCMP guests are 'INOPERATIVE' after upgrade
750586-3 2-Critical   HSL may incorrectly handle pending TCP connections with elongated handshake time.
748205-2 2-Critical   SSD bay identification incorrect for RAID drive replacement
744331-1 2-Critical   OpenSSH hardening
743790-4 2-Critical   BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus
734539-2 2-Critical   The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads
726487-1 2-Critical   MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
710277-2 2-Critical   IKEv2 further child_sa validity checks
693996-3 2-Critical K42285625 MCPD sync errors and restart after multiple modifications to file object in chassis
685458-5 2-Critical K44738140 merged fails merging a table when a table row has incomplete keys defined.
671741-4 2-Critical   LCD on iSeries devices can lock at red 'loading' screen.
653152-1 2-Critical   Support RSASSA-PSS-SIGN in F5 crypto APIs.
788301-2 3-Major K58243048 SNMPv3 Hardening
777261-1 3-Major   When SNMP cannot locate a file it logs messages repeatedly
758527-5 3-Major K39604784 BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
758119-3 3-Major K58243048 qkview may contain sensitive information
747592-4 3-Major   PHP vulnerability CVE-2018-17082
746266-4 3-Major   A vCMP guest VLAN MAC mismatch across blades.
745405 3-Major   Under heavy SSL traffic, sw crypto codec queue is stuck and taken out of service without failover
743803-5 3-Major   IKEv2 potential double free of object when async request queueing fails
738445-1 3-Major   IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup
737437-1 3-Major   IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages
663924-2 3-Major   Qkview archives include Kerberos keytab files
641753-2 3-Major   Syncookies activated on a genuine connection get reset almost 30-50% of the time
599543-3 3-Major   Cannot update (overwrite) PKCS#12 SSL cert & key while referenced in SSL profile
575919-3 3-Major   Running concurrent TMSH instances can result in error in access to history file
523797-2 3-Major   Upgrade: file path failure for process name attribute in snmp.
726317-3 4-Minor   Improved debugging output for mcpd
692165-2 4-Minor   A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token
662372-1 4-Minor K41250179 Uploading a new device certificate file via the GUI might not update the device certificate
631334-4 4-Minor K69038629 TMSH does not preserve \? for config save/load operations
520877-1 4-Minor   Alerts sent by the lcdwarn utility are not shown in tmsh
479471-1 4-Minor K00342205 CPU statistics reported by the tmstat command may spike or go negative


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
759968-1 1-Blocking   Distinct vCMP guests are able to cluster with each other.
757391-1 2-Critical   Datagroup iRule command class can lead to memory corruption
756450-3 2-Critical   Traffic using route entry that's more specific than existing blackhole route can cause core
752930 2-Critical   Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
740963-3 2-Critical   VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart
738046-3 2-Critical   SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby
724214-2 2-Critical   TMM core when using Multipath TCP
671714-2 2-Critical   Empty persistence cookie name inserted from policy can cause TMM to crash
667779-2 2-Critical   iRule commands may cause the TMM to crash in very rare situations.
474797-7 2-Critical   Nitrox crypto hardware may attempt soft reset while currently resetting
760550-2 3-Major   Retransmitted TCP packet has FIN bit set
759480-1 3-Major   HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash
758872-1 3-Major   TMM memory leak
758631-1 3-Major   ec_point_formats extension might be included in the server hello even if not specified in the client hello
756270-1 3-Major   SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
749414-1 3-Major   Invalid monitor rule instance identifier error
749294-1 3-Major   TMM cores when query session index is out of boundary
742237-1 3-Major   CPU spikes appear wider than actual in graphs
740959-1 3-Major   User with manager rights cannot delete FQDN node on non-Common partition
739963-1 3-Major   TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
727292-2 3-Major   SSL in proxy shutdown case does not deliver server TCP FIN
726232-1 3-Major   iRule drop/discard may crash tmm
720219-1 3-Major K13109068 HSL::log command can fail to pick new pool member if last picked member is 'checking'
715467-3 3-Major   Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
702450-4 3-Major   The validation error message generated by deleting certain object types referenced by a policy action is incorrect
699598-4 3-Major   HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR
688629-3 3-Major K52334096 Deleting data-group in use by iRule does not trigger validation error
617382-1 3-Major   Csyncd memory leak on multi-bladed systems
599567 3-Major   APM assumes SNAT automap, does not use SNAT pool
576311-1 3-Major K41335027 HTTP Strict Transport Security (HSTS) configuration error when no clientssl profile is present
511324-12 3-Major K23159242 HTTP::disable does not work after the first request/response.
504522-2 3-Major   Trailing space present after 'tmsh ltm pool members monitor' attribute value
747585-1 4-Minor   TCP Analytics supports ANY protocol number
624168-2 4-Minor   DATA_ACK and DATA_FIN ignored on a subflow not currently used for transmission


Performance Fixes

ID Number Severity Solution Article(s) Description
735832-2 2-Critical   RAM Cache traffic fails on B2150


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
750213-1 3-Major K25351434 DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
723790-4 2-Critical   Idle asm_config_server handlers consume a lot of memory
773553-5 3-Major   ASM JSON parser false positive.
761231-5 3-Major K79240502 Bot Defense Search Engines getting blocked after configuring DNS correctly
760878-1 3-Major   Incorrect enforcement of explicit global parameters
727107-1 3-Major   Request Logs are not stored locally due to shmem pipe blockage
721399-3 3-Major   Signature Set cannot be modified to Accuracy = 'All' after another value
695878-5 3-Major   Signature enforcement issue on specific requests
685164-3 3-Major K34646484 In partitions with default route domain != 0 request log is not showing requests
660327-2 3-Major   Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.
653017-2 3-Major   Bot signatures cannot be created after upgrade with DoS profile in non-Common partition
605649-3 3-Major K28782793 The cbrd daemon runs at 100% CPU utilization
758336-2 4-Minor   Incorrect recommendation in Online Help of Proactive Bot Defense


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
774301-1 3-Major   Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList
766577-5 3-Major   APMD fails to send a response to a client that has already closed the connection.
755507-1 3-Major   [App Tunnel] 'URI sanitization' error


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
709670-5 3-Major   iRule triggered from RADIUS occasionally fails to create subscribers.


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
757088 2-Critical   TMM clock advances and cluster failover happens during webroot db nightly updates
754257 3-Major   URL lookup queries not working


Device Management Fixes

ID Number Severity Solution Article(s) Description
658417-1 2-Critical   REST: Failure to authenticate/renew user who is using expired password



Cumulative fixes from BIG-IP v12.1.4.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
757025-4 CVE-2018-5744 K00040234 BIND Update
756774-3 CVE-2019-6612 K24401914 Aborted DNS queries to a cache may cause a TMM crash
754944-4 CVE-2019-6626 K00432398 AVR reporting UI does not follow best practices
754345-4 CVE-2019-6625 K79902360 WebUI does not follow best security practices
754103-3 CVE-2019-6644 K75532331 iRulesLX NodeJS daemon does not follow best security practices
753776-3 CVE-2019-6624 K07127032 TMM may consume excessive resources when processing UDP traffic
749879 CVE-2019-6611 K47527163 Possible interruption while processing VPN traffic
748502-4 CVE-2019-6623 K72335002 TMM may crash when processing iSession traffic
744035-3 CVE-2018-15332 K12130880 APM Client Vulnerability: CVE-2018-15332
739970-3 CVE-2018-5390 K95343321 Linux kernel vulnerability: CVE-2018-5390
739947-3 CVE-2019-6610 K42465020 TMM may crash while processing APM traffic
757027-4 CVE-2019-6465 K01713115 BIND Update
757026-4 CVE-2018-5745 K25244852 BIND Update
753796-3 CVE-2019-6640 K40443301 SNMP does not follow best security practices
750460-4 CVE-2019-6639 K61002104 Subscriber management configuration GUI
750187-4 CVE-2019-6637 K29149494 ASM REST may consume excessive resources
745713-2 CVE-2019-6619 K94563344 TMM may crash when processing HTTP/2 traffic
745387-4 CVE-2019-6618 K07702240 Resource-admin user roles can no longer get bash access
745371-3 CVE-2019-6636 K68151373 AFM GUI does not follow best security practices
745165-4 CVE-2019-6617 K38941195 Users without Advanced Shell Access are not allowed SFTP access
742226-3 CVE-2019-6635 K11330536 TMSH platform_check utility does not follow best security practices
737910-1 CVE-2019-6609 K18535734 Security hardening on the following platforms
710857-4 CVE-2019-6634 K64855220 iControl requests may cause excessive resource usage
703835-4 CVE-2019-6616 K82814400 When using SCP into BIG-IP systems, you must specify the target filename
702472-4 CVE-2019-6615 K87659521 Appliance Mode Security Hardening
698376-4 CVE-2019-6614 K46524395 Non-admin users have limited bash commands and can only write to certain directories
673842-3 CVE-2019-6632 K01413496 VCMP does not follow best security practices


Functional Change Fixes

ID Number Severity Solution Article(s) Description
666505-2 2-Critical   Gossip between VIPRION blades
667257-2 3-Major   CPU Usage Reaches 100% With High FastL4 Traffic
607410-1 3-Major K81239824 In the iRule output of X509 Certificate's subject and issuer, the display is not OpenSSL compatible
600811-2 3-Major   CATEGORY::lookup command change in behavior


TMOS Fixes

ID Number Severity Solution Article(s) Description
752835-1 2-Critical K46971044 Mitigate mcpd out of memory error with auto-sync enabled.
756153-1 3-Major   Add diskmonitor support for MySQL /var/lib/mysql
749153 3-Major   Cannot create LTM policy from GUI using iControl
735565-3 3-Major   BGP neighbor peer-group config element not persisting
726409-3 3-Major   Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
723794-4 3-Major   PTI (Meltdown) mitigation should be disabled on AMD-based platforms
722682-1 3-Major   Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load
720819-1 3-Major   Certain platforms may take longer than expected to detect and recover from HSB lock-ups
720269-3 3-Major   TACACS audit logging may append garbage characters to the end of log strings
720110-4 3-Major   0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.
716166-3 3-Major   Dynamic routing not added when conflicting self IPs exist
714986-1 3-Major   Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot
714903-1 3-Major   Errors in chmand
714654-3 3-Major   Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
709544-4 3-Major   VCMP guests in HA configuration become Active/Active during upgrade
707740-3 3-Major   Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination
693388-1 3-Major   Log additional HSB registers when device becomes unresponsive
678488-3 3-Major K59332320 BGP default-originate not announced to peers if several are peering over different VLANs
639619-3 3-Major   UCS may fail to load due to Master key decryption failure on EEPROM-less systems
582792-7 3-Major   iRules are not updated in transactions through TMSH or iControl
581921-2 3-Major K22327083 Required files under /etc/ssh are not moved during a UCS restore
508302-2 3-Major   Auto-sync groups may revert to full sync
671044-3 4-Minor K78612407 FIPS certificate creation can cause failover to standby system
668964-2 4-Minor K81873940 'bgp neighbor <peer -IP> update-source <IP>' command may apply change to all peers in peer-group
619706-1 4-Minor   tmsh appears to allow password change for internal lcd admin user
436116-1 4-Minor   The tcpdump utility may fail to capture packets


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
753912-1 2-Critical K44385170 UDP flows may not be swept
747968-4 2-Critical   DNS64 stats not increasing when requests go through DNS cache resolver
744269-3 2-Critical   dynconfd restarts if FQDN template node deleted while IP address change in progress
741919-1 2-Critical   HTTP response may be dropped following a 100 continue message.
738945-1 2-Critical   SSL persistence does not work when there are multiple handshakes present in a single record
727206-4 2-Critical   Memory corruption when using SSL Forward Proxy on certain platforms
718210-3 2-Critical   Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused
746922-3 3-Major   When there is more than one route domain in a parent-child relationship, an outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in the child route domain.
744536 3-Major   HTTP/2 may garble large headers
742078-1 3-Major   Incoming SYNs are dropped and the connection does not time out.
739638-1 3-Major   BGP failed to connect with neighbor when pool route is used
738523-3 3-Major   SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages
721621-2 3-Major   Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
720799-3 3-Major   Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
717896-1 3-Major   Monitor instances deleted in peer unit after sync
717100-4 3-Major   FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
716716-3 3-Major   Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
710564-3 3-Major   DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0
710355-1 3-Major   High CPU when using HTTP::collect for large chunked payloads
705112-1 3-Major   DHCP server flows are not re-established after expiration
685519-3 3-Major   Mirrored connections ignore the handshake timeout
651889-2 3-Major   persist record may be inconsistent after a virtual hit rate limit
625166-1 3-Major   Suspended iRules cannot complete on aborted flows
588720-1 3-Major K44907534 Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled.
273104-2 3-Major   Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps
751586-1 4-Minor   Http2 virtual does not honour translate-address disabled
684319-2 4-Minor   iRule execution logging
664618-3 4-Minor   Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'
658382-1 5-Cosmetic   Large numbers of ERR_UNKNOWN appearing in the logs


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
756094-1 2-Critical   DNS express in restart loop, 'Error writing scratch database' in ltm log
739846-4 2-Critical   Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
749508-4 3-Major   LDNS and DNSSEC: Various OOM conditions need to be handled properly
748902-8 3-Major   Incorrect handling of memory allocations while processing DNSSEC queries
746877-4 3-Major   Omitted check for success of memory allocation for DNSSEC resource record
744707-1 3-Major   Crash related to DNSSEC key rollover
723288-3 3-Major   DNS cache replication between TMMs does not always work for net dns-resolver
721895-1 3-Major   Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)
748177-4 4-Minor   Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character
726412-1 4-Minor   Virtual server drop down missing objects on pool creation


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
691945-2 3-Major   Security Policy Configuration Changes When Disabling Learning
690215-1 3-Major   Missing requests in request log
641307-2 3-Major   Response Page contents are corrupted by XML policy import for non-UTF-8 policies
641083-2 3-Major   Policy Builder Persistence is not saved while config events are received
754365-2 4-Minor   Updated flags for countries that changed their flags since 2010
583402-1 4-Minor   ASM Policy Parameter's Filter: Search for at least 1 Override doesn't work


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
747192-3 2-Critical   Small memory leak while creating Access Policy items
714716-3 2-Critical K10248311 Apmd logs password for acp messages when in debug mode
660913-1 2-Critical   For ActiveSync client type, browscap info provided is incorrect.
597674-1 2-Critical   TunnelServer may crash due to division by zero under unknown circumstances while establishing AppTunnels.
758764-5 3-Major   APMD Core when CRLDP Auth fails to download revoked certificate
747725-1 3-Major   Kerberos Auth agent may override settings that were manually made to krb5.conf
746768-2 3-Major   APMD leaks memory if access policy contains variable/resource assign policy items
745654-1 3-Major   Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
722969-1 3-Major   Access Policy import with 'reuse' enabled instead rewrites shared objects
672818-2 3-Major   When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established
656784-2 3-Major K98510679 Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
674367-1 3-Major K20983428 SDD v3 symmetric deduplication may stop working indefinitely


Service Provider Fixes

ID Number Severity Solution Article(s) Description
701680-1 3-Major   MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
747104-4 1-Blocking K52868493 LibSSH: CVE-2018-10933
686376-1 3-Major   Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon
624314-1 3-Major   AVR reports incorrect 'actions' in ACL reports


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
726647-1 3-Major   PEM content insertion in a compressed response may truncate some data


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
744959-2 3-Major   SNMP OID for sysLsnPoolStatTotal not incremented in stats
708830-1 3-Major   Inbound or hairpin connections may get stuck consuming memory.



Cumulative fixes from BIG-IP v12.1.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
738119-3 CVE-2019-6589 K23566124 SIP routing UI does not follow best practices
714181-3 CVE-2019-6603 K14632915 TMM may crash while processing TCP traffic
671498-3 CVE-2017-3143 K02230327 BIND zone contents may be manipulated
745358-4 CVE-2019-6607 K14812883 ASM GUI does not follow best practices
737442-1 CVE-2019-6591 K32840424 Error in APM Hosted Content when set to public access
724680-3 CVE-2018-0732 K21665601 OpenSSL Vulnerability: CVE-2018-0732
716900-1 CVE-2019-6594 K91026261 TMM core when using MPTCP
699452-3 CVE-2019-6597 K29280193 Web UI does not follow current best coding practices
658557-2 CVE-2019-6606 K35209601 The snmpd daemon may leak memory when processing requests.
643554-12 CVE-2017-3731 CVE-2017-3732 CVE-2016-7055 K37526132 K44512851 K43570545 OpenSSL vulnerabilities - OpenSSL 1.0.2k library update
603658-1 CVE-2019-6601 K25359902 AAM security hardening
530775-4 CVE-2019-6600 K23734425 Login page may generate unexpected HTML output
701785-3 CVE-2017-18017 K18352029 Linux kernel vulnerability: CVE-2017-18017


Functional Change Fixes

ID Number Severity Solution Article(s) Description
734527-4 3-Major   BGP 'capability graceful-restart' for peer-group not properly advertised when configured
700827-2 3-Major   B2250 blades may lose efficiency when source ports form an arithmetic sequence.
600385-1 3-Major K43295141 BIG-IP LTM and BIG-IP DNS monitors are allowed to be configured with interval value larger than timeout
597899-1 3-Major   Disabling all pool members may not be reflected in Virtual Server status


TMOS Fixes

ID Number Severity Solution Article(s) Description
741423-1 2-Critical   Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
738887-2 2-Critical   BIG-IP SNMPD vulnerability CVE-2019-6608
723722-3 2-Critical   MCPD crashes if several thousand files are created between config syncs.
723298-3 2-Critical   BIND upgrade to version 9.11.4
700386-1 2-Critical   mcpd may dump core on startup
697424 2-Critical   iControl-REST crashes on /example for firewall address-lists
691589 2-Critical   When using LDAP client auth, tamd may become stuck
689437-2 2-Critical K49554067 icrd_child cores due to infinite recursion caused by incorrect group name handling
638091-4 2-Critical   Config sync after changing named pool members can cause mcpd on secondary blades to restart
594366-1 2-Critical K21271097 Occasional crash of icrd_child when BIG-IP restarts
748187-1 3-Major   'Transaction Not Found' Error on PATCH after Transaction has been Created
720713-3 3-Major   TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail
720651-3 3-Major   Running Guest Changed to Provisioned Never Stops
720461-3 3-Major   qkview prompts for password on chassis
711249-2 3-Major   NAS-IP-Address added to RADIUS packet unexpectedly
707391-4 3-Major   BGP may keep announcing routes after disabling route health injection
706354-1 3-Major   OPT-0045 optic unable to link
706104-2 3-Major   Dynamically advertised route may flap
705037-3 3-Major K32332000 System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
704449-4 3-Major   Orphaned tmsh processes might eventually lead to an out-of-memory condition
700757-2 3-Major   vcmpd may crash when it is exiting
698619-1 3-Major   Disable port bridging on HSB ports for non-vCMP systems
693884-3 3-Major   ospfd core on secondary blade during network instability
692189-3 3-Major   errdefsd fails to generate a core file on request.
689002-1 3-Major   Stack overflow when JSON is deeply nested
676705-2 3-Major   agetty should not run on VEs that lack a serial port
673974-1 3-Major K63225596 agetty auto detects parity on console port incorrectly
671447-2 3-Major   ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form
666884-2 3-Major K27056204 Message: Not enough free disk space to install! cpcfg cannot copy a configuration on a chassis platform
653888-2 3-Major   BGP advertisement-interval attribute ignored in peer group configuration
652877-3 3-Major   Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
642923-2 3-Major   MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system
639575-5 3-Major   Using libtar with files larger than 2 GB will create an unusable tarball
628402-4 3-Major   Operator users receive 'can't get object count from mcpd' error in response to certain commands
613509-1 3-Major K49101035 Platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
610449-2 3-Major   restarting mcpd on guest makes block-device-images disappear
602566-5 3-Major   sod daemon may crash during start-up
598289-4 3-Major   TMSH prevents adding pool members that have a name in the format <ipv4>:<number>:<service port>
598085-2 3-Major   Expected telemetry is not transmitted by sFlow on the standby-mode unit.
563905-2 3-Major   Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.
491560-1 3-Major   Using proxy for IP intelligence updates
737389 4-Minor   Kern.log contains many messages: warning kernel: Tracklist initialized; Tracklist destroyed
674145-3 4-Minor   chmand error log message missing data
608348-4 4-Minor   Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
744117-6 2-Critical K18263026 The HTTP URI is not always parsed correctly
740490-2 2-Critical   Configuration changes involving HTTP2 or SPDY may leak memory
739927-1 2-Critical   Bigd crashes after a specific combination of logging operations
737758-1 2-Critical   MPTCP Passthrough and VIP-on-VIP can lead to TMM core
727044-1 2-Critical   TMM may crash while processing compressed data
726239-3 2-Critical   interruption of traffic handling as sod daemon restarts TMM
724868-2 2-Critical   dynconfd memory usage increases over time
663178-1 2-Critical   tmm may sometimes crash when using VPN
606035-1 2-Critical   csyncd crash
738521-2 3-Major   i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
714559-1 3-Major   Removal of HTTP hash persistence cookie when a pool member goes down.
710028-4 3-Major   LTM SQL monitors may stop monitoring if multiple monitors querying same database
708068-3 3-Major   Tcl commands like "HTTP::path -normalize" do not return normalized path.
706102-3 3-Major   SMTP monitor does not handle all multi-line banner use cases
701678-1 3-Major   Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded
695925-3 3-Major   Tmm crash when showing connections for a CMP disabled virtual server
693910-2 3-Major   Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
693582-3 3-Major   Monitor node log not rotated for certain monitor types
680264 3-Major   HTTP2 headers frame decoding may fail when the frame is delivered in multiple xfrags
674591-2 3-Major K37975308 Packets with payload smaller than MSS are being marked to be TSOed
672312-2 3-Major   IP ToS may not be forwarded to serverside with syncookie activated
666595-2 3-Major   Monitor node log fd leak by bigd instances not actively monitoring node
662816-2 3-Major K61902543 Monitor node log fd leak for certain monitor types
653930-2 3-Major K69713140 Monitor with description containing backslash may fail to load.
613618-1 3-Major   The TMM crashes in the websso plugin.
611482-4 3-Major K71450348 Local persistence record kept alive after owner persistence record times out (when using the pool command in an iRule).
610138-2 3-Major K23284054 STARTTLS in SMTPS filter does not properly restrict I/O buffering
605147-1 3-Major   No mirroring for TCP TIME-WAIT reconnections and new TCP flows after HA reconnections.
598707-4 3-Major   Path MTU does not work in self-IP flows
586621-7 3-Major K36008344 SQL monitors 'count' config value does not work as expected.
628016-2 4-Minor   MP_JOIN always fails if MPTCP never receives payload data
618884-1 4-Minor   Behavior when using VLAN-Group and STP


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
750488 3-Major   Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750484 3-Major   Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750472 3-Major   Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750457 3-Major   Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
749774-2 3-Major   EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
749675-2 3-Major   DNS cache resolver may return a malformed truncated response with multiple OPT records
737332-2 3-Major   It is possible for DNSX to serve partial zone information for a short period of time
723792-3 3-Major   GTM regex handling of some escape characters renders it invalid


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
741108 2-Critical   tmm dosl7 memory leak when X-Forwarded-For header value contains a long list of comma-separated IP addresses
744347-1 3-Major   Protocol Security logging profiles cause slow ASM upgrade and apply policy
739945-1 3-Major   JavaScript challenge on POST with 307 breaks application
738789-3 3-Major   ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog
738647-1 3-Major   Add the login detection criteria of 'status code is not X'
737998 3-Major   Brute Force end attack condition isn't satisfied for successful logins only
698757-1 3-Major K58143082 Standby system saves config and changes status after sync from peer
664714-1 3-Major   Client-side challenge is changing POST parameter value under some circumstances
642185-1 3-Major   Add support for IBM AppScan scanner schema changes
613728-1 3-Major   Import/Activate Security policy with 'Replace policy associated with virtual server' option fails
569195-1 3-Major K41874435 A Set-Cookie for an existing ASM cookie without value change
542817-1 3-Major K11619228 Specific numbers that are not credit card numbers are being masked as such
653895 4-Minor   Admin user cannot edit policy


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
616161-1 2-Critical   BD process crash and restarts
737597 3-Major   AVR DoS Attack report misses virtual server name in a specific config


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
740777-2 2-Critical   Secondary blades mcp daemon restart when subroutine properties are configured
672221 2-Critical   TMM cores if the certificate configured to validate message signature does not exist.
631060-1 2-Critical   BIG-IP may incorrectly reject serverside connection when REQLOG is configured.
745574-4 3-Major   URL is not removed from custom category when deleted
739744-2 3-Major   Import of Policy using Pool with members is failing
726592-2 3-Major   Invalid log-setting configuration messaging between daemons could send apmd, apm_websso and localdbmgr into an infinite loop
628712-1 3-Major K53129098 Advanced customization doesn't work for Profiles in a non-Common partition with a period (.) in the name


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
706642-3 2-Critical   wamd may leak memory during configuration changes and cluster events
603746-1 4-Minor   DCDB security hardening


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
724532-1 2-Critical   SIGSEGV during IP intelligence category match in TMM
710755-2 2-Critical   TMM crash when route information becomes stale and the system accesses stale information.
699454-3 4-Minor   Web UI does not follow current best coding practices
627454 4-Minor   Trimming leading whitespaces at logging profile creation


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
744516-2 2-Critical   TMM panics after a large number of LSN remote picks
734446-3 2-Critical   TMM crash after changing LSN pool mode from PBA to NAPT
669645-1 2-Critical   tmm crashes after LSN pool member change
663531-1 2-Critical   TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
746868 2-Critical   memory leakage when "apply to base domain" is enabled



Cumulative fixes from BIG-IP v12.1.3.7 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
739094-4 CVE-2018-5546 K54431371 APM Client Vulnerability: CVE-2018-5546
737441-1 CVE-2018-5546 K54431371 Disallow hard links to svpn log files
726089-3 CVE-2018-15312 K44462254 Modifications to AVR metrics page
724339-2 CVE-2018-15314 K04524282 Unexpected TMUI output in AFM
724335-2 CVE-2018-15313 K21042153 Unexpected TMUI output in AFM
722677-3 CVE-2019-6604 K26455071 BIG-IP HSB vulnerability CVE-2019-6604
722387-2 CVE-2019-6596 K97241515 TMM may crash when processing APM DTLS traffic
722091-2 CVE-2018-15319 K64208870 TMM may crash while processing HTTP traffic
717742-3 CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 K44923228 Oracle Java SE vulnerability CVE-2018-2783
707990-3 CVE-2018-15315 K41704442 Unexpected TMUI output in SSL Certificate Instance page
704184-3 CVE-2018-5529 K52171282 APM MAC Client create files with owner only read write permissions
701253-3 CVE-2018-15318 K16248201 TMM core when using MPTCP
721924-3 CVE-2018-17539 K17264695 BIG-IP ARM BGP vulnerability CVE-2018-17539
719554-3 CVE-2018-8897 K17403481 Linux Kernel Vulnerability: CVE-2018-8897
674486-5 CVE-2017-9233 K03244804 Expat Vulnerability: CVE-2017-9233
661828-1 CVE-2019-6590 K55101404 TMM may consume excessive resources when processing SSL traffic


Functional Change Fixes

ID Number Severity Solution Article(s) Description
715750-3 3-Major K41515225 The BIG-IP system may exhibit undesirable behaviors when receiving a FIN mid-stream in an SSL connection.
652671-4 3-Major K31326690 Provisioning the mgmt plane to "large" and performing a config sync might cause an outage on the peer unit.


TMOS Fixes

ID Number Severity Solution Article(s) Description
716391-3 2-Critical K76031538 High priority for MySQL on 2 core vCMP may lead to control plane process starvation
690793-2 2-Critical K25263287 TMM may crash and dump core due to improper connflow tracking
688148-1 2-Critical   IKEv1 racoon daemon SEGV during phase-two SA list iteration
613476-2 2-Critical   IKEv1 racoon daemon delayed timer use of ike-peer (rmconf) after deletion
704247-3 3-Major   BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
686124-3 3-Major K83576240 IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
678380-3 3-Major K26023811 Deleting an IKEv1 peer in current use could SEGV on race conditions.
671712 3-Major   The values returned for the ltmUserStatProfileStat table are incorrect.
670528-1 3-Major K20251354 Warnings during vCMP host upgrade.
620746-1 3-Major   MCPD crash
580602-1 3-Major   Configuration containing LTM nodes with IPv6 link-local addresses fail to load.
551925-3 3-Major   Misdirected UDP traffic with hardware acceleration
464650-4 3-Major   Failure of mcpd with invalid authentication context.
689211-2 4-Minor   IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }
678254-2 4-Minor   Error logged when restarting Tomcat
550526 4-Minor K84370515 Some time zones prevent configuring trust with a peer device using the GUI.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
716213-3 2-Critical   BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
697259-1 2-Critical K14023450 Different versioned vCMP guests on the same chassis may crash.
694656-3 2-Critical K05186205 Routing changes may cause TMM to restart
666401-2 2-Critical K03294104 Memory might become corrupted when a Standby device transitions to Active during failover
659709-1 2-Critical   Mirroring persistence records may cause a TMM memory leak
641869-1 2-Critical K62744980 Assertion "vmem_hashlist_remove not found" failed.
635191-1 2-Critical   Under rare circumstances TMM may crash
618106-1 2-Critical K74714343 bigd core due to memory leak, especially with FQDN nodes
615097-1 2-Critical   Incorrect use of HTTP::collect leads to TMM core.
513310-1 2-Critical   TMM might core when a profile is changed.
722363-1 3-Major   Client fails to connect to server when using PVA offload at Established
720293-1 3-Major   HTTP2 IPv4 to IPv6 fails
713690-1 3-Major   IPv6 cache route metrics are locked
712664-4 3-Major   IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
711981-3 3-Major   BIG-IP system accepts larger-than-egress MTU, PMTU update
700696-2 3-Major   SSID does not cache fragmented Client Certificates correctly via iRule
694697-3 3-Major K62065305 clusterd logs heartbeat check messages at log level info
693308-3 3-Major   SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain
691224-1 3-Major K59327001 Fragmented SSL Client Hello messages do not get properly reassembled when SSL Persistence is enabled
671725-1 3-Major K19920320 Connection leak on standby unit
632968-2 3-Major   supported_signature_algorithms extension in CertificateRequest sent by a TLS server fails
600812-1 3-Major   IPv6 virtual address with icmp-echo enabled on an IPv6 host IP forwarding ignores the neighbor advertisement packet.
578971-3 3-Major   When mcpd is restarted on a blade, cluster members may be temporarily marked as failed
572234-2 3-Major   When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
716922-4 4-Minor   Reduction in PUSH flags when Nagle Enabled
622148-5 4-Minor   Flow-generated ICMP error messages need to consider which side of the proxy they are on
602708-2 4-Minor K84837413 Traffic may not pass through CoS by default


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
718885-1 2-Critical K25348242 Under certain conditions, monitor probes may not be sent at the configured interval
726255-3 3-Major   dns_path lingering in memory with last_access 0 causing high memory usage
719644-1 3-Major   If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions
715448-1 3-Major   Providing LB::status with a GTM Pool name in a variable caused validation issues
710246-3 3-Major   DNS-Express was not sending out NOTIFY messages on VE
636790-3 3-Major   Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
739798 2-Critical   Massive number of log messages being generated and written to the bd.log.
734622 2-Critical K83093212 Policy change with newly enforced signatures causes sig collection failure in other policies
721741-2 2-Critical   BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
716788-3 2-Critical   TMM may crash while response modifications are being performed within DoSL7 filter
685230-1 2-Critical   memory leak on a specific server scenario
666221-2 2-Critical K47152503 tmm may crash from DoSL7
617391-1 2-Critical K53345828 Custom ASM Search Engines causing sync, offline, and upgrade issues
721752-1 3-Major   Null char returned in REST for Suggestion with more than MAX_INT occurrences
713282-3 3-Major   Remote logger violation_details field does not appear when virtual server has more than one remote logger
701856-2 3-Major   Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart
701039 3-Major   Requests do not appear in local logging due to rare file descriptor exhaustion
676223-2 3-Major   Internal parameter to avoid signing allowed cookies
650070-2 3-Major K23041827 iRule that uses ASM violation details may cause the system to reset the request
648639-3 3-Major K92201230 TS cookie name contains NULL or other raw byte
646800-2 3-Major   A part of the request is not sent to ICAP server in a specific case
644725-4 3-Major K01914292 Configuration changes while removing ASM from the virtual server may cause graceful ASM restart
614730-1 3-Major   Session opening log shows incorrect number of challenged responses.
564324-2 3-Major   ASM scripts can break applications
463314-2 4-Minor   Enabling ASM AJAX blocking response page feature causing cross domain AJAX requests to fail


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
685741 3-Major   DoS Overview is very slow to load data, to the point of timeout
649177-2 3-Major K54018808 Testing for connection to SMTP Server always returns "OK"


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
722013-3 2-Critical   MCPD restarts on all secondary blades post config-sync involving APM customization group
631286-1 2-Critical   TMM Memory leak caused by APM URI cache entries
546489-1 2-Critical   VMware View USB redirection stops working after client reconnect
739144-1 3-Major   Domain logoff scripts runs after VPN connection is closed
738397-2 3-Major   SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
726895-1 3-Major K02205915 VPE cannot modify subroutine settings
713655-3 3-Major   RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
703793-1 3-Major   tmm restarts when using 'ACCESS::perflow get' in certain events
702873-3 3-Major   Windows Logon Integration feature may cause Windows logon screen freeze
631626 3-Major   Unable to delete an access profile which contains a route domain agent
631048-1 3-Major   Portal Access [PeopleSoft] 'My Preferences' page does not have content
596166-1 3-Major   Cannot create email using Address Book
565347-2 3-Major   Rewrite engine behaves improperly in case of AS2 SWF with a badly formatted 'push' instruction
721375 4-Minor   Export then import of config with RSA server in it might fail


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
603755-1 2-Critical   dwbld core dump when Auto Blacklisting is configured, in a rare scenario
698806-2 3-Major   Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
738669-3 3-Major   Login validation may fail for a large request with early server response
716318-4 3-Major   Engine/Signatures automatic update check may fail to find/download the latest update


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
726303 3-Major   Unlock 10 million custom db entry limit



Cumulative fixes from BIG-IP v12.1.3.6 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
716992-3 CVE-2018-5539 K75432956 The ASM bd process may crash
710244-1 CVE-2018-5536 K27391542 Memory Leak of access policy execution objects
709972-4 CVE-2017-12613 K52319810 CVE-2017-12613: APR Vulnerability
709688-5 CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 K08306700 dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
693744-3 CVE-2018-5531 K64721111 CVE-2018-5531: vCMP vulnerability
710827-4 CVE-2019-6598 K44603900 TMUI dashboard daemon stability issue
710705-3 CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 K34035645 Multiple Wireshark vulnerabilities
710314-2 CVE-2018-5537 K94105051 TMM may crash while processing HTML traffic
710148-4 CVE-2017-1000111, CVE-2017-1000112 K60250153 CVE-2017-1000111 & CVE-2017-1000112
705476-4 CVE-2018-15322 K28003839 Appliance Mode does not follow design best practices
703940-3 CVE-2018-5530 K45611803 Malformed HTTP/2 frame consumes excessive system resources
698813-3 CVE-2018-5538 K45435121 When processing DNSX transfers ZoneRunner does not enforce best practices
677088-4 CVE-2018-15321 K01067037 BIG-IP tmsh vulnerability CVE-2018-15321
672124-3 CVE-2018-5541 K12403422 Excessive resource usage when BD is processing requests
714879-1 CVE-2018-15326 K34652116 APM CRLDP Auth passes all certs
708653-3 CVE-2018-15311 K07550539 TMM may crash while processing TCP traffic
673165 CVE-2017-7895 K15004519 CVE-2017-7895: Linux Kernel Vulnerability


Functional Change Fixes

ID Number Severity Solution Article(s) Description
671999-2 3-Major   Re-extract the Thales software every time the installation script is run
643034-1 3-Major K52510343 Turn off TCP Proxy ICMP forwarding by default
620445-4 3-Major   New SIP::persist keyword to set the timeout without changing key
613023-4 3-Major   Update SIP::Persist to support resetting timeout value.
441079-2 3-Major K55242686 BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved
693007-3 4-Minor   Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC


TMOS Fixes

ID Number Severity Solution Article(s) Description
700315-3 1-Blocking K26130444 Ctrl+C does not terminate TShark
636774-1 1-Blocking   Potential TMM crash due to BWC token distribution logic
723130-3 2-Critical K13996 Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
707003-2 2-Critical   Unexpected syntax error in TMSH AVR
706423-2 2-Critical   tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
696113-1 2-Critical   Extra IPsec reference added per crypto operation overflows connflow refcount
692158-2 2-Critical   iCall and CLI script memory leak when saving configuration
690819-3 2-Critical   Using an iRule module after a 'session lookup' may result in crash
671314-4 2-Critical K37093335 BIG-IP system cores when sending SIP SCTP traffic
665362-4 2-Critical   MCPD might crash if the AOM restarts
663197-3 2-Critical   Security hardening of files to prevent sensitive configuration from being stored in qkview.
626861-2 2-Critical K31220138 Ensure unique IKEv2 sequence numbers
599223-1 2-Critical   Prevent static destructors in tmipsecd daemon
581851-2 2-Critical K16234725 mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands
559980-1 2-Critical   Changing the console baud rate requires a reboot to take effect
508113-3 2-Critical   tmsh load sys config base merge file <filename> fails
720880 3-Major   Attempts to license/re-license the BIG-IP system fail.
720756 3-Major   SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS
720104 3-Major   BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
714848 3-Major   OPT-0031 and OPT-0036 log DDM warning every minute when interface disabled and DDM enabled
710602 3-Major   iCRD commands requiring 'root' user access fixed
707445 3-Major K47025244 Nitrox 3 compression hangs/unable to recover
704336-3 3-Major   Updating 3rd party device cert not copied correctly to trusted certificate store
704282-3 3-Major   TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy
701900 3-Major K55938217 DHCP configured domain-name-servers unavailable after reboot when there are more than two domain-name servers in the lease.
698947-1 3-Major   BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.
694740-1 3-Major   BIG-IP reboot during a TMM core results in an incomplete core dump
693106-2 3-Major   IKEv1 newest established phase-one SAs should be found first in a search
692179-3 3-Major   Potential high memory usage from errdefsd.
687905 3-Major K72040312 OneConnect profile causes CMP redirected connections on the HA standby
687534-3 3-Major   If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
686926-3 3-Major   IPsec: responder N(cookie) in SA_INIT response handled incorrectly
684391-1 3-Major   Existing IPsec tunnels reload. tmipsecd creates a core file.
680838-3 3-Major   IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
679347-3 3-Major K44117473 ECP does not work for PFS in IKEv2 child SAs
678925-4 3-Major   Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
677928-2 3-Major   A wrong source MAC address may be used in the outgoing IPsec encapsulated packets.
676897-1 3-Major K25082113 IPsec keeps failing to reconnect
676092-1 3-Major   IPsec keeps failing to reconnect
675718-1 3-Major   IPsec keeps failing to reconnect
669268 3-Major   Failover in the same availability zone of AWS may fail when AWS services are intermittently available.
667223 3-Major   The merge option for the tmsh load sys config command removes existing nested objects
666035-1 3-Major   Obscuring secrets in files collected by qkview
621314-6 3-Major K55358710 SCTP virtual server with mirroring may cause excessive memory use on standby device
617865-1 3-Major   Missing health monitor information for FQDN members
605270-5 3-Major   On some platforms the SYN-Cookie status report is not accurate
588929-2 3-Major   SCTP emits 'address conflict detected' log messages during failover
588794-2 3-Major   Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements
588771-2 3-Major   SCTP needs traffic-group validation for server-side client alternate addresses
586938-1 3-Major K57360106 Standby device will respond to the ARP of the SCTP multihoming alternate address
586031-1 3-Major K40453207 Configuration with LTM policy may fail to load
525580-1 3-Major K51013874 tmsh load sys config merge file filename.scf base command does not work as expected
685475-3 4-Minor K93145012 Unexpected error when applying hotfix
680856-3 4-Minor   IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
679135-3 4-Minor   IKEv1 and IKEv2 cannot share common local address in tunnels
678388-3 4-Minor K00050055 IKEv1 racoon daemon is not restarted when killed multiple times
658298-3 4-Minor   SMB monitor marks node down when file not specified
624484-2 4-Minor K09023677 Timestamps not available in bash history on non-login interactive shells
573031-1 4-Minor   qkview may not collect certain configuration files in their entirety
720391-1 5-Cosmetic   BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'
713491-1 5-Cosmetic   IKEv1 logging shows SPI of deleted SA with opposite endianness
651826-2 5-Cosmetic   SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
718071-3 2-Critical   HTTP2 with ASM policy not passing traffic
709334-2 2-Critical   Memory leak when SSL Forward proxy is used and ssl re-negotiates
708114-3 2-Critical K33319853 TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
707447-2 2-Critical   Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.
707207-2 2-Critical   iRuleLx returning undefined value may cause TMM restart
703914-1 2-Critical   TMM SIGSEGV crash in poolmbr_conn_dec.
686685-1 2-Critical   LTM Policy internal compilation error
683631-1 2-Critical   TMM crashes during stress test
678722-2 2-Critical   In SSL-O, TMM may core when SSL forward proxy cleanup certificate resources
676721-2 2-Critical K33325265 Missing check for NULL condition causes tmm crash.
674004-1 2-Critical K34448924 tmm may crash after deleting a pool member while it is passing traffic
670804-2 2-Critical K03163260 Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP
656898-2 2-Critical   'oops' 'bad transition' messages occur
613524-3 2-Critical   TMM crash when call HTTP::respond twice in LB_FAILED
598110-1 2-Critical   pkcs11d daemon should not show status 'up' until all connections are established with HSM and BIG-IP is ready to process traffic.
586587-1 2-Critical   RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms.
571651-3 2-Critical   Reset Nitrox3 crypto accelerator queue if it becomes stuck.
440620-2 2-Critical   New connections may be reset when a client reuses the same port as it used for a recently closed connection
713951-3 3-Major   tmm core files produced by nitrox_diag may be missing data
713934-4 3-Major   Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result in a malformed TC response
712475-1 3-Major K56479945 DNS zones without servers will prevent DNS Express reading zone data
712464-1 3-Major   Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
712437-1 3-Major K20355559 Records containing hyphens (-) will prevent child zone from loading correctly
711281-3 3-Major   nitrox_diag may run out of space on /shared
707951 3-Major   Stalled mirrored flows on HA next-active when OneConnect is used.
704381-3 3-Major   SSL/TLS handshake failures and terminations are logged at too low a level
703580 3-Major   TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.
702151-2 3-Major   HTTP/2 can garble large headers
700889-2 3-Major K07330445 Software syncookies without TCP TS improperly include TCP options that are not encoded
700061-3 3-Major   Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file
700057-3 3-Major   LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved
698916-3 3-Major   TMM crash with HTTP/2 under specific condition
698379-3 3-Major K61238215 HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(
693838 3-Major   Adaptive monitor feature does not mark pool member down when hard limit set on UDP monitors
691806-3 3-Major K61815412 RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
688553-1 3-Major   SASP GWM monitor may not mark member UP as expected
685615-5 3-Major K24447043 Incorrect source mac for TCP Reset with vlangroup for host traffic
681757-1 3-Major K32521651 Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
678872-2 3-Major   Inconsistent behavior for virtual-address and selfip on the same ip-address
677525-3 3-Major   Translucent VLAN group may use unexpected source MAC address
676914-1 3-Major   The SSL Session Cache can grow indefinitely if the traffic group is changed.
676828-2 3-Major K09012436 Host IPv6 traffic is generated even when ipv6.enabled is false
676355-2 3-Major   DTLS retransmission does not comply with RFC in certain resumed SSL session
675212-3 3-Major   The BIG-IP system incorrectly allows clients through as part of SSL Client Certificate Authentication
673052-2 3-Major   On i-Series platforms, HTTP/2 is limited to 10 streams
671337-1 3-Major   NetHSM DNSSEC key creation can attempt to change the SELinux label on a file
668196-2 3-Major   Connection limit continues to be enforced with least-connections and pool member flap, member remains down
668006-1 3-Major K12015701 Suspended 'after' command leads to assertion if there are multiple pending events
667707-2 3-Major   LTM policy associations with virtual servers are not ConfigSynced correctly
659519-1 3-Major K42400554 Non-default header-table-size setting on HTTP2 profiles may cause issues
657883-2 3-Major K34442339 tmm cache resolver should not cache response with TTL=0
657626-2 3-Major   User with role 'Manager' cannot delete/publish LTM policy.
651541-2 3-Major K83955631 Changes to the HTTP profile do not trigger validation for virtual servers using that profile
636289-2 3-Major   Fixed a memory issue while handling TCP::congestion iRule
633691-4 3-Major   HTTP transaction may not finish gracefully because the TCP connection is closed by RST
624846-1 3-Major   TCP Fast Open does not work for Responses < 1 MSS
604838-1 3-Major   TCP Analytics incorrectly reports entities as "Aggregated"
595281-1 3-Major   TCP Analytics reports huge goodput numbers
570277-1 3-Major K16044231 SafeNet client not able to establish session to all HSMs on all blades.
367226-4 3-Major   Outgoing RIP advertisements may have incorrect source port
251162-3 3-Major K11564 The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name
248914-4 3-Major K00612197 ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address
713533-3 4-Minor   list self-ip with queries does not work
708249-4 4-Minor   nitrox_diag utility generates QKView files with 5 MB maximum file size limit
700433-2 4-Minor K10870739 Memory leak when attaching an LTM policy to a virtual server
685467-2 4-Minor K12933087 Certain header manipulations in HTTP profile may result in losing connection.
678801-2 4-Minor   WS::enabled returned empty string
677958-2 4-Minor   WS::frame prepend and WS::frame append do not insert string in the right place.
645729-1 4-Minor   SSL connection is not mirrored if ssl session cache is cleared and resume attempted
639970-3 4-Minor   GUI - Client SSL profile certificate extensions names switch to numbers in case of validation error
627764-2 4-Minor   Prevent sending a 2nd RST for a TCP connection
627695-2 4-Minor   [netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the uninstall during "safenet-sync.sh -u " are not operational
621379-2 4-Minor   TCP Lossfilter not enforced after iRule changes TCP settings
618024-2 4-Minor   software switched platforms accept traffic on lacp trunks even when the trunk is down
604272-1 4-Minor   SMTPS profile connections_current stat does not reflect actual connection count.
523814-3 4-Minor   When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections
522302-2 4-Minor   TCP Receive Window error messages are inconsistent on UI
495242-3 4-Minor   mcpd log messages: Failed to unpublish LOIPC object


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
713066-3 2-Critical K10620131 Connection failure during DNS lookup to disabled nameserver can crash TMM
707310-1 2-Critical   DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)
706128-1 3-Major   DNSSEC Signed Zone Transfers Can Leak Memory
705503-1 3-Major   Context leaked from iRule DNS lookup
680069-3 3-Major K81834254 zxfrd core during transfer while network failure and DNS server removed from DNS zone config
675539-1 3-Major   Inter-system communications targeted at a Management IP address might not work in some cases.
672491-2 3-Major K10990182 net resolver uses internal IP as source if matching wildcard forwarding virtual server
660263-4 3-Major   DNS transparent cache message and RR set activity counters not incrementing
653775-3 3-Major K05397641 Ampersand (&) in GTM synchronization group name causes synchronization failure.
643813-2 3-Major   ZoneRunner does not properly process $ORIGIN directives
637227-4 3-Major K60414305 DNS Validating Resolver produces inconsistent results with DNS64 configurations.
629421-1 3-Major   Big3d memory leak when adding/removing Wide IPs in a GTM sync pair.
609527-2 3-Major   DNS cache local zone not properly copying recursion desired (RD) flag in response
602300-1 3-Major   Zone Runner entries cannot be modified when sys DNS starts with IPv6 address
669262-2 4-Minor   [GUI][ZoneRunner] reverse zones should be treated case-insensitively when creating a resource record
638170-1 4-Minor K36455356 Pagination broken or missing while viewing pool statistics for GTM wideip
605537-5 4-Minor K03997964 Error when resetting statistics on GSLB Pool Members


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
639767-2 2-Critical   Policy with Session Awareness Statuses may fail to export
606983-3 2-Critical   ASM errors during policy import
580862-1 2-Critical   Policy disabled after enabled with apply-policy via REST, asm-sync removal fixes
712362-1 3-Major   ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
710327-3 3-Major   Remote logger message is truncated at NULL character.
707888 3-Major   Some ASM operations delayed due to scheduled ASU update
707147-2 3-Major   High CPU consumed by asm_config_server_rpc_handler_async.pl
706845-1 3-Major   False positive illegal multipart violation
704143-2 3-Major   BD memory leak
700726-1 3-Major   Search engine list updated, and case of multiple entries fixed
691897-1 3-Major   Names of the modified cookies do not appear in the event log
687759-2 3-Major   bd crash
686765-1 3-Major   Database cleaning failure may allow MySQL space to fill the disk entirely
683241-3 3-Major K70517410 Improve CSRF token handling
674527-1 3-Major   TCL error in ltm log when server closes connection while ASM irules are running
666112-1 3-Major K53708490 TMM 'DoS Layer 7' memory leak during config load
663396-1 3-Major   URL Method override is enforced incorrectly after upgrade
654996-1 3-Major K50345236 Closed connections remain in memory
665470-1 4-Minor   Failed to load sample requests on the Traffic Learning page when a VIOL_MALICIOUS_IP violation is raised
700812-2 5-Cosmetic   asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
716747-4 2-Critical   TMM may crash while processing APM or SWG traffic
715250-2 2-Critical   TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED
681850-1 2-Critical   APMD process may fail to initialize on start either after upgrade or after adding certain configurations
671373-2 2-Critical   urldb core seen
632798-2 2-Critical K30710317 Double-free may occur if Access initialization fails
720695-2 3-Major   Export then import of APM access Profile/Policy with advanced customization is failing
720030-3 3-Major   Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)
718208-1 3-Major   Unable to install Network Access plugin on Linux Ubuntu 16.04 with Firefox v52 ESR using SUDO
715207-2 3-Major   coapi errors while modifying per-request policy in VPE
714542-1 3-Major   'Always Connected Mode' text is missing in EdgeClient tray
712924 3-Major   In VPE, the SecurID servers list is not displayed in the SecurID authentication dialog
712857-1 3-Major   SWG-Explicit rejects large POST bodies during policy evaluation
706374-2 3-Major   Heavy use of APM Kerberos SSO can sometimes lead to memory corruption
704524-2 3-Major   [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries
684937-6 3-Major K26451305 [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
683113-6 3-Major K22904904 [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
658664-3 3-Major K21390304 VPN connection drops when 'prohibit routing table change' is enabled
609793-1 3-Major   HTTP header modify agent logs error message as it is disabled since it cannot modify headers/cookies in HTTP Response.
602429-1 3-Major   DNS suffix is not restored after disconnecting Network Access
543344-3 3-Major   ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event
516736-1 3-Major   URLs with backslashes in the path may not be handled correctly in Portal Access


Service Provider Fixes

ID Number Severity Solution Article(s) Description
703515-5 2-Critical K44933323 MRF SIP LB - Message corruption when using custom persistence key
698338-2 2-Critical   Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
685708-3 2-Critical   Routing via iRule to a host without providing a transport from a transport-config created connection cores
669739-1 2-Critical K71963740 Potential core when using MRF SIP with SCTP
659173-1 2-Critical K76352741 Diameter Message Length Limit Changed from 1024 to 4096 Bytes
700571-2 3-Major   SIP MR profile, setting incorrect branch param for CANCEL to INVITE
696049-3 3-Major   High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
688942-3 3-Major   ICAP: Chunk parser performs poorly with very large chunk
679114-2 3-Major   Persistence record expires early if an error is returned for a BYE command
674747-2 3-Major K30837366 sipdb cannot delete custom bidirectional persistence entries.
673814-4 3-Major K37822302 Custom bidirectional persistence entries are not updated to the session timeout
642298-3 3-Major   Unable to create a bidirectional custom persistence record in MRF SIP
640384-3 3-Major   New iRule options for MR::message route command
620759-4 3-Major   Persist timeout value gets truncated when added to the branch parameter.
632658-4 4-Minor   Enable SIP::persist command to operate during SIP_RESPONSE event
617690-4 4-Minor   enable SIP::respond iRule command to operate during MR_FAILED event


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
677473-1 2-Critical   MCPD core is generated on multiple add/remove of Mgmt-Rules
663770-2 3-Major K04025134 AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
699531-3 2-Critical   Potential TMM crash due to incorrect number of attributes in a PEM iRule command
696294-3 2-Critical   TMM core may be seen when using Application reporting with flow filter in PEM
715090 3-Major   PEM policy actions obtained via a PCRF are not applied for traffic generated subscribers
711570-1 3-Major   PEM iRule subscriber policy name query using subscriber ID may not return applied policies
711093-2 3-Major   PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
709610-1 3-Major   Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
697718-3 3-Major   Increase PEM HSL reporting buffer size to 4K.
648802-3 3-Major   Required custom AVPs are not included in an RAA when reporting an error.


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
667662-1 3-Major K06579313 Autolasthop does not work for PPTP-GRE traffic.


Device Management Fixes

ID Number Severity Solution Article(s) Description
625114-2 2-Critical K08062851 Internal sync-change conflict after update to local users table



Cumulative fixes from BIG-IP v12.1.3.5 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
708956 1-Blocking K51206433 During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
696732 2-Critical K54431534 tmm may crash in a compression provider
697616 3-Major   Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests
692239-1 3-Major K31554905 AOM menu power off then on results in 'Host Power Cycle Event' SEL log entries posted every two seconds
689730-2 3-Major   Software installations from v13.1.0 might fail
674455-7 3-Major   Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS
680388-2 4-Minor   f5optics should not show function name in non-debug log messages
653759-2 4-Minor   Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
701538-1 2-Critical   SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured
662078-1 2-Critical   Occasionally connections are dropped in response to timing errors
694778-2 3-Major   Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size
686631-1 3-Major   Deselect a compression provider at the end of a job and reselect a provider for a new job
679494-2 3-Major   Change the default compression strategy to speed
632824-1 3-Major K00722715 SSL TPS limit can be reached if the system clock is adjusted
495443-10 3-Major K16621 ECDH negotiation failures logged as critical errors.
679496-1 4-Minor   Add 'comp_req' to the output of 'tmctl compress'



Cumulative fixes from BIG-IP v12.1.3.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
695901-2 CVE-2018-5513 K46940010 TMM may crash when processing ProxySSL data
693312-2 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
688516-2 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
704580-3 CVE-2018-5549 K05018525 apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
701359-2 CVE-2017-3145 K08613310 BIND vulnerability CVE-2017-3145
688009-5 CVE-2018-5519 K46121888 Appliance Mode TMSH hardening
671497-4 CVE-2017-3142 K59448931 TSIG authentication bypass in AXFR requests
615269-1 CVE-2016-2183 K13167034 CVE-2016-2183: AFM SSH Proxy Vulnerability
603758-1 CVE-2018-5540 K82038789 Big3D security hardening


Functional Change Fixes

ID Number Severity Solution Article(s) Description
680850-1 3-Major K48342409 Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.
570570-5 3-Major   Default crypto failure action is now 'go-offline-downlinks'.


TMOS Fixes

ID Number Severity Solution Article(s) Description
711547 1-Blocking   Update cipher support for Common Criteria compliance
708054-3 2-Critical   Web Acceleration: TMM may crash on very large HTML files with conditional comments
706305-2 2-Critical   bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled
703761-1 2-Critical   Disable DSA keys for public-key and host-based authentication in Common Criteria mode
677937-1 2-Critical K41517253 APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
673484-1 2-Critical K85405312 IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO
664549-2 2-Critical K55105132 TMM restart while processing rewrite filter
599423-1 2-Critical K24584925 merged cores and restarts
583111-1 2-Critical   BGP activated for IPv4 address family even when 'no bgp default ipv4-unicast' is configured
701626-1 3-Major K16465222 GUI resets custom Certificate Key Chain in child client SSL profile
686029-1 3-Major   A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
664737-2 3-Major   Do not reboot on ctrl-alt-del
655005-1 3-Major K23355841 "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync
646890-1 3-Major K12068427 IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512
635703-1 3-Major K14508857 Interface description may cause some interface level commands to be removed
614486-1 3-Major   BGP community lower bytes of zero is not allowed to be set in route-map
612721-4 3-Major   FIPS: .exp keys cannot be imported when the local source directory contains .key file
609967-2 3-Major K55424912 qkview missing some HugePage memory data
586412-2 3-Major   BGP peer-group members address-family configuration not saved to configuration
583108-1 3-Major   Zebos issue: No neighbor x.x.x.x activate in address-family IPv6 lost on reboot/restart.
581101-1 3-Major   non-admin user running list cmd: can't get object count
557155-8 3-Major K33044393 BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
421797-3 3-Major   ePVA continues to accelerate hardware offloaded traffic in Standby.
651413-2 4-Minor K34042229 tmsh list ltm node does not return an error when node does not exist
598437-1 4-Minor   SNMP process monitoring is incorrect for tmm and bigd


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
706631 2-Critical   A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
705611-1 2-Critical   TMM may crash under load if configuration changes occur while the HTTP/2 profile is in use
704666-2 2-Critical   memory corruption can occur when using certain certificates
701202-1 2-Critical K35023432 SSL memory corruption
700862-2 2-Critical K15130240 tmm SIGFPE 'valid node'
700393-2 2-Critical K53464344 Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash
685254-1 2-Critical K14013100 RAM Cache Exceeding Watchdog Timeout in Header Field Search
678416-2 2-Critical   Some tmm/umem_usage_stat counters may be incorrect under memory pressure.
676028-2 2-Critical K09689143 SSL forward proxy bypass may fail to release memory used for ssl_hs instances
673951-4 2-Critical K56466330 Memory leak when using HTTP2 profile
670814-2 2-Critical   Wrong SE Linux label breaks nethsm DNSSEC keys
665185-1 2-Critical K20994524 SSL handshake reference is not dropped if forward proxy certificate lookup failed
657463-2 2-Critical   SSL sends HUDEVT_SENT to TCP in the wrong state, which causes HTTP to disconnect during the handshake.
648320-3 2-Critical K38159538 Downloading via APM tunnels could experience performance downgrade.
647757-2 2-Critical K96395052 RATE-SHAPER:Fred not properly initialized may halt traffic
613088-3 2-Critical   pkcs11d thread has session initialization problem.
452283-2 2-Critical   An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
705794-1 3-Major   Under certain circumstances a stale HTTP/2 stream might cause a tmm crash
690042-3 3-Major K43412307 Potential Tcl leak during iRule suspend operation
689449-3 3-Major   Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
687205-3 3-Major   Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
686972-1 3-Major   The change of APM log settings will reset the SSL session cache.
686395 3-Major   With DTLS version1, when client hello uses version1.2, handshake shall proceed
683697-3 3-Major K00647240 SASP monitor may use the same UID for multiple HA device group members
677962-3 3-Major   Invalid use of SETTINGS_MAX_FRAME_SIZE
677457 3-Major K13036194 HTTP/2 Gateway appends semicolon when a request has one or more cookies
677400-3 3-Major K82502883 pimd daemon may exit on failover
673399-1 3-Major   HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.
665652-2 3-Major K41193475 Multicast traffic not forwarded to members of VLAN group
664528-1 3-Major K53282793 SSL record can be larger than maximum fragment size (16384 bytes)
663551-1 3-Major K14942957 SERVERSSL_DATA is not triggered when iRule issues [SSL::collect] in the SERVERSSL_HANDSHAKE event
662911-2 3-Major K93119070 SASP monitor uses same UID for all vCMP guests in a chassis or appliance
654368-7 3-Major K15732489 ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require
654086-3 3-Major   Incorrect handling of HTTP2 data frames larger than minimal frame size
653976-2 3-Major K00610259 SSL handshake fails if server certificate contains multiple CommonNames
651901-2 3-Major   Removed unnecessary ASSERTs in MPTCP code
640369-2 3-Major   TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan
633333-3 3-Major   During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent
619844-2 3-Major   Packet leak if reject command is used in FLOW_INIT rule
611691-5 3-Major   Packet payload ignored when DSS option contains DATA_FIN
608991-7 3-Major   BIG-IP retransmits SYN/ACK on a subflow after an MPTCP connection is closed
605480-4 3-Major   BIG-IP sends MP_FASTCLOSE after completing active close of MPTCP connection
604880-4 3-Major   tmm assert "valid pcb" in tcp.c
604549-7 3-Major   MPTCP connection not closed properly when the segment with DATA_FIN also DATA_ACKs data
592731-1 3-Major K34220124 Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck.
653746-2 4-Minor K83324551 Unable to display detailed CPU graphs if the number of CPU is too large
569814-2 4-Minor K30240351 iRule "nexthop IP_ADDR" rejected by validator


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
710424-3 2-Critical   Possible SIGSEGV in GTMD when GTM persistence is enabled.
699135-2 2-Critical   tmm cores with SIGSEGV in dns_rebuild_response while using the host command for a non-A/AAAA wide IP
691287-3 2-Critical   tmm crashes on iRule with GTM pool command
682335-3 2-Critical   TMM can establish multiple connections to the same gtmd
699339-1 3-Major K24634702 Geolocation upgrade files fail to replicate to secondary blades
696808-3 3-Major   Disabling a single pool member removes all GTM persistence records
687128-3 3-Major   gtm::host iRule validation for ipv4 and ipv6 addresses
679149-2 3-Major   TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
663310-3 3-Major   named reports "file format mismatch" when upgrading to versions with BIND 9.9.X for text slave zone files
619158-1 3-Major   iRule DNS request with trailing dot times out with empty response
595293-4 3-Major   Deleting GTM links could cause gtm_add to fail on new devices.


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
679221-1 1-Blocking   APMD may generate a core file or appear locked up after APM configuration is changed
702278-3 2-Critical   Potential XSS security exposure on APM logon page.
678715-1 2-Critical   Large volume of query result update to SessionDB fails and locks down ApmD
712315-1 3-Major   LDAP and AD Group Resource Assign are not displaying Static ACLs correctly
710211 3-Major   Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro.
702490-4 3-Major   Windows Credential Reuse feature may not work
702487-1 3-Major   AD/LDAP admins with spaces in names are not supported
700780-4 3-Major   F5 DNS Relay Proxy service now warns about and clears truncated flag in proxied DNS responses
699267-1 3-Major   LDAP Query may fail to resolve nested groups
681415-1 3-Major   Copying of profile with advanced customization or images might fail
675775-2 3-Major   TMM crashes inside dynamic ACL building session db callback
672250-1 3-Major   SessionDB update from ApmD with large volume fails
671149-3 3-Major   Captive portal login page is not rendered until it is refreshed
669459-2 3-Major   Effect of bad connection handle between APMD and memcachd
639283-4 3-Major   Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate
569542-1 3-Major   After upgrade, user cannot upload APM Sandbox hosted-content file in a partition existing before upgrade
667237-3 4-Minor   Edge Client logs the routing and IP tables repeatedly


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
673463-2 2-Critical K68275280 SDD v3 symmetric deduplication may start performing poorly after a failover event
685693 3-Major   APM AppTunnels memory leak


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
702738 3-Major K32181540 Tmm might crash activating new blob when changing firewall rules
528499-3 4-Minor   AFM address lists are not sorted while trying to create a new rule.



Cumulative fixes from BIG-IP v12.1.3.3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
706086-1 CVE-2018-5515 K62750376 PAM RADIUS authentication subsystem hardening
704490 CVE-2017-5754 K91229003 CVE-2017-5754 (Meltdown)
704483 CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176 K91229003 CVE-2017-5753 (Spectre Variant 1)


Functional Change Fixes

ID Number Severity Solution Article(s) Description
467709-1 4-Minor   FQDN nodes or pool members show Green (Available) when DNS responds with NXDOMAIN


TMOS Fixes

ID Number Severity Solution Article(s) Description
707226-2 1-Blocking   DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
704804-2 3-Major   The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
704733-2 3-Major   NAS-IP-Address is sent with the bytes in reverse order
703869-1 3-Major   Waagent updated to 2.2.21
701249-2 3-Major   RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
699147 3-Major   Hourly billed cloud images are now pre-licensed
687098 3-Major   IPv6 RADIUS servers not supported for remote authentication
674288-2 3-Major K62223225 FQDN nodes - monitor attribute doesn't reliably show in GUI
649465-1 3-Major   SELinux warning messages regarding nsm daemon


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
695117 2-Critical K30081842 bigd cores and sends corrupted MCP messages with many FQDN nodes
668883 2-Critical   FQDN pool member status may become out-of-sync when enabled/disabled through GUI
707675 3-Major   FQDN nodes or pool members flap when DNS response received
701609 3-Major   Static member of pool with FQDN members may revert to user-disabled after being re-enabled
685344-2 3-Major   Monitor 'min 1 of' not working as expected with FQDN nodes/members
673075-1 3-Major   Reduced Issues for Monitors configured with FQDN
671228-1 3-Major   Multiple FQDN ephemeral nodes may be created with autopopulate disabled
667560-3 3-Major K69205908 FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed
573602-1 3-Major   FQDN pool members not shown by tmsh show ltm monitor
573302-1 3-Major   FQDN pool member remains in disabled state after removing monitor
571095-1 3-Major   Monitor probing to pool member stops after FQDN pool member with same IP address is deleted
699262-2 5-Cosmetic   FQDN pool member status remains in 'checking' state after full config sync



Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
700556-2 CVE-2018-5504 K11718033 TMM may crash when processing WebSockets data
698080-1 CVE-2018-5503 K54562183 TMM may consume excessive resources when processing with PEM
691504-3 CVE-2018-5503 K54562183 PEM content insertion in a compressed response may cause a crash.
686305-2 CVE-2018-5534 K64552448 TMM may crash while processing SSL forward proxy traffic
677193-2 CVE-2017-6154 K38243073 ASM BD Daemon Crash.
674189 CVE-2016-0718 K52320548 iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0
673078-1 CVE-2017-6150 K62712037 TMM may crash when processing FastL4 traffic
670822-3 CVE-2017-6148 K55225440 TMM may crash when processing SOCKS data
668501-2 CVE-2017-6151 K07369970 HTTP2 does not handle some URIs correctly
630446-1 CVE-2016-0718 K52320548 Expat vulnerability CVE-2016-0718
621233-1 CVE-2018-5509 K49440608 FastL4 and HTTP profile or hash persistence with ip-protocol not set to TCP can crash tmm
699455-3 CVE-2018-5523 K50254952 SAML export does not follow best practices
699346-2 CVE-2018-5524 K53931245 NetHSM capacity reduces when handling errors
694274-2 CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 K23565223 [RHSA-2017:3195-01] Important: httpd security update - EL6.7
688625-2 CVE-2017-11628 K75543432 PHP Vulnerability CVE-2017-11628
688011-5 CVE-2018-5520 K02043709 Dig utility does not apply best practices
676457-3 CVE-2017-6153 K52167636 TMM may consume excessive resource when processing compressed data
671638-4 CVE-2018-5500 K33211839 TMM crash when load-balancing mptcp traffic
670405-4 CVE-2017-1000366 K20486351 glibc vulnerability CVE-2017-1000366
662850-2 CVE-2015-2716 K50459349 Expat XML library vulnerability CVE-2015-2716
662663-6 CVE-2018-5507 K52521791 Decryption failure Nitrox platforms in vCMP mode
643375-1 CVE-2018-5508 K10329515 TMM may crash when processing compressed data
631204-1 CVE-2018-5521 K23124150 GeoIP lookups incorrectly parse IP addresses
617273-7 CVE-2016-5300 K70938105 Expat XML library vulnerability CVE-2016-5300
593139-9 CVE-2014-9761 K31211252 glibc vulnerability CVE-2014-9761
572272-5 CVE-2018-5506 K65355492 BIG-IP - Anonymous Certificate ID Enumeration
673607-2 CVE-2017-3169 K83043359 Apache CVE-2017-3169
672667-4 CVE-2017-7679 K75429050 CVE-2017-7679: Apache vulnerability
605579-8 CVE-2012-6702 K65460334 iControl-SOAP expat client library is subjected to entropy attack
578983-4 CVE-2015-8778 K51079478 glibc: Integer overflow in hcreate and hcreate_r
684033-1 CVE-2017-9798 K70084351 CVE-2017-9798 : Apache Vulnerability (OptionsBleed)


Functional Change Fixes

ID Number Severity Solution Article(s) Description
686389-3 3-Major   APM does not honor per-farm HTML5 client disabling at the View Connection Server
685020-1 3-Major   Enhancement to SessionDB provides timeout
653772-2 3-Major   fastL4 fails to evict flows from the ePVA
639505-3 3-Major   BGP may not send all configured aggregate routes
587107-3 3-Major   Allow iQuery to negotiate up to version TLS1.2


TMOS Fixes

ID Number Severity Solution Article(s) Description
667148-1 1-Blocking K02500042 Config load or upgrade can fail when loading GTM objects from a non-/Common partition
689577-1 2-Critical K45800333 ospf6d may crash when processing specific LSAs
678833 2-Critical   IPv6 prefix SPDAG causes packet drop
676203-1 2-Critical   Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.
667405-2 2-Critical K61251939 Fragmented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM.
667404-2 2-Critical K77576404 Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts
651362 2-Critical   eventd crashes during boot
631700-1 2-Critical K72453283 sod may kill bcm56xxd under heavy load
617733-1 2-Critical   Error message: subscriber id response; Subscription not found
580753-1 2-Critical K82583534 eventd might core on transition to secondary.
563661-2 2-Critical   Datastor may crash
694696-3 3-Major   On multiblade Viprion, creating a new traffic-group causes the device to go Offline
687658-2 3-Major   Monitor operations in transaction will cause it to stay unchecked
687353-3 3-Major K35595105 Qkview truncates tmstat snapshot files
682213-3 3-Major K31623549 TLS v1.2 support in IP reputation daemon
679480-1 3-Major   User able to create node when an ephemeral with the same IP already exists
674320-2 3-Major K11357182 Syncing a large number of folders can prevent the configuration getting saved on the peer systems
672815-2 3-Major   Incorrect disaggregation on VIPRION B4200 blades
671082-1 3-Major K85168072 snmpd constantly restarting
669888-2 3-Major   No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96
669462-1 3-Major   Error adding /Common/WideIPs as members to GTM Pool in non-Common partition
669415-1 3-Major   Flow eviction for hardware-accelerated flow might fail
664894-1 3-Major K11070206 PEM sessions lost when new blade is inserted in chassis
664057-2 3-Major   Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached
664017-3 3-Major   OCSP may reject valid responses
652968-2 3-Major K88825548 IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys
645723-2 3-Major K74371937 Dynamic routing update can delete admin ip route from the kernel
632366-1 3-Major   Prevent a spurious Broadcom switch driver failure.
631316 3-Major K62532020 Unable to load config with client-SSL profile error
626990-1 3-Major K64915164 restjavad logs flooded with messages from ChildWrapper
624362-1 3-Major   VCMP guest /shared file system growth due to /shared/tmp/guestagentd.out file
623803-2 3-Major K12921801 General DB error when select Profiles: Protocol: SCTP profile. Error due to 'read access denied type Virtual Address profile SCTP'
610122-1 3-Major   Hotfix installation fails: can't create /service/snmpd/run
598724-1 3-Major   Abandoned indefinite lifetime SessionDB entries on STANDBY devices.
586887-2 3-Major K25883308 SCTP tmm crash with virtual server destination.
579760-3 3-Major K55703840 HSL::send may fail to resume after log server pool member goes down/up
471237-2 3-Major K12155235 BIG-IP VE instances do not work with an encrypted disk in AWS.
699281 4-Minor   Version format of hypervisor bundle matches Version format of ISO
669255-2 4-Minor K20100613 An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms
660239-3 4-Minor   When accessing the dashboard, invalid HTTP headers may be present
655085-2 4-Minor   While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors
613275-2 4-Minor K62581339 SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up
601168-1 4-Minor   Incorrect virtual server CPU utilization may be observed.
509980-1 4-Minor   Spurious HA group configuration errors can be displayed during reboot of other DSC cluster members.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
692970-3 2-Critical   Using UDP port 67 for purposes other than DHCP might cause TMM to crash
687603-1 2-Critical K36243347 tmsh query for dns records may cause tmm to crash
686228-3 2-Critical K23243525 TMM may crash in some circumstances with VLAN failsafe
682682-3 2-Critical   tmm asserts on a virtual server-to-virtual server connection
681175-1 2-Critical K32153360 TMM may crash during routing updates
676982-2 2-Critical K21958352 Active connection count increases over time, long after connections expire
674576-4 2-Critical   Outage may occur with VIP-VIP configurations
665924-1 2-Critical K24847056 The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios
665732-2 2-Critical K45001711 FastHTTP may crash when receiving a fragmented IP packet
664461-3 2-Critical K16804728 Replacing HTTP payload can cause tmm restart
658989-2 2-Critical   Memory leak when connection terminates in iRule process
639039-4 2-Critical K33754014 Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons
614702-1 2-Critical K24172560 Race condition when using SSL Orchestrator can cause TMM to core
704073-3 3-Major K24233427 Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm
698000-1 3-Major K04473510 Connections may stop passing traffic after a route update
689089-3 3-Major   VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
686307-1 3-Major K10665315 Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
686065-1 3-Major   RESOLV::lookup iRule command can trigger crash with slow resolver
685955 3-Major   TMM hud_message_ctx leak
685110-3 3-Major K05430133 With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
683683-1 3-Major   ASN1::encode returns wrong binary data
682104-1 3-Major   HTTP PSM leaks memory when looking up evasion descriptions
680755-1 3-Major K27015502 max-request enforcement no longer works outside of OneConnect
673621-2 3-Major   Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.
670816-2 3-Major K44519487 HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters
669974-1 3-Major K90395411 Encoding binary data using ASN1::encode may truncate result
668522-1 3-Major   bigd might try to read from a file descriptor that is not ready for read
668419-1 3-Major K53322151 ClientHello sent in multiple packets results in TCP connection close
666315 3-Major   Global SNAT sets TTL to 255 instead of decrementing
666160-1 3-Major K63132146 L7 Policy reconfiguration causes a slow memory leak
665022-1 3-Major   Rateshaper stalls when TSO packet length exceeds max ceiling.
664769-1 3-Major   TMM may restart when using SOCKS profile and an iRule
663821-3 3-Major K41344010 SNAT Stats may not include port FTP traffic
661881-2 3-Major K00030614 Memory and performance issues when using certain ASN.1 decoding formats in iRules
659648-2 3-Major   LTM Policy rule name migration doesn't properly handle whitespace
657795-1 3-Major K51498984 Possible performance impact on some SSL connections
655432-7 3-Major K85522235 SSL renegotiation failed intermittently with AES-GCM cipher
651681-4 3-Major   Orphaned bigd instances may exist (within multi-process bigd)
651135-4 3-Major K41685444 LTM Policy error when rule names contain slash (/) character
645220-2 3-Major   bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs
645197-3 3-Major   Monitors receiving unique HTTP 'success' response codes may stop monitoring after status change
640565-1 3-Major K11564859 Incorrect packet size sent to clone pool member
636149-3 3-Major   Multiple monitor response codes to single monitor probe failure
628721-1 3-Major   In rare conditions, DNS cache resolver outbound TCP connections fail to expire.
627926-1 3-Major K21211001 Retrieving a server-side SSL session ID in iRules does not work
584865-1 3-Major   Primary slot mismatch after primary cluster member leaves and then rejoins the cluster
582487-2 3-Major K22210514 'merged.method' set to 'slow_merge,' does not update system stats
574526-1 3-Major K55542554 HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter
573366-4 3-Major   parking command used in the nesting script of clientside and serverside command can cause tmm core
692095-3 4-Minor K65311501 bigd logs monitor status unknown for FQDN Node/Pool Member
625892-2 4-Minor   Nagle Algorithm Not Fully Enforced with TSO
530877-7 4-Minor K13887095 TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
692941-3 2-Critical   GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
678861-3 2-Critical   DNS:: namespace commands in procs cause upgrade failure when changing from a Link Controller license to another license
580537-1 2-Critical   The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
562921-4 2-Critical   Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
700527-1 3-Major   cmp-hash change can cause repeated iRule DNS-lookup hang
691498-1 3-Major   Connection failure during iRule DNS lookup can crash TMM
690166-3 3-Major   ZoneRunner creates a new stub zone when creating a SRV WIP with more subdomains
671326-2 3-Major K81052338 DNS Cache debug logging might cause tmm to crash.
667469-1 3-Major K35324588 Higher than expected CPU usage when using DNS Cache
665347-2 3-Major K17060443 GTM listener object cannot be created via tmsh while in non-Common partition
636853-2 3-Major K19401488 Under some conditions, a change in the order of GTM topology records does not take effect.
621374-1 3-Major   "abbrev" argument in "whereis" iRule returns nothing
487144-2 3-Major   tmm intermittently reports that it cannot find FIPS key


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
701327-1 2-Critical   failed configuration deletion may cause unwanted bd exit
699720-3 2-Critical   ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
691670-3 2-Critical   Rare BD crash in a specific scenario
684312-2 2-Critical K54140729 During Apply Policy action, bd agent crashes, causing the machine to go Offline
681109-2 2-Critical K46212485 BD crash in a specific scenario
679603-2 2-Critical K15460886 bd core upon request, when profile has sensitive element configured.
678462-2 2-Critical   after chassis failover: asmlogd CPU 100% on secondary
678228-1 2-Critical K27568142 Repeated Errors in ASM Sync
672301-2 2-Critical   ASM crashes when using a logout object configuration in ASM policy
664708-2 2-Critical   TMM memory leak when DoS profile is attached to VS
662281-2 2-Critical   Inconsistencies in Automatic sync ASM Device Group
637252-1 2-Critical K73107660 Rest worker becomes unreliable after processing a call that generated an error
633070-1 2-Critical   Sync Inconsistencies when using Autosync ASM Group between Chassis devices
631609-1 2-Critical   ASM Centralized Management Infrastructure Sync issues
614441-4 2-Critical K04950182 False Positive for illegal method (GET)
611154-1 2-Critical   BD crash
599221-1 2-Critical   ASM Policy cannot be created in non-default partition via the Import Policy Task
576123-3 2-Critical K23221623 ASM policies are created as inactive policies on the peer device
702946-2 3-Major   Added option to reset staging period for signatures
701841-1 3-Major   Unnecessary file recovery_db/conf.tar.gz consumes /var disk space
700564-2 3-Major   JavaScript errors shown when debugging a mobile device with ASM deviceID enabled
700330 3-Major   AJAX blocking page isn't shown when a webpage uses jQuery framework.
700143-1 3-Major   ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages
698919-1 3-Major   Anti virus false positive detection on long XML uploads
697303-3 3-Major   BD crash
696265-3 3-Major K60985582 BD crash
694922-4 3-Major   ASM Auto-Sync Device Group Does Not Sync
691477-1 3-Major   ASM standby unit showing future date and high version count for ASM Device Group
685743-3 3-Major   When changing internal parameter 'request_buffer_size', violations in large requests might not be reported
685207-2 3-Major   DoS client side challenge does not encode the Referer header.
683508-3 3-Major K00152663 WebSockets: umu memory leak of binary frames when remote logger is configured
682612 3-Major   Event Correlation is disabled on vCMP even though all the prerequisites are met.
679384-1 3-Major K85153939 The policy builder is not getting updates about the newly added signatures.
678293-1 3-Major K25066531 Uncleaned policy history files cause /var disk exhaustion
676416-2 3-Major   BD restart when switching FTP profiles
675232-3 3-Major   Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
674494-1 3-Major K77993010 BD memory leak on specific configuration and specific traffic
671675-1 3-Major   Centralized Management Infrastructure: asm_config_server restart on device group change
668184-1 3-Major   Huge values are shown in the AVR statistics for ASM violations
668181-2 3-Major   Policy automatic learning mode changes to manual after failover
667922 3-Major K44692860 Alternative unicode encoding in JSON objects not being parsed correctly
666986-2 3-Major K50320144 Filter by Support ID is not working in Request Log
663535-1 3-Major   Sending ASM cookies with "secure" attribute even without client-ssl profile
654925-1 3-Major K25952033 Memory Leak in ASM Sync Listener Process
654873-2 3-Major   ASM Auto-Sync Device Group
619516-1 3-Major   Inconsistencies in Automatic sync ASM Device Group
605982-1 3-Major   Policy settings change during export/import
434821-1 3-Major   Remote logging of staged signatures and staged sets
694073-1 4-Minor   All signature update details are shown in 'View update history from previous BIG-IP versions' popup
655159-1 4-Minor K84550544 Wrong XML profile name Request Log details for XML violation
625602-3 4-Minor   ASM Auto-Sync Device Group Does Not Sync


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
658343-2 3-Major K33043439 AVR tcp-analytics: per-host RTT average may show incorrect values
648242 3-Major K73521040 Administrator users unable to access all partition via TMSH for AVR reports
582029-4 3-Major   AVR might report incorrect statistics when used together with other modules.
682105 4-Minor   Adding widget in Analytics Overview can cause measures list to empty out on Page change
649161-1 4-Minor K42340304 AVR caching mechanism not working properly


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
693739-3 2-Critical   VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled
660711-1 2-Critical K05265457 MCPD might crash when a user tries to import an access policy
649234-3 2-Critical K64131101 TMM crash from a possible memory corruption.
639929-2 2-Critical   Session variable replace with value containing these characters ' " & < > = may cause tmm crash
632178-1 2-Critical   LDAP Query agent creates only two session variables when required attributes list is empty
703984-2 3-Major   Machine Cert agent improperly matches hostname with CN and SAN
703429-1 3-Major   Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services
700783-3 3-Major   Machine certificate check does not check against all FQDN hostnames
692307-1 3-Major   User with 'operator' role may not be able to view some session variables
689826-2 3-Major K95422068 Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)
686282-1 3-Major   APMD intermittently crashes when processing access policies
684325-3 3-Major   APMD Memory leak when applying a specific access profile
683389-1 3-Major   Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
682500-1 3-Major   VDI Profile and Storefront Portal Access resource do not work together
680112-1 3-Major K18131781 SWG-Explicit rejects large POST bodies during policy evaluation
678851-1 3-Major   Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()
676690-3 3-Major   Windows Edge Client sometimes crashes when user signs out from Windows
675866-1 3-Major   WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
675399-3 3-Major K14304639 Network Access does not work when empty variables are assigned for WINS and DNS
674593-1 3-Major   APM configuration snapshot takes a long time to create
674410-3 3-Major K59281892 AD auth failures due to invalid Kerberos tickets
673748-1 3-Major K19534801 ng_export, ng_import might leave security.configpassword in invalid state
672868-1 3-Major   Portal Access: JavaScript application with non-whitespace control characters may be processed incorrectly
672040-3 3-Major   Access Policy Causing Duplicate iRule Event Execution
671597-1 3-Major   Import, export, copy and delete take too long on a policy with 1000 entries
670910-2 3-Major   Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined
669510-2 3-Major   When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.
669154-1 3-Major K25342114 Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases.
668623-5 3-Major K85991425 macOS Edge client fails to detect correct system language for regions other than USA
668503-3 3-Major   Edge Client fails to reconnect to virtual server after disabling Network Adapter
668129-1 3-Major   BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers.
666689-1 3-Major   Occasional "profile not found" errors following activate access policy
666058-2 3-Major K86091857 XenApp 6.5 published icons are not displayed on APM Webtop
665416-3 3-Major K02016491 Old versions of APM configuration snapshots need to be reaped more aggressively if not used
665330-1 3-Major   MSIE 11 should avoid compatibility mode
664507-3 3-Major   When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration
663127-1 3-Major   Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration.
655364-1 3-Major   Portal access rewriting window.opener causes JS exception
655146-2 3-Major   APM Profile access stats are not updated correctly
654508-2 3-Major   SharePoint MS-OFBA browser window displays Javascript errors
654046-1 3-Major K22121533 BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs.
653771-2 3-Major   tmm crash after per-request policy error
653324-3 3-Major K87979026 On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly
651910-2 3-Major   Cannot change 'Enable Access System Logs' or 'Enable URL Request Logs' via the GUI after upgrading from 12.x to 13.0.0 or later
649613-3 3-Major   Multiple UDP/TCP packets packed into one DTLS Record
632646-4 3-Major   APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.
629921-4 3-Major   [SWG] NTLM 407-based front-end auth and passthrough 401-based NTLM backend auth does not work.
621682-1 3-Major   Portal Access: problem with specific JavaScript code
616104-2 3-Major   VMware View connections to pool hit matching BIG-IP virtuals
613373-2 3-Major   Access may be denied to users with Application Editor role when accessing SAML Authentication Context UI page
610582-2 3-Major   Device Guard prevents Edge Client connections
601420-3 3-Major   Possible SAML authentication loop with IE and multi-domain SSO.
596083-1 3-Major   Error running custom APM Reports with "session creation time" on Viprion Platform
590992-3 3-Major   If IP address on network adapter changes but DNS remains unchanged, DNS resolution stops working
578413-1 3-Major   Missing reference to customization-group from connectivity profile if created via portal access wizard
575444-1 3-Major   Wininfo agent incorrectly reports OS version on Windows 10 in some cases
563135-3 3-Major   SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt
466068-1 3-Major   Allow setting of the AAA Radius server timeout value larger than 60 seconds
447565-5 3-Major K33692321 Renewing machine-account password does not update the serviceId for associated ntlm-auth.
691017-1 4-Minor   Preventing ng_export hangs
684414-1 4-Minor   Retrieving too many groups is causing out of memory errors in TMUI and VPE
673717-1 4-Minor   VPE loading times can be very long
671627-1 4-Minor K06424790 HTTP responses without body may contain a chunked body with empty payload when processed by Portal Access.
667304-1 4-Minor K68108551 Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled
561892-2 4-Minor K08121752 Kerberos cache is not cleared when Administrator password is changed in AAA AD Server


Service Provider Fixes

ID Number Severity Solution Article(s) Description
662844 2-Critical K87735013 TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x.
643785-3 2-Critical   diadb crashes if it cannot find pool name
699431 3-Major   Possible memory leak in MRF under low memory


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
456376-4 1-Blocking K53153545 BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32
671052-3 2-Critical K50324413 AFM NAT security sends RST for the traffic with '(FW NAT) dst_trans failed'
644822-2 2-Critical K19245372 FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned
564058-1 2-Critical K91467162 AutoDoS daemon aborts intermittently after it has been up for several days
620543-1 3-Major   Security Address Lists and Port Lists can't change Description field


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
696383-2 2-Critical   PEM Diameter incomplete flow crashes when swept
694717-3 2-Critical   Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
616008-3 2-Critical K23164003 TMM core may be seen when using an HSL format script for HSL reporting in PEM
696789-2 3-Major   PEM Diameter incomplete flow crashes when Tcl is resumed
695968-3 3-Major   Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.
694319-3 3-Major   CCA without a request type AVP cannot be tracked in PEM.
694318-3 3-Major   PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.
684333-3 3-Major   PEM session created by Gx may get deleted across multiple HA switchovers with CLI command
678820-2 3-Major   Potential memory leak if PEM Diameter sessions are not created successfully.
678714-3 3-Major   After HA failover, subscriber data has stale session ID information
660187-3 3-Major   TMM core after intra-chassis failover for some instances of subscriber creation
642068-1 3-Major   PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
638594-3 3-Major   TMM crash when handling unknown Gx messages.
627616-3 3-Major   CCR-U missing upon VALIDITY TIMER expiry when quota is zero
624231-5 3-Major   No flow control when using content-insertion with compression
680729-3 4-Minor K64307999 DHCP Trace log incorrectly marked as an Error log.
678822-3 4-Minor   Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
663333-1 2-Critical   TMM may core in PBA mode if LSN pool is under-provisioned or the utilization is high
615432-1 2-Critical   Multiple TFTP data transfers cannot be initiated in a single session
663974-2 3-Major   TMM crash when using LSN inbound connections


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
692123-2 3-Major   GET parameter is grayed out if MobileSafe is not licensed
667892-2 3-Major   FPS: BLFN inheritance won't take effect until GUI refresh



Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
681710-4 CVE-2017-6155 K10930474 Malformed HTTP/2 requests may cause TMM to crash
673595-2 CVE-2017-3167 CVE-2017-3169 K34125394 Apache CVE-2017-3167
648786-5 CVE-2017-6169 K31404801 TMM crashes when categorizing long URLs


Functional Change Fixes

ID Number Severity Solution Article(s) Description
673129 3-Major K41458656 New feature: revoke license


TMOS Fixes

ID Number Severity Solution Article(s) Description
682837 1-Blocking   Compression watchdog period too brief.
675921 1-Blocking   Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but the guest is running
696468 2-Critical   Active compression requests can become starved from too many queued requests.
667173 2-Critical   13.1.0 cannot join a device group with 13.1.0.1
665656-1 2-Critical   BWC with iSession may leak memory
663366-3 2-Critical   SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.
621386-1 2-Critical K91988084 restjavad spawns too many icrd_child instances
683114-1 3-Major   Need support for 4th element version in Update Check
679959-1 3-Major   Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000
672988-2 3-Major K03433341 MCP memory leak when performing incremental ConfigSync
669288-3 3-Major K76152943 Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.
668352-2 3-Major   High Speed Logging: unbalanced log distribution across multiple pool destinations.
668048-1 3-Major K02551403 TMM memory leak when manually enabling/disabling pool member used as HSL destination
663063-2 3-Major   Disabling a pool member used in a busy HSL TCP destination can result in service disruption.
659057-1 3-Major   BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD
658636-2 3-Major K51355172 When creating LTM or DNS monitors through batch/transaction mode, newlines are improperly escaped.
652691-1 3-Major   Installation fails if only .iso.384.sig (new format signature file) is present
652689-2 3-Major K14243280 Displaying 100G interfaces
642952 3-Major   platform_check doesn't run PCI check on i11800
640636-3 3-Major   F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade
638881-1 3-Major   Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances
628739-1 3-Major   BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD
628735-1 3-Major   Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles
604547-1 3-Major K21551422 Unix daemon configuration may be lost or not be updated upon reboot
674515 4-Minor   New revoke-license feature implemented for VE only
663580-1 4-Minor K31981624 logrotate does not automatically run when /var/log reaches 90% usage
644723-1 4-Minor   cm56xxd logs link 'DOWN' message when an interface is admin DISABLED
507206-1 4-Minor   Multicast Out stats always zero for management interface.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
689080 2-Critical   Erroneous syncookie validation in HSB causes the BIG-IP system to choose the wrong MSS value
463097-3 3-Major   Clock advanced messages with large amount of data maintained in DNS Express zones


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
672504-1 2-Critical K52325625 Deleting zones from large databases can take excessive amounts of time.
614788-1 2-Critical   zxfrd crash due to lack of disk space
655233-1 3-Major K93338593 DNS Express using wrong TTL for SOA RRSIG record in NoData response
648766-1 3-Major K57853542 DNS Express responses missing SOA record in NoData responses if CNAMEs present
645615-2 3-Major K70543226 zxfrd may fail and restart after multiple failovers between blades in a chassis.
433678-2 3-Major K32401561 A monitor removed from GTM link cannot be deleted: 'monitor is in use'
646615-1 4-Minor   Improved default storage size for DNS Express database


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
652796-1 1-Blocking   When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
652792-1 2-Critical   When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
678976-2 3-Major K24756214 Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
677058-3 3-Major K31757417 Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
679440-2 2-Critical K14120433 MCPD Cores with SIGABRT
591828-4 3-Major K52750813 For unmatched connection, TCP RST may not be sent for data packet


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
668252-2 2-Critical K22784428 TMM crash in PEM_DIAMETER component
628311-3 2-Critical K87863112 Potential TMM crash due to duplicate installed PEM policies by the PCRF
675928-2 3-Major   Periodic content insertion could add too many inserts to multiple flows if an HTTP request is outstanding
674686-2 3-Major   Periodic content insertion of new flows fails if an outstanding flow is a long flow
673683-2 3-Major   Periodic content insertion fails if PEM and classification profiles are detached and reattached to the listener
673678-2 3-Major   Periodic content insertion fails if HTTP request/response get interleaved by a second subscriber HTTP request
673472-2 3-Major   After classification rule is updated, first periodic Insert content action fails for existing subscriber
639486-4 3-Major   TMM crash due to PEM usage reporting after a CMP state change.
634015-3 3-Major K49315364 Potential TMM crash due to a PEM policy content triggered buffer overflow
572568-2 3-Major   Gy CCR-i requests are not being re-sent after initial configured re-transmits



Cumulative fixes from BIG-IP v12.1.3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
687193-1 CVE-2018-5533 K45325728 TMM may leak memory when processing SSL Forward Proxy traffic
684879-2 CVE-2017-6164 K02714910 TMM may crash while processing TLS traffic
662022-5 CVE-2017-6138 K34514540 The URI normalization functionality within the TMM may mishandle some malformed URIs.
653993-3 CVE-2017-6132 K12044607 A specific sequence of packets to the HA listener may cause tmm to produce a core file
653880 CVE-2017-6214 K81211720 Kernel Vulnerability: CVE-2017-6214
652539 CVE-2016-0634 CVE-2016-7543 CVE-2016-9401 K73705133 Multiple Bash Vulnerabilities
652516 CVE-2016-10088 CVE-2016-10142 CVE-2016-2069 CVE-2016-2384 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-8399 CVE-2016-9576 K31603170 Multiple Linux Kernel Vulnerabilities
651221-2 CVE-2017-6133 K25033460 Parsing certain URIs may cause the TMM to produce a core file.
650286-2 CVE-2017-6167 K24465120 REST asynchronous tasks permissions issues
650059-1 CVE-2017-6129 K20087443 TMM may crash when processing VPN traffic
649907-2 CVE-2017-3137 K30164784 BIND vulnerability CVE-2017-3137
649904-2 CVE-2017-3136 K23598445 BIND vulnerability CVE-2017-3136
644904-5 CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985, CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486 K55129614 tcpdump 4.9
644693-3 CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231,CVE-2016-5547,CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2017-3241 K15518610 Fix for multiple CVE for openjdk-1.7.0
638556-2 CVE-2016-10045 K73926196 PHP Vulnerability: CVE-2016-10045
634779-1 CVE-2017-6147 K43945001 TMM may crash while processing SSL Forward Proxy traffic
625860-2 CVE-2017-6140 K55102452 Improved handling of crypto hardware decrypt failures on B4450 platform.
624903-6 CVE-2017-6140 K55102452 Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.
600069-6 CVE-2017-0301 K54358225 Portal Access: Requests handled incorrectly
659791-2 CVE-2017-6136 K81137982 TFO and TLP could produce a core file under specific circumstances
655059-3 CVE-2017-6134 K37404773 TMM Crash
653224-1 CVE-2016-8610, CVE-2017-5335, CVE-2017-5336, CVE-2017-5337 K59836191 Multiple GnuTLS Vulnerabilities
653217-2 CVE-2016-2125, CVE-2016-2126 K03644631 Multiple Samba Vulnerabilities
645480-3 CVE-2017-6139 K45432295 Unexpected APM response
645101-2 CVE-2017-3731, CVE-2017-3732 K44512851 OpenSSL vulnerability CVE-2017-3732
642659-2 CVE-2015-8870, CVE-2016-5652, CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, CVE-2016-9536, CVE-2016-9537, CVE-2016-9540 K34527393 Multiple LibTIFF Vulnerabilities
640768 CVE-2016-10088, CVE-2016-9576 K05513373 Kernel vulnerability: CVE-2016-10088
639729-2 CVE-2017-0304 K39428424 Request validation failure in AFM UI Policy Editor
637666-2 CVE-2016-10033 K74977440 PHP Vulnerability: CVE-2016-10033
635314-5 CVE-2016-1248 K22183127 vim Vulnerability: CVE-2016-1248
622178-1 CVE-2017-6158 K19361245 Improve flow handling when Autolasthop is disabled
597176-1 CVE-2015-8711 CVE-2015-8714 CVE-2015-8716 CVE-2015-8717 CVE-2015-8718 CVE-2015-8720 CVE-2015-8721 CVE-2015-8723 CVE-2015-8725 CVE-2015-8729 CVE-2015-8730 CVE-2015-8733 CVE-2016-2523 CVE-2016-4006 CVE-2016-4078 CVE-2016-4079 CVE-2016-4080 CVE-2016-4081 CVE K01837042 Multiple Wireshark (tshark) vulnerabilities
583678-1 CVE-2016-3115 K93532943 SSHD session.c vulnerability CVE-2016-3115
582773-5 CVE-2018-5532 K48224824 DNS server for child zone can continue to resolve domain names after revoked from parent
567233-1 CVE-2015-5252, CVE-2015-5296, CVE-2015-5299 K92616530 Multiple samba vulnerabilities
353229-2 CVE-2018-5522 K54130510 Buffer overflows in DIAMETER
656912-4 CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464, CVE-2017-6451, CVE-2017-6458 K32262483 Various NTP vulnerabilities
632875-3 CVE-2018-5516 K37442533 Non-Administrator TMSH users no longer allowed to run dig
615226-5 CVE-2015-8925 CVE-2015-8933 CVE-2016-8688 CVE-2015-8919 CVE-2016-8689 CVE-2015-8931 CVE-2015-8923 CVE-2015-8930 CVE-2015-8922 CVE-2016-5844 CVE-2015-8917 CVE-2016-8687 CVE-2015-8932 CVE-2015-8916 CVE-2016-4809 CVE-2015-8934 CVE-2015-8924 CVE-2015-8920 CVE-2016-4302 CVE-2015-8921 CVE-2015-8928 CVE-2015-8926 CVE-2016-7166 CVE-2016-4300 K13074505 Libarchive vulnerabilities: CVE-2016-8687 and others
590840-2 CVE-2015-8325 K20911042 OpenSSH vulnerability CVE-2015-8325
655021-2 CVE-2017-3138 K23598445 BIND vulnerability CVE-2017-3138
652638-2 CVE-2016-10167 K23731034 php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
627203-1 CVE-2016-5542, CVE-2016-5554, CVE-2016-5573, CVE-2016-5582, CVE-2016-5597 K63427774 Multiple Oracle Java SE vulnerabilities


Functional Change Fixes

ID Number Severity Solution Article(s) Description
654549-1 2-Critical   PVA support for uncommon protocols DoS vector
653729-2 2-Critical   Support IP Uncommon Protocol
653234 2-Critical   Many objects must be reconfigured before use when loading a UCS from another device.
652094-2 2-Critical K49190243 Improve traffic disaggregation for uncommon IP protocols
643210-2 2-Critical K45444280 Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM
643054-2 2-Critical   ARP and NDP packets should be CoS marked by the switch on ingress
663521-2 3-Major   Intermittent dropping of multicast packets on certain BIG-IP platforms
651772-3 3-Major   IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
643143-2 3-Major   ARP and NDP packets should be QoS/DSCP marked on egress
610710-2 3-Major   Pass IP TOS bits from incoming connection to outgoing connection
584545-2 3-Major   Failure to stabilize internal HiGig link will not trigger failover event
567177-1 4-Minor   Log all attempts of key export in ltm log
650074-1 5-Cosmetic   Changed Format of RAM Cache REST Status output.


TMOS Fixes

ID Number Severity Solution Article(s) Description
642703-2 1-Blocking   Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.
619097 1-Blocking   iControl REST slow performance on GET request for virtual servers
539093-1 1-Blocking K26104530 VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface.
697878 2-Critical   High crypto request completion time under some workload patterns
666790-2 2-Critical K06619044 Use HSB HiGig MAC reset to recover both FCS errors and link instability
665354-2 2-Critical K31190471 Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
658574-2 2-Critical K61847644 An accelerated flow transmits packets to a stale (incorrect) destination MAC address.
655357-2 2-Critical K06245820 Corrupted L2 FDB entries on B4450 blades might result in dropped traffic
653376-5 2-Critical   bgpd may crash on receiving a BGP update with >= 32 extended communities
649866-1 2-Critical   fsck should not run during first boot on public clouds
638997-2 2-Critical   Reboot required after disk size modification in a running BIG-IP VE instance.
625456-5 2-Critical   Pending sector utility may write repaired sector incorrectly
624826-2 2-Critical K36404710 mgmt bridge takes HWADDR of guest vm's tap interface
613415-2 2-Critical K22750357 Memory leak in ospfd when distribute-list is used
609335-1 2-Critical   IPsec tmm devbuf memory leak.
604011-1 2-Critical   Sync fails when iRule or policy is in use
595783 2-Critical   Changing console baud rate for B2100, B2150 and B2250 blades does not work
593137-1 2-Critical   userDefined property for bot signatures is not shown in REST
579210-3 2-Critical K11418051 VIPRION B4400N blades might fail to go Active under rare conditions.
471860-10 2-Critical K16209 Disabling interface keeps DISABLED state even after enabling
412817-3 2-Critical   BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.
671920-1 3-Major   Accessing SNMP over IPv6 on non-default route domains
669818-2 3-Major K64537114 Higher CPU usage for syslog-ng when a syslog server is down
667278-3 3-Major   DSC connections between BIG-IP units may fail to establish
667138-1 3-Major   LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"
664829-1 3-Major   BIG-IP sometimes performs unnecessary reboot on first boot
662331-1 3-Major K24331010 BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
661764-2 3-Major K53762147 It is possible to configure a number of CPUs that exceeds the licensed throughput
660532-2 3-Major K21050223 Cannot specify the event parameter for redirects on the policy rule screen.
655671-1 3-Major   Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced
655649-2 3-Major K88627152 BGP last update timer incorrectly resets to 0
654011-2 3-Major K33210520 Pool member's health monitors set to Member Specific does not display the active monitors
651155-1 3-Major   HSB continually logs 'loopback ring 0 tx not active'
650349 3-Major K50168519 Creation or reconfiguration of iApps fails if high speed logging is configured
650002-1 3-Major   tzdata bug fix and enhancement update
649949-1 3-Major   Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM
647988-3 3-Major K15331432 HSL Balanced distribution to Two-member pool may not be balanced correctly.
647944-2 3-Major   MCP may crash when making specific changes to a FIX profile attached to more than one virtual server
645179-6 3-Major   Traffic group becomes active on more than one BIG-IP after a long uptime
644404-1 3-Major   Extracting SSD from system leads to Emergency LCD alert
644184-4 3-Major K36427438 ZebOS daemons hang while AgentX SNMP daemon is waiting.
643294 3-Major   IGMP and PIM not in self-allow default list when upgrading from 10.2.x
643121-1 3-Major   Failed installation volumes cannot be deleted in the GUI.
643013 3-Major   DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3
642982-3 3-Major K23241518 tmrouted may continually restart after upgrade, adding or renaming an interface
642314-2 3-Major K24276198 CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x
638825-2 3-Major   SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD
637561-1 3-Major   Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice
636744-1 3-Major K16918340 IKEv1 phase 2 SAs not deleted
631866-2 3-Major K12402013 Cannot access LTM policy rules in the web UI when the name contains certain characters
631172-4 3-Major K54071336 GUI user logged off when idle for 30 minutes, even when longer timeout is set
624692-3 3-Major   Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying
623391-5 3-Major   cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size
622619-5 3-Major   BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
622133-1 3-Major   VCMP guests may obtain incorrect MAC addresses
621259-3 3-Major   Config save takes long time if there is a large number of data groups
619060 3-Major   Reduction in boot time in BIG-IP Virtual Edition platforms
612752-1 3-Major   UCS load or upgrade may fail under certain conditions.
610442-2 3-Major K75051412 vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso
607961-1 3-Major   Secondary blades restart when modifying a virtual server's route domain in a different partition.
605792-1 3-Major   Installing a new version changes the ownership of administrative users' files
601709-2 3-Major K02314881 I2C error recovery for BIG-IP 4340N/4300 blades
590938-3 3-Major   The CMI rsync daemon may fail to start
583475-1 3-Major   The BIG-IP may core while recompiling LTM policies
577474-3 3-Major K35208043 Users with auditor role are unable to use tmsh list sys crypto cert
569100-1 3-Major   Virtual server using NTLM profile results in benign Tcl error
544906-2 3-Major K07388310 Issues when using remote authentication when users have different partition access on different devices
507240-4 3-Major K13811263 ICMP traffic cannot be disaggregated based on IP addresses
480983-4 3-Major   tmrouted daemon may core due to daemon_heartbeat
471029-2 3-Major   If the configuration contains a filename with the $ character, then saving the UCS fails.
656900-1 4-Minor   Blade family migration may fail
655314 4-Minor   When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0
653225-1 4-Minor   coreutils security and bug fix update
645717 4-Minor   UCS load does not set directory owner
644975-4 4-Minor K09554025 /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost
644799-1 4-Minor K42882011 TMM may crash when the BIG-IP system processes CGNAT traffic.
642723-3 4-Minor   Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect
634371-2 4-Minor   Cisco ethernet NIC driver
530927-8 4-Minor   Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed
530530-6 4-Minor K07298903 tmsh sys log filter is displayed in UTC time
527720-1 4-Minor   Rare 'No LopCmd reply match found' error in getLopReg
448409-1 4-Minor K15491 'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle
626596 5-Cosmetic   Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections'.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
670011-2 1-Blocking   SSL forward proxy does not create the server certchain when ignoring server certificates
621452-1 1-Blocking K58146172 Connections can stall with TCP::collect iRule
659899-1 2-Critical K10589537 Rare, intermittent system instability observed in dynamic load-balancing modes
657713-5 2-Critical K05052273 Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.
655628-1 2-Critical   TCP analytics does not release resources under specific sequence of packets
655211-1 2-Critical   bigd crash (SIGSEGV) when running FQDN node monitors
650317-3 2-Critical   The TMM on the next-active panics with message: "Missing oneconnect HA context"
649171-4 2-Critical   tmm core in iRule with unreachable remote address
648037-2 2-Critical   LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash
646643-2 2-Critical K43005132 HA standby virtual server with non-default lasthop settings may crash.
646604-5 2-Critical K21005334 Client connection may hang when NTLM and OneConnect profiles used together
645663 2-Critical   Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus.
644112-2 2-Critical K56150996 Permanent connections may be expired when endpoint becomes unreachable
643631 2-Critical K70938130 Serverside connections on virtual servers using VDI may become zombies.
635274-1 2-Critical K21514205 SSL::sessionid command may return invalid values
634265-2 2-Critical K34688632 Using route pools whose members aren't directly connected may crash the TMM.
632552-2 2-Critical K08634156 tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event
629178-1 2-Critical K42206046 Incorrect initial size of connection flow-control window
611704-5 2-Critical   tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event
605983-1 2-Critical   tmrouted may crash when being restarted in debug mode
604926-3 2-Critical K50041125 The TMM may become unresponsive when using SessionDB data larger than ~400K
604223-2 2-Critical   pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM"
583700-3 2-Critical K32784801 tmm core on out of memory
583355-1 2-Critical   The TMM may crash when changing profiles associated with plugins
566071-5 2-Critical   network-HSM may not be operational on secondary slots of a standby chassis.
559030-1 2-Critical K65244513 TMM may core during ILX RPC activity if a connflow closes before the RPC returns
677119 3-Major   HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE
676471-1 3-Major   Insufficient space for core files on i11x00-series platforms
672008-1 3-Major K22122208 NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds
671935-2 3-Major   Possible uneven ephemeral port reuse.
669025-1 3-Major K11425420 Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
668521-2 3-Major   Bigd might stall while waiting for an external monitor process to exit
666032-3 3-Major K05145506 Secure renegotiation is set while data is not available.
663326-2 3-Major   Thales HSM: "fipskey.nethsm --export" fails to make stub keys
662881-2 3-Major K10443875 L7 mirrored packets from standby to active might cause tmm core when it goes active.
662085-1 3-Major   iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages
658214-2 3-Major K20228504 TCP connection fail intermittently for mirrored fastl4 virtual server
655793-1 3-Major K04178391 SSL persistence parsing issues due to SSL / TCP boundary mismatch
654109-2 3-Major K01102467 Configuration loading may fail when iRules calling procs in other iRules are deleted
653511-2 3-Major   Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve
652535-1 3-Major K54443700 HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.
652445-2 3-Major K87541959 SAN with uppercase names result in case-sensitive match or will not match
651651-3 3-Major K54604320 bigd can crash when a DNS response does not match the expected value
650292-2 3-Major   DNS transparent cache can return non-recursive results for recursive queries
650152-1 3-Major   Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms
648954-5 3-Major K01102467 Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
647137 3-Major   bigd/tmm con vCMP guests
646443-1 3-Major K54432535 Ephemeral Node may be errantly created in bigd, causing crash
645058-3 3-Major   Modifying SSL profiles in GUI may fail when key is protected by passphrase
645036-3 3-Major K85772089 Removing pool from virtual server does not update its status
644873-2 3-Major K97237310 ssldump can fail to decrypt captures with certain TCP segmenting
644851-2 3-Major   Websockets closes connection on receiving a close frame from one of the peers
644418-2 3-Major   Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate
643777-2 3-Major K27629542 LTM policies with more than one IP address in TCP address match may fail
643582-2 3-Major   Config load with large ssl profile configuration may cause tmm restart
641491-2 3-Major K37551222 TMM core while running iRule LB::status pool poolname member ip port
640376-3 3-Major K46452834 STPD leaks memory on 2000/4000/i2000/i4000 series
638715-3 3-Major K77010072 Multiple Diameter monitors to same server ip/port may race on PID file
632001-1 3-Major   For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys
627574-1 3-Major   After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft.
626434-6 3-Major K65283203 tmm may be killed by sod when a hardware accelerator does not work
624805-1 3-Major   ILX node.js process may be restarted if a single operation takes more than 15 seconds
623940-3 3-Major   SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello
622017-8 3-Major K54106058 Performance graph data may become permanently lost after corruption.
621736-6 3-Major K00323105 statsd does not handle SIGCHLD properly in all cases
620788-1 3-Major K05232247 FQDN pool created with existing FQDN node has RED status
618161-1 3-Major   SSL handshake fails when clientssl uses softcard-protected key-certs.
618121 3-Major   "persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x
607246-10 3-Major   Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
603609-2 3-Major   Policy unable to match initial path segment when request-URI starts with "//"
602040-3 3-Major   Truncated support ID for HTTP protocol security logging profile
600614-5 3-Major   External crypto offload fails when SSL connection is renegotiated
596433-3 3-Major   Virtual with lasthop configured rejects request with no route to client.
596242-1 3-Major K17065223 [zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record
595275-5 3-Major   Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN
593390-4 3-Major   Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
589006-5 3-Major   SSL does not cancel pending sign request before the handshake times out or is canceled.
587705-5 3-Major K98547701 Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
578573-1 3-Major   SSL Forward Proxy Forged Certificate Signature Algorithm
563933-4 3-Major   [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
536563-7 3-Major   Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.
484542-1 3-Major   QinQ tag-mode can be set on unsupported platforms
668802-3 4-Minor K83392557 GTM link graphs fail to display in the GUI
667318-3 4-Minor   BIG-IP DNS/GTM link graphs fail to display in the GUI.
584210-1 4-Minor   TMM may core when running two simultaneous WebSocket collect commands
578415-2 4-Minor   Support for hardware accelerated bulk crypto SHA256 missing
513288-7 4-Minor   Management traffic from nodes being health monitored might cause health monitors to fail.
462043-2 4-Minor   DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms


Performance Fixes

ID Number Severity Solution Article(s) Description
620903-1 2-Critical   Decreased performance of ICMP attack mitigation.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
636541-3 1-Blocking   DNS Rapid Response filters large datagrams
667028-1 2-Critical   DNS Express does not run on i11000 platforms with htsplit disabled.
649564-2 2-Critical   Crash related to GTM monitors with long RECV strings
663073-1 3-Major   GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.
659912-1 3-Major K81210772 GSLB Pool Member Manage page display issues and error message
655807-5 3-Major K40341291 With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
655445-2 3-Major   Provide the ability to globally specify a DSCP value.
654599-1 3-Major K74132601 The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
648286-2 3-Major   GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.
644447-2 3-Major   sync_zones script increasingly consumes memory when there is network connectivity failure
626141-3 3-Major   DNSX Performance Graphs are not displaying Requests/sec
615222-1 3-Major K79580892 GTM configuration fails to load when it has GSLB pool with members containing more than one colon character
605260-1 3-Major   [GUI] Changes cannot be made to GTM listener in partition with default route domain <> 0
659969-1 4-Minor   tmsh command for gtm-application disabled contexts does not work with none and replace-all-with
644220-3 4-Minor   Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page
604371-1 4-Minor   Pagination controls missing for GSLB pool members


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
653014-1 2-Critical   Apply Policy failure if a custom Blocking Page is configured with an underscore in the header name
652200-1 2-Critical K81349220 Failure to update ASM enforcer about account change.
651001-1 2-Critical   massive prints in tmm log: "could not find conf for profile crc"
638629-2 2-Critical   Bot can be classified as human
619110-1 2-Critical   Slow to delete URLs, CPU spikes with Automatic Policy Builder
672695-1 3-Major   Internal perl process listening on all interfaces when ASM enabled
665905 3-Major K83305000 Signature System corruption from specific ASU prevents ASU load after upgrade
664930-2 3-Major   Policy automatic learning mode changes to manual after failover
655617-1 3-Major K36442669 Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge
650081-1 3-Major K53010710 Proactive Bot Defense JavaScript challenges may introduce high latencies and cause some browsers to display a blank page.
648617 3-Major K23432927 JavaScript challenge repeating in loop when URL has path parameters
644855-2 3-Major   irules with commands which may suspend processing cannot be used with proactive bot defense
631444-2 3-Major   Bot Name for ASM Search Engines is case sensitive
630356-1 3-Major   JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge
628351-1 3-Major   Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled
618656-2 3-Major   JavaScript challenge repeating in loop on Firefox when URL is longer than 1033 characters
606521-1 3-Major   Policy with UTF-8 encoding retains disallowed high ASCII meta-characters after upgrade
605616-1 3-Major   Creating 256 Fundamental Security policies will result in an out of memory error
602975-1 3-Major   Unable to update the HTTP URL's "Header-Based Content Profiles" values
596685-1 3-Major K76841626 Request Log failure on request with XML format violation
595900-4 3-Major K11833633 Cookie Signature overrides may be ignored after Signature Update
563727-1 3-Major   Issue a Body in Get sub violation for GET request with 'transfer-encoding: chunked'
534247-1 3-Major   Issue a Body in Get sub violation for GET request with content type header
519612-1 3-Major   JavaScript challenge fails when coming within iframe with different domain than main page


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
604191-1 2-Critical   AVR: Loading the configuration after upgrade might fail due to mishandling of scheduled-reports
629573-1 3-Major K66001885 No drill-down filter for virtual-servers is mentioned on exported reports when using partition
603875-2 3-Major   The statistic ASM memory Utilization - bd swap size: stats are wrong
601536-1 3-Major   Analytics load error stops load of configuration
639395-2 4-Minor K91614278 AVR does not display 'Max read latency' units.


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
647108-1 1-Blocking   Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction
679235-5 2-Critical   Inspection Host NPAPI Plugin for Safari cannot be installed
669341 2-Critical   Category Lookup by Subject.CN will result in a reset
666454-2 2-Critical K05520115 Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update
663506-7 2-Critical K30533350 apmd crash during ldap cache initialization
652004-2 2-Critical K45320415 Show /apm access-info all-properties causes memory leaks in tmm
662639-2 3-Major   Policy Sync fails when policy object include FIPS key
659371-2 3-Major K54310201 apmd crashes executing iRule policy evaluate
658852-5 3-Major   Empty User-Agent in iSessions requests from APM client on Windows
654513-6 3-Major K11003951 APM daemon crashes when the LDAP query agent returns empty in its search results.
649929-1 3-Major   saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it
648053-1 3-Major K94477320 Rewrite plugin may crash on some JavaScript files
646928-1 3-Major   Landing URI incorrect when changing URI
645684-2 3-Major   Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.
618957-1 3-Major   Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates
601919-2 3-Major   Custom categories and custom url filter assignment must be specific to partition instead of global lookup
583272-2 3-Major   "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth
580567-1 3-Major   LDAP Query agent failed to resolve nested group membership
551795-1 3-Major   Portal Access: corrections to CORS support for XMLHttpRequest
550547-2 3-Major   URL including a "token" query fails results in a connection reset


Service Provider Fixes

ID Number Severity Solution Article(s) Description
664535-1 2-Critical   Diameter failure: load balancing fails when all pool members use same IP Address
640407-1 2-Critical   Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF
568545-2 2-Critical K17124802 iRules commands that refer to a transport-config will fail validation
559953-1 2-Critical   tmm core on long DIAMETER::host value
662364-2 3-Major   MRF DIAMETER: IP ToS not passing through with DIAMETER
644946-2 3-Major K05053251 Enabling mirroring on SIP or DIAMETER router profile affects per-client connection mode operation
644565-1 3-Major   MRF Message metadata lost when routing message to a connection on a different TMM
634078-2 3-Major   MRF: Routing using a virtual with SNAT set to none may select a source port of zero
624155-2 3-Major   MRF Per-Client mode connections unable to return responses if used by another client connection
620929-4 3-Major   New iRule command, MR::ignore_peer_port
651640-3 4-Minor   queue full dropped messages incorrectly counted as responses


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
670400-3 2-Critical   SSH Proxy public key authentication can be circumvented in some cases
655470 2-Critical K79924625 IP Intelligence logging publisher removal can cause tmm crash
618902-4 3-Major   PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
658261-2 2-Critical K12253471 TMM core after HA during GY reporting
658148-2 2-Critical K23150504 TMM core after intra-chassis failover for some instances of subscriber creation
657632-4 2-Critical   Rarely if a subscriber delete is performed following HA switchover, tmm may crash
653285-1 2-Critical   PEM rule deletion with HSL reporting may cause tmm coredump
652973-2 2-Critical   Coredump observed at system bootup time when many DHCP packets arrive
650422-2 2-Critical   TMM core after a switchover involving GY quota reporting
659567-1 3-Major K94685557 iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions
652052-3 3-Major   PEM:sessions iRule made the order of parameters strict
635257-2 3-Major K41151808 Inconsistencies in Gx usage record creation.
623037-2 3-Major   delete of pem session attribute does not work after an update


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
676808-2 2-Critical   FPS: tmm may crash on response with large payload from server
669364-1 2-Critical   TMM core when server responds fast with server responses such as 404.
669359 2-Critical   WebSafe might cause connections to hang
674931 3-Major   FPS modified responses/injections might result in a corrupted response
674909-3 3-Major   Application CSS injection might not work as expected when connection is congested
667872-1 3-Major   Websafe's 'Apply cookies to base domain' feature doesn't work for non-standard ports
658321-2 3-Major   Websafe features might break in IE8
657502-2 3-Major   JS error when leaving page opened for several minutes
644694 3-Major   FPS security update check ends up with an empty page when error occurs.
618185-1 3-Major   Mismatch in URL CRC32 calculation
643602-2 4-Minor   'Select All' checkbox selects items on hidden pages


Device Management Fixes

ID Number Severity Solution Article(s) Description
605123-1 2-Critical   IAppLX objects fail to sync after establishing HA in auto-sync mode


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
606316-4 1-Blocking   HTTPS request to F5 licensing server fails
665778-1 2-Critical K34503519 Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.
599424-2 2-Critical   iApps LX fails to sync
632060-1 4-Minor   restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header



Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
693211-3 CVE-2017-6168, CVE-2020-5929 K21905460 CVE-2017-6168


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
664063-1 2-Critical K03203976 Azure displays failure for deployment of BIG-IP from a Resource Manager template



Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
652151-1 CVE-2017-6131 K61757346 Azure VE: Initialization improvement
623885-4 CVE-2016-9251 K41107914 Internal authentication improvements
621371-2 CVE-2016-9257 K43523962 Output Errors in APM Event Log
648865-2 CVE-2017-6074 K82508682 Linux kernel vulnerability: CVE-2017-6074
643187-2 CVE-2017-3135 K80533167 BIND vulnerability CVE-2017-3135
641445-1 CVE-2017-6145 K22317030 iControl improvements
641360-2 CVE-2017-0303 K30201296 SOCKS proxy protocol error
641256-1 CVE-2016-9257 K43523962 APM access reports display error
636702-3 CVE-2016-9444 K40181790 BIND vulnerability CVE-2016-9444
636699-5 CVE-2016-9131 K86272821 BIND vulnerability CVE-2016-9131
631582 CVE-2016-9250 K55792317 Administrative interface enhancement
630475-5 CVE-2017-6162 K13421245 TMM Crash
628836-4 CVE-2016-9245 K22216037 TMM crash during request normalization
624570-1 CVE-2016-8864 K35322517 BIND vulnerability CVE-2016-8864
624526-3 CVE-2017-6159 K10002335 TMM core in mptcp
624457-5 CVE-2016-5195 K10558632 Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
623093-1 CVE-2016-3990 CVE-2016-3632 CVE-2015-7554 CVE-2016-5320 K38871451 TIFF vulnerability CVE-2015-7554
620400-1 CVE-2017-6141 K21154730 TMM crash during TLS processing
610255-1 CVE-2017-6161 K62279530 CMI improvement
596340-8 CVE-2016-9244 K05121675 F5 TLS vulnerability CVE-2016-9244
580026-5 CVE-2017-6165 K74759095 HSM logging error
648879-2 CVE-2016-6136 CVE-2016-9555 K90803619 Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555
641612-2 CVE-2017-0302 K87141725 APM crash
638137 CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 K51201255 CVE-2016-7117 CVE-2016-4998 CVE-2016-6828
635412 CVE-2017-6137 K82851041 Invalid mss with fast flow forwarding and software syn cookies
635252-1 CVE-2016-9256 K47284724 CVE-2016-9256
631688-7 CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433 K55405388 K87922456 K63326092 K51444934 K80996302 Multiple NTP vulnerabilities
630150-1 CVE-2016-9253 K51351360 Websockets processing error
627916-1 CVE-2017-6144 K81601350 Improve cURL Usage
627907-1 CVE-2017-6143 K11464209 Improve cURL usage
627747-1 CVE-2017-6142 K20682450 Improve cURL Usage
625372-5 CVE-2016-2179 K23512141 OpenSSL vulnerability CVE-2016-2179
623119 CVE-2016-4470 K55672042 Linux kernel vulnerability CVE-2016-4470
622496 CVE-2016-5829 K28056114 Linux kernel vulnerability CVE-2016-5829
622126-1 CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127 K54308010 PHP vulnerability CVE-2016-7124
621337-6 CVE-2016-7469 K97285349 XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469
618261-6 CVE-2016-2182 K01276005 OpenSSL vulnerability CVE-2016-2182
615267-2 CVE-2016-2183 K13167034 OpenSSL vulnerability CVE-2016-2183
613225-7 CVE-2016-2180, CVE-2016-6306, CVE-2016-6302 K90492697 OpenSSL vulnerability CVE-2016-6306
606710-10 CVE-2016-2834 CVE-2016-5285 CVE-2016-8635 K15479471 Mozilla NSS vulnerability CVE-2016-2834
605420-5 CVE-2016-5387, CVE-2007-6750 K80513384 httpd security update - CVE-2016-5387
600232-9 CVE-2016-2177 K23873366 OpenSSL vulnerability CVE-2016-2177
600223-2 CVE-2016-2177 K23873366 OpenSSL vulnerability CVE-2016-2177
599858-7 CVE-2015-8895 CVE-2015-8896 CVE-2015-8897 CVE-2015-8898 CVE-2016-5118 CVE-2016-5239 CVE-2016-5240 K68785753 ImageMagick vulnerability CVE-2015-8898
635933-3 CVE-2004-0790 K23440942 The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
628832-4 CVE-2016-6161 K71581599 libgd vulnerability CVE-2016-6161
622662-7 CVE-2016-6306 K90492697 OpenSSL vulnerability CVE-2016-6306
617901-1 CVE-2018-5525 K00363258 GUI to handle file path manipulation to prevent GUI instability.
609691-1 CVE-2014-4617 K21284031 GnuPG vulnerability CVE-2014-4617
600205-9 CVE-2016-2178 K53084033 OpenSSL Vulnerability: CVE-2016-2178
600198-2 CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 CVE-2016-2216 K53084033 OpenSSL vulnerability CVE-2016-2178
599285-2 CVE-2016-5094 CVE-2016-5095 CVE-2016-5096 K51390683 PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
598002-10 CVE-2016-2178 K53084033 OpenSSL vulnerability CVE-2016-2178
621937-1 CVE-2016-6304 K54211024 OpenSSL vulnerability CVE-2016-6304
621935-6 CVE-2016-6304 K54211024 OpenSSL vulnerability CVE-2016-6304
606771-2 CVE-2016-5399 CVE-2016-6288 CVE-2016-6289 CVE-2016-6290 CVE-2016-5385 CVE-2016-6291 CVE-2016-6292 CVE-2016-6207 CVE-2016-6294 CVE-2015-8879 CVE-2016-6295 CVE-2016-6296 CVE-2016-6297 K35799130 Multiple PHP vulnerabilities
601268-5 CVE-2015-8874 CVE-2016-5770 CVE-2016-5772 CVE-2016-5768 CVE-2016-5773 CVE-2016-5769 CVE-2016-5766 CVE-2016-5771 CVE-2016-5767 CVE-2016-5093 CVE-2016-5094 K43267483 PHP vulnerability CVE-2016-5766


Functional Change Fixes

ID Number Severity Solution Article(s) Description
653453 2-Critical   ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.
628972-2 2-Critical   BMC version 2.51.7 for iSeries appliances
624831-2 2-Critical   BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps
616918-1 2-Critical   BMC version 2.50.3 for iSeries appliances
633723-3 3-Major   New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
633391-1 3-Major   GUI Error trying to modify IP Data-Group
609614-3 3-Major   Yafuflash 4.25 for iSeries appliances
597797-4 3-Major K78449695 Allow users to disable enforcement of RFC 7507 Fallback SCSV
584471-1 3-Major K34343741 Priority order of clientssl profile selection of virtual server.
581840-5 3-Major K46576869 Cannot use Administrator account other than 'admin' to manage BIG-IP systems through BIG-IQ.
564876-2 3-Major   New DB variable log.lsn.comma changes CGNAT logs to CSV format
609084-2 4-Minor K03808942 Max number of chunks not configurable above 1000 chunks
597270-2 4-Minor   tcpdump support missing for VXLAN-GPE NSH


TMOS Fixes

ID Number Severity Solution Article(s) Description
655500 1-Blocking   Rekey SSH sessions after one hour
642058-1 1-Blocking   CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances
641390-5 1-Blocking K00216423 Backslash removal in LTM monitors after upgrade
627433-1 1-Blocking   HSB transmitter failure on i2x00 and i4x00 platforms
602830-1 1-Blocking   BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode
648056-2 2-Critical K16503454 bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.
645805 2-Critical K92637255 LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain incorrect Ethernet source MAC addresses
641248 2-Critical   IPsec-related tmm segfault
641013-5 2-Critical   GRE tunnel traffic pinned to one TMM
638935-3 2-Critical   Monitor with send/receive string containing double-quote may cause upgrade to fail.
636918-2 2-Critical   Fix for crash when multiple tunnels use the same traffic selector
636290 2-Critical   vCMP support for B4450 blade
627898-2 2-Critical K53050234 tmm leaks memory in the ECM subsystem
625824-1 2-Critical   iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
624263-4 2-Critical   iControl REST API sets non-default profile property to "none"; properties not present in iControl REST API response
618779-1 2-Critical   Route updates during IPsec tunnel setup can cause tmm to restart
616059-1 2-Critical K19545861 Modifying license.maxcores Not Allowed Error
614296-1 2-Critical   Dynamic routing process ripd may core
613536-5 2-Critical   tmm core while running the iRule STATS:: command
610295-1 2-Critical K32305923 TMM may crash due to internal backplane inconsistency after reprovisioning
583516-2 2-Critical   tmm ASSERTs "valid node" on Active after timer fires.
567457-2 2-Critical   TMM may crash when changing the IKE peer config.
652484-2 3-Major   tmsh show net f5optics shows information for only 1 chassis slot in a cluster
649617-2 3-Major   qkview improvement for OVSDB management
648544-5 3-Major K75510491 HSB transmitter failure may occur when global COS queues enabled
646760 3-Major   Common Criteria Mode Disrupts Administrative SSH Access
644892-1 3-Major   Files captured multiple times in qkview
644490-1 3-Major   Finisar 100G LR4 values need to be revised in f5optics
637559-1 3-Major   Modifying iRule online could cause TMM to be killed by SIGABRT
636535 3-Major K24844444 HSB lockup in vCMP guest doesn't generate core file
635961-1 3-Major   gzipped and truncated files may be saved in qkview
635129 3-Major   Chassis systems in HA configuration become Active/Active during upgrade
635116-1 3-Major K34100550 Memory leak when using replicated remote high-speed logging.
634115-1 3-Major   Not all topology records may sync.
633879-1 3-Major K52833014 Fix IKEv1 md5 phase1 hash algorithm so config takes effect
633512-1 3-Major   HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.
633413-1 3-Major   IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI
631627-4 3-Major   Applying BWC over route domain sometimes results in tmm not becoming ready on system start
630622-1 3-Major   tmm crash possible if high-speed logging pool member is deleted and reused
630610-5 3-Major K43762031 BFD session interface configuration may not be stored on unit state transition
630546-1 3-Major   Very large core files may cause corrupted qkviews
629499-9 3-Major   tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"
629085-1 3-Major K55278069 Any CSS content truncated at a quoted value leads to a segfault
628202-4 3-Major   Audit-forwarder can take up an excessive amount of memory during a high volume of logging
628164-3 3-Major K20766432 OSPF with multiple processes may incorrectly redistribute routes
628009-1 3-Major   f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800
627961-3 3-Major K15130343 nic_failsafe reboot doesn't trigger if HSB fails to disable interface
627914-1 3-Major   Unbundled 40GbE optics reporting as Unsupported Optic
627214-3 3-Major   BGP ECMP recursive default route not redistributed to TMM
626839 3-Major   sys-icheck error for /var/lib/waagent in Azure.
626721-5 3-Major   "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart
625703-2 3-Major   SELinux: snmpd is denied access to tmstat files
625085 3-Major   lasthop rmmod causes kernel panic
624361-1 3-Major   Responses to some of the challenge JS are not zipped.
623930-3 3-Major   vCMP guests with vlangroups may loop packets internally
623401-1 3-Major   Intermittent OCSP request failures due to non-optimal default TCP profile setting
623336-4 3-Major   After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS
623055-1 3-Major   Kernel panic during unic initialization
622183-5 3-Major   The alert daemon should remove old log files but it does not.
621909-4 3-Major K23562314 Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members
621273-1 3-Major   DSR tunnels with transparent monitors may cause TMM crash.
620659-3 3-Major   The BIG-IP system may unnecessarily run provisioning on successive reboots
620366-4 3-Major   Alertd cannot open UDP socket upon restart
617628-1 3-Major   SNMP reports incorrect value for sysBladeTempTemperature OID
615934-1 3-Major   Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
615107-1 3-Major   Cannot SSH from AOM/SCCP to host without password (host-based authentication).
613765-3 3-Major   Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.
612809-1 3-Major   Bootup script fails to run on a vCMP guest due to a missing reference file.
611658-3 3-Major   "less" utility logs an error for remotely authenticated users using the tmsh shell
611512-1 3-Major   AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.
611487-3 3-Major   vCMP: VLAN failsafe does not trigger on guest
610417-1 3-Major K54511423 Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
609119-7 3-Major   Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
608320-3 3-Major   iControl REST API sets non-default persistence profile property to "none"; properties not present in iControl REST API response
604727-1 3-Major   Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.
604237-3 3-Major   Vlan allowed mismatch found error in VCMP guest
604061-2 3-Major   Link Aggregation Control Protocol May Lose Synchronization after TMM Crash
602376-1 3-Major   qkview excludes files
598498-7 3-Major   Cannot remove Self IP when an unrelated static ARP entry exists.
598134-1 3-Major   Stats query may generate an error when tmm on secondary is down
596067-2 3-Major   GUI on VIPRION hangs on secondary blade reboot
590211-2 3-Major   jitterentropy-rngd quietly fails to start
586738-4 3-Major   The tmm might crash with a segfault.
583754-7 3-Major   When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
575027-1 3-Major   Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
562928-2 3-Major   Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled
559080-5 3-Major   High Speed Logging to specific destinations stops from individual TMMs
557471-3 3-Major   LTM Policy statistics showing zeros in GUI
543208-1 3-Major   Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.
534520-1 3-Major   qkview may exclude certain log files from /var/log
424542-5 3-Major   tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
418349-2 3-Major   Update/overwrite of FIPS keys error
643404-2 4-Minor K30014507 'tmsh system software status' does not display properly in a specific cc-mode situation
636520-3 4-Minor K88813435 Detail missing from power supply 'Bad' status log messages
633181-1 4-Minor   A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section
632668-5 4-Minor   When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds
632069-3 4-Minor   Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076
621957-2 4-Minor   Timezone data on AOM not syncing with host
609107-1 4-Minor   mcpd does not properly validate missing 'sys folder' config in bigip_base.conf
599191-2 4-Minor   One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card
589379-2 4-Minor K20937139 ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
585097-1 4-Minor   Traffic Group score formula does not result in unique values.
541550-3 4-Minor   Defining more than 10 remote-role groups can result in authentication failure
541320-10 4-Minor K50973424 Sync of tunnels might cause restore of deleted tunnels.
500452-8 4-Minor K28520025 PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware
642015-2 5-Cosmetic   SSD Manufacturer "unavailable"
524277-2 5-Cosmetic   Missing power supplies issue warning message that should be just a notice message.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
651476 2-Critical   bigd may core on non-primary bigd when FQDN in use
648715-2 2-Critical   BIG-IP i2x00 and i4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0
643396-2 2-Critical K34553627 Using FLOW_INIT iRule may lead to TMM memory leak or crash
642400-2 2-Critical   Path MTU discovery occasionally fails
640352-2 2-Critical K01000259 Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet
639744-1 2-Critical K84228882 Memory leak in STREAM::expression iRule
637181-4 2-Critical   VIP-on-VIP traffic may stall after routing updates
632685 2-Critical   bigd memory leak for FQDN nodes on non-primary bigd instance
630306-1 2-Critical   TMM crash in DNS processing on UDP virtual server with no available pool members
629145-1 2-Critical   External datagroups with no metadata can crash tmm
628890-1 2-Critical   Memory leak when modifying large datagroups
627403-2 2-Critical   HTTP2 can crash tmm when stats are updated on abort of a new connection
626311-2 2-Critical K75419237 Potential failure of DHCP relay functionality due to incorrect route lookup.
625198-1 2-Critical   TMM might crash when TCP DSACK is enabled
622856-1 2-Critical   BIG-IP may enter SYN cookie mode later than expected
621870-2 2-Critical   Outage may occur with VIP-VIP configurations
619663-3 2-Critical K49220140 Terminating of HTTP2 connection may cause a TMM crash
619528-4 2-Critical   TMM may accumulate internal events resulting in TMM restart
619071-3 2-Critical   OneConnect with verified accept issues
614509-1 2-Critical   iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart
609027-1 2-Critical   TMM crashes when SSL forward proxy is enabled.
608304-1 2-Critical K55292305 TMM crash on memory corruption
603667-2 2-Critical   TMM may leak or corrupt memory when configuration changes occur with plugins in use
603082-3 2-Critical   Ephemeral pool members are getting deleted/created over and over again.
602136-5 2-Critical   iRule drop/discard/reject commands cause tmm segfault or still send 3-way handshake to the server.
601828-1 2-Critical K13338433 An untrusted certificate can cause tmm to crash.
600982-5 2-Critical   TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"
599720-2 2-Critical   TMM may crash in bigtcp due to null pointer dereference
597828-1 2-Critical   SSL forward proxy crashes in some cases
596450-1 2-Critical   TMM may produce a core file after updating SSL session ticket key
594642-3 2-Critical   Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.
581746-1 2-Critical K42175594 MPTCP or SSL traffic handling may cause a BIG-IP outage
557358-5 2-Critical   TMM SIGSEGV and crash when memory allocation fails.
423629-3 2-Critical K08454006 bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted
653201 3-Major   Update the default CA certificate bundle file to the latest version and remove expiring certificates from it
651106 3-Major   memory leak on non-primary bigd with changing node IPs
649571-1 3-Major   Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello
648990 3-Major   Serverside SSL renegotiation does not occur after block cipher data limit is exceeded
641512-4 3-Major K51064420 DNSSEC key generations fail with lots of invalid SSL traffic
632324-2 3-Major   PVA stats does not show correct connection number
629412-3 3-Major   BIG-IP closes a connection when a maximum size window is attempted
627246-1 3-Major K09336400 TMM memory leak when ASM policy configured on virtual server
626386-1 3-Major K28505256 SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled
626106-3 3-Major   LTM Policy with illegal rule name loses its conditions and actions during upgrade
625106-2 3-Major   Policy Sync can fail over a lossy network
624616-1 3-Major   Safenet uninstall is unable to remove libgem.so
620625-2 3-Major K38094257 Changes to the Connection.VlanKeyed db key may not immediately apply
620079-3 3-Major   Removing route-domain may cause monitors to fail
619849-4 3-Major   In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
618430-2 3-Major   iRules LX data not included in qkview
618428 3-Major   iRules LX - Debug mode does not function in dedicated mode
618254-4 3-Major   Non-zero Route domain is not always used in HTTP explicit proxy
617858-2 3-Major   bigd core when using Tcl monitors
616022-2 3-Major K46530223 The BIG-IP monitor process fails to process timeout conditions
613326-1 3-Major   SASP monitor improvements
612694-5 3-Major   TCP::close with no pool member results in zombie flows
610429-5 3-Major   X509::cert_fields iRule command may memory with subpubkey argument
610302-1 3-Major   Link throughput graphs might be incorrect.
609244-4 3-Major   tmsh show ltm persistence persist-records leaks memory
608551-3 3-Major   Half-closed congested SSL connections with unclean shutdown might stall.
607152-1 3-Major   Large Websocket frames corrupted
604496-4 3-Major   SQL (Oracle) monitor daemon might hang.
603979-4 3-Major   Data transfer from the BIG-IP system self IP might be slow
603723-2 3-Major   TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
603550-1 3-Major K63164073 Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
600827-8 3-Major K21220807 Stuck Nitrox crypto queue can erroneously be reported
600593-1 3-Major   Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests
600052-1 3-Major   GUI displays "Internal Server Error" page when there are many (~3k) certs/keys in the system
599121-2 3-Major K24036315 Under heavy load, hardware crypto queues may become unavailable.
592871-3 3-Major   Cavium Nitrox PX/III stuck queue diagnostics missing.
591666-3 3-Major   TMM crash in DNS processing on TCP virtual with no available pool members
589400-1 3-Major K33191529 With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
584310-1 3-Major K83393638 TCP:Collect ignores the 'skip' parameter when used in serverside events
584029-6 3-Major   Fragmented packets may cause tmm to core under heavy load
582769-1 3-Major K99405272 WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual
579926-1 3-Major   HTTP starts dropping traffic for a half-closed connection when in passthrough mode
568543-4 3-Major   Syncookie mode is activated on wildcard virtuals
562267-3 3-Major   FQDN nodes do not support monitor alias destinations.
517756-6 3-Major   Existing connections can choose incorrect route when crossing non-strict route-domains
509858-5 3-Major   BIG-IP FastL4 profile vulnerability
419741-3 3-Major   Rare crash with vip-targeting-vip and stale connections on VIPRION platforms
352957-4 3-Major K03005026 Route lookup after change in route table on established flow ignores pool members
660170-1 4-Minor K28505910 tmm may crash at ~75% of VLAN failsafe timeout expiration
631862-1 4-Minor K32107573 Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk
618517-1 4-Minor K61255401 bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring
611161-3 4-Minor K28540353 VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
587966-1 4-Minor K77283304 LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
583943-1 4-Minor K27491104 Forward proxy does not work when netHSM is configured on TMM interfaces
574020-5 4-Minor   Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')


Performance Fixes

ID Number Severity Solution Article(s) Description
621115-1 2-Critical   IP/IPv6 TTL/hoplimit may not be preserved for host traffic


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
642039-2 2-Critical K20140595 TMM core when persist is enabled for wideip with certain iRule commands triggered.
584374-2 2-Critical K67622400 iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.
642330-2 3-Major   GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.
640903-1 3-Major   Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen
632423-4 3-Major K40256229 DNS::query can cause tmm crash if AXFR/IXFR types specified.
629530-2 3-Major K53675033 Under certain conditions, monitors do not time out.
628897-1 3-Major   Add Hyperlink to gslb server and vs on the Pool Member List Page
625671-4 3-Major   The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
624876-1 3-Major   Response Policy Zones can trigger even after entry removed from zone
624193-2 3-Major   Topology load balancing not working as expected
623023-1 3-Major   Unable to set DNS Topology Continent to Unknown via GUI
621239-2 3-Major   Certain DNS queries bypass DNS Cache RPZ filter.
620215-5 3-Major   TMM out of memory causes core in DNS cache
619398-7 3-Major   TMM out of memory causes core in DNS cache
612769-1 3-Major K33842313 Hard to use search capabilities on the Pool Members Manage page.
601180-2 3-Major K73505027 Link Controller base license does not allow DNS namespace iRule commands.
567743-2 3-Major K70663134 Possible gtmd crash under certain conditions.
557434-4 3-Major   After setting a Last Resort Pool on a Wide IP, cannot reset back to None
366695-1 5-Cosmetic   Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
646511-1 2-Critical   BD crashes repeatedly after interrupted roll-forward upgrade
636397-1 2-Critical   bd cores with persistent storage configuration under some memory conditions.
634001-2 2-Critical   ASM restarts after deleting a VS that has an ASM security policy assigned to it
627117-1 2-Critical   crash with wrong certificate in WSS
625783-1 2-Critical   Chassis sync fails intermittently due to sync file backlog
618771-1 2-Critical   Some Social Security Numbers are not being masked
601378-2 2-Critical   Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons
584082-3 2-Critical   BD daemon crashes unexpectedly
540928-1 2-Critical   Memory leak due to unnecessary logging profile configuration updates.
640824-1 3-Major K20770267 Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log
635754-1 3-Major K65531575 Wildcard URL pattern match works incorrectly in Traffic Learning
632344-2 3-Major   POP DIRECTIONAL FORMATTING causes false positive
632326-2 3-Major K52814351 relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation
631737-1 3-Major K61367823 ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations
630929-1 3-Major K69767100 Attack signature exception list upload times-out and fails
627360-1 3-Major   Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log
626438-1 3-Major   Frame is not showing in the browser and/or an error appears
625832-4 3-Major   A false positive modified domain cookie violation
622913-2 3-Major   Audit Log filled with constant change messages
621524-2 3-Major   Processing Timeout When Viewing a Request with 300+ Violations
620635-2 3-Major   Request having upper case JSON login parameter is not detected as a failed login attempt
614563-3 3-Major   AVR TPS calculation is inaccurate
611151-2 3-Major   An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive
608245 3-Major   Reporting missing parameter details when attack signature is matched against parameter value
583024-1 3-Major   TMM rarely restarts during startup
581406-1 3-Major   SQL Error on Peer Device After Receiving ASM Sync in a Device Group
580168-4 3-Major   Information missing from ASM event logs after a switchboot and switchboot back
576591-6 3-Major   Support for some future credit card number ranges
572885-1 3-Major   Policy automatic learning mode changes to manual after failover
392121-3 3-Major   TMSH Command to retrieve the memory consumption of the bd process
642874-1 4-Minor K15329152 Ready to be Enforced filter for Policy Signatures returns too many signatures


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
634215-1 2-Critical   False detection of attack after restarting dosl7d
573764-1 2-Critical   In some cases, only primary blade retains its statistics after upgrade on multi-bladed system
642221-2 3-Major   Incorrect entity is used when exporting TCP analytics from GUI
641574 3-Major K06503033 AVR doesn't report on virtual and client IP in DNS statistics
635561-1 3-Major   Heavy URLs statistics are not shown after upgrade.
631722 3-Major   Some HTTP statistics not displayed after upgrade
631131-3 3-Major   Some tmstat-adapters based reports stats are incorrect
605010-1 3-Major   Thrift::TException error
560114-6 3-Major   Monpd is being affected by an I/O issue which makes some of its threads freeze


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
645339-2 1-Blocking   TMM may crash when processing APM data
637308-8 2-Critical K41542530 apmd may crash when HTTP Auth agent is used in an Access Policy
632005-1 2-Critical   BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes
622244-2 2-Critical   Edge client can fail to upgrade when always connected is selected
617310-2 2-Critical   Edge client can fail to upgrade when Always Connected is selected
614322-1 2-Critical K31063537 TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway
608424-2 2-Critical   Dynamic ACL agent error log message contains garbage data
608408-2 2-Critical   TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library
593078-1 2-Critical   CATEGORY::filetype command may cause tmm to crash and restart
643547-1 3-Major K43036745 APMD initialization may fail when a large number of access policy agents are configured in access policies installed on BIG-IP
638799-1 3-Major   Per-request policy branch expression evaluation fails
638780-3 3-Major   Handle 302 redirects for VMware Horizon View HTML5 client
636044-1 3-Major K68018520 Large number of glob patterns affects custom category lookup performance
634576 3-Major K48181045 TMM core in per-request policy
634252 3-Major K99114539 TMM crash with per-request policy in SWG explicit
632504-1 3-Major K31277424 APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list
632499-1 3-Major K70551821 APM Policy Sync: Resources under webtop section are not sync'ed automatically
632472-1 3-Major   Frequently logged "Silent flag set - fail" messages
632386-1 3-Major   EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists
630571-1 3-Major K35254214 Edge Client on Mac OSX Sierra stuck in a reconnect loop
629801-2 3-Major   Access policy is applied automatically on target device after policy sync, when there is also a FODG in the trust domain.
629698-1 3-Major   Edge client stuck on "Initializing" state
629069-2 3-Major   Portal Access may delete scripts from HTML page in some cases
628687-2 3-Major   Edge Client reconnection issues with captive portal
628685-2 3-Major K79361498 Edge Client shows several security warnings after roaming to a network with Captive Portal
627972-2 3-Major K11327511 Unable to save advanced customization when using Exchange iApp
627059-1 3-Major   In some rare cases TMM may crash while handling VMware View client connection
626910-1 3-Major   Policy with assigned SAML Resource is exported with error
625474-1 3-Major   POST request body is not saved in session variable by access when request is sent using edge client
625159-1 3-Major   Policy sync status not shown on standby device in HA case
624966-2 3-Major   Edge client starts new APM session when Captive Portal session expires
623562-3 3-Major   Large POSTs rejected after policy already completed
622790-1 3-Major   EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP
621976-4 3-Major   OneDrive for Business thick client shows JavaScript errors when rendering APM logon page
621974-4 3-Major   Skype for Business thick client shows JavaScript errors when rendering APM logon page
621447-1 3-Major   In some rare cases, VDI may crash
621210-2 3-Major   Policy sync shows as aborted even if it is completed
621126-2 3-Major   Import of config with saml idp connector with reuse causes certificate not found error
620829-2 3-Major K34213161 Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
620801-3 3-Major   Access Policy is not able to check device posture for Android 7 devices
620614-4 3-Major   Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account
619879-1 3-Major   HTTP iRule commands could lead to WEBSSO plugin being invoked
619811-2 3-Major   Machine Cert OCSP check fails with multiple Issuer CA
619486-3 3-Major   Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self
619473-2 3-Major   Browser may hang at APM session logout
618170-3 3-Major   Some URL unwrapping functions can behave badly
617063-1 3-Major   After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel
617002-1 3-Major   SWG with Response Analytics agent in a Per-Request policy fails with some URLs
616838-3 3-Major   Citrix Remote desktop resource custom parameter name does not accept hyphen character
615970-1 3-Major   SSO logging level may cause failover
615254-2 3-Major   Network Access Launch Application item fails to launch in some cases
612419-1 3-Major   APM - suspected memory leak (umem_alloc_32/network access (variable))
611968-3 3-Major   JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow
611669-4 3-Major   Mac Edge Client customization is not applied on macOS 10.12 Sierra
610180-2 3-Major   Misconfigured SAML Single Logout can cause a minor memory leak in the SSO plugin.
597214-5 3-Major   Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
595819-1 3-Major   Access session 'Bytes In' and 'Bytes Out' are not updated (stay at 0) when accessed with an HTTP/2-enabled browser and an HTTP/2 profile attached.
595272-1 3-Major   Edge client may show a window displaying plain text in some cases
591246-1 3-Major   Unable to launch View HTML5 connections in non-zero route domain virtual servers
584582-1 3-Major   JavaScript: 'baseURI' property may be handled incorrectly
570217-2 3-Major   BIG-IP APM now uses AirWatch v2 API to retrieve device posture information
533956-3 3-Major K30515450 Portal Access: Space-like characters in EUC character sets may be handled incorrectly.
503842-4 3-Major   Microsoft WebService HTML component does not work after rewriting
640521-1 4-Minor   EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices
636254-2 4-Minor   Cannot reinitiate a sync on a target device when sync is completed
618404-1 4-Minor   Access Profile copying might be invalid if policies are named series of names.
606257-3 4-Minor K56716107 TCP FIN sent with Connection: Keep-Alive header for webtop page resources


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
630661-2 3-Major K30241432 WAM may leak memory when a WAM policy node has multiple variation header rules


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
644970-1 2-Critical   Editing a virtual server config loses SSL encryption on iSession connections
644489-1 3-Major K14899014 Unencrypted iSession connection established even though data-encrypt configured in profile


Service Provider Fixes

ID Number Severity Solution Article(s) Description
639236-1 2-Critical K66947004 Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute
624023-3 2-Critical   TMM cores in iRule when accessing a SIP header that has no value
569316-1 2-Critical   Core occurs on standby in MRF when routing to a route using a transport config
649933-1 3-Major   Fragmented RADIUS messages may be dropped
629663-1 3-Major K23210890 CGNAT SIP ALG will drop SIP INVITE
625542-1 3-Major   SIP ALG with Translation fails for REGISTER refresh.
625098-3 3-Major   SCTP::local_port iRule not supported in MRF events
601255-4 3-Major   RTSP response to SETUP request has incorrect client_port attribute


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
632731-2 2-Critical K21964367 Specific external logging configuration can cause TMM service restart
628623-1 2-Critical   tmm core with AFM provisioned
639193-1 3-Major K03453591 For HA BIG-IP devices, deleting parent policy causes sync to fail.
631025-1 3-Major   500 internal error on inline rule editor for certain firewall policies
610129-3 3-Major K43320840 Config load failure when cluster management IP is not defined, but instead uses address-list.
592113-5 3-Major   tmm core on the standby unit with dos vectors configured
590805-4 3-Major   Active Rules page displays a different time zone.
431840-3 3-Major   Cannot add vlans to whitelist if they contain a hyphen


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
627257-2 2-Critical   Potential PEM crash during a Gx operation
626851-2 2-Critical K37665112 Potential crash in a multi-blade chassis during CMP state changes.
624744-1 2-Critical   Potential crash in a multi-blade chassis during CMP state changes.
624733-1 2-Critical   Potential crash in a multi-blade chassis during CMP state changes.
624228-1 2-Critical   Memory leak when using insert action in pem rule and flow gets aborted
623922-5 2-Critical K64388805 TMM failure in PEM while processing Service-Provider Disaggregation
641482-2 3-Major   Subscriber remains in delete pending state until CCR-t ack has success as result code is received
640510-3 3-Major   BWC policy category attachment may fail during a PEM policy update for a subscriber.
640457-2 3-Major   Session Creation failure after HA
635233-3 3-Major K80902149 Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages
630611-1 3-Major K84324392 PEM module crash when subscriber not found
627798-3 3-Major   Buffer length check for quota bucket objects
627279-2 3-Major   Potential crash in a multi-blade chassis during CMP state changes.
623927-2 3-Major K41337253 Flow entry memory leaked after DHCP DORA process
564281-3 3-Major   TMM (debug) assert seen during Failover with Gy
628869-4 4-Minor   Unconditional logs seen due to the presence of a PEM iRule.


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
609788 2-Critical   PCP may pick an endpoint outside the deterministic mapping
642284 3-Major   Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption.
629871-2 3-Major   FTP ALG deployment should not rewrite PASV response 464 XLAT cases


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
639750-1 2-Critical   username aliases are not supported
636370 3-Major   Application Layer Encryption AJAX support
629627-1 3-Major   FPS Log Publisher is not grouped nor filtered by partition
629127-1 3-Major   Parent profiles cannot be saved using FPS GUI
628348-1 3-Major   Cannot configure any Mobile Security list having 11 records or more via the GUI
628337-1 3-Major   Forcing a single injected tag configuration is restrictive
625275-1 3-Major   Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI
624198-1 3-Major   Unable to add multiple User-Defined alerts with the same search category
623518-1 3-Major   Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition
594127-2 3-Major   Pages using Angular may hang when Websafe is enabled
635541 4-Minor   "Application CSS Locations" is not inherited if changing parent profile


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
625172-1 2-Critical   tmm crashes when classification is enabled and FTP traffic is flowing through the box
631472-1 3-Major   Resetting classification signatures to default may result in non-working configuration


Device Management Fixes

ID Number Severity Solution Article(s) Description
606518-3 2-Critical K00762373 iControl REST with third-party auth does not function as expected with special characters in the username (e.g., '$', '@') or email addresses as usernames.
642983-1 3-Major K94534313 Update to max message size limit doesn't work sometimes
629845-2 3-Major   Disallowing TLSv1 connections to HTTP causes iControl/REST issues
626542-2 3-Major   Unable to set maxMessageBodySize in iControl REST after upgrade
Cumulative fixes from BIG-IP v12.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
618306-2 CVE-2016-9247 K33500120 TMM vulnerability CVE-2016-9247
616864-1 CVE-2016-2776 K18829561 BIND vulnerability CVE-2016-2776
613282-2 CVE-2016-2086, CVE-2016-2216, CVE-2016-1669 K15311661 NodeJS vulnerability CVE-2016-2086
611469-3 CVE-2016-7467 K95444512 Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
597394-2 CVE-2016-9252 K46535047 Improper handling of IP options
591328-7 CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 K36488941 OpenSSL vulnerability CVE-2016-2106
591325-8 CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 K75152412 OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109
591042-17 CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 K23230229 OpenSSL vulnerabilities
560109-7 CVE-2017-6160 K19430431 Client capabilities failure
618549-1 CVE-2016-9249 K71282001 Fast Open can cause TMM crash CVE-2016-9249
618263-1 CVE-2016-2182 K01276005 OpenSSL vulnerability CVE-2016-2182
614147-1 CVE-2017-6157 K02692210 SOCKS proxy defect resolution
614097-1 CVE-2017-6157 K02692210 HTTP Explicit proxy defect resolution
607314-1 CVE-2016-3500 CVE-2016-3508 K25075696 Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508
605039-3 CVE-2016-2775 K92991044 lwresd and bind vulnerability CVE-2016-2775
601059-6 CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449 K14614344 libxml2 vulnerability CVE-2016-1840
599536-1 CVE-2017-6156 K05263202 IPsec peer with wildcard selector brings up wrong phase2 SAs
597023-1 CVE-2016-4954 K82644737 NTP vulnerability CVE-2016-4954
595242-1 CVE-2016-3705 K54225343 libxml2 vulnerabilities CVE-2016-3705
595231-1 CVE-2016-3627 K54225343 libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705
594496-1 CVE-2016-4539 K35240323 PHP Vulnerability CVE-2016-4539
593447-1 CVE-2016-5024 K92859602 BIG-IP TMM iRules vulnerability CVE-2016-5024
592485 CVE-2015-5157 CVE-2015-8767 K17326 Linux kernel vulnerability CVE-2015-5157
592001-1 CVE-2016-4071 CVE-2016-4073 K64412100 CVE-2016-4073 PHP vulnerabilities
591455-7 CVE-2016-1550 CVE-2016-1548 CVE-2016-2516 CVE-2016-2518 K24613253 NTP vulnerability CVE-2016-2516
591447-1 CVE-2016-4070 K42065024 PHP vulnerability CVE-2016-4070
591358-1 CVE-2016-3425 CVE-2016-0695 CVE-2016-3427 K81223200 Oracle Java SE vulnerability CVE-2016-3425
585424-1 CVE-2016-1979 K20145801 Mozilla NSS vulnerability CVE-2016-1979
580747-1 CVE-2016-0739 K57255643 libssh vulnerability CVE-2016-0739
557190-3 CVE-2017-6166 K65615624 'packet_free: double free!' tmm core
597010-1 CVE-2016-4955 K03331206 NTP vulnerability CVE-2016-4955
596997-1 CVE-2016-4956 K64505405 NTP vulnerability CVE-2016-4956
591767-8 CVE-2016-1547 K11251130 NTP vulnerability CVE-2016-1547
591438-7 CVE-2015-8865 K54924436 PHP vulnerability CVE-2015-8865
575629-3 CVE-2015-8139 K00329831 NTP vulnerability: CVE-2015-8139
573343-1 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 K01324833 NTP vulnerability CVE-2015-8158


Functional Change Fixes

ID Number Severity Solution Article(s) Description
615377-3 3-Major   Unexpected rate limiting of unreachable and ICMP messages for some addresses.
590122-2 3-Major   Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.
581438-2 3-Major   Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision.
561348-7 3-Major   krb5.conf file is not synchronized between blades and not backed up
541549-2 3-Major   AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.
530109-3 3-Major   OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
246726-1 3-Major K8940 System continues to process virtual server traffic after disabling virtual address
225634-1 3-Major   The rate class feature does not honor the Burst Size setting.
599839-3 4-Minor   Add new keywords to SIP::persist command to specify how the persistence table is updated
591733-4 4-Minor K83175883 Save on Auto-Sync is missing from the configuration utility.


TMOS Fixes

ID Number Severity Solution Article(s) Description
625784 1-Blocking   TMM crash on i4x00 and i2x00 platforms with large ASM configuration.
617622 1-Blocking   In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure
621422 2-Critical   i2000 and i4000 series appliances do not warn when an incorrect optic is in a port
620056-1 2-Critical   Assert on deletion of paired in-and-out IPsec traffic selectors
617935 2-Critical   IKEv2 VPN tunnels fail to establish
617481-1 2-Critical   TMM can crash when HTML minification is configured
614865-5 2-Critical   Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
610354-1 2-Critical   TMM crash on invalid memory access to loopback interface stats object
605476-3 2-Critical   statsd can core when reading corrupt stats files.
601527-4 2-Critical   mcpd memory leak and core
600894-1 2-Critical   In certain situations, the MCPD process can leak memory
598748 2-Critical   IPsec AES-GCM IVs are now based on a monotonically increasing counter
598697-1 2-Critical   vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created
595712-1 2-Critical   Not able to add remote user locally
591495-2 2-Critical   VCMP guests sflow agent can crash due to duplicate vlan interface indices
591104-1 2-Critical   ospfd cores due to an incorrect debug statement.
588686 2-Critical   High-speed logging to remote logging node stops sending logs after all logging nodes go down
587698-3 2-Critical   bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
585745-2 2-Critical   sod core during upgrade from 10.x to 12.x.
583936-5 2-Critical   Removing ECMP route from BGP does not clear route from NSM
557680-4 2-Critical   Fast successive MTU changes to IPsec tunnel interface crashes TMM
355806-7 2-Critical   Starting mcpd manually at the command line interferes with running mcpd
622877-1 3-Major   i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away
622199 3-Major   sys-icheck reports error with /var/lib/waagent
622194 3-Major   sys-icheck reports error with ssh_host_rsa_key
621423 3-Major   sys-icheck reports error with /config/ssh/ssh_host_dsa_key
621242-1 3-Major   Reserve enough space in the image for future upgrades.
621225 3-Major   LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"
620782 3-Major   Azure cloud now supports hourly billing
619410-1 3-Major   TMM hardware accelerated compression not registering for all compression levels.
617986-2 3-Major   Memory leak in snmpd
617229-1 3-Major K54245014 Local policy rule descriptions disappear when policy is re-saved
616242-3 3-Major K39944245 basic_string::compare error in encrypted SSL key file if the first line of the file is blank
614530-2 3-Major   Dynamic ECMP routes missing from Linux host
614180-1 3-Major   ASM is not available in LTM policy when ASM is licensed as the main active module
610441-3 3-Major   When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.
610352-1 3-Major   sys-icheck reports error with /etc/sysconfig/modules/unic.modules
610350-1 3-Major   sys-icheck reports error with /config/bigpipe/defaults.scf
610273-3 3-Major   Not possible to do targeted failover with HA Group configured
605894-3 3-Major   Remote authentication for BIG-IP users can fail
603149-2 3-Major   Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy
602854-8 3-Major   Missing ASM control option from LTM policy rule screen in the Configuration utility
602502-2 3-Major   Unable to view the SSL Cert list from the GUI
601989-3 3-Major K88516119 Remote LDAP system authenticated username is case sensitive
601893-2 3-Major K89212666 TMM crash in bwc_ctb_instance_recharge because pkts_avg_size is zero.
601502-4 3-Major   Excessive OCSP traffic
600558-5 3-Major   Errors logged after deleting user in GUI
599816-2 3-Major   Packet redirections occur when using VLAN groups with members that have different cmp-hash settings.
598443-1 3-Major   Temporary files from TMSH not being cleaned up intermittently.
598039-6 3-Major   MCP memory may leak when performing a wildcard query
597729-5 3-Major   Errors logged after deleting user in GUI
596104-1 3-Major K84539934 HA trunk unavailable for vCMP guest
595773-4 3-Major   Cancellation requests for chunked stats queries do not propagate to secondary blades
594426-2 3-Major   Audit forwarding Radius packets may be rejected by Radius server
592870-2 3-Major   Fast successive MTU changes to IPsec tunnel interface crashes TMM
592344-2 3-Major   NTP Security Updates
592320-5 3-Major   ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1
589083-2 3-Major   TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
586878-4 3-Major   During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.
585833-3 3-Major   Qkview will abort if /shared partition has less than 2GB free space
585547-1 3-Major   NTP configuration items are no longer collected by qkview
585485-3 3-Major   Interoperability with "delete IPSEC-SA" between Azure, ASA, and the BIG-IP system
584583-3 3-Major K18410170 Timeout error when using the REST API to retrieve large amount of data
583285-5 3-Major K24331010 BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
582084-1 3-Major   BWC policy in device sync groups.
580500-1 3-Major   /etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed.
578551-5 3-Major   bgp "network 0.0.0.0/0 route-map Default" configuration is lost after restart/reboot
576305-7 3-Major   Potential MCPd leak in IPSEC SPD stats query code
575649-5 3-Major   MCPd might leak memory in IPFIX destination stats query
575591-6 3-Major   Potential MCPd leak in IKE message stats query code
575589-5 3-Major   Potential MCPd leak in IKE event stats query code
575587-7 3-Major   Potential MCPd leak in BWC policy class stats query code
575176-1 3-Major K58275035 Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic
575066-1 3-Major   Management DHCP settings do not take effect
570818-4 3-Major   Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.
568672-1 3-Major   Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI
566507-4 3-Major   Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment
553795-7 3-Major   Differing cert/key after successful config-sync
547479-5 3-Major   Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
546145-1 3-Major   Creating local user for previously remote user results in incomplete user definition.
540872-1 3-Major   Config sync fails after creating a partition.
527206-5 3-Major   Management interface may flap due to LOP sync error
393270-1 3-Major   Configuration utility may become non-responsive or fail to load.
618421 4-Minor   Some mass storage is left un-used
617124 4-Minor   Cannot map hardware type (12) to HardwareType enumeration
581835-1 4-Minor   Command failing: tmsh show ltm virtual vs_name detail.
567546-1 4-Minor   Files with file names larger than 100 characters are omitted from qkview
564771-1 4-Minor   cron sends purge_mysql_logs.pl email error on LTM-only device
564522-2 4-Minor K40547220 cron is configured with MAILTO=root but mailhost defaults to 'mail'
559837-4 4-Minor   Misleading error message in catalina.out when listing certificates.
551349-5 4-Minor K80203854 Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade
460833-5 4-Minor   MCPD sync errors and restart after multiple modifications to file object in chassis
572133-5 5-Cosmetic   tmsh save /sys ucs command sends status messages to stderr
442231-4 5-Cosmetic   Pendsect log entries have an unexpected severity


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
618905-1 1-Blocking   tmm core while installing Safenet 6.2 client
616215-4 2-Critical   TMM can core when using LB::detach and TCP::notify commands in an iRule
615388-1 2-Critical   L7 policies using normalized HTTP URI or Referrer operands may corrupt memory
612229-1 2-Critical   TMM may crash if a disable policy action for 'LTM Policy' is not last
609628-2 2-Critical   CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session
609199-6 2-Critical   Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join
608555-1 2-Critical   Configuring asymmetric routing with a VE rate limited license will result in tmm crash
607724-2 2-Critical K25713491 TMM may crash when in Fallback state.
607524-2 2-Critical   Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.
607360-5 2-Critical   Safenet 6.2 library missing after upgrade
606573-3 2-Critical   FTP traffic does not work through SNAT when configured without Virtual Server
605865-4 2-Critical   Debug TMM produces core on certain ICMP PMTUD packets
604133-2 2-Critical   Ramcache may leave the HTTP Cookie Cache in an inconsistent state
603032-1 2-Critical   clientssl profiles with sni-default enabled may leak X509 objects
602326-1 2-Critical   Intermittent pkcs11d core when stopping or restarting pkcs11d service
599135-2 2-Critical   B2250 blades may suffer from high TMM CPU utilisation with tcpdump
588959-2 2-Critical K34453301 TMM may crash or behave abnormally on a Standby BIG-IP unit
588351-5 2-Critical   IPv6 fragments are dropped when packet filtering is enabled.
586449-1 2-Critical   Incorrect error handling in HTTP cookie results in core when TMM runs out of memory
584213-1 2-Critical   Transparent HTTP profiles cannot have iRules configured
575011-1 2-Critical K21137299 Memory leak. Nitrox3 Hang Detected.
574880-3 2-Critical   Excessive failures observed when connection rate limit is configured on a fastl4 virtual server.
549329-3 2-Critical K02020031 L7 mirrored ACK from standby to active box can cause tmm core on active
545810-3 2-Critical K14304373 TMM halts and restarts
459671-4 2-Critical   iRules source different procs from different partitions and executes the incorrect proc.
617862-2 3-Major   Fastl4 handshake timeout is absolute instead of relative
617824-3 3-Major   "SSL::disable/enable serverside" + oneconnect reuse is broken
615143-1 3-Major   VDI plugin-initiated connections may select inappropriate SNAT address
613429-2 3-Major   Unable to assign wildcard wide IPs to various BIG-IP DNS objects.
613369-4 3-Major   Half-Open TCP Connections Not Discoverable
613079-4 3-Major   Diameter monitor watchdog timeout fires after only 3 seconds
613065-1 3-Major   User can't generate netHSM key with Safenet 6.2 client using GUI
612040-4 3-Major   Statistics added for all crypto queues
611320-3 3-Major   Mirrored connection on Active unit of HA pair may be unexpectedly torn down
610609-3 3-Major   Total connections in bigtop, SNMP are incorrect
608024-3 3-Major   Unnecessary DTLS retransmissions occur during handshake.
607803-3 3-Major K33954223 DTLS client (serverssl profile) fails to complete resumed handshake.
607304-5 3-Major   TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
606940-3 3-Major   Clustered Multiprocessing (CMP) peer connection may not be removed
606575-6 3-Major   Request-oriented OneConnect load balancing ends when the server returns an error status code.
606565-2 3-Major K52231531 TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection
604977-2 3-Major K08905542 Wrong alert when DTLS cookie size is 32
603236-1 3-Major   1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware
602385-1 3-Major   Add zLib compression
602366-1 3-Major   Safenet 6.2 HA performance
602358-5 3-Major   BIG-IP ServerSSL connection may reset during renegotiation with some SSL/TLS servers due to ClientHello version
601496-4 3-Major   iRules and OCSP Stapling
601178-6 3-Major   HTTP cookie persistence 'preferred' encryption
598874-2 3-Major   GTM Resolver sends FIN after SYN retransmission timeout
597978-2 3-Major   GARPs may be transmitted by active going offline
597879-1 3-Major   CDG Congestion Control can lead to instability
597532-1 3-Major   iRule: RADIUS avp command returns a signed integer
597089-8 3-Major   Connections are terminated after 5 seconds when using ePVA full acceleration
593530-6 3-Major K26430211 In rare cases, connections may fail to expire
592784-2 3-Major   Compression stalls, does not recover, and compression facilities cease.
592497-1 3-Major   Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.
591659-5 3-Major K47203554 Server shutdown is propagated to client after X-Cnection: close transformation.
591476-7 3-Major K53220379 Stuck crypto queue can erroneously be reported
591343-5 3-Major K03842525 SSL::sessionid output is not consistent with the sessionid field of ServerHello message.
589223-1 3-Major   TMM crash and core dump when processing SSL protocol alert.
588115-1 3-Major   TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
588089-3 3-Major   SSL resumed connections may fail during mirroring
587016-3 3-Major   SIP monitor in TLS mode marks pool member down after positive response.
585813-3 3-Major K22111214 SIP monitor with TLS mode fails to find cert and key files.
585412-4 3-Major   SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
583957-6 3-Major   The TMM may hang handling pipelined HTTP requests with certain iRule commands.
582465-1 3-Major   Cannot generate key after SafeNet HSM is rebooted
580303-5 3-Major   When going from active to offline, tmm might send a GARP for a floating address.
579843-1 3-Major   tmrouted may not re-announce routes after a specific succession of failover states
579371-4 3-Major K70126130 BIG-IP may generate ARPs after transition to standby
578951-2 3-Major   TCP Fast Open connection timeout during handshake does not decrement pre_established_connections
572281-5 3-Major   Variable values in the nested script of a foreach command get reset when there is a parking command in the script
570057-2 3-Major   Can't install more than 16 SafeNet HSMs in its HA group
569288-6 3-Major   Different LACP key may be used in different blades in a chassis system causing trunking failures
565799-4 3-Major   CPU Usage increases when using masquerade addresses
551208-6 3-Major   Nokia alarms are not deleted due to the outdated alert_nokia.conf.
550161-4 3-Major   Networking devices might block a packet that has a TTL value higher than 230.
545796-5 3-Major   [iRule] [Stats] iRule is not generating any stats for executed iRules.
545450-5 3-Major   Log activation/deactivation of TM.TCPMemoryPressure
537553-8 3-Major   tmm might crash after modifying virtual server SSL profiles in SNI configuration
534457-4 3-Major   Dynamically discovered routes might fail to remirror connections.
530266-7 3-Major   Rate limit configured on a node can be exceeded
506543-5 3-Major   Disabled ephemeral pool members continue to receive new connections
483953-1 3-Major   Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value.
472571-7 3-Major   Memory leak with multiple client SSL profiles.
464801-3 3-Major   Intermittent tmm core
423392-6 3-Major   tcl_platform is no longer in the static:: namespace
371164-1 3-Major   BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so a MAC might be associated with multiple VLANs.
598860-4 4-Minor   IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address
587676-2 4-Minor   SMB monitor fails due to internal configuration issue
560471-1 4-Minor   Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down
544033-5 4-Minor K30404012 ICMP fragmentation request is ignored by BIG-IP
222034-4 4-Minor   HTTP::respond in LB_FAILED with large header/body might result in truncated response


Performance Fixes

ID Number Severity Solution Article(s) Description
510631-1 3-Major   B4450 L4 No ePVA or L7 throughput lower than expected


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
603598-3 2-Critical   big3d memory under extreme load conditions
587656-2 2-Critical   GTM auto discovery problem with EHF for ID574052
587617-1 2-Critical   While adding GTM server, failure to configure new IP on existing server leads to gtmd core
615338-2 3-Major   The value returned by "matchregion" in an iRule is inconsistent in some cases.
613576-1 3-Major   QOS load balancing links display as gray
613045-7 3-Major   Interaction between GTM and 10.x LTM results in some virtual servers marked down
607658-1 3-Major   GUI becomes unresponsive when managing GSLB Pool
589256-1 3-Major K71283501 DNSSEC NSEC3 records with different type bitmap for same name.
588289-1 3-Major   GTM is Re-ordering pools when adding pool including order designation
584623-2 3-Major   Response to -list iRules command gets truncated when dealing with MX type wide IP
574052-4 3-Major   GTM autoconf can cause high CPU usage for gtmd
370131-4 3-Major   Loading UCS with low GTM Autoconf Delay drops pool Members from config


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
609499-1 2-Critical   Compiled signature collections use more memory than prior versions
603945-2 2-Critical   BD config update should be considered as config addition in case of update failure
588087-1 2-Critical   Attack prevention isn't escalating under some conditions in session opening mitigation
587629-2 2-Critical   IP exceptions may have issues with route domain
575133-1 2-Critical   asm_config_server_rpc_handler_async.pl SIGSEGV and core
622386-1 3-Major   Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled
621808-1 3-Major   Proactive Bot Defense failing in IE11 with Compatibility View enabled
616169 3-Major   ASM Policy Export returns HTML error file
613459-1 3-Major   Non-common browsers blocked by Proactive Bot Defense
613396-1 3-Major   Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs
611385-1 3-Major   "Learn Explicit Entities" may continue to work as if it is 'Add All Entities'
610857-1 3-Major   DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.
610830-1 3-Major   FingerPrint JavaScript runs slowly and causes a bad user browsing experience when accessing a webapp's first page.
609496-2 3-Major   Improved diagnostics in BD config update (bd_agent) added
608509-1 3-Major   Policy learning is slow under high load
606875-1 3-Major   DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page
604923-5 3-Major   REST id for Signatures change after update
604612-1 3-Major K20323120 Modified ASM cookie violation happens after upgrade to 12.1.x
602221-2 3-Major   Wrong parsing of redirect Domain
601924-1 3-Major   Selenium detection by ports scanning doesn't work even if the ports are opened
596502-1 3-Major   Unable to force Bot Defense action to Allow in iRule
584642-1 3-Major   Apply Policy Failure
584103-2 3-Major   FPS periodic updates (cron) write errors to log
582683-2 3-Major   xpath parser doesn't reset a namespace hash value between scans
582133-1 3-Major   Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.)
581315-1 3-Major   Selenium detection not blocked
579917-1 3-Major   User-defined signature set cannot be created/updated with Signature Type = "All"
579495-1 3-Major   Error when loading Upgrade UCS
521204-2 3-Major   Include default values in XML Policy Export
501892-1 3-Major   Selenium is not detected by headless mechanism when using client version without server


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
602654-2 2-Critical   TMM crash when using AVR lookups
602434-1 2-Critical   Tmm crash with compressed response
601056 2-Critical   TCP-Analytics: an error message that does not use the rate-limit mechanism can halt TMM
622735 3-Major   TCP Analytics statistics do not list all virtual servers
618944-1 3-Major   AVR statistics are not saved during the upgrade process
601035 3-Major   TCP-Analytics can fail to collect all the activity


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
618506 2-Critical   TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.
618324-1 2-Critical   Unknown/Undefined OPSWAT IDs show up as 'Any' in APM Visual Policy Editor
592868-3 2-Critical   Rewrite may crash processing HTML tag with HTML entity in attribute value
591117-3 2-Critical   APM ACL construction may cause TMM to core if TMM is out of memory
569563-3 2-Critical   Sockets resource leak after loading complex policy
619250-1 3-Major   Returning to main menu from "RSS Feed" breaks ribbon
617187-1 3-Major   APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate
614891-2 3-Major   Routing table doesn't get updated when EDGE client roams among wireless networks
613613-2 3-Major   Incorrect handling of form that contains a tag with id=action
611922-1 3-Major   Policy sync fails with policy that includes custom CA Bundle.
611240-3 3-Major   Import of config with securid might fail
610224-3 3-Major   APM client may fetch expired certificate when a valid and an expired certificate co-exist
608941-1 3-Major   AAA RADIUS system authentication fails on IPv6 network
604767-1 3-Major   Importing SAML IdP's metadata on BIG-IP as SP may result in an incomplete configuration of the IdP connector object.
601905-1 3-Major   POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server
600119-3 3-Major   DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions
598981-3 3-Major K06913155 APM ACL does not get enforced all the time under certain conditions
598211-1 3-Major   Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
597431-2 3-Major   VPN establishment may fail when computer wakes up from sleep
596116-3 3-Major   LDAP Query does not resolve group membership, when required attribute(s) specified
595227-1 3-Major   SWG Custom Category: unable to have a URL in multiple custom categories
594288-1 3-Major   Access profile configured with SWG Transparent results in memory leak.
592414-4 3-Major   IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
591840-1 3-Major   encryption_key in access config is NULL in whitelist
591590-1 3-Major   APM policy sync results are not persisted on target devices
591268-1 3-Major   VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions
590820-3 3-Major   Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
588888-3 3-Major K80124134 Empty URI rewriting is not done as required by browser.
586718-1 3-Major   Session variable substitutions are logged
586006-1 3-Major   Failed to retrieve CRLDP list from client certificate if DirName type is present
585562-3 3-Major   VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari
583113-1 3-Major   NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event
582752-3 3-Major   Macrocall might not be topologically connected with the rest of the policy.
582526-3 3-Major   Unable to display and edit huge policies (more than 4000 elements)
580893-2 3-Major K08731969 Support for Single FQDN usage with Citrix Storefront Integration mode
573643-3 3-Major   flash.utils.Proxy functionality is not negotiated
572558-1 3-Major   Internet Explorer: incorrect handling of document.write() to closed document
569309-3 3-Major   Clientside HTML parser does not recognize HTML event attributes without value
562636-2 3-Major K05489319 Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.
525429-11 3-Major   DTLS renegotiation sequence number compatibility
455975-1 3-Major   Separate MIBS needed for tracking Access Sessions and Connectivity Sessions
389484-6 3-Major   OAM reporting Access Server down with JDK version 1.6.0_27 or later
386517-1 3-Major   Multidomain SSO requires a default pool be configured
238444-3 3-Major K14219 An L4 ACL has no effect when a layered virtual server is used.
605627 4-Minor   Selinux denial seen for apmd when it is being shutdown.
584373-2 4-Minor   AD/LDAP resource group mapping table controls are not accessible sometimes
573611-1 4-Minor   Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs
557411-1 4-Minor   Full Webtop resources appear overlapping in IE11 compatibility mode


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
619757-1 2-Critical   iSession causes routing entry to be prematurely freed


Service Provider Fixes

ID Number Severity Solution Article(s) Description
613297-3 2-Critical   Default generic message routing profile settings may core
612135-3 2-Critical   Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic
603397-2 2-Critical   tmm core on MRF when routing via MR::message route iRule command using a non-existent transport-config
596631-2 2-Critical   SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later
609575-5 3-Major   BIG-IP drops ACKs containing no max-forwards header
609328-3 3-Major K53447441 SIP Parser incorrectly parses empty header
607713-3 3-Major   SIP Parser fails header with multiple sequential separators inside quoted string.
603019-3 3-Major   Inserted SIP VIA branch parameter not unique between INVITE and ACK
599521-5 3-Major   Persistence entries not added if message is routed via an iRule
598854-3 3-Major   sipdb tool incorrectly displays persistence records without a pool name
598700-6 3-Major   MRF SIP Bidirectional Persistence does not work with multiple virtual servers
597835-3 3-Major K12228503 Branch parameter in inserted VIA header not consistent as per spec
583010-4 3-Major   Sending a SIP invite with 'tel' URI fails with a reset
578564-4 3-Major   ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response
573075-4 3-Major   ADAPT recursive loop when handling successive iRule events
566576-6 3-Major   ICAP/OneConnect reuses connection while previous response is in progress
401815-1 3-Major   BIG-IP system may reset the egress IP ToS to zero when load balancing SIP traffic
585807-2 4-Minor   'ICAP::method <method>' iRule is documented but is read-only
561500-4 4-Minor   ICAP Parsing improvement


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
612874-1 2-Critical   iRule with FLOW_INIT stage execution can cause TMM restart
609095-1 2-Critical   mcpd memory grows when updating firewall rules
622281-1 3-Major   Network DoS logging configuration change can cause TMM crash
614284-2 3-Major   Performance fix to not reset a data structure in the packet receive hotpath.
608566-1 3-Major   The reference count of NW dos log profile in tmm log is incorrect
605427-1 3-Major   TMM may crash when adding and removing virtual servers with security log profiles
594869-4 3-Major   AFM can log DoS attack against the internal mpi interface and not the actual interface
594075-2 3-Major   Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically
586070 3-Major   'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings
585823-1 3-Major   FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
609005-2 1-Blocking   Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).
611467-3 2-Critical   TMM coredump at dhcpv4_server_set_flow_key().
608009-1 2-Critical   Crash: Tmm crashing when active system connections are deleted from cli
603825-2 2-Critical   Crash when a Gy update message is received by a debug TMM
593070-2 2-Critical   TMM may crash with multiple IP addresses per session
472860-5 2-Critical   RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
623491-2 3-Major   After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.
622220-2 3-Major   Disruption during manipulation of PEM data with suspected flow irregularity
618657-4 3-Major   Bogus ICMP unreachable messages in PEM with ipother profile in use
617014-3 3-Major   tmm core using PEM
608742-2 3-Major K48561135 DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode.
608591-1 3-Major   Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
592070-5 3-Major   DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied
588456-3 3-Major K60250444 PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).
577863-5 3-Major K56504204 DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
606066-2 2-Critical   LSN_DELETE messages may be lost after HA failover
605525-1 2-Critical   Deterministic NAT combined with NAT64 may cause a TMM core
587106-1 2-Critical   Inbound connections are reset prematurely when zombie timeout is configured.
602171-1 3-Major   TMM may core when remote LSN operations time out


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
617648 2-Critical   Surfing with IE8 sometimes results in a script error
603234-3 2-Critical   Performance Improvements
597471 2-Critical   Some Alerts are sent with outdated username value
617688 3-Major   Encryption is not activated unless "real-time encryption" is selected
613671-2 3-Major   Error in the Console when a nonexistent parameter is configured with Encryption and Obfuscation
610897-2 3-Major   FPS-generated request failures throw an "unspecified error" error in old IE.
609098-1 3-Major   Improve details of ajax failure
604885-1 3-Major   Redirect/Route action doesn't work if there is an alert logging iRule
601083-1 3-Major   FPS Globally Forbidden Words lists freeze in IE 11
588058-3 3-Major   False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer
609114-1 4-Minor   Add the ability to control dropping of alerts by before-load-function
605125-2 4-Minor   Sometimes, password fields are readonly
592274-3 4-Minor   RAT-Detection alerts sent with incorrect duration details


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
588405-1 3-Major   BADOS - BIG-IP Self-protection during (D)DOS attack
608826-1 4-Minor   Greylist (bad actors list) is not cleaned when attack ends


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
624370-1 2-Critical   tmm crash during classification hitless upgrade if virtual server configuration is modified


Device Management Fixes

ID Number Severity Solution Article(s) Description
621401 3-Major   When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
615824-1 3-Major   REST API calls to invalid REST endpoint log level change



Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
613127-3 CVE-2016-5696 K46514822 Linux TCP Stack vulnerability CVE-2016-5696


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
612564 1-Blocking   mysql does not start
618382-4 2-Critical   qkview may cause tmm to restart or may take 30 or more minutes to run
614766-1 3-Major   lsusb uses unknown ioctl and spams kernel logs
612952-1 3-Major   PSU FW revision not displayed correctly
611352 3-Major K68092141 Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms
610307 3-Major   Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber
609325 3-Major   Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported
606807-1 3-Major   i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error
604459-1 3-Major   On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up
597309-2 3-Major   Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms
561444-1 3-Major   LCD might display incorrect output.
521270-1 3-Major   Hypervisor might replace vCMP guest SYN-Cookie secrets
434573-6 3-Major K25051022 Tmsh 'show sys hardware' displays Platform ID instead of platform name
609677-1 4-Minor   Dossier warning 14
607857-1 4-Minor   Some information displayed in "list net interface" will be stale for interfaces that change bundle state
607200-1 4-Minor   Switch interfaces may seem up after bcm56xxd goes down
602061 4-Minor   i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages
601309 4-Minor   Locator LED no longer persists across reboots
592716-1 4-Minor   BMC timezone value was not being synchronized by BIG-IP


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
597708-4 3-Major   Stats are unavailable and vCMP state and status are incorrect



Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
598294-1 CVE-2016-7472 K17119920 BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472
601938-2 CVE-2016-7474 K52180214 MCPD stores certain data incorrectly


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
542097-4 2-Critical   Update to RHEL6 kernel
601927-1 4-Minor K52180214 Security hardening of control plane


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
602653-1 2-Critical   TMM may crash after updating bot-signatures
599769 2-Critical   TMM may crash when managing APM clients.
605682-2 3-Major   With forward proxy enabled, sometimes the client connection will not complete.
599054-2 3-Major   LTM policies may incorrectly use those of another virtual server


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
585120-1 2-Critical   Memory leak in bd under rare scenario


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
596674-2 2-Critical   High memory usage when using CS features with gzip HTML responses.
575170-2 2-Critical   Analytics reports may not identify virtual servers correctly
590074-1 3-Major   Wrong value for TCP connections closed measure


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
603997 2-Critical   Plugin should not inject nonce to CSP header with unsafe-inline
594910-1 3-Major   FPS flags no cookie when length check fails
590608-1 3-Major   Alert is not redirected to alert server when unseal fails
590578-4 3-Major   False positive "URL error" alerts on URLs with GET parameters
593355 4-Minor   FPS may erroneously flag missing cookie
589318-1 4-Minor   Clicking 'Customize All' checkbox does not work.


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
603605-1 2-Critical   Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active
608373-2 3-Major   Some iApp LX packages will not be saved during upgrade or UCS save/restore



Cumulative fixes from BIG-IP v12.1.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
596488-1 CVE-2016-5118 K82747025 GraphicsMagick vulnerability CVE-2016-5118.
579955-6 CVE-2016-7475 K01587042 BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475
587077-1 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118 K37603172 Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
579220-1 CVE-2016-1950 K91100352 Mozilla NSS vulnerability CVE-2016-1950
570697-1 CVE-2015-8138 K71245322 NTP vulnerability CVE-2015-8138
580340-1 CVE-2016-2842 K52349521 OpenSSL vulnerability CVE-2016-2842
580313-1 CVE-2016-0799 K22334603 OpenSSL vulnerability CVE-2016-0799
579829-7 CVE-2016-0702 K79215841 OpenSSL vulnerability CVE-2016-0702
579085-6 CVE-2016-0797 K40524634 OpenSSL vulnerability CVE-2016-0797
578570-1 CVE-2016-0705 K93122894 OpenSSL Vulnerability CVE-2016-0705
569355-1 CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 K50118123 Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494
565895-1 CVE-2015-8389 CVE-2015-8388 CVE-2015-5073 CVE-2015-8395 CVE-2015-8393 CVE-2015-8390 CVE-2015-8387 CVE-2015-8391 CVE-2015-8383 CVE-2015-8392 CVE-2015-8386 CVE-2015-3217 CVE-2015-8381 CVE-2015-8380 CVE-2015-8384 CVE-2015-8394 CVE-2015-3210 K17235 Multiple PCRE Vulnerabilities
570667-2 CVE-2016-0701 CVE-2015-3197 K64009378 OpenSSL vulnerabilities


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
606509-4 2-Critical   Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover
595605 2-Critical   Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail
591119 2-Critical   OOM with session messaging may result in TMM crash
601076 3-Major   Fix watchdog event for accelerated compression request overflow
597303 3-Major   "tmsh create net trunk" may fail
595693 3-Major   Incorrect PVA indication on B4450 blade
591261 3-Major   BIG-IP VPR-B4450N shows "unknown" SNMP Object ID
590904-1 3-Major   New HA Pair created using serial cable failover only will remain Active/Active
589661 3-Major   PS2 power supply status incorrect after removal
588327 3-Major   Observe "err bcm56xxd"-like log messages in /var/log/ltm
587735 3-Major   False alarm on LCD indicating bad fan
587668 3-Major   LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.
585332 3-Major   Virtual Edition network settings aren't pinned correctly on startup
584670 3-Major   Output of tmsh show sys crypto master-key
584661 3-Major   Last good master key
584655 3-Major   platform-migrate won't import password protected master-keys from a 10.2.4 UCS file
583177 3-Major   LCD text truncated by heartbeat icon on VIPRION
581945-2 3-Major   Device-group 'datasync-global-dg' becomes out-of-sync every hour
581811 3-Major   The blade alarm LED may not reflect the warning that non F5 optics is used.
579529 3-Major   Stats file descriptors kept open in spawned child processes
578064 3-Major   tmsh show sys hardware shows "unavailable" for hard disk manufacturer on B4400/B4450 blade
578036-1 3-Major   incorrect crontab can cause large number of email alerts
573584 3-Major   CPLD update success logs at the same error level as an update failure
563592 3-Major   Content diagnostics and LCD
559655 3-Major   Post RMA, system does not display correct platform name regardless of license
555039-4 3-Major K24458124 VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
539360 3-Major   Firmware update that includes might take over 15 minutes. Do not turn off device.
526708 3-Major   system_check shows fan=good on removed PSU of 4000 platform
433357 3-Major   Management NIC speed reported as 'none'
400778 3-Major   Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete
400550 3-Major   LCD listener error during shutdown
587780 4-Minor   warning: HSBe2 XLMAC initial recovery failed after 11 retries.
478986 4-Minor   Powered down DC PSU is treated as not-present
418009 5-Cosmetic   Hardware data display inaccuracies


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
603700 2-Critical   tmm core on multiple SSL::disable calls
598052-1 2-Critical   SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails
591139 2-Critical   TMM QAT segfault after zlib/QAT compression conflation.
585654 2-Critical   Enhanced implementation of AES in Common Criteria mode
579953 2-Critical   Updated the list of Common Criteria ciphersuites
584926-1 3-Major   Accelerated compression segfault when devices are all in error state.
566342 3-Major   Cannot set 10T-FD or 10T-HD on management port


Performance Fixes

ID Number Severity Solution Article(s) Description
599803 1-Blocking   TMM accelerated compression incorrectly destroying in-flight contexts.
588879-2 2-Critical   apmd crash under rare conditions with LDAP


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
581824-2 3-Major   "Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
588049-1 2-Critical   Improve detection of browser capabilities
585352-2 2-Critical   bruteForce record selfLink gets corrupted by change to brute force settings in GUI
585054-1 2-Critical   BIG-IP imports delay violations incorrectly, causing wrong policy enforcement
583686-2 3-Major   High ASCII meta-characters can be disallowed on UTF-8 policy via XML import
581991-1 3-Major   Logging filter for remote loggers doesn't work correctly with more than one logging profile
521370-1 3-Major   Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8
518201-4 3-Major   ASM policy creation fails with after upgrading


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
587419-1 3-Major   TMM may restart when SAML SLO is performed after APM session is closed
585442-2 3-Major   Provisioning APM to 'none' creates a core file


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
596809-1 3-Major   It is possible to create ssh rules with blank space for auth-info
593925-1 3-Major   ssh profile should not contain rules that begin and end with spaces (cannot be deleted)
593696-1 3-Major   Sync fails when deleting an ssh profile


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
584921-1 2-Critical   Inbound connections fail to keep port block alive



Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
600662-9 CVE-2016-5745 K64743453 NAT64 vulnerability CVE-2016-5745
599168-7 CVE-2016-5700 K35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
598983-7 CVE-2016-5700 K35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
580596-1 CVE-2013-0169 CVE-2016-6907 CVE-2019-6593 K14190 K39508724 K10065173 TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
604211-1 2-Critical K72931250 License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.
600859-2 2-Critical   Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.
599033-5 2-Critical   Traffic directed to incorrect instance after network partition is resolved
595394-3 2-Critical   Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.
606110-2 3-Major   BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.
596814-4 3-Major   HA Failover fails in certain valid AWS configurations
596603-2 3-Major   AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
600357-2 3-Major   bd crash when asm policy is removed from virtual during specific configuration change



Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
569467-5 CVE-2016-2084 K11772107 BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
591806-8 CVE-2016-3714 K03151140 ImageMagick vulnerability CVE-2016-3714
591918-2 CVE-2016-3718 K61974123 ImageMagick vulnerability CVE-2016-3718
591908-2 CVE-2016-3717 K29154575 ImageMagick vulnerability CVE-2016-3717
591894-2 CVE-2016-3715 K10550253 ImageMagick vulnerability CVE-2016-3715
591881-1 CVE-2016-3716 K25102203 ImageMagick vulnerability CVE-2016-3716


Functional Change Fixes

ID Number Severity Solution Article(s) Description
583631-2 1-Blocking   ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.
590993 3-Major   Unable to load configs from /usr/libexec/aws/.
576478 3-Major   Enable support for the Purpose-Built DDoS Hybrid Defender Platform
544477 3-Major   New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.


TMOS Fixes

ID Number Severity Solution Article(s) Description
591039 2-Critical   DHCP lease is saved on the Custom AMI used for auto-scaling VE
590779 2-Critical   Rest API - log profile in json return does not include the partition but needs to
588140 2-Critical   Pool licensing fails in some KVM/OpenStack environments
587791-1 2-Critical   Set execute permission on /var/lib/waagent
565137 2-Critical K12372003 Pool licensing fails in some KVM/OpenStack environments.
554713-2 2-Critical   Deployment failed: Failed submitting iControl REST transaction
592363 3-Major   Remove debug output during first boot of VE
592354 3-Major   Raw sockets are not enabled on Cloud platforms


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
592699-3 2-Critical   IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance
594302-1 3-Major   Connection hangs when processing large compressed responses from server
592854-1 3-Major   Protocol version set incorrectly on serverssl renegotiation
592682-1 3-Major   TCP: connections may stall or be dropped
531979-6 3-Major   SSL version in the record layer of ClientHello is not set to be the lowest supported version.


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
582629-1 2-Critical   User Session lookups are not cleared; session stats are marked as invalid


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
590601-2 3-Major   BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed
590428-1 3-Major   The "ACCESS::session create" iRule command does not work
590345-1 3-Major   ACCESS policy running iRule event agent intermittently hangs
585905-1 3-Major   Citrix Storefront integration mode with pass-through authentication fails
581834-5 3-Major   Firefox signed plugin for VPN, Endpoint Check, etc


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
588399-1 3-Major   BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated
582374-1 3-Major   Multiple 'Loading state for virtual server' messages in admd.log
569121-1 3-Major   Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low
547053-1 4-Minor   Bad actor quarantining


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
590795-1 2-Critical   tmm crash when loading default signatures or updating classification signature

 

Cumulative fix details for BIG-IP v12.1.6 that are included in this release

981169-5 : F5 TMUI XSS vulnerability CVE-2021-22994

Solution Article: K66851119


980809-5 : ASM REST Signature Rule Keywords Tool Hardening

Component: Application Security Manager

Symptoms:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.

Conditions:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.

Impact:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.

Workaround:
N/A.

Fix:
The ASM REST Signature Rule Keywords Tool now follows current best practices.


975233-5 : Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992

Solution Article: K52510511


974205-6 : Unconstrained wr_urldbd size causing box to OOM

Component: Traffic Classification Engine

Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.

Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.

Impact:
The device eventually runs out of memory (OOM condition).

Workaround:
Restart the wr_urldbd process:
 restart sys service wr_urldbd

Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.

Added two sys DB variables:

-- wr_urldbd.cloud_cache.log.level

Value Range:
sys db wr_urldbd.cloud_cache.log.level {
    value "debug"
    default-value "none"
    value-range "debug none"
}

-- wr_urldbd.cloud_cache.limit

Value Range:
sys db wr_urldbd.cloud_cache.limit {
    value "5500000"
    default-value "5500000"
    value-range "integer min:5000000 max:10000000"
}

Note: Both of these variables are introduced for debugging purposes.


973333-1 : TMM buffer-overflow vulnerability CVE-2021-22991

Solution Article: K56715231


968421-6 : ASM attack signature doesn't match

Component: Application Security Manager

Symptoms:
A specific attack signature doesn't match as expected.

Conditions:
Undisclosed conditions.

Impact:
Attack signature does not match as expected, request is not logged.

Workaround:
N/A

Fix:
Attack signature now matches as expected.


960437-5 : The BIG-IP system may initially fail to resolve some DNS queries

Component: Global Traffic Manager (DNS)

Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.

Subsequent queries for the same domain name, however, work as expected.

Only some domain names are affected.

Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.

- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).

- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.

Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure cascades to the client.

In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.

For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.

Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.

1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6'.
4. Select Update.

You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.

Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.
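A configuration check for the condition above, written as an added example rather than taken from the page or from F5: it parses tmsh 'list' output, decides whether an IPv6 default route ('default-inet6') exists, and lists the DNS Cache and Network DNS Resolver objects that still have 'Use IPv6' enabled, together with the tmsh form of the GUI workaround. The tmsh output is constructed, and the property name use-ipv6, the default of 'yes', and the remediation command are assumptions to confirm against `tmsh list ... all-properties` on your version.

```python
# Added example (not F5 code): flag DNS Cache / Network DNS Resolver objects
# that still have use-ipv6 enabled on a system without an IPv6 default route.
import re

# Constructed tmsh 'list' output, not captured from a real unit. Assumptions:
# the IPv6 default route is the 'net route' whose network is 'default-inet6',
# the GUI's 'Use IPv6' checkbox is the 'use-ipv6' property, and tmsh omits
# properties at their default, which for use-ipv6 is 'yes'.
ROUTES = """\
net route default {
    gw 192.0.2.1
    network default
}
"""

RESOLVERS = """\
net dns-resolver swg_resolver {
    forward-zones {
        . {
            nameservers {
                192.0.2.53:53 { }
            }
        }
    }
    route-domain 0
}
ltm dns cache resolver client_cache {
    route-domain 0
    use-ipv6 no
}
"""

HEADER_RE = re.compile(
    r"^(net route|net dns-resolver|ltm dns cache (?:validating-)?resolver) (\S+) \{$")


def parse_tmsh_list(text):
    """Return [(kind, name, settings)] for each top-level stanza.

    settings holds only the directly nested 'key value' lines (four-space
    indent); nested blocks such as forward-zones are skipped because the
    audit does not need them.
    """
    objects, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m and current is None:
            current = (m.group(1), m.group(2), {})
        elif line == "}" and current is not None:
            objects.append(current)
            current = None
        elif current is not None and line.startswith("    ") and not line.startswith("     "):
            parts = line.strip().split(None, 1)
            if len(parts) == 2 and not parts[1].endswith("{"):
                current[2][parts[0]] = parts[1]
    return objects


def has_ipv6_default_route(route_text):
    """True if 'tmsh list net route' output contains the default-inet6 route."""
    return any(kind == "net route" and s.get("network") == "default-inet6"
               for kind, _, s in parse_tmsh_list(route_text))


def resolvers_to_fix(resolver_text, ipv6_default_route_present):
    """Resolver/cache objects whose use-ipv6 is yes (explicitly or by default)
    while no IPv6 default route exists; empty when the route exists."""
    if ipv6_default_route_present:
        return []
    return [f"{kind} {name}" for kind, name, s in parse_tmsh_list(resolver_text)
            if kind != "net route" and s.get("use-ipv6", "yes") == "yes"]


def remediation_commands(object_names):
    """tmsh form of the GUI workaround, one command per affected object (assumed syntax)."""
    return [f"tmsh modify {obj} use-ipv6 no" for obj in object_names]


if __name__ == "__main__":
    # On a real unit, feed this the output of:
    #   tmsh list net route
    #   tmsh list net dns-resolver ; tmsh list ltm dns cache
    for cmd in remediation_commands(resolvers_to_fix(RESOLVERS, has_ipv6_default_route(ROUTES))):
        print(cmd)
```

Run against the constructed sample it prints one command, for swg_resolver, because that object has no explicit use-ipv6 line and so inherits the default; client_cache already has it disabled and is left alone.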


955145-5 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Solution Article: K03009991


954381-5 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Solution Article: K03009991


953845-6 : After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart

Component: Local Traffic Manager

Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.

This can occur when using administrative commands such as:
   -- tmsh run util fips-util init
   -- fipsutil init
   -- tmsh run util fips-util loginreset -r
   -- fipsutil loginreset -r

Conditions:
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F
  + vCMP guest on i5820-DF / i7820-DF
  + vCMP guest on 10350v-F

Impact:
BIG-IP is unable to communicate with the onboard HSM.

Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.

Immediately before doing this:

-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:

    sys fipsuser f5cu {
        password $M$Et$b3R0ZXJzCg==
    }
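An added helper (not F5 code) for the editing step above: it removes the 'sys fipsuser f5cu' stanza from bigip.conf text by counting braces, backs the file up first, and leaves every other stanza untouched. The sample configuration is constructed from the stanza quoted above plus filler; the default path and the user name are assumptions.

```python
# Added example (not F5 code): remove the 'sys fipsuser f5cu' stanza from a
# bigip.conf text the way the workaround asks you to do by hand in an editor.
import shutil
import sys

# Constructed sample of the relevant part of /config/bigip.conf. The stanza is
# the one quoted in the workaround; the pool below it is filler to show that
# unrelated objects survive untouched.
SAMPLE_BIGIP_CONF = """\
sys fipsuser f5cu {
    password $M$Et$b3R0ZXJzCg==
}
ltm pool p1 {
    members {
        10.0.0.1:80 {
            address 10.0.0.1
        }
    }
}
"""


def remove_stanza(conf_text, stanza_header):
    """Return (new_text, removed_count) with every top-level stanza whose
    header line is exactly '<stanza_header> {' removed.

    Nesting is tracked by counting braces on each line, which assumes the
    file's braces are balanced, as tmsh writes them. Only stanzas at depth 0
    are candidates, so an identically named block nested inside another
    object is left alone.
    """
    out, depth, skipping, removed = [], 0, False, 0
    for line in conf_text.splitlines(keepends=True):
        if depth == 0 and not skipping and line.strip() == stanza_header + " {":
            skipping = True
            removed += 1
        depth += line.count("{") - line.count("}")
        if skipping:
            if depth == 0:          # closing brace of the removed stanza
                skipping = False
            continue
        out.append(line)
    return "".join(out), removed


def strip_fipsuser(path="/config/bigip.conf", user="f5cu"):
    """Back up `path` to `path + '.bak'` and rewrite it without the fipsuser
    stanza. Returns the number of stanzas removed (0 leaves the file as is)."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    new_text, removed = remove_stanza(original, f"sys fipsuser {user}")
    if removed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as f:
            f.write(new_text)
    return removed


if __name__ == "__main__":
    # Dry run against the constructed sample unless a real path is given.
    if len(sys.argv) > 1:
        print(f"removed {strip_fipsuser(sys.argv[1])} stanza(s)")
    else:
        text, n = remove_stanza(SAMPLE_BIGIP_CONF, "sys fipsuser f5cu")
        print(f"removed {n} stanza(s):\n{text}", end="")
```

Run it immediately before the final service restart, as the workaround says, and keep the .bak copy until the HSM is confirmed reachable after the restart.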

Fix:
Fixed an issue with re-initializing the onboard FIPS HSM.


953729-5 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990

Solution Article: K56142644


953677-5 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Solution Article: K18132488


950077-5 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Solution Article: K18132488


949861 : Wr_urldbd returns unknown results for customdb on some blades

Component: Traffic Classification Engine

Symptoms:
Some blades return 'Unknown' for newly added URLs in a custom database.

Conditions:
This might occur when feed list updates are performed quickly in a loop.

Impact:
BIG-IP is unable to classify using url categories defined in the custom database.

Workaround:
Restart wr_urldbd

Fix:
Custom database classification now works as expected.


949145-2 : Improve TCP's response to partial ACKs during loss recovery

Component: Local Traffic Manager

Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.

Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.

Impact:
The bursty retransmissions may lead to more data getting lost due to large amount of data being injected into the network.

Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.

Fix:
Partial ACK handling during loss recovery is improved.


948769-2 : TMM panic with SCTP traffic

Component: TMOS

Symptoms:
TMM panics and generates a core file. The panic message is "balanced nodes".

Conditions:
SCTP enabled virtual server

Impact:
Traffic interrupted while TMM restarts

Workaround:
Do one of the following:
-- Ensure that you have a route to the server's alternate address (for example, a default route, since the remote server might not be under your direct control).
-- On versions earlier than 13.0, make sure that auto-lasthop is enabled for the virtual server (via the global, VLAN, or virtual server setting).

Fix:
TMM now handles SCTP traffic properly


947057-5 : Traffic intelligence feeds do not follow best practices

Component: Traffic Classification Engine

Symptoms:
Traffic intelligence feeds do not follow best practices.

Conditions:
AFM or PEM are provisioned

Impact:
Traffic intelligence feeds do not follow best practices.

Workaround:
None

Fix:
Traffic intelligence feeds now follow best practices


945109-6 : Freetype Parser Skip Token Vulnerability CVE-2015-9382

Component: TMOS

Symptoms:
FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation.

Conditions:
An attacker may leverage this vulnerability by supplying a crafted input file, resulting in a limited loss of confidentiality.

Impact:
In ps_parser_skip_PS_token(), lack of proper validation may let the reading cursor that holds the current position go beyond the end of the text content. This in turn causes an out-of-bounds read in the skip_comment() function, and unexpected data may be exposed as a result of the over-read.

Workaround:
N/A

Fix:
Updated Freetype to patch for CVE-2015-9382


943125-5 : Web-Socket request with JSON payload causing core during the payload parsing

Component: Application Security Manager

Symptoms:
Any WebSocket request with a JSON payload may cause a core within the JSON parser, depending on the memory layout of the machine.

Conditions:
-- Depends on the memory layout of the machine.
-- A WebSocket request with a JSON payload is sent to the backend server.

Impact:
BD crash while parsing the JSON payload.

Workaround:
N/A

Fix:
No crashes during JSON payload parsing.


941853-4 : Logging Profiles do not disassociate from virtual server when multiple changes are made

Component: Application Security Manager

Symptoms:
When multiple Logging Profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.

Conditions:
Multiple Logging Profile changes are made in a single update.

Impact:
The previous Logging Profiles are not disassociated from the virtual server.

Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.


941449-6 : BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993

Solution Article: K55237223


941089-5 : TMM core when using Multipath TCP

Component: Local Traffic Manager

Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic interrupted while TMM restarts.

Workaround:
There is no workaround other than to disable MPTCP.

Fix:
TMM no longer produces a core.


940897-6 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached

Component: Application Security Manager

Symptoms:
False positive violations are detected for an incorrect parameter when "Maximum Array/Object Elements" is reached and "Parse Parameter" is enabled.

Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.

Impact:
False positives detected, such as "Illegal meta character in value" violation and attack signature for incorrect context.

Workaround:
N/A

Fix:
No false positives detected.


940401-5 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'

Component: Fraud Protection Services

Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.

Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.

Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.

Workaround:
None.

Fix:
Section now reads 'Rooting Detection'.


940249-5 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached

Component: Application Security Manager

Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then all sensitive data after the last allowed element is not masked.

Conditions:
Define JSON profile, set "JSON data does not comply with format settings" to blocking and set "Maximum Array/Object Elements" to desired value.

Impact:
Data after last allowed element is not masked.

Fix:
Now the values are masked.


939845-5 : BIG-IP MPTCP vulnerability CVE-2021-23004

Solution Article: K31025212


939841-5 : BIG-IP MPTCP vulnerability CVE-2021-23003

Solution Article: K43470422


939529-5 : Branch parameter not parsed properly when topmost via header received with comma separated values

Component: Service Provider

Symptoms:
MRF SIP in load-balancing operation mode inserts a Via header into SIP request messages and removes it from the returned response message. The inserted Via header carries encrypted routing information used to route the response. The SIP specification requires the INVITE and the CANCEL of the same transaction to carry the same branch, but the code that encrypts the branch field returns a different branch ID for the INVITE and the CANCEL.

Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.

Impact:
Some SIP clients verify the branch field in the Via header and expect it to be the same for the INVITE and the CANCEL in a dialogue. Because the branch received differs, these clients cannot identify the specific INVITE transaction when the CANCEL arrives, and they respond with a 481 error:

SIP/2.0 481 Call/Transaction Does Not Exist.

Workaround:
Use an iRule to remove the topmost Via header and add a new Via header that uses the same branch for the INVITE and the CANCEL when sending messages to SIP clients.

Fix:
The BIG-IP system now inserts the same branch field in the Via header for INVITE and CANCEL messages.
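The branch check that the 481-responding clients perform, as an added example that is not F5 code and not an iRule from this page: it splits a topmost Via line that carries comma-separated values (the case this entry covers), extracts the branch of the first value, and verifies that a CANCEL carries the same topmost branch as its INVITE (RFC 3261 section 9.1). The SIP messages are constructed for the example; commas inside quoted Via parameters are not handled.

```python
# Added example (not F5 code): parse the topmost Via value from a header that
# carries comma-separated values and check INVITE/CANCEL branch consistency.
import re

# Constructed SIP messages (not captured traffic). The INVITE's topmost Via
# line carries two comma-separated values, which is the case the entry describes.
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP proxy.example.com;branch=z9hG4bK776asdhds, "
    "SIP/2.0/UDP alice-pc.example.com:5060;branch=z9hG4bKnashds8\r\n"
    "Call-ID: a84b4c76e66710@alice-pc.example.com\r\n"
    "CSeq: 314159 INVITE\r\n\r\n"
)
# A correct CANCEL repeats the INVITE's topmost Via; the bad one carries a
# different branch, which is what the affected clients reject with 481.
CANCEL_OK = INVITE.replace("INVITE sip:", "CANCEL sip:").replace("314159 INVITE", "314159 CANCEL")
CANCEL_BAD = CANCEL_OK.replace("z9hG4bK776asdhds", "z9hG4bKdifferent")


def via_values(message):
    """Return every Via value in order: folded continuation lines are joined
    and comma-separated lists are split, per RFC 3261 section 7.3.1."""
    headers, _, _ = message.partition("\r\n\r\n")
    unfolded = []
    for line in headers.split("\r\n")[1:]:          # drop the request line
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    values = []
    for line in unfolded:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):    # 'v' is the compact form
            values.extend(v.strip() for v in value.split(","))
    return values


def topmost_branch(message):
    """Branch parameter of the topmost Via, i.e. the first value of the first
    Via header, or None if the message has no usable Via."""
    values = via_values(message)
    if not values:
        return None
    m = re.search(r";\s*branch\s*=\s*([^;\s]+)", values[0])
    return m.group(1) if m else None


def cancel_matches_invite(invite, cancel):
    """RFC 3261 section 9.1: a CANCEL must carry the same topmost Via branch
    as the request it cancels; otherwise the transaction cannot be matched."""
    branch = topmost_branch(invite)
    return branch is not None and branch == topmost_branch(cancel)


if __name__ == "__main__":
    print("topmost branch:", topmost_branch(INVITE))
    print("good CANCEL matches:", cancel_matches_invite(INVITE, CANCEL_OK))
    print("bad CANCEL matches: ", cancel_matches_invite(INVITE, CANCEL_BAD))
```

Running the same two functions over a packet capture of the INVITE and the CANCEL as the client received them is the quickest way to confirm whether a 481 stems from this issue rather than from a genuinely unknown transaction.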


938233-5 : An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization

Component: Local Traffic Manager

Symptoms:
BIG-IP exhibits gradual and linear increase in memory accumulation (high xfrag accumulation) leading to high CPU utilization.

Impact:
This may start affecting the BIG-IP system's capacity to serve other incoming requests as CPU utilization approaches its maximum.

Fix:
The BIG-IP system no longer accumulates xfrag memory under this traffic pattern, so the resulting high CPU utilization no longer occurs.


935721-2 : ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Solution Article: K82252291


935401-6 : BIG-IP ASM iControl REST vulnerability CVE-2021-23001

Solution Article: K06440657


933741-6 : BIG-IP FPS XSS vulnerability CVE-2021-22979

Solution Article: K63497634


933461-1 : BGP multi-path candidate selection does not work properly in all cases.

Component: TMOS

Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.

Conditions:
An inbound route-map exists that modifies a route's path selection attribute.

Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.

Workaround:
None.


932697 : BIG-IP TMM vulnerability CVE-2021-23000

Solution Article: K34441555


932065-5 : iControl REST vulnerability CVE-2021-22978

Solution Article: K87502622


931837-4 : NTP has predictable timestamps

Component: TMOS

Symptoms:
No known symptoms.

Conditions:
ntpd in ntp before 4.2.8p14 and in 4.3.x before 4.3.100 is vulnerable.

Two prerequisites must both hold for this to be exploited:

1. The BIG-IP system acts as an NTP server.
2. The BIG-IP system's own time sources are unreliable or unauthenticated upstream NTP servers.

Impact:
A high-performance ntpd instance that gets its time from unauthenticated IPv4 time sources may be vulnerable to an off-path attacker who can query time from the victim's ntpd instance. An attacker who can send a large number of packets with the spoofed IPv4 address of the upstream server can use this flaw to modify the victim's clock by a limited amount or cause ntpd to exit.

Workaround:
Red Hat suggests the following mitigations:

1. Have enough trustworthy sources of time.

2. If you are serving time to a possibly hostile network, have your system get its time from other than unauthenticated IPv4 over the hostile network.

3. Use NTP packet authentication where appropriate.

4. Pay attention to error messages logged by ntpd.

5. Monitor your ntpd instances. If the pstats command of ntpq shows the value for "bogus origin" is increasing then that association is likely under attack.

6. If you must get unauthenticated time over IPv4 on a hostile network, use 'restrict ... noserve' to block time service to the specified network and so prevent this attack (note that this is a heavy-handed protection).


929001-6 : ASM form handling improvements

Component: Application Security Manager

Symptoms:
Under certain conditions, the ASM form handler may not enforce as expected.

Conditions:
- Brute force protection is configured

Impact:
Enforcement not triggered as expected.

Workaround:
N/A

Fix:
ASM now processes forms as expected.


927617-5 : "Illegal Base64 value" violation is detected for cookie with valid base64 value

Component: Application Security Manager

Symptoms:
A request that should be passed to the backend server is blocked because its Cookie header contains a cookie whose valid value is base64-encoded.

Conditions:
A cookie name has to be defined in "Security ›› Application Security : Headers : Cookies List ›› New Cookie..." with enabled "Base64 Decoding".

Impact:
Blocking page, while the request should not be blocked.

Workaround:
Disable "Base64 Decoding" for the desired cookie.

Fix:
Requests with valid base64-encoded cookies are no longer blocked by the enforcer.


922317 : Using the LSN::persistence_entry command in an iRule may cause crashes and/or stalled connections

Component: Local Traffic Manager

Symptoms:
-- Stalled serverside connections visible in connection table.
-- No traffic going out towards pool member.
-- Sometimes tmm crashes may occur.

Conditions:
The LSN::persistence_entry Tcl command is used inside of an iRule triggered by a serverside event, e.g., SERVER_CONNECTED.

Impact:
-- Traffic not reaching pool members.
-- System disruption while tmm restarts in case of crash.

Workaround:
Do not use the LSN::persistence_entry command in iRules triggered by serverside events.

Fix:
Traffic now reaches pool members, no stalled connections occur, and crashes are eliminated.


921337-4 : BIG-IP ASM WebSocket vulnerability CVE-2021-22976

Solution Article: K88230177


918933-5 : The BIG-IP ASM system may not properly perform signature checks on cookies

Solution Article: K88162221

Component: Application Security Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Impact:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Workaround:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Fix:
For more information, please see:
https://support.f5.com/csp/article/K88162221


917509-6 : BIG-IP ASM vulnerability CVE-2020-27718

Solution Article: K58102101


917005-2 : ISC BIND Vulnerability: CVE-2020-8619

Solution Article: K19807532


915281-7 : Do not rearm TCP Keep Alive timer under certain conditions

Component: Local Traffic Manager

Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.

Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.

Impact:
Continuous rearming results in consuming CPU resources unnecessarily.

Workaround:
None.

Fix:
Rearming of TCP Keep Alive timer is improved.


913441-1 : Tmm cores while doing Hitless Upgrade while there are active flows

Component: Traffic Classification Engine

Symptoms:
Tmm cores.

Conditions:
New flows are added to an existing classification library while a Hitless Upgrade is in progress.

Impact:
Tmm core while doing app detection for new flows. Traffic disrupted while tmm restarts.

Workaround:
Restrict addition of new flows if a Hitless Upgrade is in progress.

Fix:
New flows are no longer added to any classification library in the classification engine while the Hitless Upgrade process is in progress.


912289-5 : Cannot roll back after upgrading on certain platforms

Component: Local Traffic Manager

Symptoms:
On certain platforms, after upgrade to particular software versions, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.

- BIG-IP v14.1.4 or later in the v14.x branch of code
- BIG-IP v15.1.1 or later in the v15.x branch of code
- BIG-IP v16.0.0 or later

Conditions:
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

-- Upgrade the software to one of the following software versions:

  + BIG-IP v14.1.4 or later in the v14.x branch of code
  + BIG-IP v15.1.1 or later in the v15.x branch of code
  + BIG-IP v16.0.0 or later

-- Attempt to roll back to a previous version.

Impact:
Cannot boot into a previous version. Contact F5 Support for the reversion process if this is required.

Workaround:
None.

Fix:
Contact F5 Support for the reversion process if this is required.

Behavior Change:
On certain platforms, after upgrade to particular software versions, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.

The particular platforms are:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

The particular software versions are:
  + BIG-IP v14.1.4 or later in the v14.x branch of code
  + BIG-IP v15.1.1 or later in the v15.x branch of code
  + BIG-IP v16.0.0 or later


912221-4 : CVE-2020-12662 & CVE-2020-12663

Solution Article: K37661551


911761-6 : F5 TMUI XSS vulnerability CVE-2020-5948

Solution Article: K42696541


909237-2 : CVE-2020-8617: BIND Vulnerability

Solution Article: K05544642


909233-2 : DNS Hardening

Solution Article: K97810133


908673-1 : TMM may crash while processing DNS traffic

Solution Article: K43850230


905905-5 : TMUI CSRF vulnerability CVE-2020-5904

Solution Article: K31301245


904937-6 : Excessive resource consumption in zxfrd

Solution Article: K25595031


902417-1 : Configuration error caused by Drafts folder in a deleted custom partition

Component: TMOS

Symptoms:
Configuration load fails because the Drafts folder associated with a custom partition still exists after the partition has been deleted.

01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.

Conditions:
Create draft policy under custom partition

Impact:
Impacts the software upgrade.

Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.


898949-5 : APM may consume excessive resources while processing VPN traffic

Solution Article: K04518313


895993-6 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


895981-6 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


895881-5 : BIG-IP TMUI XSS vulnerability CVE-2020-5903

Solution Article: K43638305


895525-6 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


889557-4 : jQuery Vulnerability CVE-2019-11358

Solution Article: K20455158


888497-6 : Cacheable HTTP Response

Component: TMOS

Symptoms:
JSESSIONID, BIGIPAUTHCOOKIE, BIGIPAUTH can be seen in the browser's debugging page.

Conditions:
-- Accessing the BIG-IP system using the GUI.
-- Viewing the browser's stored cache information.

Impact:
HTTPS session information is captured/seen in the browser's local cache, cookie.

Note: The BIG-IP system does not display and/or return sensitive data in the TMUI. Content that is marked appropriately as sensitive is never returned, so it is never cached. Data that is cached for TMUI in the client browser session is not considered secret.

Workaround:
Disable caching in browsers.


888493-6 : ASM GUI Hardening

Solution Article: K40843345


887089-6 : Upgrade can fail when filenames contain spaces

Component: TMOS

Symptoms:
Filenames with spaces in the /config directory can cause an upgrade or UCS load to fail. The im upgrade script that backs up the configuration splits each line of a file spec on whitespace, so the number of spaces in a filename determines how the line is separated into fields: a path to the file, an md5sum, and some file properties (notably size). If the path contains whitespace, the field the upgrade/UCS load process reads holds a value other than the one it expects, and the upgrade/UCS load fails.

The file's content is also significant because that determines the md5sum value.

Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:

Not enough free disk space to install!

Conditions:
Filenames with spaces in /config directory.

Impact:
Upgrade or loading of UCS fails.

Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.


886085-7 : BIG-IP TMM vulnerability CVE-2020-5925

Solution Article: K45421311


883717-5 : BD crash on specific server cookie scenario

Solution Article: K37466356


883097-3 : Radius authentication may consume excessive resources

Solution Article: K11400411


882633-6 : Active Directory authentication does not follow current best practices

Component: Access Policy Manager

Symptoms:
Under certain conditions, Active Directory authentication does not follow the current best practices.

Conditions:
When ADAuth agent is used in VPE

Impact:
ADAuth agent is not following best practices

Workaround:
None.

Fix:
Active Directory authentication now follows the current best practices.


882185-3 : BIG-IP Edge Client Windows ActiveX

Solution Article: K20346072


881445-3 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5898

Solution Article: K69154630


880361-5 : iRules LX vulnerability CVE-2021-22973

Solution Article: K13323323


879745-7 : TMM may crash while processing Diameter traffic

Solution Article: K82530456


879413-5 : Statsd fails to start if one or more of its *.info files becomes corrupted

Component: Local Traffic Manager

Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd fails to load it and ends up restarting continuously. You see the following messages in /var/log/ltm:

-- err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'.
-- err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.

Conditions:
Corrupted *.info file in /var/rrd.

Impact:
Stats are no longer accurate.

Workaround:
It might take multiple attempts to repair the *.info files, and you might have to run the following command several times for different .info files. Replace <filename> with the base name of the file (e.g., 'throughput' for throughput.info). The loop deletes the file while it is not plain ASCII text and exits once the file is readable again:

found=0; while [ $found != 1 ]; do filetype=$(file <filename>.info | cut -d " " -f2); if [[ $filetype != "ASCII" ]]; then rm -f <filename>.info; else grep CRC <filename>.info; found=1; fi; done

Fix:
The system now detects corrupt *.info files and deletes and recreates them.


879025-7 : When processing TLS traffic, LTM may not enforce certificate chain restrictions

Solution Article: K72752002


872673-5 : TMM can crash when processing SCTP traffic

Solution Article: K26464312


871657-4 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S

Component: TMOS

Symptoms:
Mcpd restarts and produces a core file.

Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.

Impact:
Mcpd crash and restart results in high availability (HA) failover.

Workaround:
Use a lowercase 'a' or 's' as the flag value.

Fix:
Mcpd no longer crashes under these conditions. The flag value is always stored in lowercase regardless of the case used as input in the REST call or tmsh command, etc.


870273-1 : TMM may consume excessive resources when processing SSL traffic

Solution Article: K44020030


866021-5 : Diameter Mirror connection lost on the standby due to "process ingress error"

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.

Conditions:
This can happen when there is a large amount of mirror traffic. This includes the traffic processed by the active unit that requires mirroring and the high availability (HA) context synchronization, such as persistence information, message state, etc.

Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.

Fix:
Diameter mirror connections are no longer lost due to "process ingress error" when there is high mirror traffic.


860517-5 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.

Component: TMOS

Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.

As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms).

Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.

Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.

Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.

Fix:
The memory efficiency of MCPD has been improved. This allows very large BIG-IP configurations to be used successfully.


860477-7 : SCP hardening

Solution Article: K82518062


860005-5 : Ephemeral nodes/pool members may be created for wrong FQDN name

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.

Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.

The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.

Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.

Workaround:
It may be possible to mitigate this issue by one or more of the following actions:

-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.

-- Reducing the number of FQDN template nodes (FQDN names to be resolved).

-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.
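The mis-association described above comes down to how a resolver matches a response to its pending query. As an added illustration (not BIG-IP code), the following constructed Python model keeps a table of in-flight queries and shows what happens when two queries share a transaction ID and the reply for the second one arrives first: matching on TXID alone hands the addresses to the wrong name, while matching on TXID plus the echoed question name attaches them correctly. Names and addresses are constructed sample values.

```python
# Added illustration (not BIG-IP code): why matching DNS responses to pending
# queries by transaction ID alone mis-attributes addresses when two in-flight
# queries share a TXID, and why keying on (TXID, question name) avoids it.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PendingQuery:
    txid: int
    qname: str


@dataclass
class DnsResponse:
    txid: int
    qname: str            # question name echoed back in the response
    addresses: List[str]


class PendingTable:
    """Tracks in-flight DNS queries and matches responses to them.

    match_on_qname=False reproduces the flawed behaviour: the first pending
    query with a matching TXID wins, whatever name it asked for.
    match_on_qname=True also requires the echoed question name to match.
    """

    def __init__(self, match_on_qname: bool) -> None:
        self.match_on_qname = match_on_qname
        self.pending: List[PendingQuery] = []
        self.resolved: Dict[str, List[str]] = {}

    def send(self, txid: int, qname: str) -> None:
        self.pending.append(PendingQuery(txid, qname))

    def duplicate_txids(self) -> List[int]:
        """TXIDs shared by more than one in-flight query: the risky state."""
        counts: Dict[int, int] = {}
        for q in self.pending:
            counts[q.txid] = counts.get(q.txid, 0) + 1
        return sorted(t for t, n in counts.items() if n > 1)

    def receive(self, resp: DnsResponse) -> Optional[str]:
        """Attach the response's addresses to a pending query.

        Returns the name that received the addresses, or None if the response
        matched nothing (treated as spurious and dropped).
        """
        for i, q in enumerate(self.pending):
            if q.txid != resp.txid:
                continue
            if self.match_on_qname and q.qname != resp.qname:
                continue
            self.pending.pop(i)
            self.resolved[q.qname] = list(resp.addresses)
            return q.qname
        return None


def simulate(match_on_qname: bool) -> Dict[str, List[str]]:
    """Constructed scenario: two FQDN queries collide on TXID 0x1234 and the
    reply for the second one arrives first (a slow name server)."""
    table = PendingTable(match_on_qname)
    table.send(0x1234, "www.example.com")
    table.send(0x1234, "api.example.com")   # duplicate TXID while the first is pending
    assert table.duplicate_txids() == [0x1234]
    table.receive(DnsResponse(0x1234, "api.example.com", ["192.0.2.20"]))
    table.receive(DnsResponse(0x1234, "www.example.com", ["192.0.2.10"]))
    return dict(table.resolved)


if __name__ == "__main__":
    print("TXID only  :", simulate(match_on_qname=False))  # addresses swapped
    print("TXID+qname :", simulate(match_on_qname=True))   # correct
```

The `duplicate_txids` check is the state the workaround items above try to make rare: fewer names, longer intervals and faster servers all shrink the window in which two queries with the same TXID can be pending at once.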


859089-2 : TMSH allows SFTP utility access

Solution Article: K00091341


858301-5 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Workaround:
None.

Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003


858297-5 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Workaround:
None.

Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003


858229-1 : XML with sensitive data gets to the ICAP server

Solution Article: K22493037

Component: Application Security Manager

Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.

Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.

Impact:
Sensitive data will reach the ICAP server.

Workaround:
No immediate workaround other than policy-related changes.

Fix:
An internal parameter, send_xml_sensitive_entities_to_icap, was added. Its default is 1, as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.

Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.

When this is changed to 0 (using this command):
 /usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.


858189-6 : Make restnoded/restjavad/icrd timeout configurable with sys db variables.

Component: Device Management

Symptoms:
When a large number of LTM objects are configured on BIG-IP, making updates via iControl REST can result in restjavad/restnoded/icrd errors.

Conditions:
Using iControl REST/iapp to update a data-group that contains a large number of records, e.g., 75,000 or more.

Impact:
REST operations can time out when they take too long, and it is not possible to increase the timeout.

Workaround:
None.

Fix:
ICRD/restjavad/restnoded timeouts are now configurable through sys db variables.

Behavior Change:
New Sys DB variables have been added to allow you to modify the timeout settings of restjavad, restnoded, and icrd:

restnoded.timeout
restjavad.timeout
icrd.timeout

The default value is 60 seconds for each of these.

A restart of restjavad and restnoded is required for the change to take effect.

tmsh restart /sys service restjavad
tmsh restart /sys service restnoded


858025-6 : BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984

Solution Article: K33440533


857669 : BIG-IP Edge Client may log sensitive data on Linux client

Solution Article: K33023560


854177-1 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality

Component: Application Security Manager

Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.

Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.

Impact:
Latency is introduced to ASM handling.

Workaround:
Set the fast changing nodes to static updates every hour.

Fix:
ASM now correctly ignores pool member updates that do not affect remote logging.


853585-4 : REST Wide IP object presents an inconsistent lastResortPool value

Component: Global Traffic Manager (DNS)

Symptoms:
The output of a REST call to tm/gtm/wideip/<wideip_kind> returns objects that contain inconsistent values for the property 'lastResortPool'. For instance, for the kind 'aaaa', the output might be:

...
"lastResortPool": "aaaa \"\""
...

Conditions:
The BIG-IP admin has modified a Wide IP object via tmsh and used the following command structure:

tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind>

Impact:
The lastResortPool value in the REST response might be confusing for an external orchestrator that consumes the BIG-IP configuration via iControl REST, such as BIG-IQ, which might not work as expected with these values.

Workaround:
Change the Wide IP object via the GUI and set the Last Resort Pool to None, then save the changes.

Fix:
The tmsh interpreter now enforces the structure 'tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind> <pool_name>'.


852929-4 : AFM WebUI Hardening

Solution Article: K25160703


852445-6 : Big-IP : CVE-2019-6477 BIND Vulnerability

Solution Article: K15840535


851789-1 : SSL monitors flap with client certs with private key stored in FIPS

Component: Local Traffic Manager

Symptoms:
Bigd reporting 'overload' or 'overloaded' in /var/log/ltm.
SSL monitors flapping while the servers are available.

Conditions:
-- FIPS-enabled platform.
-- HTTPS monitors using client-cert authentication where the key is stored in FIPS HSM.
-- Large number of monitors or low interval.

Impact:
Periodic service interruption depending on which monitors are flapping. Reduced number of available servers.

Workaround:
-- Increase the interval on the monitors.
-- Switch the monitors to use software keys.

Fix:
Optimized FIPS API calls to improve performance of SSL monitors.


851045-5 : LTM database monitor may hang when monitored DB server goes down

Component: Local Traffic Manager

Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such as by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon), which interrupts monitoring of the other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.

Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).

Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads is processed to completion, and normal DB monitoring resumes.

Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.


850673-5 : BD sends bad ACKs to the bd_agent for configuration

Component: Application Security Manager

Symptoms:
-- The bd_agent stops sending the configuration in the middle of startup or a configuration change.

-- The policy may be incomplete in the bd causing incorrect enforcement actions.

Conditions:
This is a rarely occurring issue, and the exact conditions that trigger it are unknown.

Impact:
-- The bd_agent hangs or restarts, which may cause a complete ASM restart (and failover).

-- A partial policy may exist in bd causing improper enforcement.

Workaround:
-- Unassign and reassign the policy.

-- If unassign/reassign does not help, export and then reimport the policy.

Fix:
Fixed inconsistency scenario between bd and bd_agent.


848445-5 : Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer

Solution Article: K86285055

Component: Application Security Manager

Symptoms:
Global/URL/Flow Parameters with flag is_sensitive true are not masked in referrer and their value may be exposed in logs.

Conditions:
Global/URL/Flow Parameters with flag is_sensitive true are defined in the policy. In logs, the value of such a parameter will be masked in the QS, but will be exposed in the Referer header.

Impact:
The parameter value will not be masked in the 'Referer' header value in logs, although it is masked in the 'QS' string.

Workaround:
Define the parameters as global sensitive parameters.

Fix:
After the fix, such parameters are treated like global sensitive parameters and are also masked in the Referer header.
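The same value can appear in two places in one request: the query string and the Referer header (when the browser navigated from a URL that carried the parameter). As an added example, not ASM code, the following Python log-sanitizer masks parameters flagged sensitive in both places before the request is logged. Parameter names are compared exactly as they appear on the wire (no percent-decoding), which is a simplification of this example; the request target, headers and parameter name are constructed sample values.

```python
# Added illustration (not ASM code): masking the value of parameters flagged
# sensitive in both the request's query string and the Referer header before
# the request is written to a log. Parameter names are matched as they appear
# on the wire (no percent-decoding), a simplification of this example.
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit, urlunsplit

MASK = "*****"  # placeholder written in place of the real value


def mask_query(query: str, sensitive: Iterable[str]) -> str:
    """Return the query string with values of sensitive parameters replaced.

    Pairs are kept byte-for-byte otherwise, so the log still shows the
    original encoding of everything that is not sensitive.
    """
    sens = set(sensitive)
    if not query:
        return query
    out = []
    for pair in query.split("&"):
        key, sep, _value = pair.partition("=")
        if sep and key in sens:
            out.append(key + "=" + MASK)
        else:
            out.append(pair)
    return "&".join(out)


def mask_url(url: str, sensitive: Iterable[str]) -> str:
    """Mask sensitive parameters in an absolute URL or an origin-form target."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=mask_query(parts.query, sensitive)))


def sanitize_for_log(request_target: str, headers: Dict[str, str],
                     sensitive: Iterable[str]) -> Tuple[str, Dict[str, str]]:
    """Mask sensitive parameter values in the query string and in Referer.

    Masking only the query string leaves the same value readable in the
    Referer header whenever the client navigated from a page whose URL
    carried the parameter, so both locations are covered here.
    """
    sens = set(sensitive)
    masked_headers: Dict[str, str] = {}
    for name, value in headers.items():
        if name.lower() == "referer":
            masked_headers[name] = mask_url(value, sens)
        else:
            masked_headers[name] = value
    return mask_url(request_target, sens), masked_headers


# Constructed sample request (not a real capture)
SAMPLE_TARGET = "/account/update?user=alice&ssn=123-45-6789"
SAMPLE_HEADERS = {
    "Host": "app.example.com",
    "Referer": "https://app.example.com/account/form?ssn=123-45-6789&step=2",
}

if __name__ == "__main__":
    target, hdrs = sanitize_for_log(SAMPLE_TARGET, SAMPLE_HEADERS, ["ssn"])
    print(target)            # /account/update?user=alice&ssn=*****
    print(hdrs["Referer"])   # https://app.example.com/account/form?ssn=*****&step=2
```

Any other header that can carry a URL (for example a redirect Location in a logged response) needs the same treatment; the point of the entry above is that a masking rule scoped to one location leaves the value exposed in the others.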


848405-7 : TMM may consume excessive resources while processing compressed HTTP traffic

Solution Article: K26244025


846917-6 : lodash Vulnerability: CVE-2019-10744

Solution Article: K47105354


842937-1 : TMM crash due to failed assertion 'valid node'

Component: Local Traffic Manager

Symptoms:
Under an undetermined load pattern, TMM may crash with the message "Assertion 'valid node' fail".

Conditions:
This can occur while passing traffic with the Ram Cache profile enabled on a Virtual Server. Other conditions are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Refraining from using ramcache may mitigate the problem.

Fix:
The Ramcache module stops handling messages after it is torn down, so it does not attempt to use data structures that have already been deinitialized.


842717-2 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5855

Solution Article: K55102004


842189-1 : Tunnels removed when going offline are not restored when going back online

Component: TMOS

Symptoms:
When a BIG-IP instance goes offline, any functioning tunnel is removed from the active configuration. Upon restoration to online operation, the tunnel is not automatically restored.

Conditions:
-- Configuration includes tunnels.
-- BIG-IP instance goes offline and then comes back online.

Impact:
Failure of tunnel packet traffic.

Workaround:
Manually recreate the tunnel after the BIG-IP instance has been brought back online.

Fix:
Tunnels removed when going offline are now restored when going back online.


841953-2 : A tunnel can be expired when going offline, causing tmm crash

Component: TMOS

Symptoms:
When the system transitions from active or next-active (standby) to offline, for example, the internal flow of a tunnel can be expired.

If the device returns to active or standby, and if the tunnel is modified, a double flow removal can cause a tmm crash.

Conditions:
-- System transitions from active or next active.
-- Tunnel is modified.
-- Device returns to active or next active mode.

Impact:
The tmm process restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The tmm process no longer crashes under these conditions.


841577-7 : iControl REST hardening

Solution Article: K20606443


841333-2 : TMM may crash when tunnel used after returning from offline

Component: TMOS

Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.

Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


839453-1 : lodash library vulnerability CVE-2019-10744

Solution Article: K47105354


838909-2 : BIG-IP APM Edge Client vulnerability CVE-2020-5893

Solution Article: K97733133


838881-6 : APM Portal Access Vulnerability: CVE-2020-5853

Solution Article: K73183618


837837-6 : F5 SSH server key size vulnerability CVE-2020-5917

Solution Article: K43404629


837773-5 : Restjavad Storage and Configuration Hardening

Solution Article: K12936322


836357-2 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2

Component: Service Provider

Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.

Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- A message is sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by the 'node <ip> <port>' and 'snat <ip> <port>' iRule commands.
-- The destination flow is in the FIN-wait2 stage.

Impact:
This causes the BIG-IP system to abort the flow that originates the message.

Workaround:
None.

Fix:
SIP MBLB correctly initiates a new flow from a virtual IP to the client when an existing flow is in the FIN-wait2 stage.


833685-2 : Idle async handlers can remain loaded for a long time doing nothing

Component: Application Security Manager

Symptoms:
Idle async handlers can remain loaded for a long time doing nothing because they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a large XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.

Impact:
Depletion of memory by lingering idle async handlers may deprive other processes of sufficient memory, triggering out-of-memory conditions and process failures.

Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart asm_config_server periodically using cron, as idle handlers are soon created again.

Fix:
Idle async handlers now exit after 5 minutes of not receiving any new calls.


832885-6 : Self-IP hardening

Solution Article: K05975972


832757-2 : Linux kernel vulnerability CVE-2017-18551

Solution Article: K48073202


832205-2 : ASU cannot be completed after Signature Systems database corruption following binary Policy import

Component: Application Security Manager

Symptoms:
Signatures cannot be updated after signature systems have become corrupted in the configuration database, after a binary policy containing a user-defined Signature Set using an unknown System was imported.

Conditions:
Signature systems are corrupted in configuration database, because a binary policy containing a user-defined Signature Set using an unknown System was imported.

Impact:
Signatures cannot be updated.

Workaround:
Delete signature systems with an ID greater than 38, and re-add them by performing a signature update. You can delete these signature systems by running the following command:

mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "DELETE FROM PLC.NEGSIG_SYSTEMS WHERE system_group = ''"


831661-5 : ASMConfig Handler undergoes frequent restarts

Component: Application Security Manager

Symptoms:
Under some settings and load, the RPC handler for the Policy Builder process restarts frequently, causing unnecessary churn and slower learning performance.

Conditions:
Configure one or more policies with automatic policy building enabled and learn traffic with violations.

Impact:
Control Plane instability and poor learning performance on the device.

Fix:
The Policy Builder handler is now restored to a more robust process lifecycle.


831325-4 : HTTP PSM detects more issues with Transfer-Encoding headers

Solution Article: K10701310

Component: Local Traffic Manager

Symptoms:
HTTP PSM may not detect some invalid Transfer-Encoding headers.

Conditions:
HTTP PSM is used to detect HTTP RFC violations. A request with an invalid Transfer-Encoding header is sent.

Impact:
Traffic is not alarmed/blocked as expected.

Workaround:
None.

Fix:
HTTP PSM detects new cases of invalid Transfer-Encoding headers.


831293-1 : SNMP address-related GET requests slow to respond.

Component: TMOS

Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.

Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.

Impact:
Slow performance.

Workaround:
None.


830401-6 : TMM may crash while processing TCP traffic with iRules

Solution Article: K54200228


829121-6 : State mirroring default does not require TLS

Solution Article: K65720640


829117-6 : State mirroring default does not require TLS

Solution Article: K17663061


826601-2 : Prevent receive window shrinkage for looped flows that use a SYN cookie

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
-- VIP to VIP (looped flow) configuration.
-- SYN cookie is used.
-- Initial receive window is greater than 3.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
-- Set the initial receive window value of the VIP to 3.

Fix:
Receive window shrinkage is prevented for looped flows using SYN cookies.


825689-6 : Enhance FIPS crypto-user storage

Component: Local Traffic Manager

Symptoms:
Existing TMOS releases use legacy storage and generation facilities that have been supplanted in newer TMOS releases.

Conditions:
Crypto-officer access to TMSH / fipsutil.

Impact:
FIPS crypto-user storage did not leverage Secure Vault facilities.

Workaround:
None.

Fix:
FIPS crypto-user storage now leverages Secure Vault facilities.


825049-2 : Windows code signing certificate update 2019

Component: Access Policy Manager

Symptoms:
The certificate for APM Edge Client (v7.1.8.1) expires on 12 Dec. 2019

Conditions:
Code signing certificate expired on December 11, 2019.

Impact:
Certificate is expired.

Fix:
Update the APM client with the certificate attributes and use the new code signing certificate.


824093-2 : Parameters payload parser issue

Component: Application Security Manager

Symptoms:
Incorrect parameter parsing occurs under some conditions. For example, in a signature violation, the 'Actual Parameter Name' value appears as 'attachment; filename'.

Conditions:
-- ASM in use.
-- Request contains multipart headers.

Impact:
Incorrect policy enforcement.

Workaround:
None.

Fix:
This release fixes an issue related to multipart requests.


823893-5 : Qkview may fail to completely sanitize LDAP bind credentials

Solution Article: K03318649


822025-5 : HTTP response not forwarded to client during an early response

Component: Local Traffic Manager

Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.

Conditions:
-- A slow client.
-- An early server response with the HTTP::respond iRule.

Impact:
A client does not receive the redirect from the HTTP::respond iRule.

Workaround:
None.

Fix:
The client now receives the redirect from the HTTP::respond iRule.


819397-4 : TMM does not enforce RFC compliance when processing HTTP traffic

Solution Article: K50375550

Component: Local Traffic Manager

Symptoms:
TMM does not require RFC compliance when processing HTTP traffic. This does not impact the performance or security of BIG-IP systems, but may impact connected systems if they expect only compliant traffic to be forwarded.

Conditions:
-- HTTP virtual server
-- Non-compliant HTTP request from client

Impact:
Pool members may be exposed to non-compliant HTTP requests.

Workaround:
None.

Fix:
The HTTP filter now optionally performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.

Behavior Change:
A new BigDB variable has been added.

The new 'Tmm.HTTP.RFC.Enforcement' option may be enabled or disabled. It is disabled by default.

If enabled, the HTTP filter performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.

The checks performed are a subset of those described within the HTTP PSM module. If a blocking page is required, or more detailed control over which checks are performed, configure HTTP PSM or ASM on the virtual server.

If either HTTP PSM or ASM are configured on a virtual server, the state of the 'Tmm.HTTP.RFC.Enforcement' BigDB variable is ignored on that virtual server.


819197-7 : BIGIP: CVE-2019-13135 ImageMagick vulnerability

Solution Article: K20336394


819189-6 : BIGIP: CVE-2019-13136 ImageMagick vulnerability

Solution Article: K03512441


818709-5 : TMSH does not follow current best practices

Solution Article: K36814487


818429-1 : TMM may crash while processing HTTP traffic

Solution Article: K70275209


818177-7 : CVE-2019-12295 Wireshark Vulnerability

Solution Article: K06725231


817085-1 : Multicast Flood Can Cause the Host TMM to Restart

Component: TMOS

Symptoms:
A vCMP host tmm is restarted.

Conditions:
The vCMP host is processing heavy multicast traffic.

Impact:
The host TMM restarts and traffic stops for the guests.

Workaround:
An adjustment to the scheduling can be made with the following setting in the vCMP host configuration:

# echo "realtime yield 90" > /config/tmm_init.tcl
# bigstart restart tmm

The bigstart restart tmm must be performed individually on all blades on the vCMP host. These changes also must be done on all vCMP hosts with guests in a high availability (HA) setup.

Fix:
The host TMM no longer restarts.


816529 : If wr_urldbd is restarted while queries are being run against Custom DB, then further lookups cannot be made after wr_urldbd comes back up from the restart.

Component: Traffic Classification Engine

Symptoms:
URLCAT lookups to Custom DB return Unknown result.

Conditions:
-- URL is being looked up against Custom DB
-- wr_urldbd is restarted at the same time

Impact:
Queries will likely fail in highly loaded environments if wr_urldbd is restarted for any reason.

Workaround:
None.

Fix:
Wr_urldbd restores connection to Custom DB after restart.


815877-5 : Information Elements with zero-length value are rejected by the GTP parser

Component: Service Provider

Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.

Conditions:
Virtual server with GTP profile enabled processing GTP traffic.

Impact:
Well-formed GTP messages might get rejected.

Workaround:
Avoid sending GTP messages containing zero-length IEs.

Fix:
Zero-length IEs are now processed correctly.


814761-4 : PostgreSQL monitor fails on second ping with count != 1

Component: Local Traffic Manager

Symptoms:
When using one of the DB monitors (Oracle, MSSQL, MySQL, PostgreSQL) to monitor the health of a server, the pool member may initially be marked UP, but then will be marked DOWN on the next and all subsequent pings.

When this occurs, an error message similar to the following appears in the monitor-instance log under /var/log/monitors:

Database down, see /var/log/DBDaemon.log for details.
Exception in thread "DBPinger-##" java.lang.AbstractMethodError: org.postgresql.jdbc3.Jdbc3Connection.isValid(I)Z
    at com.f5.eav.DB_Pinger.db_Connect(DBDaemon.java:1474)
    at com.f5.eav.DB_Pinger.db_Ping(DBDaemon.java:1428)
    at com.f5.eav.MonitorWorker.run(DBDaemon.java:772)
    at java.lang.Thread.run(Thread.java:748)

Conditions:
This may occur if all of the following conditions are true:
1. You are using a DB monitor (Oracle, MSSQL, MySQL, PostgreSQL) configured with a 'count' value of either '0' or a value of '2' or higher.
2. You are using a version of BIG-IP (including an Engineering Hotfix) which contains the fix for ID 775901.

Impact:
Unable to monitor the health of postgresql server pool members accurately.

Workaround:
To work around this issue, configure a 'count' value of '1' in the postgresql monitor configuration.

Fix:
The DB monitor reports the health of a DB server pool member accurately in conjunction with the fix for ID 775901.


814585-6 : PPTP profile option not available when creating or modifying virtual servers in GUI

Component: TMOS

Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.

Conditions:
Creating or modifying a virtual server in the GUI.

Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.

Workaround:
Use TMSH to add a PPTP profile to the virtual server.


812981-1 : MCPD: memory leak on standby BIG-IP device

Component: TMOS

Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.

Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically

Impact:
MCPD may consume a large amount of memory on the standby device. Normal functionality of the standby device may stop; a reboot of the device is required.

Fix:
MCPD on standby BIG-IP device does not take more memory than the same daemon on active BIG-IP device.


812237-4 : i10000 series appliances with HDVC part number 505-0030 missing name in show sys hardware and on LCD

Component: TMOS

Symptoms:
"tmsh show sys hardware" will not display a "Name" for the Platform on i10000 series appliances with part number 505-0030.
The LCD will not display the system name.

Conditions:
i10000 series appliances with part number 505-0030 with HDVC (high voltage DC) power supplies.

Impact:
Display only. No functional impact.

The LCD and "tmsh show sys hardware" will not display the product name of i10600 or i10800 as expected.

Workaround:
None

Fix:
Display correct F5 marketing name for i10000 series appliances with high voltage DC power supplies.


811789-5 : Device trust UI hardening

Solution Article: K57214921


811109 : TMM RAM Cache Vulnerability: CVE-2020-5861

Solution Article: K22113131


810957-6 : Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core

Component: TMOS

Symptoms:
When using dynamic routing, changing a virtual server's address from IPv6 to IPv4 can cause tmrouted to core.

Conditions:
-- Using dynamic routing.
-- Changing a virtual server's destination address from IPv6 to IPv4.
-- The virtual server's state changes.

Impact:
Tmrouted cores and restarts, which causes a temporary interruption of dynamic routing services.

Workaround:
Use TMSH to modify both the destination address and the netmask at the same time, e.g.:

tmsh modify ltm virtual <virtual server name> destination <destination address> mask <netmask>

Fix:
Now preventing tmrouted from coring when a virtual server's address is changed from IPv6 to IPv4.


810557-5 : ASM ConfigSync Hardening

Solution Article: K05123525


809205-2 : CVE-2019-3855: libssh2 Vulnerability

Component: TMOS

Symptoms:
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server.

Conditions:
-- Authenticated administrative user with Advanced Shell Access.
-- Use of cURL from the command line to connect to a compromised SSH server.

Impact:
A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.

Workaround:
None.

Fix:
libcurl has been updated.


809165-5 : TMM may crash while processing connector traffic

Solution Article: K50046200


809125-4 : CSRF false positive

Component: Application Security Manager

Symptoms:
A CSRF false-positive violation.

Conditions:
CSRF enforcing security policy.

This is a very rare scenario, but it happens due to a specific parameter in the request, so the false-positive might repeat itself many times for the same configuration.

Impact:
False-positive Blocking / Violation

Workaround:
If this happens, change the CSRF token parameter name and restart the asm daemon:

1. Change the csrf_token_name internal parameter:
/usr/share/ts/bin/add_del_internal add csrf_token_name <string different from csrt>

2. Restart the asm daemon:
restart asm


808409-2 : Unable to specify if giaddr will be modified in DHCP relay chain

Component: Local Traffic Manager

Symptoms:
ID746077 changed the dhcprelay behavior in order to comply with RFC 1542 Clarifications and Extensions for BOOTP.

However, as the change also encompasses the DHCP-to-DHCP relay scope, the behavior is not configurable with a db key.

Conditions:
DHCP Relay deployments where the giaddr needs to be changed.

Impact:
You are unable to specify whether giaddr will be changed.

Workaround:
None.

Fix:
A new sys db variable, tmm.dhcp.relay.giaddr.overwrite, is introduced.

The default is:

sys db tmm.dhcp.relay.giaddr.overwrite {
    value "enable"
}

On versions with a fix for 746077, the sys db variable DOES NOT exist and BIG-IP will always retain the source IP.

On versions with both this fix and the ID748333 fix, this fix overrides the fix for 746077. To change the default, set the value to "disable" to retain


807821-1 : ICMP echo requests occasionally go unanswered

Component: Local Traffic Manager

Symptoms:
An ARP entry gets stuck in state NEXTHOP_INCOMPLETE for several seconds.

Conditions:
-- There is no ARP entry for the return-route router.
-- The 'remote' BIG-IP system receives an ICMP echo request.

Impact:
Possible traffic failures.

Workaround:
None.

Fix:
ICMP echo replies are always sent for a valid ICMP echo request.


807477-4 : ConfigSync Hardening

Solution Article: K04280042


807005-6 : Save-on-auto-sync is not working as expected with large configuration objects

Component: TMOS

Symptoms:
A device group has 'save sys config' enabled for all auto-sync operations, using the following command:
modify cm device-group name save-on-auto-sync true

Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.

Conditions:
-- The save-on-auto-sync option is enabled.
-- The device has a large configuration, for example 2,100 virtual servers and ~1,100 partitions.

Impact:
Configuration is not saved, which leads to out-of-sync condition.

Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.


805837-5 : REST does not follow current design best practices

Solution Article: K22441651


805557-5 : TMM may crash while processing crypto data

Solution Article: K43815022


805017-4 : DB monitor marks pool member down if no send/recv strings are configured

Component: Local Traffic Manager

Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle or PostgreSQL database monitor type) is configured without a 'send' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.

Conditions:
-- An LTM pool or pool members are configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- No send string is configured for the monitor.

Impact:
With this configuration, the monitor connects to the configured database, but does not issue a query or check for a specific response. Pool members are always marked DOWN when using a database monitor with no 'send' string configured.

Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).


803233-5 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable

Component: Local Traffic Manager

Symptoms:
Intermittently (depending on the timing of operations that keep MCP busy):

1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:

-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.

2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:

-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.

Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.

Impact:
Under these conditions, existing ephemeral pool members may be removed before new ephemeral pool members can be created to replace them, causing the pool to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.

Workaround:
None.


801637-2 : Cmp_dest on C2200 platform may give incorrect results

Component: TMOS

Symptoms:
Cmp_dest on C2200 platform may give incorrect results.

Conditions:
Run cmp_dest.

Impact:
Incorrect results from cmp_dest.

Fix:
Cmp_dest now gives correct results.


800185-1 : Saving a large encrypted UCS archive may fail and might trigger failover

Component: TMOS

Symptoms:
-- When saving a very large encrypted UCS file, you may encounter an error:

# tmsh save /sys ucs my_ucs passphrase <mysecret>
Saving active configuration...
Can't fork at /usr/local/bin/im line 305.
/var/tmp/configsync.spec: Error creating package

-- If saving UCS is automated you may find related errors in /var/log/audit:

err scriptd[45342]: 014f0013:3: Script (/Common/f5.automated_backup__backup) generated this Tcl error: (script did not successfully complete: (UCS saving process failed. while executing "tmsh::save /sys ucs $fname ))

-- Other services might be restarted due to lack of memory, which might result in failover.

-- System management via the Configuration utility or command line may be sluggish while the UCS saves.

Conditions:
-- Large encrypted UCS files and low free host memory.

-- UCS file sizes in hundreds of MB are much more likely to encounter this issue, along with free memory less than 1 GB.

Impact:
The operation uses at least 1.3 times the UCS file size of RAM. The UCS may not get saved correctly, and if not enough memory is available, low free-memory symptoms become apparent.

The latter may result in services being killed to free memory, resulting in service impact and failover, though it is quite typical for the overly large process saving the UCS to be terminated with no other impact.

Workaround:
A mitigation is to minimise UCS file size. UCS files large enough to encounter this issue typically contain very large files, some of which may not be needed or are no longer necessary.

Remove unnecessary large files from directories that contribute to UCS archives, for example, stray, large files such as packet captures in /config or its subdirectories. (For help understanding what is in UCS archives, see K12278: Removing non-essential files from a UCS when disk space errors are encountered :: https://support.f5.com/csp/article/K12278.)

If using APM, remove unnecessary EPSEC ISO files. (For more information, see K21175584: Removing unnecessary OPSWAT EPSEC packages from the BIG-IP APM system :: https://support.f5.com/csp/article/K21175584.)

Fix:
Saving a large UCS file no longer fails.


799617-5 : ConfigSync Hardening

Solution Article: K05123525


799589-5 : ConfigSync Hardening

Solution Article: K05123525


797885-5 : ConfigSync Hardening

Solution Article: K05123525


796993-2 : Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs

Component: Local Traffic Manager

Symptoms:
When a pool contains FQDN nodes as pool members, pool member state change messages are not logged in /var/log/ltm.

Conditions:
-- Create a pool with FQDN nodes as its pool members.
-- Apply a monitor to it.
-- The monitor marks the pool members up/down based on reachability.

Impact:
-- Status messages are not written to /var/log/ltm.
-- There is no functional impact.


796469-1 : ConfigSync Hardening

Solution Article: K05123525


795797-5 : AFM WebUI Hardening

Solution Article: K21121741


795649-1 : Loading UCS from one iSeries model to another causes FPGA to fail to load

Component: TMOS

Symptoms:
When loading a UCS file from one iSeries model to a different iSeries model, the FPGA fails to load due to a symlink in the UCS file pointing to the firmware version for the source device.

The system remains in the INOPERATIVE state, and messages similar to the following are logged repeatedly in /var/log/ltm:

-- emerg chmand[7806]: 012a0000:0: FPGA firmware mismatch - auto update, No Interruption!
-- emerg chmand[7806]: 012a0000:0: No HSBe2_v4 PCIs found yet. possible restart to recover Dataplane.
-- emerg chmand[7806]: 012a0000:0: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
-- err chmand[7806]: 012a0003:3: HAL exception publishing switch config: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2

Conditions:
Loading a UCS from one iSeries model onto another model, for example, from an i7800 onto an i11400-ds, or from an i2600 to an i5600.

Impact:
FPGA fails to load; the BIG-IP system becomes unusable.

Workaround:
1. Update the symbolic link /config/firmware/hsb/current_version to point to the correct firmware file for the hardware model in use. Here are some examples:

-- For the i2800:

# ln -sf /usr/firmware/hsbe2v4_atlantis/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i7800:

# ln -sf /usr/firmware/hsbe2v2_discovery/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i11400-ds:

# ln -sf /usr/firmware/hsbe2_discovery_turbo/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

2. Reboot the system


795437-1 : Improve handling of TCP traffic for iRules

Solution Article: K06747393


795197-4 : Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Solution Article: K26618426


794501-5 : Duplicate if_indexes and OIDs between interfaces and tunnels

Component: TMOS

Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.

Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.

Impact:
SNMP OIDs relating to interfaces may yield incomplete results.

Duplicate if_indexes produce duplicate OIDs, and snmpd logs error messages. For example:

# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
    if-index 64 <-------------------------------
net interface mgmt {
    if-index 32
net vlan external {
    if-index 96
net vlan internal {
    if-index 112
net vlan test {
    if-index 128
net vlan tmm_bp {
    if-index 48
net tunnels tunnel http-tunnel {
    if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
    if-index 80


# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm

-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: high availability (HA) daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: high availability (HA) daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: high availability (HA) proc_running named enabled.
=========================

-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289

Workaround:
No workaround currently known.

Fix:
Duplicate if_indexes are no longer assigned to tunnels and interfaces. The resulting duplicate SNMP OIDs are prevented.
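A way to check an existing configuration for this condition, as an added Python example (not F5 code): parse the combined output of the three tmsh list commands shown in the symptoms and report any if-index value shared by more than one object. The sample output is a constructed copy of the listing quoted above; on a real system the text would come from those tmsh commands, with or without the egrep filter.

```python
import re
from collections import defaultdict

# One object header per line, e.g. "net interface 0.10 {" or
# "net tunnels tunnel http-tunnel {"; nested blocks never start with "net ".
OBJECT_RE = re.compile(r"^net (interface|vlan|tunnels tunnel) (\S+) \{")
IFINDEX_RE = re.compile(r"^\s+if-index (\d+)\s*$")


def if_index_map(tmsh_output):
    """Map each if-index to the objects (interfaces, VLANs, tunnels) that
    carry it, parsed from concatenated 'tmsh list ... all-properties' text."""
    by_index = defaultdict(list)
    current = None
    for line in tmsh_output.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = "%s %s" % (m.group(1), m.group(2))
            continue
        m = IFINDEX_RE.match(line)
        if m and current is not None:
            by_index[int(m.group(1))].append(current)
            current = None          # exactly one if-index per object
    return dict(by_index)


def duplicate_if_indexes(tmsh_output):
    """Return only the if-index values shared by more than one object;
    each of these also yields a duplicate SNMP ifIndex, hence duplicate OIDs."""
    return {idx: objs for idx, objs in if_index_map(tmsh_output).items()
            if len(objs) > 1}


# Constructed sample mirroring the listing quoted in the symptoms above.
SAMPLE = """\
net interface 0.10 {
    if-index 64
}
net interface mgmt {
    if-index 32
}
net vlan external {
    if-index 96
}
net vlan internal {
    if-index 112
}
net vlan test {
    if-index 128
}
net vlan tmm_bp {
    if-index 48
}
net tunnels tunnel http-tunnel {
    if-index 64
}
net tunnels tunnel socks-tunnel {
    if-index 80
}
"""

if __name__ == "__main__":
    for idx, objs in sorted(duplicate_if_indexes(SAMPLE).items()):
        print("if-index %d shared by: %s" % (idx, ", ".join(objs)))
```

On the sample this reports if-index 64 as shared by interface 0.10 and tunnel http-tunnel, which is the pair marked with arrows in the listing; an empty result means the configuration is not exhibiting the issue.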


794413-5 : BIND vulnerability CVE-2019-6471

Solution Article: K10092301


794389-5 : iControl REST endpoint response inconsistency

Solution Article: K89509323


793149-1 : Adding the Strict-transport-Policy header to internal responses

Component: Application Security Manager

Symptoms:
Some applications require the Strict-transport-Policy header to appear in all responses. BIG-IP internal responses do not add this header.

Conditions:
- ASM is provisioned with a CAPTCHA/CSI challenge enabled,
or
- DoS is provisioned with CAPTCHA/CSI enabled,
or
- Bot Defense is provisioned with CAPTCHA mitigation, Browser JS verification, or Device ID collection enabled.

Impact:
Responses arrive at the browser without the Strict-transport-Policy header.

Workaround:
Create an iRule to add the header to the response.

Fix:
A BigDB variable (asm.strict_transport_policy) has been added that allows the header to be added to all internal responses. The default is disabled.


790205-1 : Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core

Component: Local Traffic Manager

Symptoms:
TMM cores when adding a route (either statically or dynamically) to a child route domain.

Conditions:
Adding a more-specific route to a child domain that overrides a route in the default domain.

Impact:
TMM cores, causing a failover or outage. Traffic is disrupted while TMM restarts.

Workaround:
None.

Fix:
TMM no longer cores when adding routes to child domains.


789893-5 : SCP file transfer hardening

Solution Article: K54336216


788773-5 : HTTP/2 Vulnerability: CVE-2019-9515

Solution Article: K50233772


788769-5 : HTTP/2 Vulnerability: CVE-2019-9514

Solution Article: K01988340


788577-2 : BFD sessions may be reset after CMP state change

Component: TMOS

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, ownership of Bidirectional Forwarding Detection (BFD) session processing might migrate from the TMMs that were processing the session to newly selected TMMs. This process is rapid and can lead to a contest between several TMMs over which should be the next BFD processing owner.

It might also lead to a situation where the BFD session is deleted and immediately recreated.

This problem occurs rarely and only on a chassis with more than one blade.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- A CMP state change occurs on one of the blades.
-- The BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change, and the contest between the old TMM owner and the new TMM owner occurs.

Impact:
When the BFD session is recreated, it marks the corresponding routing protocol DOWN, if one is configured. The protocol might be BGP, OSPF, or any other routing protocol that supports BFD.

This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, the unexpected routing decisions concern networks learnt via the affected routing protocols, which become unreachable while the routing process on the BIG-IP system is down. However, this state is short-lived, because the peering is re-established shortly after the routing protocol restarts. The peering time depends on the routing configuration and on the responsiveness of the other routing devices connected to the BIG-IP system; it is the usual routing convergence period, which includes establishing the peering and exchanging routing information and routes.

Workaround:
There are two workarounds, although the latter is probably impractical:

-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.

Fix:
BFD session is no longer reset during CMP state change.


788513-5 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log

Component: Service Provider

Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:

 warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]

This appears to be benign, as the configuration loads successfully, and the script works as expected.

Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name

Instead of:
RADIUS::avp replace USER-NAME "static value"

Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.

Workaround:
This warning is benign, as the configuration loads successfully, and script works as expected.


788325-5 : Header continuation rule is applied to request/response line

Solution Article: K39794285

Component: Local Traffic Manager

Symptoms:
When a browser communicates with a server over HTTP, it can split a long header across several lines, prefixing each continuation line with leading whitespace. This rule does not apply to the request or response line, so leading whitespace on the first line of a message is invalid. The BIG-IP system parses such a line as a header with an empty value.

Conditions:
A virtual server is configured on the BIG-IP system with HTTP profile.

Impact:
The BIG-IP system can miss important HTTP headers, either passing them on to the pool member, failing to handle the request (or response) properly, or failing to load balance the connection (or the request, with a OneConnect profile) correctly.

Workaround:
None.

Fix:
The BIG-IP system now properly parses an invalid request or response whose first line begins with whitespace and handles it correctly.
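The distinction the fix restores, as an added illustration in Python (not F5 code, and not how the TMM HTTP parser is implemented): a message-head parser that unfolds obs-fold continuation lines inside the header block but rejects a start line that begins with whitespace instead of re-reading it as a header. The sample messages are constructed for the example.

```python
import re

# Start lines per RFC 7230 section 3.1: request-line and status-line.
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d \d{3}(?: .*)?$")


class MalformedMessage(ValueError):
    pass


def parse_message_head(raw):
    """Parse the head (start line plus header block) of an HTTP/1.x
    request or response given as bytes.

    Rules applied, following RFC 7230:
      * the start line must not begin with SP or HTAB; a message whose
        first line does is rejected rather than re-read as a header;
      * inside the header block a line beginning with SP/HTAB is an
        obs-fold continuation of the previous field value and is unfolded
        by joining with a single space;
      * a folded line directly after the start line continues nothing and
        is rejected.
    Returns (start_line, headers), headers being (lower-cased name, value)
    pairs in wire order.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    start = lines[0]
    if start[:1] in (" ", "\t"):
        raise MalformedMessage("start line begins with whitespace")
    if not (REQUEST_LINE.match(start) or STATUS_LINE.match(start)):
        raise MalformedMessage("unrecognised start line: %r" % start)
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            if not headers:
                raise MalformedMessage("obs-fold with no preceding header")
            name, value = headers[-1]
            headers[-1] = (name, (value + " " + line.strip()).strip())
            continue
        name, sep, value = line.partition(":")
        # No colon, empty name, or whitespace before the colon: reject.
        if not sep or not name or name != name.rstrip():
            raise MalformedMessage("malformed header line: %r" % line)
        headers.append((name.lower(), value.strip()))
    return start, headers


def header_values(headers, name):
    """All values carried by header `name`, in wire order."""
    name = name.lower()
    return [v for n, v in headers if n == name]


# Constructed sample messages (not captured traffic).
FOLDED_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Long-Header: first part\r\n"
    b"\tsecond part\r\n"               # valid obs-fold continuation
    b"Connection: close\r\n\r\n"
)
BAD_START_LINE = (
    b" GET / HTTP/1.1\r\n"            # leading SP: invalid, not a continuation
    b"Host: www.example.com\r\n\r\n"
)
FOLD_AFTER_START = (
    b"HTTP/1.1 200 OK\r\n"
    b" Content-Length: 5\r\n\r\n"     # nothing to continue: invalid
)

if __name__ == "__main__":
    print(parse_message_head(FOLDED_REQUEST))
    for sample in (BAD_START_LINE, FOLD_AFTER_START):
        try:
            parse_message_head(sample)
        except MalformedMessage as exc:
            print("rejected:", exc)
```

The security-relevant point is that the two rejected samples must not be silently reinterpreted: a parser that folds the leading-whitespace start line into a header sees a different message than the pool member does, which is the class of disagreement the impact section describes.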


788301-2 : SNMPv3 Hardening

Solution Article: K58243048

Component: TMOS

Symptoms:
SNMPv3 agents do not follow current best practices.

Conditions:
SNMPv3 agents enabled.

Impact:
SNMPv3 agents do not follow current best practices.

Fix:
SNMPv3 features now follow current best practices.


788057-6 : MCPD may crash while processing syncookies

Solution Article: K00103216


787825-4 : Database monitors debug logs have plaintext password printed in the log file

Solution Article: K58243048

Component: Local Traffic Manager

Symptoms:
When debug logging is enabled for a monitor instance of certain monitor types, the resulting monitor instance logs may contain sensitive details such as the password.

Conditions:
Debug mode is enabled for one of the following monitor types:
1. mssql
2. mysql
3. oracle
4. postgresql

Impact:
The user-account password configured in the health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors/.

Workaround:
1. Do not enable monitor instance logging or monitor debug logging for the affected monitor types.
2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting, remove the resulting log files from the BIG-IP system after troubleshooting is complete.

Fix:
The password field of the monitor is now redacted by the external monitors when monitor debugging is enabled.


785481-5 : A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached

Component: Local Traffic Manager

Symptoms:
Setting the DB variable tm.rejectunmatched to 'false' causes the BIG-IP system to not send RSTs when there is a match but the connection is rejected due to connection limits.

Conditions:
- tm.rejectunmatched is set to 'false'.
- A packet is matching a BIG-IP object.
- The packet is to be rejected because of connection limits.

Impact:
Reset packets are not sent back to clients when they should be.

Workaround:
None.

Fix:
Packets that match a BIG-IP object but fail due to connection limits will now be rejected with an RST.


785009-1 : Binary policy import fails with a user-defined Signature Set containing only non-existent signatures

Component: Application Security Manager

Symptoms:
Binary policy import fails if the policy contains a user-defined Signature Set which contains only non-existent Signatures (such as user-defined Signatures).

The error in the GUI:
Failed to insert to PLC.PL_POLICY_NEGSIG_SETS (DBD::mysql::db do failed: Cannot add or update a child row: a foreign key constraint fails (`PLC`.`PL_POLICY_NEGSIG_SETS`, CONSTRAINT `PL_POLICY_NEGSIG_SETS_ibfk_2` FOREIGN KEY (`set_id`) REFERENCES `NEGSIG_SETS` (`set_id`) ON DELETE CASCADE) at /usr/local/share/perl5/F5/BatchInsert.pm line 223.
)

The error in /var/log/asm:

crit g_server_rpc_handler_async.pl[26870]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Failed to insert to PLC.PL_POLICY_NEGSIG_SETS (DBD::mysql::db do failed: Cannot add or update a child row: a foreign key constraint fails (`PLC`.`PL_POLICY_NEGSIG_SETS`, CONSTRAINT `PL_POLICY_NEGSIG_SETS_ibfk_2` FOREIGN KEY (`set_id`) REFERENCES `NEGSIG_SETS` (`set_id`) ON DELETE CASCADE) at /usr/local/share/perl5/F5/BatchInsert.pm line 223.

Conditions:
A binary policy file contains a user-defined Signature Set which contains only signatures that don't exist on the target device (such as user-defined Signatures).

Impact:
Policy import fails.

Workaround:
You can use either of the following Workarounds:

-- Re-export the policy as XML.
-- Create the missing user-defined Signatures.

Fix:
Binary policy import succeeds even with empty user-defined Signature Sets.


784565-5 : VLAN groups are incompatible with fast-forwarded flows

Component: Local Traffic Manager

Symptoms:
Traffic flowing through VLAN groups may get fast-forwarded to another TMM, which might cause that connection to be reset with reason 'Unable to select local port'.

Conditions:
-- Using VLAN groups.
-- Flows are fast-forwarded to other TMMs.

Impact:
Some connections may fail.

Workaround:
None.

Fix:
The system now prevents flows on VLAN groups from being fast-forwarded to other TMMs.


783505-1 : ASU is very slow on device with hundreds of policies due to table checksums

Component: Application Security Manager

Symptoms:
ASU is very slow on devices with hundreds of policies due to table checksums.

Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- 'DoTableChecksums' is set to 1.

Impact:
The ASU process takes hours to complete.

Workaround:
In the configuration file /etc/ts/dcc/prepare_policy.cfg, set 'DoTableChecksums' to 0.


783113-2 : BGP sessions remain down upon new primary slot election

Component: TMOS

Symptoms:
BGP flapping after new primary slot election.

Conditions:
-- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)

-- After a primary blade reset/reboot, the BFD session is processed by the same TMM on the same blade, which was a secondary blade before the primary blade reset/reboot.

-- The BFD session is created approximately 30 seconds after the reset/reboot.

Impact:
BGP goes down. BGP flaps cause route dampening to kick in on the BGP neighbors.

Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
 bigstart restart tmrouted

Fix:
BFD no longer remains DOWN after a blade reset/reboot. There is a convergence period caused by blade changes (blade reset/reboot, new blade installed, blade comes up), which may take a few moments, but after that BFD sessions show the correct status.


782529-5 : iRules does not follow current design best practices

Solution Article: K30215839


781605-2 : Fix RFC issue with the multipart parser

Component: Application Security Manager

Symptoms:
False positive or false negative attack signature match on multipart payload.

Conditions:
Very specific parsing issue.

Impact:
A parameter-specific excluded signature may be matched or unmatched.

Workaround:
N/A

Fix:
The multipart parser issue has been fixed.


781377-3 : tmrouted may crash while processing Multicast Forwarding Cache messages

Solution Article: K93417064


781225-4 : HTTP profile Response Size stats incorrect for keep-alive connections

Component: Local Traffic Manager

Symptoms:
The HTTP profile Response Size statistic is incorrectly updated per response using the cumulative number of response bytes seen over the lifetime of the connection, rather than the bytes seen for that response.

Conditions:
-- HTTP profile configured
-- HTTP connection reused for multiple requests/responses

Impact:
The HTTP profile Response Size statistics may be incorrectly reported and do not correlate to actual traffic seen.

Workaround:
None.

Fix:
The HTTP Response Size statistics are correctly updated using per-response values.


780817-3 : TMM can crash on certain vCMP hosts after modifications to VLANs and guests.

Component: TMOS

Symptoms:
TMM crashes and produces a core file. TMM logs show the crash was of type SIGFPE, with the following panic message:

notice panic: ../base/vcmp.c:608: Assertion "guest has vlan ref" failed.

Conditions:
-- The vCMP host is a platform with more than one tmm process per blade or appliance.

  + VIPRION B4300, B4340, and B44xx blades.
  + BIG-IP iSeries i15x00 platforms

-- A VLAN is assigned to a vCMP guest.
-- The TAG of the VLAN is modified.
-- The VLAN is removed from the vCMP guest.

Impact:
While TMM crashes and restarts on the host, traffic is disrupted on all the guests running on that system.

Guests part of a redundant pair may fail over.

Workaround:
None.

Fix:
TMM no longer crashes on certain vCMP hosts after modifications to VLANs and guests.


780601-5 : SCP file transfer hardening

Solution Article: K03585731


779177-5 : Apmd logs "client-session-id" when access-policy debug log level is enabled

Solution Article: K37890841


778077-2 : Virtual to virtual chain can cause TMM to crash

Solution Article: K53183580


777261-1 : When SNMP cannot locate a file it logs messages repeatedly

Component: TMOS

Symptoms:
When the SNMP daemon encounters an error while attempting to statfs a file, it logs an error message. If the file is not present, this error is logged repeatedly and can fill up the log file.

Conditions:
When an SNMP request causes the daemon to query a file on disk, a system error can occur. If the file is not present, the error is logged repeatedly.

Impact:
This can fill up the log with errors.

Fix:
The SNMP daemon has been fixed to log this error once.


774301-1 : Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList

Component: Access Policy Manager

Symptoms:
When the BIG-IP system, configured as a SAML IdP or SAML SP, processes SAML requests/responses, verification of the digital signature fails in certain cases:

err apmd[19684]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 5321 Msg: ERROR: verifying the digest of SAML Response

Conditions:
-- BIG-IP system is configured as SAML IdP or SAML SP.

-- The SAML peer sends an "ArtifactResponse" message with both the "ArtifactResponse" and the "Assertion" signed.

-- This also applies to any signed SAML request or response:
   a) SAML Authentication Request
   b) SAML Assertion
   c) SAML Artifact Response
   d) SAML SLO Request/Response

Impact:
The output does not match the 'Canonicalized element without Signature' calculated by APM. The BIG-IP SAML IdP or SAML SP fails to process SAML requests/responses, resulting in errors. APM cannot be deployed as a SAML SP with the Assertion Artifact binding.

Workaround:
None.

Fix:
The output now matches the 'Canonicalized element without Signature' calculated by APM, so deployment occurs without error.


773673-5 : HTTP/2 Vulnerability: CVE-2019-9512

Solution Article: K98053339


773653-3 : APM Client Logging

Solution Article: K23876153


773649-3 : APM Client Logging

Solution Article: K23876153


773641-3 : APM Client Logging

Solution Article: K23876153


773637-3 : APM Client Logging

Solution Article: K23876153


773633-3 : APM Client Logging

Solution Article: K23876153


773621-3 : APM Client Logging

Solution Article: K23876153


773553-5 : ASM JSON parser false positive.

Component: Application Security Manager

Symptoms:
False positive JSON malformed violation.

Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.

Impact:
HTTP request is blocked or an alarm is raised.

Workaround:
There is no workaround other than disabling the JSON profile.

Fix:
The JSON parser has been fixed to conform to RFC 8259.


773421-5 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied

Component: Local Traffic Manager

Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.

Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).

-- OneConnect is applied.

-- proxy-mss is enabled (the default value starting in v12.0.0).

Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.

Workaround:
Disable proxy-mss in the configured TCP profile.

Fix:
OneConnect prevents sending ICMP fragmentation needed messages to servers.


771873-2 : TMSH Hardening

Solution Article: K40378764


770477-4 : SSL aborted when client_hello includes both renegotiation info extension and SCSV

Component: Local Traffic Manager

Symptoms:
Client SSL reports an error and terminates handshake.

Conditions:
The initial client_hello message includes both signaling mechanisms for secure renegotiation (RFC 5746): an empty renegotiation_info extension and the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value.

Impact:
Unable to connect with SSL.

Workaround:
None.

Fix:
Both signaling mechanisms are now allowed in the client_hello.
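What "both signaling mechanisms" looks like on the wire, as an added Python example (not F5 code): a minimal ClientHello builder and parser that reports whether the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (0x00FF) and the renegotiation_info extension (type 0xFF01) are present. RFC 5746 lets a client send either or both on an initial handshake (sending both is merely not recommended), so a server should not abort on that combination; the only thing it must reject is a non-empty renegotiated_connection field in an initial hello. The ClientHello bytes and the cipher suite values 0xC02F and 0x009C are constructed for the example.

```python
import struct

TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF   # RFC 5746, section 3.3
EXT_RENEGOTIATION_INFO = 0xFF01              # RFC 5746, section 3.2


def build_client_hello(cipher_suites, extensions, client_random=bytes(32)):
    """Build a TLS 1.2 ClientHello handshake message (handshake header
    included, record layer omitted). extensions is a list of
    (extension_type, extension_data) pairs."""
    body = b"\x03\x03" + client_random + b"\x00"   # version, random, empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                            # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", etype, len(data)) + data
                         for etype, data in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Return (cipher_suites, {extension_type: data}) from a ClientHello."""
    if not msg or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    off = 2 + 32                                   # skip client_version and random
    off += 1 + body[off]                           # skip session_id
    (cs_len,) = struct.unpack("!H", body[off:off + 2]); off += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                           # skip compression_methods
    exts = {}
    if off < len(body):
        (ext_len,) = struct.unpack("!H", body[off:off + 2]); off += 2
        end = off + ext_len
        while off < end:
            etype, elen = struct.unpack("!HH", body[off:off + 4]); off += 4
            exts[etype] = body[off:off + elen]; off += elen
    return suites, exts


def secure_renegotiation_signals(msg):
    """Report which RFC 5746 secure-renegotiation signals an initial
    ClientHello carries. Either, both or neither may be present; the only
    thing to reject is a non-empty renegotiated_connection field, which is
    invalid on an initial handshake."""
    suites, exts = parse_client_hello(msg)
    has_ext = EXT_RENEGOTIATION_INFO in exts
    if has_ext and exts[EXT_RENEGOTIATION_INFO] != b"\x00":
        raise ValueError("non-empty renegotiation_info on an initial ClientHello")
    return {"scsv": TLS_EMPTY_RENEGOTIATION_INFO_SCSV in suites,
            "extension": has_ext}


# Constructed ClientHellos (not captured traffic). BOTH reproduces the
# triggering condition: the SCSV in the cipher list and an empty
# renegotiation_info extension in the same hello.
BOTH = build_client_hello(
    [0xC02F, 0x009C, TLS_EMPTY_RENEGOTIATION_INFO_SCSV],
    [(EXT_RENEGOTIATION_INFO, b"\x00")])
EXT_ONLY = build_client_hello([0xC02F, 0x009C], [(EXT_RENEGOTIATION_INFO, b"\x00")])
SCSV_ONLY = build_client_hello([0xC02F, TLS_EMPTY_RENEGOTIATION_INFO_SCSV], [])

if __name__ == "__main__":
    for name, hello in (("both", BOTH), ("ext only", EXT_ONLY), ("scsv only", SCSV_ONLY)):
        print(name, secure_renegotiation_signals(hello))
```

A handshake implementation that treats the presence of the SCSV as a reason to reject the extension (or the reverse) produces exactly the "Unable to connect with SSL" symptom; the correct behaviour is to derive one boolean, "client supports secure renegotiation", from either signal.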


769817-5 : BFD fails to propagate sessions state change during blade restart

Component: TMOS

Symptoms:
BFD fails to propagate sessions state change during blade restart.

Conditions:
-- On a chassis with multiple blades, several routing protocol sessions are established, (e.g., BGP sessions).
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via specific blade and the corresponding BFD session of this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experienced a blade failure.

Impact:
The BFD session remains in the BFD session table until the BGP session is timed out by the hold timer (90 seconds by default). Dynamic routes learnt via the affected BGP session remain in the routing table until the hold time expires.

Workaround:
Lower the BGP hold time to a reasonable value.

Fix:
The affected BFD session is removed from the BFD table after blade reset during the period configured for this BFD session.


769809-1 : The vCMP guests 'INOPERATIVE' after upgrade

Component: TMOS

Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests reports INOPERATIVE.

Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.

Impact:
The vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.

Workaround:
Important: If you upgrade vCMP hosts from an affected version to a version unaffected by this issue (ID 769809), ensure that the upgrade version contains the fix for Bug ID 810593: Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade :: https://cdn.f5.com/product/bugtracker/ID810593.html.

Upon encountering this issue, it may be best to roll back to the previously used, unaffected version on the vCMP host, and then install a version unaffected by this issue (i.e., versions later than 12.1.4.1 or later than 13.1.1.5).

Fix:
The system now handles a guest unit key that contains a NULL, so vCMP guests are no longer 'INOPERATIVE' after upgrade.


769309-4 : DB monitor reconnects to server on every probe when count = 0

Component: Local Traffic Manager

Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.

Conditions:
This occurs when one of the LTM mssql, mysql, oracle, or postgresql monitor types is configured with the default 'count' value of 0 (zero).

Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.

Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.

Fix:
The LTM database monitor keeps the network connection to the monitored database server open indefinitely when configured with the default 'count' value of 0 (zero).


769193-3 : Added support for faster congestion window increase in slow-start for stretch ACKs

Component: Local Traffic Manager

Symptoms:
When Appropriate Byte Counting is enabled (the default), TCP's congestion window increases slower in slow-start when the data receiver sends stretch ACKs.

Conditions:
-- TCP data sender receives stretch ACKs (ACKs that acknowledge more than 2*MSS bytes of data).
-- Appropriate Byte Counting (ABC) is enabled in slow-start.

Impact:
ABC limits the increase of congestion window by 2*MSS bytes per ACK. TCP's congestion window is increased slower in slow-start, which may lead to longer transfer times.

Workaround:
There is no workaround at this time.

Fix:
A new sys db (TM.TcpABCssLimit) is provided to set TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received. If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.

Behavior Change:
There is a new db variable, TM.TcpABCssLimit for specifying TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received.

Note: If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.
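The entry above describes the mechanism only in words. The following is an added illustration, not F5 code, that models the RFC 3465 Appropriate Byte Counting rule in slow start (each ACK grows cwnd by at most min(bytes newly acknowledged, limit)) and shows why a 2*MSS limit slows growth only when the receiver sends stretch ACKs. The MSS value, initial window, ACK patterns and transfer size are constructed sample values; `TM.TcpABCssLimit` itself is not modelled beyond the per-ACK limit it sets.

```python
"""Slow-start cwnd growth under Appropriate Byte Counting (ABC).

Added example (not BIG-IP code). Models the RFC 3465 slow-start rule:
    cwnd += min(bytes_newly_acked, abc_limit)   per ACK
A 'stretch ACK' acknowledges more than 2*MSS bytes at once, so with the
default limit of 2*MSS most of what it acknowledges is not credited.
"""

MSS = 1460            # bytes; constructed sample value
INITIAL_CWND = 10 * MSS


def slow_start(cwnd: int, acks: list[int], abc_limit: int) -> int:
    """Return cwnd after processing ACKs; each entry is bytes newly acknowledged."""
    for acked in acks:
        cwnd += min(acked, abc_limit)   # ABC: credit at most abc_limit per ACK
    return cwnd


def split_acks(total_bytes: int, per_ack: int) -> list[int]:
    """Split a transfer of total_bytes into ACKs acknowledging per_ack bytes each."""
    acks = []
    remaining = total_bytes
    while remaining > 0:
        n = min(per_ack, remaining)
        acks.append(n)
        remaining -= n
    return acks


def compare(total_bytes: int) -> dict:
    """cwnd reached after total_bytes are acknowledged, for four scenarios.

    'regular' models delayed ACKs (one ACK per 2 segments); 'stretch' models a
    receiver that ACKs every 8 segments. 'default' uses the 2*MSS limit the
    entry describes; 'raised' uses a limit of 8*MSS.
    """
    regular = split_acks(total_bytes, 2 * MSS)
    stretch = split_acks(total_bytes, 8 * MSS)
    return {
        "regular_default": slow_start(INITIAL_CWND, regular, 2 * MSS),
        "regular_raised":  slow_start(INITIAL_CWND, regular, 8 * MSS),
        "stretch_default": slow_start(INITIAL_CWND, stretch, 2 * MSS),
        "stretch_raised":  slow_start(INITIAL_CWND, stretch, 8 * MSS),
    }


if __name__ == "__main__":
    for name, cwnd in compare(64 * MSS).items():
        print(f"{name:16s} cwnd = {cwnd // MSS:3d} * MSS")
```

With 64*MSS acknowledged, regular ACKs reach the same cwnd whichever limit is used (the limit is not the binding constraint), while stretch ACKs under the default limit are credited only 2*MSS of every 8*MSS acknowledged; raising the limit restores the growth rate, which is the effect the entry attributes to a larger `TM.TcpABCssLimit`.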


768981-5 : VCMP Hypervisor Hardening

Solution Article: K05765031


767373-4 : CVE-2019-8331: Bootstrap Vulnerability

Solution Article: K24383845


767013-5 : Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch

Component: TMOS

Symptoms:
In a rare scenario, the HSB sends a large and continuous stream of pause frames to the Broadcom switch, which indicates that the HSB is in a bad state.

Conditions:
This happens under heavy traffic load on VIPRION B2150, B2250, and B4450 blades. It has also been seen on F5 appliances, such as iSeries platforms. The root cause is still under investigation. It happens extremely rarely.

Impact:
Reboot the BIG-IP system.

Workaround:
None.

Fix:
The system now monitors the pause frames and reboots when it detects that the HSB is in this state.


766577-5 : APMD fails to send a response to a client that has already closed the connection

Component: Access Policy Manager

Symptoms:
APMD fails to send a response to the client and produces this error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer

APMD performs most of its work against backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server responds very slowly (for various reasons, such as network issues), the apmd response to the client is also slow. Sometimes the client has already closed its connection to the virtual server by then, so the client connection is no longer valid.

Conditions:
Backend server is slow, causing longer-than-usual response times.

Impact:
This causes the client to close the connection. APMD fails to respond to the client.

The cumulative slowness of the backend server causes delay in response. Most of the time, the client connection is already closed. As a result, the request queue gets full. When apmd starts processing the request from the queue, the client connection is already closed for some of them, and processing those requests still continues, which is unnecessary and causes more delay.

Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.


766169-1 : Replacing all VLAN interfaces resets VLAN MTU to a default value

Component: Local Traffic Manager

Symptoms:
When the last physical interface is removed from a VLAN, the VLAN's MTU is reset to the default value of 1500. Replacing all interfaces belonging to a VLAN with new ones (e.g., with the command 'tmsh modify net vlan [name] interfaces replace-all-with {...}') does not look like removing all interfaces, but it is actually implemented by removing all interfaces and then immediately adding the new ones. Because all interfaces are removed first, the VLAN MTU is reset to the default value even if the original value is perfectly valid for the newly added interfaces. As this happens automatically inside TMM, it is not reflected in the configuration: TMSH and the Configuration Utility continue to report the original value.

Conditions:
The issue is visible only when removing or replacing all interfaces in a VLAN whose MTU differs from the default of 1500. The added interfaces must also support MTU values larger than 1500.

Impact:
VLAN MTU is set to 1500 despite Configuration Utility and TMSH still reporting original value.

Workaround:
There are two workarounds:

-- Reset desired MTU value after each operation of replacing all interfaces in a VLAN.
-- Avoid replace-all-with operation by adding new interfaces before removing unneeded ones.

Fix:
VLAN MTU value is left unchanged after the last interface is removed. It is recalculated upon adding a new interface anyway, so there is no risk it will be too large.


766017-5 : [APM][LocalDB] Local user database instance name length check inconsistencies

Component: Access Policy Manager

Symptoms:
Tmsh accepts long localdb instance names, but ldbutil later refuses to work with names longer than 64 characters.

The GUI limits the instance name length to 64 characters including the partition prefix, but this is not obvious to the admin.

Conditions:
-- Create a 64-character-long local user database instance using tmsh.
-- Try to add users to this instance or try to delete the instance from the GUI.

Impact:
A tmsh-created localdb instance with a name length greater than 64 characters can be created but cannot be used.

Workaround:
Delete instance from tmsh and re-create it with a shorter name.

Fix:
Tmsh now enforces the length limit for localdb instance names.


765809 : Memory increases for the bd daemon on cluster environment primary blade

Component: Application Security Manager

Symptoms:
BD memory increases. The increased memory is seen as a very large number in the last column of the UMU prints in the bd.log files.

Conditions:
-- ASM provisioned on cluster environment.
-- ASM policy attached to a virtual.
-- Brute force protection configured.

Impact:
Memory increase; swap usage.

Workaround:
None.

Fix:
Freed a chunk of memory which was allocated upon a sync from secondary to primary blade.


765533-5 : Sensitive information logged when DEBUG logging enabled

Solution Article: K58243048

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048

Conditions:
For more information see: https://support.f5.com/csp/article/K58243048

Impact:
For more information see: https://support.f5.com/csp/article/K58243048

Workaround:
For more information see: https://support.f5.com/csp/article/K58243048

Fix:
For more information see: https://support.f5.com/csp/article/K58243048


762453-4 : Hardware cryptography acceleration may fail

Solution Article: K63558580


762073-3 : Continuous TMM restarts when HSB drops off the PCI bus

Component: TMOS

Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.

Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.

Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.

Workaround:
Manually reboot the BIG-IP system.

Fix:
TMM no longer gets stuck in a restart loop, as a reboot is now automatic in this scenario.


761231-5 : Bot Defense Search Engines getting blocked after configuring DNS correctly

Solution Article: K79240502

Component: Application Security Manager

Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.

A cache is stored for legal / illegal requests to prevent querying the DNS again.

This cache never expires, so in case of an initial misconfiguration, after fixing the DNS configuration, or routing or networking issue, the Search Engines may still be blocked until TMM is restarted.

Conditions:
-- Initial misconfiguration of DNS or routing or networking issue.
-- Cache stores requests to prevent future queries to DNS.
-- Correct the misconfiguration.

Impact:
Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.

Workaround:
Restart TMM by running the following command:
bigstart restart tmm

Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.


761185-5 : Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic

Solution Article: K50375550

Component: Local Traffic Manager

Symptoms:
For more information please see: https://support.f5.com/csp/article/K50375550

Conditions:
For more information please see: https://support.f5.com/csp/article/K50375550

Impact:
For more information please see: https://support.f5.com/csp/article/K50375550

Workaround:
For more information please see: https://support.f5.com/csp/article/K50375550

Fix:
For more information please see: https://support.f5.com/csp/article/K50375550


761144-2 : Broadcast frames may be dropped

Solution Article: K95117754


761112-6 : TMM may consume excessive resources when processing FastL4 traffic

Solution Article: K76328112


761014-5 : TMM may crash while processing local traffic

Solution Article: K11447758


760950-1 : Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment

Component: TMOS

Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.

Note: A previous bug had this same symptom, but was due to a different root cause.

Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.

Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.

Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.

Fix:
The advertised next-hop in BGP is now the smallest floating-IP active on the current BIG-IP system.


760878-1 : Incorrect enforcement of explicit global parameters

Component: Application Security Manager

Symptoms:
A false positive or false negative enforcement of explicit global parameter.

Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.

Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.

Workaround:
Make the explicit parameters a wildcard parameter.

Fix:
Explicit parameters are enforced correctly on all parameters.


760723-4 : Qemu Vulnerability

Solution Article: K64765350


760629-1 : Remove Obsolete APM keys in BigDB

Component: Access Policy Manager

Symptoms:
Several APM/Access BigDB keys are obsolete and should be removed, as they only add confusion.

Conditions:
-- The BIG-IP system is up and running.

Impact:
Though those keys are not being used, they create confusion as placeholders.

Workaround:
Remove those keys from BigDB and from the control plane side, as they are not being used. But do not remove keys that still have dependencies on other modules, and do not remove keys used in upgrade.

Fix:
Remove those keys from BigDB and from the control plane side, as they are not being used. But do not remove keys that still have dependencies on other modules, and do not remove keys used in upgrade.


760550-2 : Retransmitted TCP packet has FIN bit set

Component: Local Traffic Manager

Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.

Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.

Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.

Workaround:
Set Nagle to disabled in the TCP profile.

Fix:
The incorrect FIN bit is removed.


760471-5 : GTM iQuery connections may be reset during SSL key renegotiation.

Component: Global Traffic Manager (DNS)

Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.

Conditions:
This occurs occasionally during routine renegotiation. Renegotiation occurs once every 24 hours, per connection, by default (but can be controlled by the db key big3d.renegotiation.interval).

Impact:
The affected iQuery connection is briefly marked down before it is immediately re-established.

Workaround:
There is no workaround.

Fix:
GTM iQuery renegotiations no longer cause the error that reset the connection.


760439-1 : After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status

Component: TMOS

Symptoms:
After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status (e.g., transitions to standby or active).

Conditions:
Installing UCS that was taken in forced-offline state on clean installed unit.

Impact:
Unit may become active/standby before intended (e.g., during maintenance).

Workaround:
After installing the UCS, ensure that the unit is in forced-offline state as intended. If not in forced-offline state, force the unit offline before proceeding.


760234-3 : Configuring Advanced shell for Resource Administrator User has no effect

Component: TMOS

Symptoms:
Advanced shell is present in the Terminal Access dropdown list when creating a Resource Administrator User, but the functionality is not available.

Conditions:
Configuring Advanced shell for Resource Administrator User.

Impact:
There is no warning message, but the setting has no effect. Gives the false impression that you can configure a Resource Administrator User to have Advanced shell access when the role does not support it.

Workaround:
None.

Fix:
The Advanced shell option is no longer present in the Resource Administrator User Terminal Access dropdown list.

Behavior Change:
Resource Administrator User can no longer select Advanced shell. The option has been removed from the dropdown list in the GUI for the Resource Administrator User.


759968-1 : Distinct vCMP guests are able to cluster with each other.

Component: Local Traffic Manager

Symptoms:
-- Distinct vCMP guests are able to cluster with each other.

-- Guests end up having a duplicate rebroad_mac on one or more slots. This can be checked using the command below:

clsh tmctl -d blade tmm/vcmp -w 200 -s vcmp_name,tmid,rebroad_mac

Check the 'rebroad_mac' field for duplicate mac addresses.

vcmp_name tmid rebroad_mac
--------- ---- -----------------
default 0 02:01:23:45:01:00
vcmp1 0 00:00:00:00:00:00
vcmp5 0 02:01:23:45:01:04
vcmp6 0 00:00:00:00:00:00
vcmp7 0 02:01:23:45:01:06
vcmp8 0 00:00:00:00:00:00
vcmp9 0 02:01:23:45:01:08
vcmp10 0 02:01:23:45:01:0A <--------------
vcmp11 0 02:01:23:45:01:0A <--------------

Conditions:
-- It is not yet clear under what circumstances the issue occurs.

-- One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate 'rebroad_mac' on one or more slots.

Impact:
Only the vCMP guest acting as primary will be operative.

Workaround:
-- Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:

modify sys db clusterd.communicateovertmmbp value false

To disable the db variable on the affected guest, log in to the TMOS Shell (tmsh) by entering the following command:

tmsh

Then run the following commands, in sequence:

stop sys service clusterd
modify sys db clusterd.communicateovertmmbp value false
start sys service clusterd
save sys config

Afterwards, the affected guest might still have the wrong management IP address. To resolve that, log into the vCMP Hypervisor and force a management IP update such as changing the netmask and then changing it back.

With the above steps, the duplicated rebroadcaster MAC still shows, but the vCMP guests are in stable states. To fix the duplicated MAC problem, apply the workaround (on all blades) documented in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.

Important: Applying procedure described in K13030 interrupts traffic.

Fix:
The vCMP guests no longer end up having a non-null and duplicate 'rebroad_mac' on one or more slots. Distinct vCMP guests are no longer able to cluster with each other.


759596-4 : Tcl errors in iRules 'table' command

Component: TMOS

Symptoms:
The iRules 'table delete' command causes Tcl errors due to improperly handling the return code from SessionDB.

Conditions:
-- iRules 'table delete' command is used.
-- Does not occur consistently, but is more prone to occur when the system is processing more traffic.

Impact:
The 'table delete' command randomly fails and causes disruptions in traffic.

Workaround:
Do not use the 'table delete' command.

Fix:
Fixed 'table delete' to properly interpret the return code from SessionDB.


759480-1 : HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash

Component: Local Traffic Manager

Symptoms:
When a request is sent to the virtual server which meets the conditions specified, TMM may crash.

Conditions:
When all of the following conditions are met:

-- Virtual server configured with iRule that contains HTTP::respond or HTTP::redirect in an LB_FAILED event.

-- A command in an LB_FAILED event (does not have to be in the same iRule as the previous point, but must be attached to the same virtual server), that parks the iRule (e.g., table, session, persist, after, HSL).

-- A CLIENT_CLOSED event is present.

-- The pool member fails in some manner, triggering LB_FAILED.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Add a reject command to the LB_FAILED event to force the server side of the connection closed before the response is sent to the client.


759343-3 : MacOS Edge Client installer does not follow best security practices

Solution Article: K49827114


758872-1 : TMM memory leak

Component: Local Traffic Manager

Symptoms:
When a Clustered Multiprocessing (CMP) disabled virtual server enters syncookie mode, the flows created on TMM instances other than tmm0 are not removed, resulting in a TMM memory leak.

Note: CMP-disabled virtual servers are not distributed among the available TMM processes, but instead are processed on tmm0.

Conditions:
-- Virtual server is CMP disabled.
-- The same virtual server enters syncookie mode.

Impact:
Elevated memory utilization that may impact performance. In extreme cases, it might lead to out-of-memory crash.

Workaround:
Make sure the virtual server is not CMP disabled, for example, avoid using global variables in iRules.

Fix:
Flows of CMP-disabled virtual servers are now properly removed from all TMM instances.


758772-5 : DNS Cache RRSET Evictions Stat not increasing

Component: Global Traffic Manager (DNS)

Symptoms:
In the DNS Cache stats, the 'Resource Record Cache' statistic of 'Evictions' does not increase.

Conditions:
This occurs when the cache is full enough for records to be evicted.

Impact:
The 'Evictions' statistics do not increase when those records are evicted. Incorrect statistics accounting.

Workaround:
None.

Fix:
Fixed an issue preventing the DNS Cache's 'Resource Record Cache' statistic from counting 'Evictions'.


758764-5 : APMD Core when CRLDP Auth fails to download revoked certificate

Component: Access Policy Manager

Symptoms:
CRLDP Auth fails to download the revoked certificates, so the list of revoked certificates remains empty (NULL). APMD cores while accessing this empty (NULL) list.

Conditions:
Empty revoked-certificate list handling.

Impact:
APMD core. No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso while apmd restarts.

Workaround:
None.

Fix:
The system now checks for an empty (NULL) revoked-certificate list and treats validation as OK in that case (because there is nothing to validate against).


758631-1 : ec_point_formats extension might be included in the server hello even if not specified in the client hello

Component: Local Traffic Manager

Symptoms:
RFC 5246 states that if an extension does not exist in the client hello, it must not exist in the server hello. When an EC cipher suite is selected, the server might send the ec_point_formats extension, even if none exists in the client hello.

Conditions:
-- An EC cipher suite is selected.
-- The client does not send an ec_point_formats extension.

Impact:
Some clients abort the connection in this case.

Workaround:
There is no workaround other than not configuring any EC cipher suites.

Fix:
With this change, the server does not send an unsolicited ec_point_formats extension.
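The RFC 5246 rule the entry cites ("a server MUST NOT send an extension the client did not offer") is easy to check mechanically from a captured handshake. The following is an added example, not F5 or BIG-IP code: it parses the TLS 1.2 extensions vector of a ClientHello and a ServerHello, reports any server extension the client did not offer, and shows a server-side builder that only echoes ec_point_formats when it was solicited. The byte strings are constructed sample data, not a real capture; extension type numbers (server_name = 0, supported_groups = 10, ec_point_formats = 11) are the IANA-registered values.

```python
"""Check a TLS 1.2 ServerHello for unsolicited extensions (RFC 5246 7.4.1.4).

Added example, not BIG-IP code. The wire format of the extensions vector is
    uint16 total_length, then repeated { uint16 type, uint16 length, data }.
"""
import struct

SERVER_NAME = 0        # RFC 6066
SUPPORTED_GROUPS = 10  # RFC 4492 (elliptic_curves) / RFC 8422
EC_POINT_FORMATS = 11  # RFC 4492


def parse_extensions(block: bytes) -> dict[int, bytes]:
    """Parse an extensions vector into {type: data}; reject truncated or duplicate entries."""
    if len(block) < 2:
        raise ValueError("extensions vector too short")
    (total,) = struct.unpack("!H", block[:2])
    if total != len(block) - 2:
        raise ValueError("extensions length field does not match data")
    exts: dict[int, bytes] = {}
    pos = 2
    while pos < len(block):
        if pos + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", block[pos:pos + 4])
        pos += 4
        data = block[pos:pos + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension body")
        if ext_type in exts:
            raise ValueError(f"duplicate extension type {ext_type}")
        exts[ext_type] = data
        pos += ext_len
    return exts


def build_extensions(entries: list[tuple[int, bytes]]) -> bytes:
    """Serialise (type, data) pairs into an extensions vector."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in entries)
    return struct.pack("!H", len(body)) + body


def unsolicited_extensions(client_block: bytes, server_block: bytes) -> list[int]:
    """Extension types present in the ServerHello that the ClientHello did not offer."""
    client = parse_extensions(client_block)
    server = parse_extensions(server_block)
    return sorted(t for t in server if t not in client)


def server_extensions(client_block: bytes, ec_suite_selected: bool) -> bytes:
    """Hardened builder: echo ec_point_formats only if the client offered it.

    The defect the entry describes is sending it whenever an EC suite is chosen.
    """
    client = parse_extensions(client_block)
    entries: list[tuple[int, bytes]] = []
    if ec_suite_selected and EC_POINT_FORMATS in client:
        entries.append((EC_POINT_FORMATS, b"\x01\x00"))  # list: uncompressed only
    return build_extensions(entries)


# Constructed sample handshakes (not captured traffic).
CLIENT_NO_FORMATS = build_extensions([
    (SERVER_NAME, b"\x00\x0a\x00\x00\x07example"),
    (SUPPORTED_GROUPS, b"\x00\x02\x00\x17"),          # secp256r1 only
])
CLIENT_WITH_FORMATS = build_extensions([
    (SUPPORTED_GROUPS, b"\x00\x02\x00\x17"),
    (EC_POINT_FORMATS, b"\x01\x00"),
])
# ServerHello exhibiting the defect: ec_point_formats sent without being offered.
BUGGY_SERVER = build_extensions([(EC_POINT_FORMATS, b"\x01\x00")])

if __name__ == "__main__":
    print("unsolicited:", unsolicited_extensions(CLIENT_NO_FORMATS, BUGGY_SERVER))
    print("hardened   :", unsolicited_extensions(CLIENT_NO_FORMATS,
          server_extensions(CLIENT_NO_FORMATS, ec_suite_selected=True)))
```

Run against a real capture, the extensions vectors come from the bytes after the compression field of each Hello; any non-empty result from `unsolicited_extensions` is the condition that causes strict clients to abort the handshake, so it is a useful check when diagnosing EC-suite handshake failures against a pre-fix device.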


758527-5 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode

Solution Article: K39604784

Component: TMOS

Symptoms:
Under certain conditions BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.

Conditions:
Tagged VLANs in use.
STP pass-through mode enabled.

Impact:
Frames not delivered as expected.

Workaround:
Disable global STP.

Fix:
Frames now delivered as expected.


758336-2 : Incorrect recommendation in Online Help of Proactive Bot Defense

Component: Application Security Manager

Symptoms:
The online help of Proactive Bot Defense within the DoS profile shows the following under the 'Cross-Domain Requests' section:

Allow configured domains; validate in bulk: ... We recommend this option if your web site has many cross-domain resources.

Allow configured domains; validate upon request: ... We recommend this option if your web site does not have many cross-domain resources.

The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.

Conditions:
Application has multiple cross-domain resources.

Impact:
Confusing documentation. The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.

Workaround:
For many cross-domain resources, it is better to use 'validate upon request'.

Fix:
The online help of Proactive Bot Defense has been corrected under the 'Cross-Domain Requests' section.


758119-3 : qkview may contain sensitive information

Solution Article: K58243048

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048

Conditions:
For more information see: https://support.f5.com/csp/article/K58243048

Impact:
For more information see: https://support.f5.com/csp/article/K58243048

Workaround:
For more information see: https://support.f5.com/csp/article/K58243048

Fix:
For more information see: https://support.f5.com/csp/article/K58243048


758065-3 : TMM may consume excessive resources while processing FIX traffic

Solution Article: K82781208


758018-2 : APD/APMD may consume excessive resources

Solution Article: K61705126


757578-5 : RAM cache is not compatible with verify-accept

Component: Local Traffic Manager

Symptoms:
The TCP profile's verify-accept option is not compatible with the RAM cache feature.

Conditions:
A TCP profile is used with the 'verify-accept' option enabled, together with a Web Acceleration via RAM cache.

Impact:
There may be a log message in /var/log/tmm# describing an 'Invalid Proxy Transition'. The RAM cache feature may not handle later pipelined requests due to the proxy shutting down the connection.

Workaround:
Do not use TCP's verify-accept option together with RAM cache.

Fix:
RAM cache now works correctly when the TCP profile enables the verify-accept option.


757520 : After a software upgrade, the BIG-IP system does not use the correct hostname for logging.

Component: TMOS

Symptoms:
After performing a regular software upgrade during which the configuration was rolled forward, the log messages for all daemons except tmm on the upgraded unit report the default hostname (i.e., localhost) instead of the hostname assigned to the BIG-IP system.

Conditions:
Performing a software upgrade to BIG-IP version 11.5.6, 11.5.7, 11.5.8, or 12.1.4 while rolling forward the existing configuration.

This can also happen when you first set up remote syslog on a new LTM on an affected version.

Impact:
There is no impact to the BIG-IP system itself. However, a BIG-IP Administrator may wrongly assume that the system failed to load the configuration, because the default hostname is visible in the logs.

This is not the case; the BIG-IP system correctly loads the configuration post-upgrade. If you are consolidating logs on an external server, this may make it difficult to determine where some logs originated.

Workaround:
To work around this issue, run the following command:

bigstart restart syslog-ng

Note: This issue occurs only the very first time one of the affected versions is booted. Once the issue has been worked around once, the issue does not recur. Therefore, this workaround can be considered permanent.

Fix:
After software upgrade, the BIG-IP system now uses the intended hostname for logging.


757464-4 : DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record

Component: Global Traffic Manager (DNS)

Symptoms:
Attempt to delete a DNS Validating Resolver cache record from the 'Key' cache does not remove the record. Also displays a negative TTL for that record.

tmm crash

Conditions:
-- Populate the DNS Validating Resolver Cache.
-- Attempt to delete a record from the 'Key' cache.

Impact:
Undesired behavior due to records not being deleted as instructed. Also negative TTL.

Workaround:
The only workaround is to restart tmm to generate a completely empty DNS cache. Traffic disrupted while tmm restarts.

Fix:
Fixed an issue preventing records from a DNS Validating Resolver's 'Key' sub-cache from being deleted when utilizing the TMSH command:
delete ltm dns cache records key cache


757455-4 : Excessive resource consumption when processing REST requests

Solution Article: K87920510


757391-1 : Datagroup iRule command class can lead to memory corruption

Component: Local Traffic Manager

Symptoms:
When using the iRule command to access datagroups within a foreach loop, memory can be corrupted and tmm can crash.

Conditions:
A [class] command used within a foreach loop.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround aside from removing that iRule.

Fix:
tmm no longer crashes under these conditions.


757088 : TMM clock advances and cluster failover happens during webroot db nightly updates

Component: Traffic Classification Engine

Symptoms:
Webroot database mapping and unmapping takes a very long time on TMM, so you might see clock advances occur. The long interval might result in a failover/state transition in a clustered environment.

Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.

Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.

Workaround:
You can avoid this issue by disabling BrightCloud updates; however, your environment will miss the latest updates as a result.

#vi /etc/wr_urldbd/bcsdk.cfg
  DoBcap=true
  DoRtu=false
  DownloadDatabase=false

Fix:
Mapping/Unmapping the database is done asynchronously and the delay is reduced so that the CDP failover does not happen.


757027-4 : BIND Update

Solution Article: K01713115


757026-4 : BIND Update

Solution Article: K25244852


757025-4 : BIND Update

Solution Article: K00040234


757023-5 : BIND vulnerability CVE-2018-5743

Solution Article: K74009656


756774-3 : Aborted DNS queries to a cache may cause a TMM crash

Solution Article: K24401914


756538-2 : Failure to open data channel for active FTP connections mirrored across an high availability (HA) pair.

Solution Article: K15759349


756450-3 : Traffic using route entry that's more specific than existing blackhole route can cause core

Component: Local Traffic Manager

Symptoms:
TMM asserts with an 'Attempting to free loopback interface' message.

Conditions:
-- Using blackhole routes.
-- Have a route entry that is more specific than the existing blackhole route.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use /32 blackhole routes.

Fix:
TMM no longer cores when using blackhole routes that are less specific than non-blackhole routes.


756270-1 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle

Component: Local Traffic Manager

Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.

Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.

Impact:
Handshake failure.

Workaround:
None.

Fix:
This has been fixed to check for the issuer among all certificates that have the same subject name as the CRL issuer.


756153-1 : Add diskmonitor support for MySQL /var/lib/mysql

Component: TMOS

Symptoms:
If the disk partition /var/lib/mysql is filled to 100%, diskmonitor does not notify that the partition is nearly exhausted.

Conditions:
The disk partition /var/lib/mysql is filled to 100%.

Impact:
diskmonitor does not notify that disk partition /var/lib/mysql is nearly exhausted.

Workaround:
None.


756094-1 : DNS express in restart loop, 'Error writing scratch database' in ltm log

Component: Global Traffic Manager (DNS)

Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd

Conditions:
An update to an SOA record (and only an SOA) is received through an incremental zone transfer update (IXFR).

Impact:
Zone updates from the DNS master servers are not processed.

Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, use the following commands, in sequence:

   bigstart stop zxfrd
   rm /shared/zxfrd/*
   bigstart start zxfrd

Note: DNS express will not be able to service DNS responses until the zone transfers have completed. For this reason, this procedure should be carried out on the standby device, if possible.

Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.


755997-3 : Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address

Component: Local Traffic Manager

Symptoms:
When IPsec traffic is processed by a FastL4 profile that is not related to an IPsec listener, and is sent out via a gateway pool or a dynamic route, the source address of this traffic can be erroneously changed to 127.0.0.x.

Conditions:
-- IPsec traffic is processed by a FastL4 profile that is not related to an IPsec listener.
-- The traffic is sent out via a gateway pool or a dynamic route.

Impact:
The incorrect source address is used.

Workaround:
None.

Fix:
The IPsec traffic now uses the correct IP source address.


755727-4 : Ephemeral pool members not created after DNS flap and address record changes

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.

Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.

Conditions:
This issue may occur under rare timing conditions when the following factors are present:

-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.

Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.

Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:

1. Restart the dynconfd daemon:
bigstart restart dynconfd

2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }


To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.


755507-1 : [App Tunnel] 'URI sanitization' error

Component: Access Policy Manager

Symptoms:
URI sanitization error with app tunnel (application tunnel). The system posts messages similar to the following:
-- APM log: warning tmm[19703]: 01490586:4: /Common/AP-AD:Common:ff776e4a: Invalid Resource Access For RESOURCENAME. RST due to URI sanitization
-- LTM log: err tmm[19703]: 01230140:3: RST sent from 10.0.0.1:80 to 10.0.0.1:228, [0x2263e2c:7382] Unrecognized resource access (RESOURCENAME)

Conditions:
Access Policy that includes a 'Logon Page' and 'Advanced Resource Assign' (full webtop and app tunnel).

Impact:
APM does not send a response after receiving a request to 'GET /vdesk/resource_app_tunnels_info.xml'.

Workaround:
None.


755005-4 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations

Component: Application Security Manager

Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.

Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.

Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.

Workaround:
None.

Fix:
Correct templates are now used for Illegal Request Length and Illegal Query String Length violations, so the correct titles show.


754944-4 : AVR reporting UI does not follow best practices

Solution Article: K00432398


754460 : No failover on HA Dual Chassis setup using HA score

Component: TMOS

Symptoms:
On a high availability (HA) setup of two chassis, an HA failover does not occur, despite the HA score on the standby being greater than on the active.

Conditions:
-- Multiple blades disabled.
-- Both the active and standby chassis have the same HA score.
-- Enabling blades on standby chassis.

Impact:
Although enabling blades on the standby chassis causes a higher HA score on the standby (which should cause a failover to occur), HA state remains the same on both chassis. HA failover is not occurring using HA score calculation.

Workaround:
None.


754365-2 : Updated flags for countries that changed their flags since 2010

Component: Application Security Manager

Symptoms:
Old flags for countries that changed their flags since 2010.

Conditions:
Requests from one of the following countries:
-- Myanmar
-- Iraq
-- Libya

Impact:
Old flag is shown.

Workaround:
None.

Fix:
The three flags are now updated in ASM.


754345-4 : WebUI does not follow best security practices

Solution Article: K79902360


754257 : URL lookup queries not working

Component: Traffic Classification Engine

Symptoms:
Occasionally, there is no response to a url-categorization query.

Conditions:
This might occur under the following conditions:
-- When there are duplicate requests using tmsh.
-- When the connection is partially closed by the server.

Impact:
URL does not get classified. Cannot take any actions against those URLs.

Workaround:
None.

Fix:
URL lookup queries now work as expected.


754103-3 : iRulesLX NodeJS daemon does not follow best security practices

Solution Article: K75532331


753912-1 : UDP flows may not be swept

Solution Article: K44385170

Component: Local Traffic Manager

Symptoms:
Some UDP connection flows do not show in the connection table but do show up in stats. This might occur when datagram_lb mode is enabled on the UDP profile under heavy load.

Conditions:
-- UDP profile with datagram_lb mode enabled.
-- System under heavy load.

Impact:
Increased memory utilization of TMM.

Workaround:
None.

Fix:
The system now correctly manages all expired flows.


753805-2 : BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.

Component: Local Traffic Manager

Symptoms:
After failover, the virtual server takes longer than expected to become available.

Conditions:
-- There is a configuration difference in the pool members before and after the configuration synchronization.
-- Probe status is also different.

Impact:
Virtual server takes longer than expected to become available.

Workaround:
Run full sync (force-full-load-push) from the active BIG-IP system to solve this issue.


753796-3 : SNMP does not follow best security practices

Solution Article: K40443301


753776-3 : TMM may consume excessive resources when processing UDP traffic

Solution Article: K07127032


753014-2 : PEM iRule action with RULE_INIT event fails to attach to PEM policy

Component: Policy Enforcement Manager

Symptoms:
PEM iRule action with RULE_INIT event fails to attach to PEM policy.

Conditions:
Attaching PEM policy with PEM iRule action that contains a RULE_INIT event.

Impact:
PEM fails to update the new iRule action.

Workaround:
Force mcpd to reload the BIG-IP configuration.

To do so, follow the steps in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.

Fix:
The system now continues processing PEM iRule actions if RULE_INIT event is present, so this issue no longer occurs.


752930 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state

Component: Local Traffic Manager

Symptoms:
Virtual Servers left in unknown state. Blade keeps restarting.

Conditions:
Change default route domain (RD) of partition with wildcard Virtual Servers.

Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop or mcpd process restarting loop.

Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.

2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:

# ssh slot2 bigstart stop

# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109

# save sys config

# clsh rm -f /var/db/mcpdb.bin

# ssh slot2 bigstart start

Note: This recovery method might have to be executed multiple times to restore a working setup.


752835-1 : Mitigate mcpd out of memory error with auto-sync enabled.

Solution Article: K46971044

Component: TMOS

Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it falls exponentially further behind due to the extra sync data, leading to the sending mcpd running out of memory and core dumping.

Conditions:
-- Auto-sync enabled in a high availability (HA) pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.

Impact:
Mcpd crashes.

Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.

Fix:
This is not a complete fix. It is still possible for mcpd to run out of memory due to a peer not processing sync messages quickly enough. It does, however, make it more difficult for this scenario to happen, so configuration changes with auto-sync on can be sent somewhat more quickly without crashing mcpd as often.


751586-1 : Http2 virtual does not honour translate-address disabled

Component: Local Traffic Manager

Symptoms:
Translate-address disabled on an HTTP/2 virtual server is ignored.

Conditions:
-- HTTP/2 virtual server configured.
-- Translate-address disabled.

Impact:
The traffic's destination address is still translated to the pool member.

Workaround:
None.

Fix:
Translate-address disabled is working correctly now.


751036-4 : Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone

Solution Article: K52035247


750586-3 : HSL may incorrectly handle pending TCP connections with elongated handshake time.

Component: TMOS

Symptoms:
HSL may incorrectly handle TCP connections that are pending 3-way handshake completion and exceed the default handshake timeout.

Conditions:
-- HSL or ReqLog configured to send logging data to pool via TCP protocol.
-- TCP 3-way handshake takes longer than 20 seconds (the default handshake timeout) to complete.

Impact:
-- Service interruption while TMM restarts.
-- Failover event.

Workaround:
None.

Fix:
HSL now handles unusually long pending TCP handshakes gracefully and does not cause an outage.


750488 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.

Conditions:
Responses to queries with an EDNS0 record sent to DNS Cache do not contain the RFC-required EDNS0 record.

Impact:
Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
Corrected EDNS OPT record handling in DNS Cache.

Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:

example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa

These types of responses are expected when running the validation tool against DNS Cache.


750484 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache drops a DNS query that contains an EDNS OPT Record that it does not understand.

Conditions:
A client (such as a DNS Flag Day compliance tool) or upstream DNS server sends an invalid EDNS OPT record.

Impact:
DNS Cache drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
When a query with an invalid EDNS OPT version is received by DNS Cache, the system now sends a response with the BADVERS error code, as stipulated by the RFC.

Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:

example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa

These types of responses are expected when running the validation tool against DNS Cache.


750473-2 : VA status changes while 'disabled' are not taken into account after being 'enabled' again

Component: Local Traffic Manager

Symptoms:
The virtual-address network is not advertised with route-advertisement enabled.

Conditions:
1. Using a virtual-address with route advertisement enabled.
2. Disable virtual-address while state is down.
3. Enable virtual-address after state comes up.

Impact:
No route-advertisement of the virtual-address.

Workaround:
Toggle the route-advertisement for virtual-address.

Fix:
The virtual-address now operates as expected when disabled.


750472 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express drops a DNS query that contains an EDNS OPT Record that it does not understand.

Conditions:
A client (such as a DNS Flag Day compliance tool) or upstream DNS server sends an invalid EDNS OPT record.

Impact:
DNS Express drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
When a query with an invalid EDNS OPT version is received by DNS Express, the system now sends a response with the BADVERS error code, as stipulated by the RFC.

Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:

example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok


750460-4 : Subscriber management configuration GUI

Solution Article: K61002104


750457 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.

Conditions:
Queries to DNS Express containing an EDNS0 record it does not understand.

Impact:
DNS Express responses might not contain the RFC-required EDNS0 record. Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
Corrected EDNS OPT record handling in DNS Express.

Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:

example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok


750292-3 : TMM may crash when processing TLS traffic

Solution Article: K54167061


750213-1 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.

Solution Article: K25351434

Component: Global Traffic Manager (DNS)

Symptoms:
FPGA hardware-accelerated DNS Cache can respond improperly to DNS queries that contain EDNS OPT Records. This improper response can take several forms, ranging from not responding with an OPT record, to a query timeout, to a BADVERS response.

Conditions:
-- Using VIPRION B2250 blades.
-- This may occur if a client sends a query with an EDNS OPT record that has an unknown version or other values that the Hardware-accelerated Cache does not understand. These errors only occur when matching the query to a hardware cached response.

Note: If the response is not in the hardware cache, then the query should be properly handled.

Impact:
Hardware-accelerated DNS Cache drops the request. Clients will experience a timeout for that query.

This is occurring now because of the changes coming to software from certain DNS software vendors that remove specific workarounds on February 1st, 2019. This is known as DNS Flag Day.

Workaround:
None.


750187-4 : ASM REST may consume excessive resources

Solution Article: K29149494


749879 : Possible interruption while processing VPN traffic

Solution Article: K47527163


749785-3 : nsm can become unresponsive when processing recursive routes

Component: TMOS

Symptoms:
imish hangs, and the BIG-IP Network Services Module (nsm) daemon consumes 100% CPU.

Conditions:
-- Dynamic routing enabled.
-- Processing recursive routes from a BGP peer with different prefixlen values.

Impact:
Dynamic routing, and services using dynamic routes do not operate. nsm does not recover and must be restarted.

Workaround:
None.

Fix:
nsm now processes recursive routes without issues.


749774-2 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled

Component: Global Traffic Manager (DNS)

Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.

Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.

Impact:
Inconsistent behavior.

Workaround:
None.

Fix:
In this release, responses are now consistent when caching is enabled.


749675-2 : DNS cache resolver may return a malformed truncated response with multiple OPT records

Component: Global Traffic Manager (DNS)

Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.

Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).

Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.

Workaround:
A second query will return the cached record, which will only have one OPT record.

Fix:
DNS cache resolver now returns the correct response under these conditions.


749508-4 : LDNS and DNSSEC: Various OOM conditions need to be handled properly

Component: Global Traffic Manager (DNS)

Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.

Conditions:
LDNS and DNSSEC OOM conditions.

Impact:
Various traffic-processing issues, for example, TMM panic during processing of DNSSEC activity.

Workaround:
None.

Fix:
The system contains improvements for handling OOM conditions properly.


749414-1 : Invalid monitor rule instance identifier error

Component: Local Traffic Manager

Symptoms:
Modifying a node or pool member can cause the loss of monitor_instance and monitor_rule_instances for unrelated objects.

Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is in a pool.
-- Run the following command: tmsh load /sys config
-- Loading UCS/SCF file can trigger the issue also.
-- Nodes share the same monitor instance.
-- default-node-monitor is not configured.

Impact:
-- The system might delete monitor rule instances for unrelated nodes/pool-members.

-- Pool members are incorrectly marked down.

Workaround:
You can use either of the following:

-- Failover or failback traffic to the affected device.

-- Run the following command: tmsh load sys config.


749388-4 : 'table delete' iRule command can cause TMM to crash

Component: TMOS

Symptoms:
TMM SegFaults and restarts.

Conditions:
'table delete' gets called after another iRule command.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
Call 'table lookup' on any key before performing a 'table delete'.
Whether or not the key was added into the database beforehand does not matter.

Fix:
Fixed code to prevent invalid use of internal data structure.


749324-4 : jQuery Vulnerability: CVE-2012-6708

Solution Article: K62532311


749294-1 : TMM cores when query session index is out of boundary

Component: Local Traffic Manager

Symptoms:
TMM cores when the queried session index is out of bounds. This is not a usual case. It is most likely caused by memory corruption.

Conditions:
When session index equals the size of session caches.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The index boundary check now operates correctly in this situation, so tmm no longer cores.


749153 : Cannot create LTM policy from GUI using iControl

Component: TMOS

Symptoms:
LTM policy cannot be created from GUI using iControl REST.

Conditions:
Using iControl to create an LTM policy.

Impact:
LTM policy cannot be created from the GUI.

Workaround:
Create LTM policy using TMSH.

Fix:
Can now create LTM policy from GUI using iControl.


749007-4 : South Sudan, Sint Maarten, and Curacao countries missing in GTM region list

Component: TMOS

Symptoms:
South Sudan, Sint Maarten, and Curacao countries are missing from the region list.

Conditions:
-- Creating a GTM region record.
-- Creating a GTM region record with a country of South Sudan, Sint Maarten, or Curacao.

Impact:
Cannot select the South Sudan country from the GTM country list.

Workaround:
None.

Fix:
South Sudan, Sint Maarten, and Curacao are now present in the GTM country list.


748902-8 : Incorrect handling of memory allocations while processing DNSSEC queries

Component: Global Traffic Manager (DNS)

Symptoms:
tmm crashes.

Conditions:
-- Heavy DNS traffic using DNS security signatures.
-- Use of external HSM may aggravate the problem.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release corrects the handling of memory allocations while processing DNSSEC queries.


748502-4 : TMM may crash when processing iSession traffic

Solution Article: K72335002


748205-2 : SSD bay identification incorrect for RAID drive replacement

Component: TMOS

Symptoms:
On iSeries platforms with dual SSDs, the 'bay' of a given SSD indicated in the 'tmsh show sys raid' command may be incorrect. If a drive fails, or otherwise needs to be replaced, and you use the bay number listed by the tmsh command, the wrong drive could be removed from the system, resulting in a system that fails to operate or boot.

Conditions:
iSeries platform with dual SSDs.

Impact:
Removal of the one working drive could result in system failure and subsequent failure to boot.

Workaround:
If you discover that you removed the incorrect drive, you can attempt to recover by re-inserting the drive into the bay that it was in, and powering on the device.

The following steps will help to avoid inadvertently removing the wrong drive:

As a rule for systems with this issue:
-- Power should be off when you remove a drive. This makes it possible to safely check the serial number of the removed drive.
-- Power should be on, and the system should be completely 'up' before you add a new drive.

Here are some steps to follow to prevent this issue from occurring.

1. Identify the failed drive, taking careful note of its serial number (SN). You can use any of the following commands to get the serial number:
     • tmsh show sys raid
     • tmsh show sys raid array
     • array
2. Logically remove the failed drive using the following command: tmsh modify sys raid array MD1 remove HD<>
3. Power down the unit.
4. Remove the fan tray and physically remove the failed drive.
5. Manually inspect the SN on the failed drive to ensure that the correct drive was removed.
6. Replace the fan tray.
7. Power on the unit with the remaining, single drive.
8. Once booted, wait for the system to identify the remaining (good) drive. You can confirm that this has happened when it appears in the 'array' command output.
9. Remove fan tray again (with the system running).
10. Install the new drive.
11. Use the 'array' command to determine that the new drive is recognized (Note: the tmsh commands do not show new drive at this stage.)
12. Logically add the new drive using the following command: tmsh modify sys raid array MD1 add HD<>
13. Monitor the rebuild using any of the commands shown in step 1.

Note: You must follow these steps exactly. If you insert the new drive while the system is off, and you then boot the system with the previously existing working drive and the new blank drive present, the system recognizes the blank drive as the working array member, and you cannot add it to the array. That means the system responds and replicates as if 'HD already exists'.


748187-1 : 'Transaction Not Found' Error on PATCH after Transaction has been Created

Component: TMOS

Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.

Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.

Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.

Workaround:
If the transaction is not very large, configure icrd_child to run single-threaded only.

Fix:
Erroneous 'Transaction Not Found' messages no longer occur under these conditions.


748177-4 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character

Component: Global Traffic Manager (DNS)

Symptoms:
Multiple wildcards not matched to the most specific WideIP.

Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.

Impact:
DNS request gets wrong answer.

Workaround:
There is no workaround at this time.

Fix:
Multiple wildcards are now matched to the most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character.


747968-4 : DNS64 stats not increasing when requests go through DNS cache resolver

Component: Local Traffic Manager

Symptoms:
DNS64 stats are not incrementing when running the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands if responses are coming from DNS cache resolver.

Conditions:
-- DNS responses are coming from DNS cache resolver.
-- Viewing statistics using the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands.

Impact:
DNS64 stats are not correct.

Workaround:
There is no workaround at this time.


747909-2 : GTPv2 MEI and Serving-Network fields decoded incorrectly

Component: Service Provider

Symptoms:
MEI and Serving-Network values obtained with the GTP::ie get iRule command contain digits swapped in pairs, with the first digit missing and a random digit added at the end.

Conditions:
Processing GTP traffic with iRules.

Impact:
It is impossible to obtain the correct values of the MEI and Serving-Network fields of GTPv2 packets when processing them with iRules.

Workaround:
No workaround.

Fix:
Decoding of GTPv2 MEI and Serving-Network fields corrected.


747725-1 : Kerberos Auth agent may override settings manually made to krb5.conf

Component: Access Policy Manager

Symptoms:
When apmd starts up, it can override settings in the krb5.conf file with those required for the Kerberos Auth agent.

Conditions:
-- Kerberos Auth is configured in an Access Policy.
-- The administrator made manual changes to krb5.conf in the [realms] section of the configured realm.

Impact:
The Kerberos Auth agent does not behave as the administrator expects given the manual changes.
This may also prevent WebSSO (Kerberos) from behaving properly.

Workaround:
None

Fix:
After the fix, the configuration file changes are merged.
The Kerberos Auth agent adds the lines it requires and does not override existing settings.


747617-4 : TMM core when processing invalid timer

Component: Local Traffic Manager

Symptoms:
TMM crashes while processing an SSLO iRule that enables the SSL filter on an aborted flow.

Conditions:
SSLO is configured and passing traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround

Fix:
SSL filter will no longer be enabled after connection close.


747592-4 : PHP vulnerability CVE-2018-17082

Component: TMOS

Symptoms:
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.

Conditions:
This vulnerability requires no authentication and can be exploited via a POST request. Because of the 'Transfer-Encoding: chunked' header, PHP echoes the request body as the response.

Impact:
F5 products are not affected by this vulnerability. The actual impact of this vulnerability is a possible XSS attack.

Workaround:
No known workaround.

Fix:
The brigade seems to end up in a messed up state if something fails in shutdown, so we clean it up.


747585-1 : TCP Analytics supports ANY protocol number

Component: Local Traffic Manager

Symptoms:
No TCP analytics data is collected for an ANY virtual server.

Conditions:
1. Provision AVR.
2. Create a FastL4 virtual server that accepts all protocols.
3. Attach a TCP Analytics profile.
4. Try to run UDP traffic through it.

Impact:
No TCP analytics data is collected for TCP flows when a virtual server's protocol number is ANY.

Workaround:
There is no workaround at this time.

Fix:
TCP Analytics now supports both the ANY and TCP protocol numbers, and collects analytics for TCP flows when the virtual server's protocol number is ANY or TCP.


747560-2 : ASM REST: Unable to download Whitehat vulnerabilities

Component: Application Security Manager

Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.

Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.

Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided; they must be downloaded manually, or the GUI must be used.

Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.

Fix:
The REST endpoint for importing Scanner Vulnerabilities for the Whitehat Scanner now correctly downloads the vulnerability file automatically when no file is provided.


747192-3 : Small memory leak while creating Access Policy items

Component: Access Policy Manager

Symptoms:
Memory slowly leaks for every access policy item added: 32 + 80 bytes for each item.

Conditions:
The leak occurs while creating new policy items in Access.

Impact:
After a long uptime interval, mcpd may crash due to lack of memory.

Workaround:
Restart mcpd periodically if you modify Access policies frequently by adding or deleting policy items.

Fix:
The leak has been fixed by clearing the leaked objects.


747187-4 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response

Component: Service Provider

Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.

Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.

Impact:
Media does not flow on pinholes for which a collision was detected and reported.

Workaround:
None

Fix:
No collision is detected or logged when multiple messages with SDP recreate the same flows in the same call.


747104-4 : LibSSH: CVE-2018-10933

Solution Article: K52868493

Component: Advanced Firewall Manager

Symptoms:
For more information see: https://support.f5.com/csp/article/K52868493

Conditions:
For more information see: https://support.f5.com/csp/article/K52868493

Impact:
For more information see: https://support.f5.com/csp/article/K52868493

Fix:
For more information see: https://support.f5.com/csp/article/K52868493


746922-3 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.

Component: Local Traffic Manager

Symptoms:
When a routing entity belonging to the child route domain searches for an egress point for a traffic flow, it searches for a routing entry in the child domain first; if nothing is found, it searches the parent route domain and returns the best routing entry found.

If the best routing entry from the parent route domain is selected, it is held by the routing entity and used to forward the traffic flow. Later, a new route entry is added to the child route domain's routing table, and this entry might be better than the previously selected one. But the previously selected entry is not invalidated, so the routing entity holding it keeps forwarding traffic to a less-preferable egress point.

Example:
RD0 (parent) -> RD1 (child)
Routing table: the default gateway for RD0 is 0.0.0.0/0%0.
Pool member: 1.1.1.1/32%1.

The pool member searches for the best egress point, finds nothing in the routing table for route domain 1, and then finds a routing entry from the parent route domain: 0.0.0.0/0%0.

Later, a new gateway for RD1 is added (0.0.0.0/0%1), which is preferable for the 1.1.1.1/32%1 pool member. The 0.0.0.0/0%0 entry should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, in this case 0.0.0.0/0%1.

Conditions:
1. There is more than one route domain in the parent-child relationship.
2. The parent route domain has a routing entry good enough to be selected as the egress point for a routing object (for instance, a pool member) that belongs to the child route domain.
3. The routing entry from the parent route domain is selected as the egress point for the object from the child route domain.
4. A new routing entry is added for the child route domain.

Impact:
If a newly added route is preferable to an existing one in a different route domain, the new, preferable route is not used by a routing object that has previously selected a route. Thus, traffic flows through these routing objects to an unexpected/incorrect egress point. This might result in undesirable behavior:
-- The route might be unreachable, and all traffic for a specific pool member is dropped.
-- The virtual server cannot find an available SNAT address.
-- Simply, the wrong egress interface is being used.

Workaround:
Use either of these workarounds after a new route is added in the child domain.

-- Recreate a route.
Recreate a parent route domain's routes. Restart tmrouted daemon if routes are gathered via routing protocols.

-- Recreate a routing object.
  - If a pool member is affected, recreate the pool member.
  - If a SNAT pool list is affected, recreate it.
  - And so on.

Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table.
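
The lookup-and-cache behavior described above, as an added simulation that is not F5 code or part of this document: a child route domain falls back to its parent, a pool member caches the entry it selected, and only the fixed variant invalidates that cache when a route is added to the child table. Route domain IDs, gateway labels and the pool-member address follow the Symptoms example; class and function names are this example's own.

```python
import ipaddress


class RouteDomain:
    """A route domain with its own routing table and an optional parent.
    Mirrors the RD0 (parent) -> RD1 (child) example above."""

    def __init__(self, rd_id, parent=None):
        self.rd_id = rd_id
        self.parent = parent
        self.routes = []        # (IPv4Network, gateway label) entries
        self.holders = []       # routing objects that search from this RD

    def add_route(self, prefix, gateway, fixed_behaviour):
        self.routes.append((ipaddress.ip_network(prefix), gateway))
        if fixed_behaviour:
            # Fixed behaviour: every routing object that searches from this
            # RD must reselect, whatever RD its cached entry came from.
            for obj in self.holders:
                obj.invalidate()
        # Pre-fix behaviour: cached entries are left alone, even though the
        # new child route would now win the search.

    def lookup(self, addr):
        """Longest-prefix match in this RD; fall back to the parent if nothing
        matches. Returns the selected entry as 'prefix%rd', or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, _gw in self.routes:
            if ip in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        if best is not None:
            return f"{best}%{self.rd_id}"
        if self.parent is not None:
            return self.parent.lookup(addr)
        return None


class PoolMember:
    """A routing object that caches the egress entry it selected."""

    def __init__(self, addr, rd):
        self.addr = addr
        self.rd = rd
        self.selected = None
        rd.holders.append(self)

    def egress(self):
        if self.selected is None:
            self.selected = self.rd.lookup(self.addr)
        return self.selected

    def invalidate(self):
        self.selected = None


def simulate(fixed_behaviour):
    """Replay the example: returns the member's egress entry before and after
    a default route is added to the child route domain RD1."""
    rd0 = RouteDomain(0)
    rd1 = RouteDomain(1, parent=rd0)
    rd0.add_route("0.0.0.0/0", "gw-rd0", fixed_behaviour)
    member = PoolMember("1.1.1.1", rd1)
    before = member.egress()          # nothing in RD1, inherits 0.0.0.0/0%0
    rd1.add_route("0.0.0.0/0", "gw-rd1", fixed_behaviour)
    after = member.egress()           # pre-fix: still 0.0.0.0/0%0
    return before, after


if __name__ == "__main__":
    print("pre-fix:", simulate(False))
    print("fixed:  ", simulate(True))
```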


746877-4 : Omitted check for success of memory allocation for DNSSEC resource record

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.

Conditions:
During memory stress while handling DNSSEC traffic.

Impact:
TMM panic and subsequent interruption of network traffic.

Workaround:
Keeping the workload within normal ranges reduces the probability of encountering this issue.

Fix:
The system now checks for success of memory allocation for DNSSEC resource record, so this issue no longer occurs.


746868 : memory leakage when "apply to base domain" is enabled

Component: Fraud Protection Services

Symptoms:
Memory leaks when "apply to base domain" is enabled. This can result in a crash or aggressive sweeper mode.

Conditions:
"apply to base domain" is enabled in the anti-fraud profile

Impact:
Aggressive connections sweeper mode, and traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


746768-2 : APMD leaks memory if access policy contains variable/resource assign policy items

Component: Access Policy Manager

Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.

Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.

Impact:
APMD's memory footprint will increase whenever the access policy is applied.

Workaround:
There is no workaround.

Fix:
Memory growth has been addressed.


746348-3 : On rare occasions, gtmd fails to process probe responses originating from the same system.

Component: Global Traffic Manager (DNS)

Symptoms:
On rare occasions, some resources are marked 'unavailable', with a reason of 'big3d: timed out' because gtmd fails to process some probe responses sent by the instance of big3d that is running on the same BIG-IP system.

Conditions:
The monitor response from big3d sent to the gtmd on the same device is being lost. Monitor responses sent to other gtmds are sent without issue. The conditions under which this occurs have not been identified.

Impact:
Some resources are marked 'unavailable' on the affected BIG-IP system, while the other BIG-IP systems in the sync group mark the resource as 'available'.

Workaround:
Restart gtmd on the affected BIG-IP system.


746266-4 : A vCMP guest VLAN MAC mismatch across blades.

Component: TMOS

Symptoms:
The vCMP guests running on blades in a single chassis report different MAC addresses on a single VLAN upon host reboot for the vCMP guest.

Conditions:
This issue may be seen when all of the following conditions are met:

-- One or more blades are turned off completely via AOM.
-- There are two VLANs.
-- You deploy a multi-slot guest with the higher lexicographic VLAN, and assign the lower VLAN to the guest.
-- Reboot the host.

Impact:
Incorrect MAC addresses are reported by some blades.

Workaround:
None.

Fix:
There is no longer a vCMP guest VLAN MAC mismatch across blades under these conditions.


746091-4 : TMSH Vulnerability: CVE-2019-19151

Solution Article: K21711352


746077-2 : If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified

Component: Local Traffic Manager

Symptoms:
DHCP-RELAY overwrites the 'giaddr' field containing a non-zero value. This violates RFC 1542.

Conditions:
DHCP-RELAY processes a message whose 'giaddr' field contains a non-zero value.

Impact:
RFC 1542 violation

Workaround:
None.

Fix:
DHCP-RELAY no longer overwrites the 'giaddr' field containing a non-zero value.
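
Added example (not F5 code): the RFC 1542 relay-agent rule that this fix restores, applied to a constructed BOOTREQUEST header, with the pre-fix behavior (always overwriting giaddr) beside the compliant one (setting giaddr only when it is zero). Relay and gateway addresses, the transaction ID and the function names are constructed for this example.

```python
import struct
import ipaddress

# Fixed BOOTP/DHCP header layout (RFC 951 / RFC 2131): 236 bytes before options.
HOPS_OFFSET = 3
GIADDR_OFFSET = 24
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 236


def build_request(giaddr="0.0.0.0", hops=0, xid=0x3903F326):
    """Constructed sample BOOTREQUEST (op=1, Ethernet hardware type).
    chaddr, sname and file are zeroed: only hops and giaddr matter here."""
    return struct.pack(HEADER_FMT, 1, 1, 6, hops, xid, 0, 0,
                       b"\0" * 4, b"\0" * 4, b"\0" * 4,
                       ipaddress.IPv4Address(giaddr).packed,
                       b"\0" * 16, b"\0" * 64, b"\0" * 128)


def get_giaddr(pkt):
    """Return the relay agent address carried in the header as a string."""
    return str(ipaddress.IPv4Address(pkt[GIADDR_OFFSET:GIADDR_OFFSET + 4]))


def _with_fields(pkt, hops, giaddr_bytes):
    b = bytearray(pkt)
    b[HOPS_OFFSET] = hops
    b[GIADDR_OFFSET:GIADDR_OFFSET + 4] = giaddr_bytes
    return bytes(b)


def relay_pre_fix(pkt, relay_ip):
    """The defect described above: the relay unconditionally writes its own
    address into giaddr, discarding the value set by the first relay in the
    path, so the server's reply goes to the wrong relay."""
    return _with_fields(pkt, pkt[HOPS_OFFSET] + 1,
                        ipaddress.IPv4Address(relay_ip).packed)


def relay_rfc1542(pkt, relay_ip):
    """RFC 1542 section 4.1.1: increment hops, and set giaddr only if it is
    zero. A non-zero giaddr is left untouched. (RFC 1542 also has relays drop
    requests whose hop count is too high; that check is omitted here.)"""
    giaddr = pkt[GIADDR_OFFSET:GIADDR_OFFSET + 4]
    if giaddr == b"\0\0\0\0":
        giaddr = ipaddress.IPv4Address(relay_ip).packed
    return _with_fields(pkt, pkt[HOPS_OFFSET] + 1, giaddr)


if __name__ == "__main__":
    req = build_request()
    hop1 = relay_rfc1542(req, "192.0.2.1")
    print("after first relay:", get_giaddr(hop1))                   # 192.0.2.1
    print("RFC 1542 second relay:", get_giaddr(relay_rfc1542(hop1, "198.51.100.1")))
    print("pre-fix second relay:", get_giaddr(relay_pre_fix(hop1, "198.51.100.1")))
```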


745713-2 : TMM may crash when processing HTTP/2 traffic

Solution Article: K94563344


745654-1 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server

Component: Access Policy Manager

Symptoms:
When many TCP connections need a new Kerberos ticket to be fetched from the KDC, websso processes requests more slowly than they arrive. This can lead to low throughput, and the virtual server becomes very slow to respond to requests.

Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.

Impact:
Low throughput and slow responses from Virtual server.

Workaround:
There is no workaround at this time.

Fix:
The size of the websso worker queue has been increased so that tmm and the websso process can communicate effectively. This eliminates the virtual server slowness and increases throughput.


745574-4 : URL is not removed from custom category when deleted

Component: Access Policy Manager

Symptoms:
When the administrator deletes a URL from a custom category, it should be removed from the category and no longer match that category. In certain cases, the URL is not removed effectively.

Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.

Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.

Workaround:
"bigstart restart tmm" will resolve the issue.

Fix:
Made sure that the deletion takes effect properly and SSL traffic is no longer miscategorized after removal of the URL from the custom category.


745405 : Under heavy SSL traffic, sw crypto codec queue is stuck and taken out of service without failover

Component: TMOS

Symptoms:
Under heavy SSL traffic, the software crypto codec queue becomes stuck and is taken out of service, but no failover occurs.

Conditions:
Heavy SSL traffic

Impact:
Traffic is impacted and a large number of SSL handshakes to the BIG-IP are failing.

Workaround:
Increase crypto.queue.timeout to a much larger value (for example, from 100 to 500). Restart the tmm processes for the change to take effect.


745404-3 : MRF SIP ALG does not reparse SDP payload if replaced

Component: Service Provider

Symptoms:
When a SIP message is loaded, the SDP is parsed. If modified or replaced, the system does not reparse the modified payload.

Conditions:
This occurs internally while processing SDP in a SIP message.

Impact:
Changes to the SDP are ignored when creating media pinhole flows.

Workaround:
None.

Fix:
The SDP payload is now reparsed if modified or replaced.


745387-4 : Resource-admin user roles can no longer get bash access

Solution Article: K07702240


745371-3 : AFM GUI does not follow best security practices

Solution Article: K68151373


745358-4 : ASM GUI does not follow best practices

Solution Article: K14812883


745261-3 : The TMM process may crash in some tunnel cases

Component: TMOS

Symptoms:
When Direct Server Return (DSR) or asymmetric routing with a tunnel is deployed, the TMM process may crash.

Conditions:
There are two scenarios that may lead to this issue:

Scenario 1: DSR
- DSR is deployed.


Scenario 2: Asymmetric routing
- The sys db variable connection.vlankeyed is set to 'disable'.
- A VLAN and a tunnel are used to handle asymmetric routing.

Impact:
The TMM process crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The TMM process no longer crashes.


745257-4 : Linux kernel vulnerability: CVE-2018-14634

Solution Article: K20934447


745165-4 : Users without Advanced Shell Access are not allowed SFTP access

Solution Article: K38941195


744959-2 : SNMP OID for sysLsnPoolStatTotal not incremented in stats

Component: Carrier-Grade NAT

Symptoms:
SNMP OID for sysLsnPoolStatTotal is not incremented in stats totals.

Conditions:
This affects all of the global port block allocation (PBA) counters.

Impact:
SNMP OID for sysLsnPoolStatTotal is not incremented when it should be. Stats are not accurate.

Workaround:
None.

Fix:
SNMP OID for sysLsnPoolStatTotal is now incremented in stats totals.


744937-4 : BIG-IP DNS and GTM DNSSEC security exposure

Solution Article: K00724442

Component: Global Traffic Manager (DNS)

Symptoms:
For more information please see: https://support.f5.com/csp/article/K00724442

Conditions:
For more information please see: https://support.f5.com/csp/article/K00724442

Impact:
For more information please see: https://support.f5.com/csp/article/K00724442

Workaround:
None.

Fix:
For more information please see: https://support.f5.com/csp/article/K00724442

Behavior Change:
Note: After installing a version of the software that includes the fix for this issue, you must set the following db variables:

-- dnssec.nsec3apextypesbitmap
-- dnssec.nsec3underapextypesbitmap

These two db variables are used globally (i.e., not per-DNSSEC zone) to configure the NSEC3 types bitmap returned in one-off NODATA responses for apex and under-apex responses, respectively.

When the BIG-IP system is queried for a DNS name in which the DNS name exists and is not of the RR type requested, the NSEC3 types bitmap on the response reflects what you configure for the db variable, minus the queried-for type.

When using these variables:

-- Configure type values as all lowercase.
-- Enclose multiple types in quotation marks (e.g., "txt rrsig").
-- Understand that there is likely no need to change the apex type setting; do so with extreme care. The under-apex settings are what you will find helpful in addressing the negative caching issue.
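
Added example (not F5 code): how a configured type list such as the "txt rrsig" quoted above becomes the NSEC3 Type Bit Maps field of a NODATA response, with the queried-for type removed as described. The encoding follows RFC 4034 section 4.1.2 (the same format NSEC3 uses per RFC 5155); the type-number table and helper names are this example's own.

```python
# RR type numbers (IANA DNS parameters) for the types used in this example.
RR_TYPES = {"a": 1, "ns": 2, "cname": 5, "soa": 6, "mx": 15, "txt": 16,
            "aaaa": 28, "rrsig": 46, "nsec": 47, "dnskey": 48, "nsec3": 50,
            "nsec3param": 51, "caa": 257}


def parse_types_setting(setting):
    """Parse a space-separated type list like "txt rrsig" into type numbers.
    Names must be lowercase, matching the configuration rule above."""
    types = set()
    for tok in setting.split():
        if tok != tok.lower():
            raise ValueError(f"type names must be lowercase: {tok!r}")
        if tok not in RR_TYPES:
            raise ValueError(f"unknown type name: {tok!r}")
        types.add(RR_TYPES[tok])
    return types


def encode_type_bitmap(type_numbers):
    """Encode RR type numbers as a Type Bit Maps field (RFC 4034 s4.1.2):
    one block per 256-type window; each block is the window number, the
    bitmap length (1..32) and the bitmap with trailing zero bytes trimmed.
    Bit 7 of byte 0 corresponds to type window*256 + 0."""
    out = bytearray()
    for window in sorted({t >> 8 for t in type_numbers}):
        bitmap = bytearray(32)
        for t in type_numbers:
            if t >> 8 == window:
                low = t & 0xFF
                bitmap[low >> 3] |= 0x80 >> (low & 7)
        while bitmap and bitmap[-1] == 0:
            bitmap.pop()
        out += bytes([window, len(bitmap)]) + bitmap
    return bytes(out)


def decode_type_bitmap(data):
    """Inverse of encode_type_bitmap; rejects malformed window blocks."""
    types = set()
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window block header")
        window, length = data[pos], data[pos + 1]
        if not 1 <= length <= 32 or pos + 2 + length > len(data):
            raise ValueError("malformed type bitmap")
        for i, byte in enumerate(data[pos + 2:pos + 2 + length]):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.add((window << 8) | (i << 3) | bit)
        pos += 2 + length
    return types


def nodata_bitmap(setting, qtype):
    """Bitmap for a one-off NODATA response under the behavior change above:
    the configured types minus the queried-for type."""
    types = parse_types_setting(setting) - {RR_TYPES[qtype.lower()]}
    return encode_type_bitmap(types)


if __name__ == "__main__":
    print(nodata_bitmap("txt rrsig", "txt").hex())    # 00060000000000 02 -> rrsig only
    print(sorted(decode_type_bitmap(nodata_bitmap("txt rrsig", "a"))))
```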


744707-1 : Crash related to DNSSEC key rollover

Component: Global Traffic Manager (DNS)

Symptoms:
When running out of memory, a DNSKEY rollover event might cause a tmm crash and core dump.

Conditions:
-- System has low memory or is out of memory.
-- DNSKEY rollover event occurs.

Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.

Fix:
Fixed an issue in DNSSEC Key Rollover event that could cause a crash.


744536 : HTTP/2 may garble large headers

Component: Local Traffic Manager

Symptoms:
The HTTP/2 filter may incorrectly encode large headers.

Conditions:
A header that encodes to larger than 2048 bytes.

Impact:
Application functionality may be disrupted because large header values, such as for cookies, may be truncated when passed to the endpoint.

Workaround:
None.

Fix:
The HTTP/2 filter now correctly encodes large HTTP headers.
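
Added example (not F5 code): a minimal HPACK literal-header encoder and decoder (RFC 7541; no Huffman coding, no table indexing) that a practitioner can use to confirm a header value longer than the 2048-byte threshold above survives encoding and decoding intact. The 3000-byte cookie value and the function names are constructed for this example.

```python
def encode_int(value, prefix_bits, first_byte_flags=0):
    """HPACK integer encoding (RFC 7541 s5.1) with an N-bit prefix. Values
    below 2^N - 1 fit in the first byte; larger values spill into 7-bit
    continuation bytes, least significant group first."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([first_byte_flags | value])
    out = bytearray([first_byte_flags | limit])
    value -= limit
    while value >= 128:
        out.append((value % 128) + 128)
        value //= 128
    out.append(value)
    return bytes(out)


def decode_int(buf, pos, prefix_bits):
    """Decode an HPACK integer at buf[pos]; returns (value, next_pos)."""
    limit = (1 << prefix_bits) - 1
    value = buf[pos] & limit
    pos += 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def encode_string(s):
    """String literal (RFC 7541 s5.2): H=0 (raw octets), 7-bit length prefix."""
    return encode_int(len(s), 7) + s


def decode_string(buf, pos):
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded strings are not handled in this example")
    length, pos = decode_int(buf, pos, 7)
    if pos + length > len(buf):
        raise ValueError("string literal runs past end of block")
    return buf[pos:pos + length], pos + length


def encode_literal_header(name, value):
    """Literal Header Field without Indexing, new name (RFC 7541 s6.2.2):
    a 0x00 representation byte followed by two string literals."""
    return b"\x00" + encode_string(name) + encode_string(value)


def decode_literal_header(buf):
    """Decode one header field produced by encode_literal_header; returns
    (name, value, bytes_consumed)."""
    if buf[0] != 0x00:
        raise ValueError("not a literal-without-indexing/new-name field")
    name, pos = decode_string(buf, 1)
    value, pos = decode_string(buf, pos)
    return name, value, pos


if __name__ == "__main__":
    cookie = b"session=" + b"x" * 2992          # 3000-byte value, over the threshold
    block = encode_literal_header(b"cookie", cookie)
    name, value, used = decode_literal_header(block)
    print(len(block), used, value == cookie)    # 3011 3011 True
```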


744516-2 : TMM panics after a large number of LSN remote picks

Component: Carrier-Grade NAT

Symptoms:
TMM panics with the assertion 'nexthop ref valid' failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.

Conditions:
An LSN pool with remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.

Impact:
TMM restarts. Traffic is interrupted.

Workaround:
There is no workaround.

Fix:
TMM no longer panics regardless of the number of remote picks.


744347-1 : Protocol Security logging profiles cause slow ASM upgrade and apply policy

Component: Application Security Manager

Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.

Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.

Impact:
ASM upgrade and apply policy are delayed.

Workaround:
There is no workaround at this time.


744331-1 : OpenSSH hardening

Component: TMOS

Symptoms:
The default OpenSSH configuration does not follow best practices for security hardening.

Conditions:
Administrative SSH access enabled.

Impact:
OpenSSH does not follow best practices.

Fix:
The default OpenSSH configuration includes best practices for security hardening.


744269-3 : dynconfd restarts if FQDN template node deleted while IP address change in progress

Component: Local Traffic Manager

Symptoms:
The dynconfd daemon may crash and restart if an FQDN template node is deleted (by user action or config sync) while ephemeral nodes are being created and deleted as the result of new IP addresses being returned by a recent DNS query.

Conditions:
This may occur on BIG-IP version 14.0.0.3 (and BIG-IP versions 13.1.x or v12.1.x with engineering hotfixes for ID 720799, ID 721621 and ID 726319), under the following conditions:
1. A DNS query returns a different set of IP addresses for one or more FQDN names.
2. While new ephemeral node(s) are being created (for new IP addresses) and deleted (for old IP addresses), an FQDN template node is deleted (either by user action or config sync).

Impact:
The dynconfd daemon crashes and restarts.
Ephemeral nodes may not be updated in a timely manner while the dynconfd daemon is restarting.

Fix:
The dynconfd daemon does not crash and restart if an FQDN template node is deleted while ephemeral nodes are in the process of being created and deleted as the result of new IP addresses being returned by a recent DNS query.


744117-6 : The HTTP URI is not always parsed correctly

Solution Article: K18263026

Component: Local Traffic Manager

Symptoms:
The HTTP URI exposed by the HTTP::uri iRule command, Traffic Policies, or used by ASM is incorrect.

Conditions:
-- HTTP profile is configured.
-- The URI is inspected.

Impact:
If the URI is used for security checks, then those checks might be bypassed.

Workaround:
None.

Fix:
The HTTP URI is parsed in a more robust manner.


744035-3 : APM Client Vulnerability: CVE-2018-15332

Solution Article: K12130880


743950-3 : TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled

Component: Local Traffic Manager

Symptoms:
TMM raises a segmentation violation and restarts.

Conditions:
-- Set up client-side and server-side SSL with:
  + Client Certificate Constrained Delegation (C3D) enabled.
  + OCSP enabled.

-- Supply SSL traffic.

Impact:
Memory leaks when traffic is supplied. When traffic intensifies, more memory leaks occur, and eventually, tmm raises a segmentation fault, crashes, and restarts itself. All SSL connections get terminated. Traffic disrupted while tmm restarts.

Workaround:
Disable C3D.

Fix:
Memory no longer leaks when C3D and OCSP are both enabled with client SSL and server SSL set up.


743815-4 : vCMP guest observes connflow reset when a CMP state change occurs.

Component: TMOS

Symptoms:
There is a connflow reset when a CMP state change occurs on a vCMP guest. The system posts log messages similar to the following: CMP Forwarder expiration.

Conditions:
-- vCMP configured.
-- Associated virtual server has a FastL4 profile with loose init and loose close enabled.

Impact:
This might interrupt a long-lived flow and eventually cause an outage.

Workaround:
None.

Fix:
The system now drops the connflow instead of resetting it.


743803-5 : IKEv2 potential double free of object when async request queueing fails

Component: TMOS

Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.

Conditions:
When an async IPsec crypto operation fails to queue.

Impact:
tmm restarts. All tunnels are lost and must be re-established.

Workaround:
No workaround known at this time.


743790-4 : BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus

Component: TMOS

Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might drop off the PCI bus, resulting in the BIG-IP system not being able to pass traffic. However, no high availability (HA) failover condition is triggered, so the BIG-IP system stays active.

Conditions:
HSB drops off the PCI bus. This occurs in response to certain traffic patterns (an FPGA issue) that have yet to be determined.

Impact:
No failover to standby unit after this error condition, causing site outage.

Workaround:
None.

Fix:
The active BIG-IP system now fails over to the standby when the HSB on the active unit drops off the PCI bus.


743105-5 : BIG-IP SNAT vulnerability CVE-2021-22998

Solution Article: K31934524


743082-3 : Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members

Component: TMOS

Symptoms:
Upgrading to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 might result in a configuration that fails to load due to a stray colon character that gets added to the configuration file.

Conditions:
-- Upgrade from pre-12.1.3 to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2.
-- GTM Pool Members.

Impact:
Configuration fails to load.

Workaround:
Remove the stray colon character from bigip_gtm.conf.

Fix:
Fixed an issue preventing configurations from loading into 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from a version before 12.1.3.


742628-6 : A tmsh session initiation adds increased control plane pressure

Component: TMOS

Symptoms:
Under certain circumstances, the Traffic Management Shell (tmsh) can consume more system memory than expected.

Conditions:
-- Multiple users or remote processes connecting to the BIG-IP administrative command-line interface.

-- You are running certain versions of BIG-IP software, specifically:
   - 12.1.x versions earlier than 12.1.5.3.
   - 13.1.x versions earlier than 13.1.3.4.
   - Any 14.x version earlier than 14.1.4, except 14.1.2.6.
   - 15.0.x versions earlier than 15.0.1.2.
   - 15.1.x versions earlier than 15.1.0.4.

Impact:
Increased control plane pressure. Various delays may occur in both command-line and GUI response. Extreme instances may cause one or more processes to terminate, with potential disruptive effect. Risk of impact from this issue is increased when a large number of automated tmsh sessions are created.

Workaround:
For users with administrative privilege (who are permitted to use the 'bash' shell), the login shell can be changed to avoid invoking tmsh when it may not be needed:

tmsh modify /auth user ADMINUSERNAME shell bash

Fix:
This issue is fixed in the following releases:
-- 12.1.5.3 and later
-- 13.1.3.4 and later
-- 14.1.2.6
-- 14.1.4 and later
-- 15.0.1.2 and later
-- 15.1.0.4 and later
-- 16.0.0 and later


742237-1 : CPU spikes appear wider than actual in graphs

Component: Local Traffic Manager

Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.

Conditions:
CPU usage has spikes.

Impact:
Graphs of CPU spikes appear to last longer than they actually last.

Workaround:
Perform the following procedure:

1. Run the following command to record the 5-second average rather than the 1-second average:

sed -i.bak 's/TMCOLNAME "ratio"/TMCOLNAME "five_sec_avg.ratio"/;s/TMCOLNAME "cpu_ratio_curr"/TMCOLNAME "cpu_ratio_5sec"/g' /config/statsd.conf

2. Restart statsd to load the new configuration:

bigstart restart statsd

Fix:
CPU samples for graphs are now averaged over a longer time to more closely represent the actual time between samples.


742226-3 : TMSH platform_check utility does not follow best security practices

Solution Article: K11330536


742078-1 : Incoming SYNs are dropped and the connection does not time out.

Component: Local Traffic Manager

Symptoms:
There is a hard-coded limit on the number of SYNs forwarded on a FastL4 connection. This might cause a problem when a connection is reused, for example, if a connection is not correctly closed.

Conditions:
-- SYN forwarding on FastL4 connections.
-- The number of SYNs on a single connection reaches the hard-coded limit.

Impact:
If the number of SYNs on a single connection reaches this limit, subsequent incoming SYNs are dropped and the connection might not time out.

Workaround:
There is no workaround.

Fix:
The following command enables the forwarding of an unlimited number of SYNs:
tmsh modify sys db tm.dupsynenforce value disable


741994 : Clean up Webroot database files when the database fails to download

Component: Traffic Classification Engine

Symptoms:
/var partition gets full when the temporary files are not deleted.

Conditions:
When the update process of the wr_urldb encounters errors, the temporary (downloaded/created) files are not deleted, and the /var directory fills with them.

Impact:
/var partition may get full.

Workaround:
Empty /var/wr_urldb/bcdatabase, and restart wr_urldbd to re-download the new database file.

Fix:
With this release, the temp files downloaded during the database download process get deleted when the download fails.


741951-3 : Multiple extensions in SIP NOTIFY request cause message to be dropped.

Component: Service Provider

Symptoms:
When SIP NOTIFY messages are sent with a request URI that contains multiple client extensions, the system does not forward the message as expected.

Conditions:
SIP NOTIFY messages sent with a request URI that contains multiple client extensions.

Impact:
NOTIFY message is not forwarded.

Workaround:
None.

Fix:
Improved SIP URI parser now correctly handles multiple extensions in a URI.


741919-1 : HTTP response may be dropped following a 100 continue message.

Component: Local Traffic Manager

Symptoms:
When a 100 response is quickly followed by another HTTP response (2xx/4xx), the second response might be dropped.

Conditions:
When a 100 response is quickly followed by another HTTP response (i.e., a 2xx/4xx response arrives within a few microseconds).

Impact:
The second response might be dropped, so the end user client might not receive all the HTTP responses coming from the server.

Note: This does not happen all the time, and depends on how the underlying data packets are formed and delivered to the HTTP filter.

Workaround:
You can use either of the following workarounds:
-- Use an iRule to disable the HTTP filter in the HTTP_REQUEST event.

-- Disable LRO by running the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable


741902-4 : sod does not validate message length vs. received packet length

Component: TMOS

Symptoms:
sod may crash or produce unexpected behavior.

Conditions:
If a malformed network failover packet is received by sod, it may cause an invalid memory access.

Impact:
sod may crash, causing a failover.

Workaround:
None.

Fix:
sod validates the received packet length and does not reference invalid memory.


741423-1 : Secondary blade goes offline when provisioning ASM/FPS on already established config-sync

Component: TMOS

Symptoms:
When provisioning ASM for the first time on a device that is already linked in a high availability (HA) config-sync configuration, any other cluster device that is on the trust domain experiences mcpd restarting on all secondary blades due to a configuration error.

The system logs messages similar to the following in /var/log/ltm:
-- notice mcpd[12369]: 010718ed:5: DATASYNC: Done initializing datasync configuration for provisioned modules [ none ].
-- err mcpd[9791]: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.
-- err mcpd[9791]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.... failed validation with error 16908342.
-- notice mcpd[12369]: 0107092a:5: Secondary slot 2 disconnected.

Conditions:
-- Cluster devices are joined in the trust for high availability (HA) or config-sync.
-- Provisioning ASM or FPS on clusters which are already joined in a trust.
-- ASM and FPS have not been provisioned on any of the devices: this is the first ASM/FPS provisioning in the trust.

Impact:
Traffic on all secondary blades is interrupted while mcpd restarts. Then, traffic is resumed.

Workaround:
Before provisioning ASM/FPS (but after setting up a trust configuration):

1. On the device on which ASM/FPS is about to be provisioned, create the datasync-global-dg device group and add all of the available devices.

For example, if there are two devices in the Trust Domain: test1.lab.com and test2.lab.com, and you plan to provision ASM/FPS for the first time on test1.lab.com, first run the following command from test1.lab.com:

tmsh create cm device-group datasync-global-dg devices add { test1.lab.com test2.lab.com }

2. Do not sync the device group.
3. Then on test1.lab.com, you can provision ASM/FPS.

Fix:
Secondary blades no longer go offline when provisioning ASM/FPS on already established high availability (HA) or config-sync configurations.


741108 : tmm dosl7 memory leak when X-Forwarded-For header value contains a long list of comma-separated IP addresses

Component: Application Security Manager

Symptoms:
tmm memory leak can lead to tmm out-of-memory state.

Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- ASM policy has device ID enabled.
-- HTTP profile accept_xff enabled.

Impact:
Unexpected tmm out-of-memory state can be reached, causing sweeper activity and disrupting traffic.

Workaround:
Disable accept_xff in HTTP profile that is assigned to a virtual server along with ASM policy.

Fix:
The leak is now fixed.


740963-3 : VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart

Component: Local Traffic Manager

Symptoms:
VIP-on-VIP traffic might cause TCP retransmit bursts, which in certain situations can cause tmm to restart.

Conditions:
- Virtual server handling TCP traffic.
- iRule using the 'virtual' command.

Impact:
Temporary memory consumption and potential for tmm to restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TCP retransmit bursts are now handled gracefully.


740959-1 : User with manager rights cannot delete FQDN node on non-Common partition

Component: Local Traffic Manager

Symptoms:
A user that has manager rights for a non-Common partition, but not for the /Common partition, may be denied delete privileges for an FQDN template node that is created on the non-Common partition for which the user does have manager rights.

This occurs because ephemeral nodes created from the FQDN template node are 'shared' in the /Common partition, so the delete transaction fails because the user has insufficient permissions to delete the dependent ephemeral nodes on the /Common partition.

Conditions:
-- A user is created with manager rights for a non-Common partition.

-- That user does not have manager rights for the /Common partition.

-- At least one ephemeral node is created from that FQDN template node (due to DNS lookup), which is not also shared by other FQDN template nodes.

-- That user attempts to delete an FQDN template node on the non-Common partition for which the user has manager rights.

Impact:
The transaction to delete the FQDN template node fails due to insufficient permissions. No configuration changes occur as a result of the FQDN template node-delete attempt.

Workaround:
You can use either of the following workarounds:

-- Perform the FQDN template node-delete operation with a user that has manager rights to the /Common partition.

-- Create the FQDN template node on the /Common partition.

Fix:
A user with manager rights for a non-Common partition that has no manager rights to the /Common partition, is now able to successfully delete an FQDN template node created on that non-Common partition.


740777-2 : Secondary blades mcp daemon restart when subroutine properties are configured

Component: Access Policy Manager

Symptoms:
Secondary blades' MCP daemons restart with the following error messages:
-- err mcpd[26818]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested Subroutine Properties (/Common/confirm_10 /Common/confirm_10) was not found.... failed validation with error 16908342.

Conditions:
When a subroutine is configured in the access policy.

Impact:
The secondary blade MCP daemon restarts. Cannot use subroutine in the access policy.

Workaround:
There is no workaround other than not to use subroutines in the access policy.

Fix:
You can now use subroutines in the access policy.


740490-2 : Configuration changes involving HTTP2 or SPDY may leak memory

Component: Local Traffic Manager

Symptoms:
If virtual servers which have HTTP2 or SPDY profiles are updated, then the TMM may leak memory.

Conditions:
-- A virtual server has a HTTP2 or SPDY profile.
-- Any configuration object attached to that virtual server changes.

Impact:
The TMM leaks memory, and may take longer to execute future configuration changes. If the configuration changes take too long, the TMM may be restarted by SOD.

Workaround:
None.

Fix:
The TMM no longer leaks memory when virtual servers that contain a HTTP2 or SPDY profile are reconfigured.


740228-3 : TMM crash while sending a DHCP Lease Query to a DHCP server

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
- DHCP Lease Query is enabled on the BIG-IP system.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes while sending a DHCP Lease Query to a DHCP server.


739971-3 : Linux kernel vulnerability: CVE-2018-5391

Solution Article: K74374841


739970-3 : Linux kernel vulnerability: CVE-2018-5390

Solution Article: K95343321


739963-1 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
To restore the state of the member, remove it and add it back to the pool.


739947-3 : TMM may crash while processing APM traffic

Solution Article: K42465020


739945-1 : JavaScript challenge on POST with 307 breaks application

Component: Application Security Manager

Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.

Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.

Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.

Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.

Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.


739927-1 : Bigd crashes after a specific combination of logging operations

Component: Local Traffic Manager

Symptoms:
Bigd crashes. Bigd core will be generated.

Conditions:
1. Boot the system and set up any monitor.
2. Enable and disable bigd.debug:
-- tmsh modify sys db bigd.debug value enable
-- tmsh modify sys db bigd.debug value disable
3. Enable monitor logging.

Impact:
Bigd crashes.

Workaround:
None.

Fix:
Bigd no longer crashes under these conditions.


739872-3 : The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover

Component: TMOS

Symptoms:
Running the 'load sys config verify' command for a configuration that would alter the high availability (HA) Group score for a Traffic Group can cause the HA group score to be updated.

Conditions:
Run 'load sys config verify' with configuration data that affects a Traffic Group's HA Group score.

Impact:
Unintended failover.

Workaround:
None.

Fix:
HA Group scores are no longer updated when running 'load sys config verify' commands.


739846-4 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection

Component: Global Traffic Manager (DNS)

Symptoms:
When the big3d runs out of memory for iQuery connections, a segmentation fault might occur.

Conditions:
-- Not enough memory to create additional iQuery connections.
-- Receive a new iQuery connection.

Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.

Workaround:
None.

Fix:
The big3d process no longer gets a segmentation fault when reaching the limits of the memory footprint while trying to establish iQuery connections.


739798 : Massive number of log messages being generated and written to the bd.log.

Component: Application Security Manager

Symptoms:
Log messages regarding parameters might fill the bd.log file. The system logs messages similar to the following:

deleting job-> converterd key
deleting p_node

Conditions:
No special conditions are required to cause this to occur.

Impact:
Lots of I/O processing. Potentially large bd.log file.

Workaround:
None.

Fix:
Fixed a scenario that resulted in a massive number of log messages being generated and written to the bd.log.


739744-2 : Import of Policy using Pool with members is failing

Component: Access Policy Manager

Symptoms:
Import of a Policy using a Pool with members fails with an error similar to: Pool member node (/Common/u.x.y.z%0) and existing node (/Common/u.x.y.z) cannot use the same IP Address (u.x.y.z)

Conditions:
The policy has a pool attached to it with a resource assign or chained objects.

Impact:
The policy is not imported on the same box.

Workaround:
There is no workaround at this time.

Fix:
ng-import now imports the policy correctly.


739638-1 : BGP failed to connect with neighbor when pool route is used

Component: Local Traffic Manager

Symptoms:
BGP peering fails to be established.

Conditions:
- Dynamic routing enabled.
- BGP peer connects through a pool route or ECMP route.

Impact:
BGP dynamic route paths are not created.

Workaround:
Use a gateway route.

Fix:
BGP peering can be properly established through a pool route.


739570-1 : Unable to install EPSEC package

Component: Access Policy Manager

Symptoms:
Installation of EPSEC package via tmsh fails with error:

Configuration error: Invalid mcpd context, folder not found (/Common/EPSEC/Images).

Conditions:
-- EPSEC package has never been installed on the BIG-IP device.
-- Running the command:
tmsh create apm epsec epsec-package <package_name>.iso local-path /shared/apm/images/<package_name>.iso

Impact:
First-time installation of EPSEC package through tmsh fails.

Workaround:
You can do a first-time installation of EPSEC with the following commands:

tmsh create sys folder /Common/EPSEC
tmsh create sys folder /Common/EPSEC/Images
tmsh install Upload/<package_name>.iso

Fix:
When EPSEC package is installed through tmsh command, the folder /Common/EPSEC/Images gets created if it does not exist.


739144-1 : Domain logoff scripts runs after VPN connection is closed

Component: Access Policy Manager

Symptoms:
The APM Network Access option 'Execute logoff scripts on connection termination' does not work, because the script runs after the VPN connection is closed.

Conditions:
Following options configured for Microsoft Windows clients:
* Synchronize with Active Directory policies on connection establishment.
and
* Execute logoff scripts on connection termination.

-- Windows client is part of a domain.
-- Domain logoff script is not available without VPN connection.

Impact:
'Execute logoff scripts on connection termination' does not work, because the script runs after the VPN connection is closed.

Workaround:
None.

Fix:
Changes in APM client allow it to wait until domain logoff script execution completes before closing VPN connection, so this issue no longer occurs.


739094-4 : APM Client Vulnerability: CVE-2018-5546

Solution Article: K54431371


738945-1 : SSL persistence does not work when there are multiple handshakes present in a single record

Component: Local Traffic Manager

Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.

Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.

Impact:
The SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded to the server, but then the connection stalls and eventually hits the idle timeout.

Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.

After changing or disabling persistence, the transaction succeeds and no longer hangs.


738943-1 : imish command hangs when ospfd is enabled

Component: TMOS

Symptoms:
- dynamic routing enabled
- ospfd protocol enabled
- imish hangs

Conditions:
- running imish command

Impact:
Unable to show dynamic routing state using imish.

Workaround:
Restart the ospfd daemon.


738887-2 : BIG-IP SNMPD vulnerability CVE-2019-6608

Component: TMOS

Symptoms:
https://support.f5.com/csp/article/K12139752

Conditions:
https://support.f5.com/csp/article/K12139752

Impact:
https://support.f5.com/csp/article/K12139752

Workaround:
https://support.f5.com/csp/article/K12139752

Fix:
https://support.f5.com/csp/article/K12139752


738789-3 : ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog

Component: Application Security Manager

Symptoms:
ASM blocks requests when a request payload is an XML document with a prolog line at the beginning containing encoding="us-ascii".

Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- ASM handles XML traffic with encoding="us-ascii" (use of the value encoding="us-ascii" is very uncommon, the typical value is encoding="utf-8").

Impact:
Blocked XML requests.

Workaround:
You can use either of the following workarounds:

-- Remove XML profile from a URL in the ASM policy.

-- Disable XML malformed document detection via ASM policy blocking settings.

Fix:
XML parser now supports encoding="us-ascii".


738669-3 : Login validation may fail for a large request with early server response

Component: Fraud Protection Services

Symptoms:
In the case of a large request/response, if FPS needs to store ingress and egress chunks in a buffer for additional processing (ingress: for parameter parsing; egress: for login validation's banned/mandatory string check or script injection) and the server responds quickly enough, the buffer may contain mixed parts of the request and response. This may have several effects, from incorrectly performing login validation to generating a tmm core file.

Conditions:
-- Login validation is enabled and configured to check for banned/mandatory string.
-- A username parameter is configured.
-- There are no parameters configured for encrypt/HTML Field Obfuscation (HFO), and no decoy parameters.
-- There is a large request and response.
-- The server responds very quickly.

Impact:
This results in one or more of the following:
-- Login validation failure/skip.
-- Bad response/script injection.
-- tmm core. In this case, traffic is disrupted while tmm restarts.

Workaround:
None.

Fix:
FPS now handles ingress/egress buffers separately, so this issue no longer occurs.


738647-1 : Add the login detection criteria of 'status code is not X'

Component: Application Security Manager

Symptoms:
There is a criterion needed to detect successful login.

Conditions:
Attempting to detect successful login when the response code is not X (where X is some status code).

Impact:
Cannot configure login criteria.

Workaround:
None.

Fix:
This release adds a new criterion to the login criteria.


738523-3 : SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages

Component: Local Traffic Manager

Symptoms:
When monitoring an SMTP server that emits multi-line '250' responses to the initial 'HELO' message, the monitor fails. If monitor logging is enabled on the pool member, the system posts an error similar to the following in the monitor log:

09:50:08.580145:(_Tcl /Common/mysmtp): ERROR: failed to complete the transfer, Failed to identify domain.

Conditions:
-- Monitoring an SMTP server.
-- SMTP server is configured to return a multi-line '250' response to the initial 'HELO' message.

Impact:
The pool member is marked down even though it is actually up.

Workaround:
None.

Fix:
The system now handles multi-line '250' responses to the initial 'HELO' message.
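The failure above comes down to how a client reads an SMTP reply. RFC 5321 section 4.2.1 allows a reply to span several lines: every line except the last carries the 3-digit code followed by '-', and the final line carries the code followed by a space. A check that only recognises '250 ' as success misreads a '250-' first line as a failed handshake. The following is an added example, not F5 monitor code, showing a reply reader that consumes continuation lines and extracts the server domain from either form; the sample replies are constructed.

```python
"""Added example (not F5 monitor code): reading an SMTP reply that may span
several lines, as RFC 5321 section 4.2.1 specifies. Sample replies are
constructed."""
from typing import List, Tuple

# Constructed sample replies to HELO, as a monitor would read them.
SINGLE_LINE_REPLY = ["250 mail.example.net Hello client.example.org"]
MULTI_LINE_REPLY = [
    "250-mail.example.net Hello client.example.org",
    "250-SIZE 35882577",
    "250-8BITMIME",
    "250 STARTTLS",
]


def read_reply(lines: List[str]) -> Tuple[int, List[str], int]:
    """Consume one complete reply from the front of `lines`.

    Returns (code, text of each line, number of lines consumed). Raises
    ValueError if a line is malformed, the code changes mid-reply, or the
    reply ends before its final line (a truncated read)."""
    code = None
    texts: List[str] = []
    for i, raw in enumerate(lines):
        line = raw.rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed reply line: {line!r}")
        this_code = int(line[:3])
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError(f"reply code changed from {code} to {this_code}")
        sep = line[3:4]
        texts.append(line[4:])
        if sep == "-":
            continue  # continuation line: keep reading
        if sep in ("", " "):
            return code, texts, i + 1  # final line of the reply
        raise ValueError(f"unexpected separator after code: {line!r}")
    raise ValueError("truncated reply: final line never arrived")


def helo_domain(lines: List[str]) -> str:
    """Server domain from a 250 reply to HELO: first token of the first line.
    Works for single-line and multi-line replies alike."""
    code, texts, _ = read_reply(lines)
    if code != 250:
        raise ValueError(f"HELO rejected with {code}")
    first = texts[0].split()
    if not first:
        raise ValueError("250 reply carries no domain")
    return first[0]


def single_line_only_accepts(lines: List[str]) -> bool:
    """The failure mode described above: a check that only recognises
    '250 ' as success treats a '250-' first line as a failed handshake."""
    return lines[0].startswith("250 ")
```

`helo_domain` returns `mail.example.net` for both sample replies, while `single_line_only_accepts` rejects the multi-line one; a reply whose final line never arrives raises rather than being silently accepted.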


738521-2 : i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.

Component: Local Traffic Manager

Symptoms:
A trunk configured between a BIG-IP i4x00/i2x00 platform and an upstream switch may go down due to the presence of the VLAN tag.

Conditions:
LACP configured between a BIG-IP i4x00/i2x00 platform and an upstream switch.

Impact:
Trunks are brought down by upstream switch.

Workaround:
There are two workarounds:

-- Configure the trunk as 'untagged' in one of the VLANs in which it's configured.
-- Disable LACP.

Fix:
The system no longer transmits a VLAN tag for LACP PDUs, so this issue no longer occurs.


738445-1 : IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup

Component: TMOS

Symptoms:
INVALID_SPI notification does not delete the IPsec-SA with the SPI value that appears in the notify payload. This occurs because the handler of INVALID-SPI notifications performs the following incorrect actions:

-- Fetches SPI from payload as if it's a string, rather than the network byte order integer it actually is.

-- Attempts phase 2 lookup via selector ID (reqid) rather than SPI.

Either alone prevents finding the SA to delete.

Conditions:
An IKEv1 IPsec peer sends an INVALID-SPI notification to the BIG-IP system.

Impact:
The IPsec-SA with that SPI cannot be found and is not deleted.

Workaround:
From the BIG-IP command line, you can still manually delete any IPsec-SA, including the invalid SPI, using the following command:
# tmsh delete net ipsec ipsec-sa spi <spi number>

Fix:
SPI is now extracted correctly from the payload as a binary integer, and the phase 2 SA lookup is done with a proper SPI search, which also requires a match in the peer address.
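The two defects described in this entry are independent, and either alone defeats the deletion: the SPI must be read from the notify data as a 4-byte network-byte-order integer, and the phase 2 SA must then be looked up by that SPI together with the peer address, not by the local selector ID (reqid). The following is an added example, not F5 racoon code, that contrasts the correct extraction and lookup with both defective variants; the SA table, peer addresses and payload bytes are constructed.

```python
"""Added example (not F5 racoon code): reading the SPI from an IKEv1
INVALID-SPI notify payload and looking up the phase 2 SA by (peer, SPI).
The SA table and payloads below are constructed for illustration."""
import struct
from typing import Dict, Optional, Tuple

SaKey = Tuple[str, int]  # (peer address, SPI)


def build_sa_table() -> Dict[SaKey, dict]:
    """Constructed phase 2 SA table; reqid is a local selector ID only."""
    return {
        ("198.51.100.7", 0xC0A80001): {"reqid": 1, "proto": "ESP"},
        ("198.51.100.7", 0x30303130): {"reqid": 2, "proto": "ESP"},
    }


def spi_from_notify(data: bytes) -> int:
    """Correct: unpack the SPI as an unsigned 32-bit big-endian integer."""
    if len(data) < 4:
        raise ValueError("notify data too short for a 4-byte SPI")
    (spi,) = struct.unpack("!I", data[:4])
    return spi


def spi_as_text(data: bytes) -> Optional[int]:
    """First defect: treating the SPI bytes as a decimal string.
    Non-ASCII bytes cannot be parsed at all, and ASCII digits give a value
    that is not the SPI (b'0010' reads as 10, but the SPI is 0x30303130)."""
    try:
        return int(data[:4].decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None


def lookup_by_reqid(sas: Dict[SaKey, dict], value: int) -> Optional[SaKey]:
    """Second defect: searching the selector ID (reqid) space with an SPI
    value. It only ever matches by coincidence, never the SA the peer named."""
    for key, sa in sas.items():
        if sa["reqid"] == value:
            return key
    return None


def handle_invalid_spi(sas: Dict[SaKey, dict], peer: str, data: bytes) -> Optional[SaKey]:
    """Delete the phase 2 SA named by the notification. The lookup is by
    SPI and requires the peer address to match; returns the key deleted,
    or None if no such SA exists for that peer."""
    key = (peer, spi_from_notify(data))
    if key in sas:
        del sas[key]
        return key
    return None
```

With the constructed table, a notification from `198.51.100.7` naming SPI `c0a80001` deletes exactly that SA; the same bytes read as text yield nothing, the reqid search finds nothing, and the same SPI from a different peer address is ignored.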


738397-2 : SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.

Component: Access Policy Manager

Symptoms:
For a BIG-IP system configured as IdP, in the SAML-IdP-initiated case: If the IdP has a Per-Request policy (in addition to a V1 policy), such that the Per-Request policy has a subroutine or a subroutine macro with a logon page, the system reports access failure on running the policy.

The error logged is similar to the following: '/Common/sso_access:Common:218f759e: Authorization failure: Denied request for SAML resource /Common/saml_resource_obj1&state=000fffff032db022'.

Conditions:
-- BIG-IP system configured as IdP.
-- SAML IdP initiated case in which the following is true:
  + The IdP has a Per-Request policy (in addition to a V1 policy).
  + That Per-Request policy has a subroutine or a subroutine macro with a logon page.

Impact:
Access is denied. The request URI has '&state=<per-flow-id>' appended to the SAML Resource name.

Workaround:
None.

Fix:
The system now checks for additional query parameters in the request_uri while extracting the Resource name, so it is not incorrectly set to 'ResourceName&state=<per-flow-id>', which caused the access failure.


738236-3 : UCS does not follow current best practices

Solution Article: K25607522


738119-3 : SIP routing UI does not follow best practices

Solution Article: K23566124


738046-3 : SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby

Component: Local Traffic Manager

Symptoms:
For FastL4 connections, SERVER_CONNECTED currently doesn't fire on the standby device. If the standby device then becomes active, the first packet from the server on an existing FastL4 connection causes SERVER_CONNECTED to fire. Depending on what the iRule does in SERVER_CONNECTED, a variety of results can occur, including TMM coring due to commands being executed in unexpected states.

Conditions:
-- High availability configuration.
-- Mirrored FastL4 virtual server.
-- Attached iRule contains a SERVER_CONNECTED event.

Impact:
SERVER_CONNECTED does not fire when expected on standby device. When the standby device becomes active, the SERVER_CONNECTED iRule may cause TMM to core with traffic being disrupted while TMM restarts.

Workaround:
None.

Fix:
SERVER_CONNECTED now fires when expected on the standby device.


737998 : Brute Force end attack condition isn't satisfied for successful logins only

Component: Application Security Manager

Symptoms:
When a brute force attack is detected and prevented by ASM, ASM continues to prevent login attempts even if the attacking traffic stopped 5 minutes ago.

Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- ASM Brute Force protection enabled in the asm policy
- There is an ongoing brute force attack on the backend server.

Impact:
ASM does not report that the brute force attack has finished, and login mitigation continues.

Workaround:
During an ongoing, endless brute force attack, change an arbitrary field in the brute force configuration and apply the policy. A brute force attack end event is triggered and the system stops brute force prevention. If the attacking traffic is still being sent, a new brute force attack event is raised and the mitigation reoccurs.

Fix:
Fixed the brute force end condition check for the case when only successful logins are sent.


737910-1 : Security hardening on the following platforms

Solution Article: K18535734


737758-1 : MPTCP Passthrough and VIP-on-VIP can lead to TMM core

Component: Local Traffic Manager

Symptoms:
If a FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled, TMM may produce a core upon receiving certain traffic.

Conditions:
A FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with a TCP profile attached that has MPTCP passthrough enabled, and certain traffic is received.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not using an iRule with the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled.

Fix:
If MPTCP passthrough is enabled, the system now processes incoming MPTCP connections coming from the loop device as if MPTCP is disabled.


737731-3 : iControl REST input sanitization

Solution Article: K44885536


737597 : AVR DoS Attack report misses virtual server name in a specific config

Component: Application Visibility and Reporting

Symptoms:
In Security :: Reporting : DoS : Network, the report shows the attack, but categorizes the attack under 'Aggregated' in the Virtual Server name value, rather than the actual name of the Virtual Server on which the attack is happening.

Conditions:
-- A Virtual Server is configured with an IP/subnet range.

For example,
-- Virtual Server with Destination Address: 10.10.10.0/27 (meaning the destination range is 10.10.10.32 - 10.10.10.63).
-- Destination Address of the Client Traffic and Attack: 10.10.10.63

AVR Reporting does not resolve the attack to any specific Virtual Server, but instead categorizes it as 'Aggregate'.

Impact:
AVR report missing the Virtual Server information.

Workaround:
None.


737574-3 : iControl REST input sanitization

Solution Article: K20541896


737565-3 : iControl REST input sanitization

Solution Article: K20445457


737442-1 : Error in APM Hosted Content when set to public access

Solution Article: K32840424


737441-1 : Disallow hard links to svpn log files

Solution Article: K54431371


737437-1 : IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages

Component: TMOS

Symptoms:
The BIG-IP system might fail to re-establish an IKEv1 phase 1 security association (ISAKMP-SA) when the Initiator starts the exchange using UDP port 4500. The exchange progresses to the point of NAT detection, whereupon the BIG-IP system stops using the Non-ESP marker and sends malformed ISAKMP.

Conditions:
All of the following must be true:
-- The BIG-IP system is an IKEv1 Responder.
-- ISAKMP phase 1 negotiation starts on UDP port 4500.
-- NAT is detected on only one side during the phase 1 exchange.

Impact:
-- Establishment of an ISAKMP-SA will fail until the peer device switches to UDP port 500.
-- The remote peer may send INVALID-SPI messages quoting SPI numbers that do not exist.

Workaround:
To help work around this issue, you can try the following:
-- Make sure the BIG-IP system is always the Initiator.
-- Bypass NAT.
-- Configure both the BIG-IP system and remote peer to use address IDs that are not the same as the IP addresses used in the ISAKMP exchange, thus causing the BIG-IP system to think there is NAT on both sides.

Fix:
The BIG-IP system now keeps the Non-ESP marker when NAT is detected.


737389 : Kern.log contains many messages: warning kernel: Tracklist initialized; Tracklist destroyed

Component: TMOS

Symptoms:
There may be a large number of messages in /var/log/kern.log similar to the following:

Tracklist initialized
Tracklist destroyed

Conditions:
This can happen when vCMP is provisioned, which enables SR-IOV mode.

Impact:
It causes messages to show up in /var/log/kern.log, but does not affect traffic. This is a cosmetic issue and does not indicate a functionality issue.

Workaround:
None.

Fix:
Tracklist is now disabled, so this issue no longer occurs.


737332-2 : It is possible for DNSX to serve partial zone information for a short period of time

Component: Global Traffic Manager (DNS)

Symptoms:
During zone transfers into DNS Express, partial zone data may be available until the transfer completes.

Conditions:
-- Two zones being transferred during the same time period
  + zone1.example.net
  + zone2.example.net

-- Transfer of zone1 has started, but not finished.

-- zone2 starts a transfer and finishes before zone1 finishes, meaning that the database might be updated with all of the zone2 data, and only part of the zone1 data.

Impact:
Partial zone data will be served, including possible NXDOMAIN or NODATA messages. This happens until zone1 finishes and saves to the database, at which time both zones' data will be complete and correct.

Workaround:
The workaround is to limit the number of concurrent transfers to 1. However this severely limits the ability of DNS Express to update zones in a timely fashion if there are many zones and many updates.

Fix:
All zone transfers are now staged until they are complete. The zone transfer data is then saved to the database. Only when the zone data has completed updating to the database will the data be available to queries.
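The fix described here is a staging pattern: a transfer fills a private copy of the zone and the live table is switched to it only once the transfer is complete, so a query never observes a half-loaded zone even when two transfers overlap. The following is an added example, not F5 DNS Express code, that contrasts a store writing records into the live table as they arrive with one that stages and swaps; the zone names and records are constructed.

```python
"""Added example (not F5 DNS Express code): a zone store that stages an
inbound transfer and publishes it atomically, compared with one that writes
into the live table as records arrive. Zone names and records are constructed."""
from typing import Dict


class ZoneStore:
    """staged=True models the fixed behaviour, staged=False the old one."""

    def __init__(self, staged: bool) -> None:
        self.staged = staged
        self._live: Dict[str, Dict[str, str]] = {}     # zone -> {name: rdata}
        self._staging: Dict[str, Dict[str, str]] = {}  # transfers in progress

    def begin_transfer(self, zone: str) -> None:
        if self.staged:
            self._staging[zone] = {}   # live copy, if any, keeps serving
        else:
            self._live[zone] = {}      # old behaviour: rebuilt in place

    def add_record(self, zone: str, name: str, rdata: str) -> None:
        table = self._staging if self.staged else self._live
        table[zone][name] = rdata

    def finish_transfer(self, zone: str) -> None:
        if self.staged:
            self._live[zone] = self._staging.pop(zone)  # single atomic swap

    def lookup(self, zone: str, name: str) -> str:
        """rdata, 'NXDOMAIN' if the zone is live but the name is absent,
        or 'REFUSED' if the zone has never been loaded."""
        if zone not in self._live:
            return "REFUSED"
        return self._live[zone].get(name, "NXDOMAIN")


def load_zone(store: ZoneStore, zone: str, records: Dict[str, str]) -> None:
    """A complete, uninterrupted transfer of one zone."""
    store.begin_transfer(zone)
    for name, rdata in records.items():
        store.add_record(zone, name, rdata)
    store.finish_transfer(zone)


def overlapping_transfers(staged: bool) -> Dict[str, str]:
    """Replay the scenario from the entry above: a refresh of zone1 is in
    flight when zone2's transfer starts and completes. Returns what queries
    observed mid-transfer and after zone1 finished."""
    z1, z2 = "zone1.example.net", "zone2.example.net"
    store = ZoneStore(staged)
    load_zone(store, z1, {"www.zone1.example.net": "192.0.2.10",
                          "mail.zone1.example.net": "192.0.2.11"})
    # A refresh of zone1 starts; only its first record has arrived so far.
    store.begin_transfer(z1)
    store.add_record(z1, "www.zone1.example.net", "192.0.2.12")
    # zone2 transfers completely while zone1 is still in flight.
    load_zone(store, z2, {"www.zone2.example.net": "192.0.2.20"})
    observed = {
        "mid_mail_zone1": store.lookup(z1, "mail.zone1.example.net"),
        "mid_www_zone2": store.lookup(z2, "www.zone2.example.net"),
    }
    # The rest of zone1 arrives and the transfer completes.
    store.add_record(z1, "mail.zone1.example.net", "192.0.2.11")
    store.finish_transfer(z1)
    observed["after_www_zone1"] = store.lookup(z1, "www.zone1.example.net")
    observed["after_mail_zone1"] = store.lookup(z1, "mail.zone1.example.net")
    return observed
```

Mid-transfer, the unstaged store answers NXDOMAIN for `mail.zone1.example.net` even though the name exists, which is the spurious negative answer the entry warns about; the staged store keeps serving the previous copy until the swap. Either way zone2 is complete and correct, since its transfer was never interrupted.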


737322-1 : tmm may crash at startup if the configuration load fails

Component: TMOS

Symptoms:
Under certain circumstances, tmm may crash at startup if the configuration load fails.

Conditions:
This might occur after a configuration loading failure during startup, when TMM might take longer than usual to be ready.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes at startup if the configuration load fails.


737055-3 : Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy

Component: TMOS

Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you cannot login to the Configuration Utility. Instead the system presents a blank page, as the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP system.

Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.

Impact:
You are unable to login to the Configuration Utility.

Workaround:
Configure the Reverse Proxy to place the IP address of the BIG-IP system in the Referer header.


735832-2 : RAM Cache traffic fails on B2150

Component: Performance

Symptoms:
Rendering pages from RAM Cache fails. System does not pass RAM Cache traffic on B2150 platform.

Conditions:
-- VIPRION B2150 blade.
-- Attempting to pass traffic from RAM Cache.

Impact:
B2150 does not pass any RAM Cache traffic.

Workaround:
None.

Fix:
RAM Cache traffic now succeeds on B2150.


735565-3 : BGP neighbor peer-group config element not persisting

Component: TMOS

Symptoms:
The neighbor peer-group configuration element does not persist after restart.

Conditions:
- dynamic routing enabled
- BGP neighbor configured with peer-group
- BIG-IP or tmrouted daemon restart

Impact:
BGP peer-group configuration elements don't persist

Workaround:
Reconfigure the BGP neighbor peer-group after restart.

Fix:
BGP neighbor peer-group configuration is now properly saved to the configuration and persists after restart.


734622 : Policy change with newly enforced signatures causes sig collection failure in other policies

Solution Article: K83093212

Component: Application Security Manager

Symptoms:
An ASM policy change with newly enforced signatures causes a signature collection failure in all other policies.

Conditions:
An ASM policy is changed by adding newly enforced signatures.

Impact:
Signature collection failures are logged for all other policies.

Workaround:
For each other policy on the device, make a spurious change (such as modifying policy description and saving) and apply the policy. Alternatively, a new user-defined signature which would be included in enforcement can be spuriously added and then immediately removed.


734539-2 : The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads

Component: TMOS

Symptoms:
When an IKEv1 peer sends an INVALID-SPI payload, and BIG-IP system cannot find the phase-two Security Association (SA) for that SPI but can find phase-one SA involved; the racoon daemon may crash if there are additional INVALID-SPI payloads afterward.

Conditions:
-- An INVALID-SPI notification is received.
-- That phase-two SA is already gone.
-- The phase-one parent SA is still around.
-- Subsequent notification INVALID-SPI payloads involve the same phase-one SA.

Impact:
The v1 racoon daemon cores, interrupting traffic until new tunnels can be established after racoon restarts.

Workaround:
There is no workaround at this time.

Fix:
The system no longer destroys the parent phase-one SA when an INVALID-SPI notification cannot find the target phase-two SA, so this issue does not occur.


734527-4 : BGP 'capability graceful-restart' for peer-group not properly advertised when configured

Component: TMOS

Symptoms:
A BGP neighbor uses a peer-group with 'capability graceful-restart' enabled (which is the default). However, on the system, the peer-group defaults to disabled. Because there is no config statement to enable 'capability graceful-restart' after restart, it is turned off after config load, which also turns it off for any BGP neighbor using the peer-group.

Conditions:
- Neighbor configured to use peer-group.
- Peer-group configured with capability graceful-restart, but with the default: disabled.

Impact:
Because peer-group is set to disable by default, and there is no operation to enable it after restart, 'capability graceful-restart' gets turned off after config load, and neighbors using it from peer-