Supplemental Document : BIG-IP 13.1.3.5 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 13.1.3

BIG-IP APM

  • 13.1.3

BIG-IP Analytics

  • 13.1.3

BIG-IP LTM

  • 13.1.3

BIG-IP Link Controller

  • 13.1.3

BIG-IP AFM

  • 13.1.3

BIG-IP PEM

  • 13.1.3

BIG-IP DNS

  • 13.1.3

BIG-IP FPS

  • 13.1.3

BIG-IP ASM

  • 13.1.3

BIG-IP Release Information

Version: 13.1.3.5
Build: 5.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

Cumulative fixes from BIG-IP v13.1.3.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release
Known Issues in BIG-IP v13.1.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
935721-3 CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 K82252291 ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624
912221-3 CVE-2020-12662
CVE-2020-12663
K37661551 CVE-2020-12662 & CVE-2020-12663
891457-5 CVE-2020-5939 K75111593 NIC driver may fail while transmitting data
882189-4 CVE-2020-5897 K20346072 BIG-IP Edge Client for Windows vulnerability CVE-2020-5897
882185-4 CVE-2020-5897 K20346072 BIG-IP Edge Client Windows ActiveX
881317-3 CVE-2020-5896 K15478554 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896
881293-4 CVE-2020-5896 K15478554 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896
879745-5 CVE-2020-5942 K82530456 TMM may crash while processing Diameter traffic
879025-6 CVE-2020-5913 K72752002 When processing TLS traffic, LTM may not enforce certificate chain restrictions
846917-5 CVE-2019-10744 K47105354 lodash Vulnerability: CVE-2019-10744
839453-2 CVE-2019-10744 K47105354 lodash library vulnerability CVE-2019-10744
788057-1 CVE-2020-5921 K00103216 MCPD may crash while processing syncookies
917005-3 CVE-2020-8619 K19807532 ISC BIND Vulnerability: CVE-2020-8619
889557-3 CVE-2019-11358 K20455158 jQuery Vulnerability CVE-2019-11358
881445-4 CVE-2020-5898 K69154630 BIG-IP Edge Client for Windows vulnerability CVE-2020-5898
856961-4 CVE-2018-12207 K17269881 INTEL-SA-00201 MCE vulnerability CVE-2018-12207
848405-1 CVE-2020-5933 K26244025 TMM may consume excessive resources while processing compressed HTTP traffic
842717-3 CVE-2020-5855 K55102004 BIG-IP Edge Client for Windows vulnerability CVE-2020-5855
816413-4 CVE-2019-1125 K31085564 CVE-2019-1125: Spectre SWAPGS Gadget
778049-6 CVE-2018-13405 K00854051 Linux Kernel Vulnerability: CVE-2018-13405
888493-5 CVE-2020-5928 K40843345 ASM GUI Hardening
852929-2 CVE-2020-5920 K25160703 AFM WebUI Hardening
818213-6 CVE-2019-10639 K32804955 CVE-2019-10639: KASLR bypass using connectionless protocols
818177-1 CVE-2019-12295 K06725231 CVE-2019-12295 Wireshark Vulnerability
773693-3 CVE-2020-5892 K15838353 CVE-2020-5892: APM Client Vulnerability
682352-2 CVE-2017-3735 K21462542 OpenSSL vulnerability CVE-2017-3735
834533-4 CVE-2019-15916 K57418558 Linux kernel vulnerability CVE-2019-15916


Functional Change Fixes

ID Number Severity Solution Article(s) Description
890229-4 3-Major   Source port preserve setting is not honored
738330-1 3-Major   /mgmt/toc endpoint issue after configuring remote authentication
657912-3 3-Major   PIM can be configured to use a floating self IP address
745465-3 4-Minor   The tcpdump file does not provide the correct extension


TMOS Fixes

ID Number Severity Solution Article(s) Description
749738-2 1-Blocking   After upgrade to 13.1.3.3 or 13.1.3.4, B2250 blades may fail to detect HSB and have restarting chmand
910201-5 2-Critical   OSPF - SPF/IA calculation scheduling might get stuck infinitely
896217-5 2-Critical   BIG-IP GUI unresponsive
860517-4 2-Critical   MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
829677-4 2-Critical   .tmp files in /var/config/rest/ may cause /var directory exhaustion
812237-3 2-Critical   i10000 series appliances with HDVC part number 505-0030 missing name in show sys hardware and on LCD
810593-4 2-Critical K10963690 Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade
796601-6 2-Critical   Invalid parameter in errdefsd while processing hostname db_variable
770989-1 2-Critical   Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x.
769817 2-Critical   BFD fails to propagate sessions state change during blade restart
769581 2-Critical   Timeout when sending many large requests iControl Rest requests
706521-5 2-Critical   The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password
924493-5 3-Major   VMware EULA has been updated
915825-5 3-Major   Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
908021-3 3-Major   Management and VLAN MAC addresses are identical
898705-2 3-Major   IPv6 static BFD configuration is truncated or missing
888497-5 3-Major   Cacheable HTTP Response
887089-5 3-Major   Upgrade can fail when filenames contain spaces
871657-3 3-Major   Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
867013-5 3-Major   Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout
858197-4 3-Major   Merged crash when memory exhausted
846441-4 3-Major   Flow-control is reset to default for secondary blade's interface
846137-5 3-Major   The icrd returns incorrect route names in some cases
814585-5 3-Major   PPTP profile option not available when creating or modifying virtual servers in GUI
810821-4 3-Major   Management interface flaps after rebooting the device
810381-1 3-Major   The SNMP max message size check is being incorrectly applied.
808281 3-Major   OVA/Azure template sets '/var' partition with not enough space
802685-4 3-Major   Unable to configure performance HTTP virtual server via GUI
802281-4 3-Major   Gossip shows active even when devices are missing
797829-3 3-Major   The BIG-IP system may fail to deploy new or reconfigure existing iApps
795649-2 3-Major   Loading UCS from one iSeries model to another causes FPGA to fail to load
788577 3-Major   BFD sessions may be reset after CMP state change
783113 3-Major   BGP sessions remain down upon new primary slot election
767737-3 3-Major   Timing issues during startup may make an HA peer stay in the inoperative state
755197-1 3-Major   UCS creation might fail during frequent config save transactions
754971-1 3-Major   OSPF inter-process redistribution might break OSPF route redistribution of various types.
751021-3 3-Major   One or more TMM instances may be left without dynamic routes.
750194-2 3-Major   Moderate: net-snmp security update
746704-1 3-Major   Syslog-ng Memory Leak
745261-1 3-Major   The TMM process may crash in some tunnel cases
740589-3 3-Major   Mcpd crash with core after 'tmsh edit /sys syslog all-properties'
737098-3 3-Major   ASM Sync does not work when the configsync IP address is an IPv6 address
725985-1 3-Major   REST API takes more than 20 seconds when 1000+ virtual servers with SNAT-Pool configured
720569-1 3-Major   BIG-IP Source IP cmp-hash setting is distributing traffic unequally
707320-2 3-Major   Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs
705655-2 3-Major   Virtual address not responding to ICMP when ICMP Echo set to Selective
699091-2 3-Major   SELinux denies console access for remote users.
658715-1 3-Major   Mcpd crash
615934-3 3-Major   Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
605675-2 3-Major   Sync requests can be generated faster than they can be handled
489572-3 3-Major K60934489 Sync fails if file object is created and deleted before sync to peer BIG-IP
902417-5 4-Minor   Configuration error caused by Drafts folder in a deleted custom partition
890277-1 4-Minor   Full config sync to a device group operation takes a long time when there are a large number of partitions.
864757-1 4-Minor   Traps that were disabled are enabled after configuration save
831293-2 4-Minor   SNMP address-related GET requests slow to respond.
804309-3 4-Minor   [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument
801637-1 4-Minor   Cmp_dest on C2200 platform may give incorrect results
779857-4 4-Minor   Misleading GUI error when installing a new version in another partition
692165-1 4-Minor   A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token
591732-3 4-Minor   Local password policy not enforced when auth source is set to a remote type.
583084-10 4-Minor K15101680 iControl produces 404 error while creating records successfully
714176-4 5-Cosmetic   UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
946581 2-Critical   HTTP RFC enforcement feature can reset the connection and leak the memory.
941089-4 2-Critical   TMM core when using Multipath TCP
909837-3 2-Critical   TMM may consume excessive resources when AFM is provisioned
898949-4 2-Critical   APM may consume excessive resources while processing VPN traffic
851857-4 2-Critical   HTTP 100 Continue handling does not work when it arrives in multiple packets
687603-2 2-Critical K36243347 tmsh query for dns records may cause tmm to crash
933297 3-Major   FTP virtual server active data channels do not pass traffic
915689-5 3-Major   HTTP/2 dynamic header table may fail to identify indexed headers on the response side.
915605-4 3-Major   Image install fails if iRulesLX is provisioned and /usr mounted read-write
915281-6 3-Major   Do not rearm TCP Keep Alive timer under certain conditions
909757 3-Major   HTTP CONNECT method with a delayed payload can cause a connection to be closed
892385-3 3-Major   HTTP does not process WebSocket payload when received with server HTTP response
880361-4 3-Major   TMM may crash while processing iRules LX commands
862597-3 3-Major   Improve MPTCP's SYN/ACK retransmission handling
828601-4 3-Major   IPv6 Management route is preferred over IPv6 tmm route
818853-5 3-Major   Duplicate MAC entries in FDB
810445-3 3-Major   PEM: ftp-data not classified or reported
807821-3 3-Major   ICMP echo requests occasionally go unanswered
790845-1 3-Major   An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default
786517-1 3-Major   Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
783617-4 3-Major   Virtual Server resets connections when all pool members are marked disabled
766169-3 3-Major   Replacing all VLAN interfaces resets VLAN MTU to a default value
758631-2 3-Major   ec_point_formats extension might be included in the server hello even if not specified in the client hello
758599-4 3-Major   IPv6 Management route is preferred over IPv6 tmm route
758437-4 3-Major   SYN w/ data disrupts stat collection in Fast L4
758436-2 3-Major   Optimistic ACKs degrade Fast L4 statistics
758041-4 3-Major   Pool Members may not be updated accurately when multiple identical database monitors configured
751036-3 3-Major   Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
745923-4 3-Major   Connection flow collision can cause packets to be sent with source and/or destination port 0
745663-2 3-Major   During traffic forwarding, nexthop data may be missed at large packet split
724824-4 3-Major   Ephemeral nodes on peer devices report as unknown and unchecked after full config sync
710930-1 3-Major   Enabling BigDB key bigd.tmm may cause SSL monitors to fail
681814-1 3-Major   Changes to a cipher group are not propagated to SSL profiles until the configuration is reloaded
522241-2 3-Major   Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete
814037-1 4-Minor   No virtual server name in Hardware Syncookie activation logs.
781225-3 4-Minor   HTTP profile Response Size stats incorrect for keep-alive connections
726983-4 4-Minor   Inserting multi-line HTTP header not handled correctly


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
960437-4 2-Critical   The BIG-IP system may initially fail to resolve some DNS queries
919553-4 2-Critical   GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.
908673-2 2-Critical   TMM may crash while processing DNS traffic
783125-4 2-Critical   iRule drop command on DNS traffic without Datagram-LB may cause TMM crash
781829-4 3-Major   GTM TCP monitor does not check the RECV string if server response string not ending with \n
760471-4 3-Major   GTM iQuery connections may be reset during SSL key renegotiation.
758772-4 3-Major   DNS Cache RRSET Evictions Stat not increasing
757464-3 3-Major   DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record
708421-2 3-Major K52142743 DNS::question 'set' options are applied to packet, but not to already parsed dns_msg
700118-1 3-Major   rrset statistics unavailable
529896-1 3-Major   DNS Cache can use cached data from ADDITIONAL sections in answers after RRset cache cleared
904937-5 4-Minor   Excessive resource consumption in zxfrd
643455-1 4-Minor   Update TTL for equally trusted records only


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
903453 2-Critical   TMM crash following redirect when Proactive Bot Defense is used
943125-4 3-Major   Web-Socket request with JSON payload causing core during the payload parsing
941853-3 3-Major   Logging Profiles do not disassociate from virtual server when multiple changes are made
917509-1 3-Major   ASM processes some requests longer than usual
900797-5 3-Major   Brute Force Protection (BFP) hash table entry cleanup
900793-3 3-Major K32055534 APM Brute Force Protection resources do not scale automatically
900789-5 3-Major   Alert before Brute Force Protection (BFP) hash are fully utilized
848445-4 3-Major K86285055 Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer
833685-1 3-Major   Idle async handlers can remain loaded for a long time doing nothing
722337-3 3-Major   Always show violations in request log when post request is large
692279-1 3-Major   Request logging is briefly suspended after policy re-assignment
424588-1 3-Major   iRule command [DOSL7::profile] returns empty value
935293-1 4-Minor   'Detected Violation' Field for event logs not showing
882769-5 4-Minor   Request Log: wrong filter applied when searching by Response contains or Response does not contain


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
722392-2 2-Critical   AVR: analytics statistics are displayed even if they are disabled
908065-5 3-Major   Logrotation for /var/log/avr blocked by files with .1 suffix
902485-1 3-Major   Incorrect pool member concurrent connection value
838685-1 3-Major   DoS report exist in per-widget but not under individual virtual
721408-4 3-Major   Possible to create Analytics overview widgets in '[All]' partition
866613-2 4-Minor   Missing MaxMemory Attribute


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
928037-4 2-Critical   APM Hardening
905125-4 2-Critical   Security hardening for APM Webtop
831777-2 2-Critical   Tmm crash in Ping access use case
811965-3 2-Critical   Some VDI use cases can cause excessive resource consumption
833049-3 3-Major   Category lookup tool in GUI may not match actual traffic categorization
766017-2 4-Minor   [APM][LocalDB] Local user database instance name length check inconsistencies
679751-3 4-Minor   Authorization header can cause a connection reset


Service Provider Fixes

ID Number Severity Solution Article(s) Description
815877-4 3-Major   Information Elements with zero-length value are rejected by the GTP parser
845461-1 5-Cosmetic   MRF DIAMETER: additional details to log event to assist debugging


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
703165-5 3-Major   shared memory leakage


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
783289-3 2-Critical   PEM actions not applied in VE bigTCP.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
943889 2-Critical   Reopening the publisher after a failed publishing attempt
933741-5 2-Critical   Security hardening in FPS GUI
876581-5 3-Major   JavaScript engine file is empty if the original HTML page cached for too long
940401-4 5-Cosmetic   Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
913441 2-Critical   Tmm cores while doing Hitless Upgrade while there are active flows
745733-1 3-Major   TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup
689614-1 3-Major   If DNS is not configured and management proxy is setup correctly, Webroot database fails to download


Device Management Fixes

ID Number Severity Solution Article(s) Description
932065-4 3-Major   iControl REST framework exception handling hardening
911761-5 3-Major   iControl REST endpoint response includes the request content
767613-3 3-Major   Restjavad can keep partially downloaded files open indefinitely


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
912969-5 3-Major   iAppsLX Security Hardening



Cumulative fixes from BIG-IP v13.1.3.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
900757-5 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
895525-5 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
909237-3 CVE-2020-8617 K05544642 CVE-2020-8617: BIND Vulnerability
909233-3 CVE-2020-8616 K97810133 DNS Hardening
905905-4 CVE-2020-5904 K31301245 TMUI CSRF vulnerability CVE-2020-5904
895993-5 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
895981-5 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
895881-4 CVE-2020-5903 K43638305 BIG-IP TMUI XSS vulnerability CVE-2020-5903
883717-4 CVE-2020-5914 K37466356 BD crash on specific server cookie scenario
852445-5 CVE-2019-6477 K15840535 Big-IP : CVE-2019-6477 BIND Vulnerability
841577-6 CVE-2020-5922 K20606443 iControl REST hardening
838677-5 CVE-2019-10744 K47105354 lodash library vulnerability CVE-2019-10744
837773-4 CVE-2020-5912 K12936322 Restjavad Storage and Configuration Hardening
830401-5 CVE-2020-5877 K54200228 TMM may crash while processing TCP traffic with iRules
819197-6 CVE-2019-13135 K20336394 BIGIP: CVE-2019-13135 ImageMagick vulnerability
819189-5 CVE-2019-13136 K03512441 BIGIP: CVE-2019-13136 ImageMagick vulnerability
818709-4 CVE-2020-5858 K36814487 TMSH does not follow current best practices
778077-1 CVE-2019-6680 K53183580 Virtual to virtual chain can cause TMM to crash
767373-3 CVE-2019-8331 K24383845 CVE-2019-8331: Bootstrap Vulnerability
750292-4 CVE-2019-6592 K54167061 TMM may crash when processing TLS traffic
886085-1 CVE-2020-5925 K45421311 BIG-IP TMM vulnerability CVE-2020-5925
872673-4 CVE-2020-5918 K26464312 TMM can crash when processing SCTP traffic
868349-5 CVE-2020-5935 K62830532 TMM may crash while processing iRules with MQTT commands
860477-6 CVE-2020-5906 K82518062 SCP hardening
859089-3 CVE-2020-5907 K00091341 TMSH allows SFTP utility access
832885-5 CVE-2020-5923 K05975972 Self-IP hardening
829121-5 CVE-2020-5886 K65720640 State mirroring default does not require TLS
829117-5 CVE-2020-5885 K17663061 State mirroring default does not require TLS
811789-4 CVE-2020-5915 K57214921 Device trust UI hardening
789921-4 CVE-2020-5881 K03386032 TMM may restart while processing VLAN traffic
761112-5 CVE-2019-6683 K76328112 TMM may consume excessive resources when processing FastL4 traffic
756458-1 CVE-2018-18559 K28241423 Linux kernel vulnerability: CVE-2018-18559
745103-4 CVE-2018-7159 K27228191 NodeJS Vulnerability: CVE-2018-7159
715969-1 CVE-2017-5703 K19855851 CVE-2017-5703: Unsafe Opcodes exposed in Intel SPI based products
823893-4 CVE-2020-5890 K03318649 Qkview may fail to completely sanitize LDAP bind credentials
746091-3 CVE-2019-19151 K21711352 TMSH Vulnerability: CVE-2019-19151
717276-5 CVE-2020-5930 K20622530 TMM Route Metrics Hardening
759536-4 CVE-2019-8912 K31739796 Linux kernel vulnerability: CVE-2019-8912


Functional Change Fixes

ID Number Severity Solution Article(s) Description
819397-3 1-Blocking K50375550 TMM does not enforce RFC compliance when processing HTTP traffic
858229-2 3-Major K22493037 XML with sensitive data gets to the ICAP server
691499-1 3-Major   GTP::ie primitives in iRule to be certified
617929-4 3-Major   Support non-default route domains


TMOS Fixes

ID Number Severity Solution Article(s) Description
841333-3 2-Critical   TMM may crash when tunnel used after returning from offline
792285-3 2-Critical   TMM crashes if the queuing message to all HSL pool members fails
780817 2-Critical   TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
767013-4 2-Critical   Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
762205-1 2-Critical   IKEv2 rekey fails to recognize VENDOR_ID payload when it appears
882557-5 3-Major   TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)
866925-1 3-Major   The TMM pages used and available can be viewed in the F5 system stats MIB
865225-2 3-Major   100G modules may not work properly in i15000 and i15800 platforms
842125-2 3-Major   Unable to reconnect outgoing SCTP connections that have previously aborted
812981-2 3-Major   MCPD: memory leak on standby BIG-IP device
807005-3 3-Major   Save-on-auto-sync is not working as expected with large configuration objects
804477-2 3-Major   Log HSB registers when parts of the device becomes unresponsive
800185-2 3-Major   Saving a large encrypted UCS archive may fail and might trigger failover
762073-1 3-Major   Continuous TMM restarts when HSB drops off the PCI bus
760439-2 3-Major   After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
753860-1 3-Major   Virtual server config changes causing incorrect route injection.
749153-1 3-Major   Cannot create LTM policy from GUI using iControl
742628-5 3-Major K53843889 Tmsh session initiation adds increased control plane pressure
739872-2 3-Major   The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover
738943-5 3-Major   imish command hangs when ospfd is enabled
738881-2 3-Major   Qkview does not collect any data under certain conditions that cause a timeout
734846-3 3-Major   Redirection to logon summary page does not occur after session timeout
701529-1 3-Major   Configuration may not load or not accept vlan or tunnel names as "default" or "all"
688399-4 3-Major   HSB failure results in continuous TMM restarts
648621-5 3-Major   SCTP: Multihome connections may not expire
641450-5 3-Major K30053855 A transaction that deletes and recreates a virtual may result in an invalid configuration
625901-2 3-Major   SNAT pools allow members in different partitions to be assigned, but this causes a load failure
748940-1 4-Minor   iControl REST cert creation not working for non-Common folder
743815-3 4-Minor   vCMP guest observes connflow reset when a CMP state change occurs.
726317-4 4-Minor   Improved debugging output for mcpd
722230-5 4-Minor   Cannot delete FQDN template node if another FQDN node resolves to same IP address


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
816273-4 1-Blocking   L7 Policies may execute CONTAINS operands incorrectly.
715032-5 1-Blocking K73302459 iRulesLX Hardening
853329 2-Critical   HTTP explicit proxy can crash TMM when used with classification profile
841469-3 2-Critical   Application traffic may fail after an internal interface failure on a VIPRION system.
831325-3 2-Critical K10701310 HTTP PSM detects more issues with Transfer-Encoding headers
826601-3 2-Critical   Prevent receive window shrinkage for looped flows that use a SYN cookie
813561-1 2-Critical   MCPD crashes when assigning an iRule that uses a proc
812525-5 2-Critical K27551003 HTTP parsing restrictions
757578-4 2-Critical   RAM cache is not compatible with verify-accept
696908-1 2-Critical   Updating iRule causes TMM to crash
690291-1 2-Critical   tmm crash
858301-4 3-Major K27551003 HTTP RFC compliance now checks that the authority matches between the URI and Host header
858297-4 3-Major K27551003 HTTP requests with multiple Host headers are rejected if RFC compliance is enabled
858289-4 3-Major K27551003 HTTP parsing restrictions
858285-4 3-Major K27551003 HTTP parsing of Request URIs with spaces in them has changed
796993-3 3-Major   Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
788753-1 3-Major   GATEWAY_ICMP monitor marks node down with wrong error code
778517-2 3-Major K91052217 Large number of in-TMM monitors results in delayed processing
776229-4 3-Major   iRule 'pool' command no longer accepts pool members with ports that have a value of zero
761185-4 3-Major K50375550 Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic
760679 3-Major   Memory corruption when using C3D on certain platforms
759480-2 3-Major   HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash
758872-2 3-Major   TMM memory leak
756494-1 3-Major   For in-tmm monitoring: multiple instances of the same agent are running on the Standby device
753805-1 3-Major   BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.
716167-1 3-Major   The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp
686059-2 3-Major   FDB entries for existing VLANs may be flushed when creating a new VLAN.
751586-5 4-Minor   Http2 virtual does not honour translate-address disabled
747585-2 4-Minor   TCP Analytics supports ANY protocol number
594064-5 4-Minor K57004151 tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
807177-1 2-Critical   HTTPS monitoring is not caching SSL sessions correctly
802961-1 3-Major   The 'any-available' prober selection is not as random as in earlier versions
778365-1 3-Major   dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service
774481-3 3-Major   DNS Virtual Server creation problem with Dependency List
756470-3 3-Major   Additional logging added to detect when monitoring operations in the configuration exceeds capabilities.
746348-1 3-Major   On rare occasions, gtmd fails to process probe responses originating from the same system.
704198-3 3-Major K29403988 Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance
744280-1 4-Minor   Enabling or disabling a Distributed Application results in a small memory leak


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
858025-5 2-Critical K33440533 Proactive Bot Defense does not validate redirected paths
803813-3 2-Critical   TMM may experience high latency when processing WebSocket traffic
754109-3 2-Critical   ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive
854177-2 3-Major   ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
850673-4 3-Major   BD sends bad ACKs to the bd_agent for configuration
846493 3-Major   ASM CAPTCHA is not working the first time when a request contains sensitive parameters
783505 3-Major   ASU is very slow on device with hundreds of policies due to table checksums
697269-1 3-Major   Request logging is briefly suspended after policy creation
689987-3 3-Major   Requests are not logged on new virtual servers after UCS load while ASM is running
681010-2 3-Major K33572148 'Referer' is not masked when 'Query String' contains sensitive parameter
673522-1 3-Major   RST when using Bot Defense profile and surfing to a long URL on related domain
629628-1 3-Major   Request Events Missing Due to Policy Builder Restart


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
838709-2 2-Critical   Enabling DoS stats also enables page-load-time
828937-4 2-Critical K45725467 Some systems can experience periodic high IO wait due to AVR data aggregation
870957-2 3-Major   "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage
863161-5 3-Major   Scheduled reports are sent via TLS even if configured as non encrypted
833113-1 3-Major   Avrd core when sending large messages via https
830073-5 3-Major   AVRD may core when restarting due to data collection device connection timeout
700035-5 3-Major   /var/log/avr/monpd.disk.provision not rotate


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
885241 2-Critical   TMM leaks memory when the 'ACCESS::session remove' iRule command is called in an event other than an ACCESS event.
747192-2 2-Critical   Small memory leak while creating Access Policy items
660913-4 2-Critical   For ActiveSync client type, browscap info provided is incorrect.
850277-5 3-Major   Memory leak when using OAuth
803825 3-Major   WebSSO does not support large NTLM target info length
744407-5 3-Major   While the client has been closed, iRule function should not try to check on a closed session


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
833213-5 3-Major   Conditional requests are served incorrectly with AAM policy in webacceleration profile


Service Provider Fixes

ID Number Severity Solution Article(s) Description
814097-4 2-Critical   Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.
811105-3 2-Critical   MRF SIP-ALG drops SIP 183 and 200 OK messages
766405-3 2-Critical   MRF SIP ALG with SNAT: Fix for potential crash on next-active device
745397-3 2-Critical   Virtual server configured with FIX profile can leak memory.
882273-1 3-Major   MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage grow
866021-4 3-Major   Diameter Mirror connection lost on the standby due to "process ingress error"
842625-1 3-Major   SIP message routing remembers a 'no connection' failure state forever
824149-1 3-Major   SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured
815529-4 3-Major   MRF outbound messages are dropped in per-peer mode
811033-3 3-Major   MRF: BiDirectional pesistence does not work in reverse direction if different transport protocols are used
804313-4 3-Major   MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.
803809-1 3-Major   SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.
782353-8 3-Major   SIP MRF via header shows TCP Transport when TLS is enabled
754658-1 3-Major   Improved matching of response messages uses end-to-end ID
754617-1 3-Major   iRule 'DIAMETER::avp read' command does not work with 'source' option
746731-3 3-Major   BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
744275-3 3-Major   BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
727288-3 3-Major   Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC
696348-2 3-Major   "GTP::ie insert" and "GTP::ie append" do not work without "-message" option
676709-3 3-Major K37604585 Diameter virtual server has different behavior of connection-prime when persistence is on/off
836357-1 4-Minor   SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
793013 4-Minor   MRF DIAMETER: Implement sweeper for pending request messages queue
788513-4 4-Minor   Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
786981-1 4-Minor   Pending GTP iRule operation maybe aborted when connection is expired
753790 4-Minor   Allow 'DIAMETER::persist reset' command in EGRESS events
711641-1 4-Minor   MRF DIAMETER: Add log events to log when stale messages are removed from pending request queue
793005-4 5-Cosmetic   'Current Sessions' statistic of MRF/Diameter pool may be incorrect


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
852289-6 3-Major K23278332 DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector
751116-3 3-Major   DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring


Device Management Fixes

ID Number Severity Solution Article(s) Description
839597-2 3-Major   Restjavad fails to start if provision.extramb has a large value



Cumulative fixes from BIG-IP v13.1.3.3 that are included in this release


Functional Change Fixes

None


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
803645-1 3-Major   GTMD daemon crashes



Cumulative fixes from BIG-IP v13.1.3.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
818429-2 CVE-2020-5857 K70275209 TMM may crash while processing HTTP traffic
808301-1 CVE-2019-6678 K04897373 TMM may crash while processing IP traffic
805837-4 CVE-2019-6657 K22441651 REST does not follow current design best practices
795437-2 CVE-2019-6677 K06747393 Improve handling of TCP traffic for iRules
795197-3 CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 K26618426 Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
781377-1 CVE-2019-6681 K93417064 tmrouted may crash while processing Multicast Forwarding Cache messages
780601-4 CVE-2020-5873 K03585731 SCP file transfer hardening
769589-4 CVE-2019-6974 K11186236 CVE-2019-6974: Linux Kernel Vulnerability
762453 CVE-2020-5872 K63558580 Hardware cryptography acceleration may fail
757357 CVE-2019-6676 K92002212 TMM may crash while processing traffic
636400-1 CVE-2019-6665 K26462555 CPB (BIG-IP->BIGIQ log node) Hardening
810537-3 CVE-2020-5883 K12234501 TMM may consume excessive resources while processing iRules
809165-4 CVE-2020-5854 K50046200 TMM may crash will processing connector traffic
808525-4 CVE-2019-6686 K55812535 TMM may crash while processing Diameter traffic
795797-4 CVE-2019-6658 K21121741 AFM WebUI Hardening
788773-4 CVE-2019-9515 K50233772 HTTP/2 Vulnerability: CVE-2019-9515
788769-4 CVE-2019-9514 K01988340 HTTP/2 Vulnerability: CVE-2019-9514
782529-4 CVE-2019-6685 K30215839 iRules does not follow current design best practices
781449-4 CVE-2019-6672 K14703097 Increase efficiency of sPVA DoS protection on wildcard virtual servers
777737-2 CVE-2019-6671 K39225055 TMM may consume excessive resources when processing IP traffic
773673-4 CVE-2019-9512 K98053339 HTTP/2 Vulnerability: CVE-2019-9512
768981-4 CVE-2019-6670 K05765031 VCMP Hypervisor Hardening
761144-6 CVE-2019-6684 K95117754 Broadcast frames may be dropped
761014-4 CVE-2019-6669 K11447758 TMM may crash while processing local traffic
758018-3 CVE-2019-6661 K61705126 APD/APMD may consume excessive resources
725551-4 CVE-2019-6682 K40452417 ASM may consume excessive resources
636453-9 CVE-2016-10009 K31440025 OpenSSH vulnerability CVE-2016-10009
789893-4 CVE-2019-6679 K54336216 SCP file transfer hardening
779177-4 CVE-2019-19150 K37890841 Apmd logs "client-session-id" when access-policy debug log level is enabled
749324-2 CVE-2012-6708 K62532311 jQuery Vulnerability: CVE-2012-6708
738236-2 CVE-2019-6688 K25607522 UCS does not follow current best practices


Functional Change Fixes

ID Number Severity Solution Article(s) Description
724556-2 2-Critical   icrd_child spawns more than maximum allowed times (zombie processes)
769193-1 3-Major   Added support for faster congestion window increase in slow-start for stretch ACKs
759135-5 3-Major   AVR report limits are locked at 1000 transactions
788269-1 4-Minor   Adding toggle to disable AVR widgets on device-groups


TMOS Fixes

ID Number Severity Solution Article(s) Description
725950 1-Blocking   Regcomp() leaks memory if passed an invalid regex.
831549 2-Critical   Marketing name does not display properly for BIG-IP i10010 (C127)
765533-4 2-Critical K58243048 Sensitive information logged when DEBUG logging enabled
749388 2-Critical   'table delete' iRule command can cause TMM to crash
747203-4 2-Critical   Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding
686996-1 2-Critical   TMM core under heavy load with PEM
809205-3 3-Major   CVE-2019-3855: libssh2 Vulnerability
794501-4 3-Major   Duplicate if_indexes and OIDs between interfaces and tunnels
793121-1 3-Major   Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
788557 3-Major   BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior
788301-3 3-Major K58243048 SNMPv3 Hardening
777261-2 3-Major   When SNMP cannot locate a file it logs messages repeatedly
764873-4 3-Major   An accelerated flow transmits packets to a dated, down pool member.
761993-4 3-Major   The nsm process may crash if it detects a nexthop mismatch
759735-1 3-Major   OSPF ASE route calculation for new external-LSA delayed
758781-1 3-Major   iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates
758527-4 3-Major K39604784 BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
758119-4 3-Major K58243048 qkview may contain sensitive information
747592-2 3-Major   PHP vulnerability CVE-2018-17082
745825-3 3-Major   The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading
741902-3 3-Major   sod does not validate message length vs. received packet length
740413-3 3-Major   Sod not logging Failover Condition messages
738445-2 3-Major   IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup
724109-4 3-Major   Manual config-sync fails after pool with FQDN pool members is deleted
700712-1 3-Major   MariaDB binary logging takes up disk space
687115-2 3-Major   SNMP performance can be impacted by a long list of allowed-addresses
683135-2 3-Major   Hardware syncookies number for virtual server stats is unrealistically high
680917-1 3-Major   Invalid monitor rule instance identifier
815425 4-Minor   RAID status is shown <undefined> after upgrade from 12.1.3.5 to 13.1.x
755018-4 4-Minor   Egress traffic processing may be stopped on one or more VE trunk interfaces
550526-2 4-Minor K84370515 Some time zones prevent configuring trust with a peer device using the GUI.
484683-3 4-Minor   Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
800305-4 2-Critical   VDI::cmp_redirect generates flow with random client port
787825-3 2-Critical K58243048 Database monitors debug logs have plaintext password printed in the log file
739927-3 2-Critical   Bigd crashes after a specific combination of logging operations
693491-1 2-Critical   ASM with Web Acceleration Profile can rarely cause TMM to core
813673-1 3-Major   The HTTP Explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT
788325-4 3-Major K39794285 Header continuation rule is applied to request/response line
781753-1 3-Major   WebSocket traffic is transmitted with unknown opcodes
773421-2 3-Major   Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
770477-3 3-Major   SSL aborted when client_hello includes both renegotiation info extension and SCSV
761030-1 3-Major   tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route
758992-1 3-Major   The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address
757827-3 3-Major   Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution
755727-3 3-Major   Ephemeral pool members not created after DNS flap and address record changes
749294-2 3-Major   TMM cores when query session index is out of boundary
747907-1 3-Major   Persistence records leak while the HA mirror connection is down
743257-1 3-Major   Fix block size insecurity init and assign
742237-2 3-Major   CPU spikes appear wider than actual in graphs
739638-2 3-Major   BGP failed to connect with neighbor when pool route is used
726734-1 3-Major   DAGv2 port lookup stringent may fail
726176-4 3-Major   Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
716952-2 3-Major   With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process complete.
704450-3 3-Major   bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
693582-1 3-Major   Monitor node log not rotated for certain monitor types
689361-1 3-Major   Configsync can change the status of a monitored pool member
687887-1 3-Major   Unexpected result from multiple changes to a monitor-related object in a single transaction
676990-2 3-Major   No way to enable SNAT of host traffic
676557-1 3-Major   Binary data marshalled to TCL may be converted to UTF8
636842-3 3-Major K51472519 A FastL4 virtual server may drop a FIN packet when mirroring is enabled
601189-3 3-Major   The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
769309-3 4-Minor   DB monitor reconnects to server on every probe when count = 0
760683-2 4-Minor   RST from non-floating self-ip may use floating self-ip source mac-address
754003-1 4-Minor K73202036 Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate
747628-3 4-Minor   BIG-IP sends spurious ICMP PMTU message to server
744210-1 4-Minor   DHCPv6 does not have the ability to override the hop limit from the client.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
772233-1 3-Major   IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.
761032-4 3-Major K36328238 TMSH displays TSIG keys
699512-1 3-Major   UDP packet may be dropped when queued in parallel with another packet
672491-5 3-Major K10990182 net resolver uses internal IP as source if matching wildcard forwarding virtual server


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
813945-1 2-Critical   PB core dump while processing many entities
775105-1 2-Critical   False positive on bot defense logs
812341-1 3-Major   Patch or Delete commands take a long time to complete when modifying an ASM signature set.
800453-1 3-Major K72252057 False positive virus violations
783513-1 3-Major   ASU is very slow on device with hundreds of policies due to logging profile handling
739618-1 3-Major   When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy
727107-2 3-Major   Request Logs are not stored locally due to shmem pipe blockage


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
756102-3 2-Critical   TMM can crash with core on ABORT signal due to non-responsive AVR code
797785-3 3-Major   AVR reports no ASM-Anomalies data.
792265-1 3-Major   Traffic logs does not include the BIG-IQ tags
781581-4 3-Major   Monpd uses excessive memory on requests for network_log data
703196-5 3-Major   Reports for AVR are missing data
696191-1 3-Major   AVR-related disk partitions can get full during upgrade


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
811145-4 2-Critical   VMware View resources with SAML SSO are not working
784989-4 2-Critical   TMM may crash with panic message: Assertion 'cookie name exists' failed
777173-4 2-Critical   Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error
725505-2 2-Critical   SNAT settings in network resource are not applied after FastL4 profile is updated
618641-1 2-Critical   In rare cases VDI plugin might leak memory or crash while processing client connections
815753-4 3-Major   TMM leaks memory when explicit SWG is configured with Kerberos authentication
799149 3-Major   Authentication fails with empty password
798261-4 3-Major   APMD fails to create session variables if spanning is enabled on SWG transparent virtual server
788417-3 3-Major   Remote Desktop client on macOS may show resource auth token on credentials prompt
787477-1 3-Major   Export fails from partitions with '-' as second character
768025-1 3-Major   SAML requests/responses fail with "failed to find certificate"
766577-4 3-Major   APMD fails to send response to client and it already closed connection.
725040-3 3-Major   Auto-update fails for F5 Helper Applications on Linux
723278-1 3-Major   Radius Accounting-Request (STOP) always includes AVP Framed-IP-Address=0.16.0.0 when Network Access rescource configured with IPv4 & IPv6
697590-4 3-Major   APM iRule ACCESS::session remove fails outside of Access events
653210-1 3-Major   Rare resets during the login process
643935-2 3-Major   Rewriting may cause an infinite loop while processing some objects
719589-3 4-Minor   GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic
684414-2 4-Minor   Retrieving too many groups is causing out of memory errors in TMUI and VPE


Service Provider Fixes

ID Number Severity Solution Article(s) Description
813657 3-Major   MRF SIP ALG with SNAT incorrectly detects ingress queue full
811745-4 3-Major   Failover between clustered DIAMETER devices can cause mirror connections to be disconnected


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
787901 2-Critical   While deleting a DoS profile, tmm might core in sPVA
778869-1 2-Critical K72423000 ACLs and other AFM features (e.g., IPI) may not function as designed
747922-2 2-Critical   With AFM enabled, during bootup, there is a small possibility of a tmm crash
761345-1 3-Major   Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode
738284-4 3-Major   Creating or deleting rule list results in warning message: Schema object encode failed
679722-1 3-Major   Configuration sync failure involving self IP references


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
753014-1 3-Major   PEM iRule action with RULE_INIT event fails to attach to PEM policy
747065-3 3-Major   PEM iRule burst of session ADDs leads to missing sessions


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
804185-3 3-Major   Some WebSafe request signatures may not work as expected


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
803477-1 3-Major   BaDoS State file load failure when signature protection is off
767045 4-Minor   TMM cores while applying policy
711708-1 4-Minor   Default disabled DoS profile cannot be attached to virtual server because of BADOS '2 virtual servers limitation'


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
674795-2 4-Minor   tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds, when it should be hours.



Cumulative fixes from BIG-IP v13.1.3.1 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
688627-1 3-Major   OPT-0043 40G optical transceiver cannot be unbundled into 4x10G



Cumulative fixes from BIG-IP v13.1.3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
809377-4 CVE-2019-6649 K05123525 AFM ConfigSync Hardening
771873-3 CVE-2019-6642 K40378764 TMSH Hardening
767653-2 CVE-2019-6660 K23860356 Malformed HTTP request can result in endless loop in an iRule script
758065-2 CVE-2019-6667 K82781208 TMM may consume excessive resources while processing FIX traffic
757023-4 CVE-2018-5743 K74009656 BIND vulnerability CVE-2018-5743
756538-1 CVE-2019-6645 K15759349 Failure to open data channel for active FTP connections mirrored across an high availability (HA) pair.
754103-2 CVE-2019-6644 K75532331 iRulesLX NodeJS daemon does not follow best security practices
739971-2 CVE-2018-5391 K74374841 Linux kernel vulnerability: CVE-2018-5391
726393-4 CVE-2019-6643 K36228121 DHCPRELAY6 can lead to a tmm crash
715923-1 CVE-2018-15317 K43625118 When processing TLS traffic TMM may terminate connections unexpectedly
757455-1 CVE-2019-6647 K87920510 Excessive resource consumption when processing REST requests
773649-4 CVE-2019-6656 K23876153 APM Client Logging


Functional Change Fixes

ID Number Severity Solution Article(s) Description
749704-3 4-Minor   GTPv2 Serving-Network field with mixed MNC digits


TMOS Fixes

ID Number Severity Solution Article(s) Description
774445-3 1-Blocking K74921042 BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2
769809-2 2-Critical   The vCMP guests 'INOPERATIVE' after upgrade
760408-1 2-Critical K23438711 System Integrity Status: Invalid after BIOS update
757722-1 2-Critical   Unknown notify message types unsupported in IKEv2
756402-1 2-Critical   Re-transmitted IPsec packets can have garbled contents
756071-1 2-Critical   MCPD crash
753650 2-Critical   The BIG-IP system reports frequent kernel page allocation failures.
748205-1 2-Critical   SSD bay identification incorrect for RAID drive replacement
734539-3 2-Critical   The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads
708968-2 2-Critical   OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
671741-3 2-Critical   LCD on iSeries devices can lock at red 'loading' screen.
648270-3 2-Critical   mcpd can crash if viewing a fast-growing log file through the GUI
756153-2 3-Major   Add diskmonitor support for MySQL /var/lib/mysql
749785-1 3-Major   nsm can become unresponsive when processing recursive routes
746266-1 3-Major   A vCMP guest VLAN MAC mismatch across blades.
735565-1 3-Major   BGP neighbor peer-group config element not persisting
723553-1 3-Major   BIG-IP installations on RAID systems (old style) may not boot
720610 3-Major   Updatecheck logs bogus 'Update Server unavailable' on every run
716166-4 3-Major   Dynamic routing not added when conflicting self IPs exist
709544-2 3-Major   VCMP guests in HA configuration become Active/Active during upgrade
705037-2 3-Major K32332000 System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
702310-1 3-Major   The ':l' and ':h' options are not available on the tmm interface in tcpdump
693388-2 3-Major   Log additional HSB registers when device becomes unresponsive
667618-1 3-Major   Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
620954-5 3-Major   Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
721526-2 4-Minor   tcpdump fails to write verbose packet data to file
691171-1 4-Minor   static and dynamically learned blackhole route from ZebOS cannot be deleted


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
757441-2 2-Critical   Specific sequence of packets causes Fast Open to be effectively disabled
757391-3 2-Critical   Datagroup iRule command class can lead to memory corruption
756450-2 2-Critical   Traffic using route entry that's more specific than existing blackhole route can cause core
755585-3 2-Critical   mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction
746710-2 2-Critical   Use of HTTP::cookie after HTTP:disable causes TMM core
742184-1 2-Critical   TMM memory leak
740228-1 2-Critical   TMM crash while sending a DHCP Lease Query to a DHCP server
724214-3 2-Critical   TMM core when using Multipath TCP
667779-1 2-Critical   iRule commands may cause the TMM to crash in very rare situations.
794493 3-Major   Creating Client SSL profile via tmsh or iControl REST and specifying 'cert' and 'key' incorrectly leaves inherit-certkeychain as true
790205-2 3-Major   Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core
760771-3 3-Major   FastL4-steered traffic might cause SSL resume handshake delay
760550-3 3-Major   Retransmitted TCP packet has FIN bit set
757442-1 3-Major   A missed SYN cookie check causes crash at the standby TMM in HA mirroring system
754349 3-Major   FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4
753594-3 3-Major   In-TMM monitors may have duplicate instances or stop monitoring
753514-1 3-Major   Large configurations containing LTM Policies load slowly
749414-2 3-Major   Invalid monitor rule instance identifier error
746922-4 3-Major   When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
726001-1 3-Major   Rapid datagroup updates can cause type corruption
720219 3-Major K13109068 HSL::log command can fail to pick new pool member if last picked member is 'checking'
719304-2 3-Major   Inconsistent node ICMP monitor operation for IPv6 nodes
712919-1 3-Major K54802336 Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server.
705112-2 3-Major   DHCP server flows are not re-established after expiration
675367-2 3-Major K95393925 The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication
604811-2 3-Major   Under certain conditions TMM may crash while processing OneConnect traffic
273104-1 3-Major   Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
759721-4 3-Major K03332436 DNS GUI does not follow best practices
754901-3 3-Major   Frequent zone update notifications may cause TMM to restart
750213-2 3-Major K25351434 DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
726412-2 4-Minor   Virtual server drop down missing objects on pool creation


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
781637-4 3-Major   ASM brute force counts unnecessary failed logins for NTLM
781605-1 3-Major   Fix RFC issue with the multipart parser
781069-4 3-Major   Bot Defense challenge blocks requests with long Referer headers
773553-4 3-Major   ASM JSON parser false positive.
769981-3 3-Major   bd crashes in a specific scenario
764373-1 3-Major   'Modified domain cookie' violation with multiple enforced domain cookies with different paths
763001-2 3-Major K70312000 Web-socket enforcement might lead to a false negative
761941-3 3-Major   ASM does not remove CSRT token query parameter before forwarding a request to the backend server
761231-4 3-Major K79240502 Bot Defense Search Engines getting blocked after configuring DNS correctly
739900-1 3-Major   All Policies are created with 3 new Signature Sets After Creation of a Policy using Application Ready Templates
713051 3-Major   PB generates a suggestion to add a disallowed filtetype with empty name.
686763-1 3-Major   asm_start is consuming too much memory
686500-1 3-Major   Adding user defined signature on device with many policies is very slow
675673-1 3-Major   Policy history files should be limited by settings in a configuration file.
768761-4 4-Minor   Improved accept action description for suggestions to disable signature/enable metacharacter in policy
761553-4 4-Minor   Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic
761549-4 4-Minor   Traffic Learning: Accept and Stage action is shown only in case entity is not in staging
750689-1 4-Minor   Request Log: Accept Request button available when not needed
749184-4 4-Minor   Added description of subviolation for the suggestions that enabled/disabled them
747560-3 4-Minor   ASM REST: Unable to download Whitehat vulnerabilities
695878-4 4-Minor   Signature enforcement issue on specific requests
613728-2 4-Minor   Import/Activate Security policy with 'Replace policy associated with virtual server' option fails
769061-4 5-Cosmetic   Improved details for learning suggestions to enable violation/sub-violation


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
753485-2 2-Critical   AVR global settings are being overridden by HA peers
771025-2 3-Major   AVR send domain names as an aggregate
688544-1 3-Major   SWG reports on BIG-IQ show same series as 'Allowed' and 'Blocked' at the same time


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
760130-1 2-Critical   [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK
753370-1 2-Critical   RADIUS auth might not be working as configured when there is change in RADIUS auth config name.
745600-3 2-Critical   Tmm crash and core using iRule
741535-1 2-Critical   Memory leak when using SAML or Form-based Client-initiated SSO
723402-2 2-Critical   Apmd crashes running command: tmsh restart sys service all
686282-2 2-Critical   APMD intermittently crash when processing access policies
783817-4 3-Major   UI becomes unresponsive when accessing Access active session information
775621-4 3-Major   urldb memory grows past the expected ~3.5GB
765621-1 3-Major   POST request being rejected when using OAuth Resource Server mode
760974-1 3-Major   TMM SIGABRT while evaluating access policy
759638-1 3-Major   APM current active and established session counts out of sync after failover
754542-4 3-Major   TMM may crash when using RADIUS Accounting agent
750823-3 3-Major   Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
750631-1 3-Major   There may be a latency between session termination and deletion of its associated IP address mapping
750170-1 3-Major   SP Connector config changes causes BIG-IP tmm core sometimes during handling of SAML SLO request
749161-1 3-Major   Problem sync policy contains non-ASCII characters
747725-2 3-Major   Kerberos Auth agent may override settings that manually made to krb5.conf
744532-2 3-Major   Websso fails to decrypt secured session variables
600985-3 3-Major   Network access tunnel data stalls
770621-1 4-Minor   [Portal Access] HTTP 308 redirect does not get rewritten
737603-1 4-Minor   Apmd leaks memory when executing per-session policy via iRule


Service Provider Fixes

ID Number Severity Solution Article(s) Description
759077-4 3-Major   MRF SIP filter queue sizes not configurable
748253-3 3-Major   Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
745628-3 3-Major   MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
745514-3 3-Major   MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
745404-2 3-Major   MRF SIP ALG does not reparse SDP payload if replaced
701680-2 3-Major   MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds
747909-3 4-Minor   GTPv2 MEI and Serving-Network fields decoded incorrectly


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
763121-1 2-Critical   Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.
757359-3 2-Critical   pccd crashes when deleting a nested Address List
752363 2-Critical   Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled
777733-1 3-Major   DoS profile default values cause config load failure on upgrade
771173-1 3-Major   FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.
757306-2 3-Major   SNMP MIBS for AFM NAT do not yet exist


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
726665-2 2-Critical   tmm core dump due to SEGFAULT
760438-1 3-Major   PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions
759192-1 3-Major   TMM core during display of PEM session under some specific conditions
756311-1 3-Major   High CPU during erroneous deletion
753163-2 3-Major   PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
775013-4 3-Major   TIME EXCEEDED alert has insufficient data for analysis


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
752803-2 2-Critical   CLASSIFICATION_DETECTED running reject can lead to a tmm core



Cumulative fixes from BIG-IP v13.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
807477-9 CVE-2019-6650 K04280042 ConfigSync Hardening
797885-4 CVE-2019-6649 K05123525 ConfigSync Hardening
796469-2 CVE-2019-6649 K05123525 ConfigSync Hardening
810557-9 CVE-2019-6649 K05123525 ASM ConfigSync Hardening
799617-4 CVE-2019-6649 K05123525 ConfigSync Hardening
799589-4 CVE-2019-6649 K05123525 ConfigSync Hardening
794389-9 CVE-2019-6651 K89509323 iControl REST endpoint response inconsistency
794413-9 CVE-2019-6471 K10092301 BIND vulnerability CVE-2019-6471


Functional Change Fixes

ID Number Severity Solution Article(s) Description
744937-9 3-Major K00724442 BIG-IP DNS and GTM DNSSEC security exposure


TMOS Fixes

ID Number Severity Solution Article(s) Description
760622-2 3-Major   Allow Device Certificate renewal from BIG-IP Configuration Utility
760363-2 3-Major   Update Alias Address field with default placeholder text


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
807445 3-Major   Replaced ISC_TRUE and ISC_FALSE with true and false



Cumulative fixes from BIG-IP v13.1.1.5 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
757025-3 CVE-2018-5744 K00040234 BIND Update
756774-4 CVE-2019-6612 K24401914 Aborted DNS queries to a cache may cause a TMM crash
754944-3 CVE-2019-6626 K00432398 AVR reporting UI does not follow best practices
754345-3 CVE-2019-6625 K79902360 WebUI does not follow best security practices
753975 CVE-2019-6666 K92411323 TMM may crash while processing HTTP traffic with webacceleration profile
753776-1 CVE-2019-6624 K07127032 TMM may consume excessive resources when processing UDP traffic
749879-4 CVE-2019-6611 K47527163 Possible interruption while processing VPN traffic
748502-3 CVE-2019-6623 K72335002 TMM may crash when processing iSession traffic
737731-2 CVE-2019-6622 K44885536 iControl REST input sanitization
737574-2 CVE-2019-6621 K20541896 iControl REST input sanitization
737565-2 CVE-2019-6620 K20445457 iControl REST input sanitization
726327-2 CVE-2018-12120 K37111863 NodeJS debugger accepts connections from any host
791369-4 CVE-2019-6662 K01049383 The REST framework may reflect client data in error logs
757027-3 CVE-2019-6465 K01713115 BIND Update
757026-3 CVE-2018-5745 K25244852 BIND Update
753796-2 CVE-2019-6640 K40443301 SNMP does not follow best security practices
750460-3 CVE-2019-6639 K61002104 Subscriber management configuration GUI
750187-3 CVE-2019-6637 K29149494 ASM REST may consume excessive resources
745713-1 CVE-2019-6619 K94563344 TMM may crash when processing HTTP/2 traffic
745387-3 CVE-2019-6618 K07702240 Resource-admin user roles can no longer get bash access
745371-2 CVE-2019-6636 K68151373 AFM GUI does not follow best security practices
745257-3 CVE-2018-14634 K20934447 Linux kernel vulnerability: CVE-2018-14634
745165-3 CVE-2019-6617 K38941195 Users without Advanced Shell Access are not allowed SFTP access
742226-2 CVE-2019-6635 K11330536 TMSH platform_check utility does not follow best security practices
710857-2 CVE-2019-6634 K64855220 iControl requests may cause excessive resource usage
703835-2 CVE-2019-6616 K82814400 When using SCP into BIG-IP systems, you must specify the target filename
702472-3 CVE-2019-6615 K87659521 Appliance Mode Security Hardening
702469-3 CVE-2019-6633 K73522927 Appliance mode hardening in scp
698376-3 CVE-2019-6614 K46524395 Non-admin users have limited bash commands and can only write to certain directories
673842-4 CVE-2019-6632 K01413496 VCMP does not follow best security practices


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
752835-3 2-Critical K46971044 Mitigate mcpd out of memory error with auto-sync enabled.
750586-1 2-Critical   HSL may incorrectly handle pending TCP connections with elongated handshake time.
707013 2-Critical   vCMP host secondary member's cluster.conf file may replaced by that of vCMP guest
699515-1 2-Critical   nsm cores during update of nexthop for ECMP recursive route
621260-4 2-Critical   mcpd core on iControl REST reference to non-existing pool
760222-5 3-Major   SCP fails unexpected when FIPS mode is enabled
757414 3-Major   GUI Network Map slow page load with large configuration
756088-1 3-Major   The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address
754567 3-Major   Child clientSSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file
751011-1 3-Major   ihealth.sh script and qkview locking mechanism not working
750447-1 3-Major   GUI VLAN list page loading slowly with 50 records per screen
750318-1 3-Major   HTTPS monitor does not appear to be using cert from server-ssl profile
748187-2 3-Major   'Transaction Not Found' Error on PATCH after Transaction has been Created
740345-1 3-Major   TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.
725791-4 3-Major K44895409 Potential HW/HSB issue detected
723794-3 3-Major   PTI (Meltdown) mitigation should be disabled on AMD-based platforms
722380-2 3-Major   The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
721805 3-Major   Traffic Policy edit to datagroup errors on adding ASM disable action
720819-2 3-Major   Certain platforms may take longer than expected to detect and recover from HSB lock-ups
720269-2 3-Major   TACACS audit logging may append garbage characters to the end of log strings
714626-2 3-Major   When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.
701898-1 3-Major   Certain virtual address route-advertisement settings break upgrades from 13.0.0 hotfix rollups
698619-2 3-Major   Disable port bridging on HSB ports for non-vCMP systems
681009-1 3-Major   Large configurations can cause memory exhaustion during live-install
581921-3 3-Major K22327083 Required files under /etc/ssh are not moved during a UCS restore
697766-1 4-Minor   Cisco IOS XR ISIS routers may report 'Authentication TLV not found'
687368-1 4-Minor   The Configuration utility may calculate and display an incorrect HA Group Score
686111-1 4-Minor K89363245 Searching and Reseting Audit Logs not working as expected


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
753912 2-Critical K44385170 UDP flows may not be swept
752930-1 2-Critical   Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
745533-4 2-Critical   NodeJS Vulnerability: CVE-2016-5325
680564-1 2-Critical   "MCP Message:" seen on boot up with Best License
756270-2 3-Major   SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
750843-1 3-Major   HTTP data re-ordering when receiving data while iRule parked
750200-1 3-Major   DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
749689-1 3-Major   HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart
747968-2 3-Major   DNS64 stats not increasing when requests go through DNS cache resolver
747617-1 3-Major   TMM core when processing invalid timer
742078-2 3-Major   Incoming SYNs are dropped and the connection does not time out.
738523-2 3-Major   SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages
727292-1 3-Major   SSL in proxy shutdown case does not deliver server TCP FIN
712664-2 3-Major   IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
710564 3-Major   DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0
709952-1 3-Major   Disallow DHCP relay traffic to traverse between route domains
699979-2 3-Major   Support for Safenet Client Software v7.x
698437-1 3-Major   Internal capacity increase
688553-3 3-Major   SASP GWM monitor may not mark member UP as expected
599567-3 3-Major   APM assumes SNAT automap, does not use SNAT pool
746077-1 4-Minor   If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified
664618-1 4-Minor   Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'
658382-2 5-Cosmetic   Large numbers of ERR_UNKNOWN appearing in the logs


Performance Fixes

ID Number Severity Solution Article(s) Description
735832-1 2-Critical   RAM Cache traffic fails on B2150


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
756094-3 2-Critical   DNS express in restart loop, 'Error writing scratch database' in ltm log
749508-3 3-Major   LDNS and DNSSEC: Various OOM conditions need to be handled properly
749222-3 3-Major   dname compression offset overflow causes bad compression pointer
748902-7 3-Major   Incorrect handling of memory allocations while processing DNSSEC queries
746877-3 3-Major   Omitted check for success of memory allocation for DNSSEC resource record
737332-3 3-Major   It is possible for DNSX to serve partial zone information for a short period of time
748177-3 4-Minor   Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
759360 2-Critical   Apply Policy fails due to policy corruption from previously enforced signature
758961 2-Critical K58243048 During brute force attack, the attempted passwords may be logged
723790-1 2-Critical   Idle asm_config_server handlers consumes a lot of memory
760878-2 3-Major   Incorrect enforcement of explicit global parameters
755005-3 3-Major   Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
754365-3 3-Major   Updated flags for countries that changed their flags since 2010
751710-2 3-Major   False positive cookie hijacking violation
749109-1 3-Major   CSRF situation on BIGIP-ASM GUI
746146-2 3-Major   AVRD can crash with core when disconnecting/reconnecting on HTTPS connection
739945-2 3-Major   JavaScript challenge on POST with 307 breaks application
738647-2 3-Major   Add the login detection criteria of 'status code is not X'
721399-2 3-Major   Signature Set cannot be modified to Accuracy = 'All' after another value
717525-1 3-Major   Behavior for classification in manual learning mode
691945-1 3-Major   Security Policy Configuration Changes When Disabling Learning
761921-3 4-Minor   avrd high CPU utilization due to perpetual connection attempts
758336-1 4-Minor   Incorrect recommendation in Online Help of Proactive Bot Defense


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
763349-1 2-Critical   AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out
756205-3 2-Critical   TMSTAT offbox statistics are not continuous
764665-1 3-Major   AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change
763005-2 3-Major   Aggregated Domain Names in DNS statistics are shown as random domain name
760356-4 3-Major   Users with Application Security Administrator role cannot delete Scheduled Reports
753446-1 3-Major   avrd process crash during shutdown if connected to BIG-IQ
738614-2 3-Major   'Internal error' appears on Goodput GUI page
738197-2 3-Major   IP address from XFF header is not taken into account when there are trailing spaces after IP address
737863-1 3-Major   Advanced Filters for Captured Transactions not working on Multi-Blade Platforms
718655 3-Major   DNS profile measurement unit name is incorrect.
700322-2 3-Major   Upgrade may fail on a multi blade system when there are scheduled reports in configuration
754330-1 4-Minor   Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
752592-2 2-Critical   VMware Horizon PCoIP clients may fail to connect shortly after logout
704587-2 2-Critical   Authentication with UTF-8 chars in password or handling of IP addresses fail due to byte-array processing in iRules
660826-3 2-Critical   BIG-IQ Deployment fails with customization-templates
758764-4 3-Major   APMD Core when CRLDP Auth fails to download revoked certificate
757992-1 3-Major   RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
757781-1 3-Major   Portal Access: cookie exchange may be broken sometimes
755507-3 3-Major   [App Tunnel] 'URI sanitization' error
755475-3 3-Major   Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync
749057-3 3-Major   VMware Horizon idle timeout is ignored when connecting via APM
738430-1 3-Major   APM is not able to do compliance check on iOS devices running F5 Access VPN client
734291-2 3-Major   Logon page modification fails to sync to standby
696835-1 3-Major   Secondary Authentication or SSO fail after changing AD or LDAP password
695985-2 3-Major   Access HUD filter has URL length limit (4096 bytes)
656784-1 3-Major K98510679 Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM


Service Provider Fixes

ID Number Severity Solution Article(s) Description
704555-2 2-Critical   Core occurs if DIAMETER::persist reset is called if no persistence key is set.
752822-3 3-Major   SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type
751179-3 3-Major   MRF: Race condition may create to many outgoing connections to a peer
749603-3 3-Major   MRF SIP ALG: Potential to end wrong call when BYE received
748043-3 3-Major   MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP
747187-3 3-Major   SIP falsely detects media flow collision when SDP is in both 183 and 200 response
744949-3 3-Major   MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
751869 2-Critical   Possible tmm crash when using manual mode mitigation in DoS Profile
757279 3-Major   LDAP authenticated Firewall Manager role cannot edit firewall policies
753893-1 3-Major   Inconsistent validation for firewall address-list's nested address-list causes load failure
748081-2 3-Major   Memory leak in Behavioral DoS module
710262-1 3-Major   Firewall is not updated when adding new rules


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
739272-1 3-Major   Incorrect zombie counts in PBA stats with long PBA block-lifetimes


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
752782-3 3-Major   'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
760961 2-Critical   TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts
757088-3 2-Critical   TMM clock advances and cluster failover happens during webroot db nightly updates
752047-2 2-Critical   iRule running reject in CLASSIFICATION_DETECTED event can cause core
761273-1 3-Major   wr_urldbd creates sparse log files by writing from the previous position after logrotate.


Device Management Fixes

ID Number Severity Solution Article(s) Description
761300 3-Major K61105950 Errors in REST token requests may log sensitive data



Cumulative fixes from BIG-IP v13.1.1.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
744035-4 CVE-2018-15332 K12130880 APM Client Vulnerability: CVE-2018-15332
739970-2 CVE-2018-5390 K95343321 Linux kernel vulnerability: CVE-2018-5390
738119-2 CVE-2019-6589 K23566124 SIP routing UI does not follow best practices
745358-3 CVE-2019-6607 K14812883 ASM GUI does not follow best practices
737910-2 CVE-2019-6609 K18535734 Security hardening on the following platforms
737442-2 CVE-2019-6591 K32840424 Error in APM Hosted Content when set to public access
658557-3 CVE-2019-6606 K35209601 The snmpd daemon may leak memory when processing requests.
530775-3 CVE-2019-6600 K23734425 Login page may generate unexpected HTML output
701785-2 CVE-2017-18017 K18352029 Linux kernel vulnerability: CVE-2017-18017


Functional Change Fixes

ID Number Severity Solution Article(s) Description
744685-1 2-Critical   BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension
744188 2-Critical   First successful auth iControl REST requests will now be logged in audit and secure log files
748851-1 3-Major   Bot Detection injection include tags which may cause faulty display of application
725878-2 3-Major   AVR does not collect all of APM TMStats
700827-4 3-Major   B2250 blades may lose efficiency when source ports form an arithmetic sequence.
667257-4 3-Major   CPU Usage Reaches 100% With High FastL4 Traffic


TMOS Fixes

ID Number Severity Solution Article(s) Description
682837-2 1-Blocking   Compression watchdog period too brief.
744331 2-Critical   OpenSSH hardening
743790-3 2-Critical   BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus
741423-2 2-Critical   Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
738887-3 2-Critical   BIG-IP SNMPD vulnerability CVE-2019-6608
726487-2 2-Critical   MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
723298-2 2-Critical   BIND upgrade to version 9.11.4
713380 2-Critical K23331143 Multiple B4450 blades in the same chassis run into inconsistent DAG state
712738-1 2-Critical   fpdd may core dump when the system is going down
710277-1 2-Critical   IKEv2 further child_sa validity checks
697424-1 2-Critical   iControl-REST crashes on /example for firewall address-lists
688148-3 2-Critical   IKEv1 racoon daemon SEGV during phase-two SA list iteration
680556-1 2-Critical   Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
677937-3 2-Critical K41517253 APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
668041-2 2-Critical K27535157 Config load fails when an iRule comment ends with backslash in a config where there is also a policy.
751009-1 3-Major   Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out
748206 3-Major   Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position
745809 3-Major   The /var partition may become 100% full requiring manual intervention to clear space
743803-2 3-Major   IKEv2 potential double free of object when async request queueing fails
737536-1 3-Major   Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
737437-2 3-Major   IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages
737397-3 3-Major   User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP
724143-1 3-Major   IKEv2 connflow expiration upon ike-peer change
723579-4 3-Major   OSPF routes missing
722691 3-Major   Available datagroup list does not contain datagroups with the correct type.
721016 3-Major   vcmpd fails updating VLAN information on vcmp guest
720110-2 3-Major   0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.
718817-2 3-Major   Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.
718405-1 3-Major   RSA signature PAYLOAD_AUTH mismatch with certificates
718397-1 3-Major   IKEv2: racoon2 appends spurious trailing null byte to ID payloads
710666-1 3-Major   VE with interface(s) marked down may report high cpu usage
706104-3 3-Major   Dynamically advertised route may flap
705442-1 3-Major   GUI Network Map objects search on Virtual Server IP Address and Port does not work
698947-2 3-Major   BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.
693884-1 3-Major   ospfd core on secondary blade during network unstability
693106-1 3-Major   IKEv1 newest established phase-one SAs should be found first in a search
686926-2 3-Major   IPsec: responder N(cookie) in SA_INIT response handled incorrectly
686124-1 3-Major K83576240 IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
680838-2 3-Major   IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
678925-1 3-Major   Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
678380-2 3-Major K26023811 Deleting an IKEv1 peer in current use could SEGV on race conditions.
676897-3 3-Major K25082113 IPsec keeps failing to reconnect
676092-3 3-Major   IPsec keeps failing to reconnect
674145-1 3-Major   chmand error log message missing data
670197-1 3-Major   IPsec: ASSERT 'BIG-IP_conn tag' failed
652502-2 3-Major   snmpd returns 'No Such Object available' for ltm OIDs
639619-5 3-Major   UCS may fail to load due to Master key decryption failure on EEPROM-less systems
598085-1 3-Major   Expected telemetry is not transmitted by sFlow on the standby-mode unit.
491560-2 3-Major   Using proxy for IP intelligence updates
738985-2 4-Minor   BIND vulnerability: CVE-2018-5740
689491 4-Minor   cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled
689211-3 4-Minor   IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }
680856-2 4-Minor   IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
713491-2 5-Cosmetic   IKEv1 logging shows spi of deleted SA with opposite endianess


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
744269-2 2-Critical   dynconfd restarts if FQDN template node deleted while IP address change in progress
744117-5 2-Critical K18263026 The HTTP URI is not always parsed correctly
743857 2-Critical K21942600 Clientssl accepts non-SSL traffic when cipher-group is configured
742627-2 2-Critical   SSL session mirroring may cause memory leakage if HA channel is down
741919 2-Critical   HTTP response may be dropped following a 100 continue message.
740963-2 2-Critical   VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart
740490-1 2-Critical   Configuration changes involving HTTP2 or SPDY may leak memory
739003-1 2-Critical   TMM may crash when FastL4 is used on ePVA-capable BIG-IP platforms
738945-2 2-Critical   SSL persistence does not work when there are multiple handshakes present in a single record
738046-2 2-Critical   SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby
737758-2 2-Critical   MPTCP Passthrough and VIP-on-VIP can lead to TMM core
734276-2 2-Critical   TMM may leak memory when SSL certificates with VDI or EAM in use
727206 2-Critical   Memory corruption when using SSL Forward Proxy on certain platforms
720136-1 2-Critical   Upgrade may fail on mcpd when external netHSM is used
718210-2 2-Critical   Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused
716714-1 2-Critical   OCSP should be configured to avoid TMM crash.
702792-1 2-Critical K82327396 Upgrade creates Server SSL profiles with invalid cipher strings
685254-2 2-Critical K14013100 RAM Cache Exceeding Watchdog Timeout in Header Field Search
513310-5 2-Critical   TMM might core when a profile is changed.
849861 3-Major   TMM may crash with FastL4 and HTTP profile using fallback host and iRule command
752078 3-Major   Header Field Value String Corruption
739963-2 3-Major   TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
739379-2 3-Major   Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error
739349-1 3-Major   LRO segments might be erroneously VLAN-tagged.
738521-1 3-Major   i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
726319-2 3-Major   'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses
724564-1 3-Major   A FastL4 connection can fail with loose-init and hash persistence enabled
724327-1 3-Major   Changes to a cipher rule do not immediately have an effect
721621-1 3-Major   Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
720799-2 3-Major   Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
717896-2 3-Major   Monitor instances deleted in peer unit after sync
717100-3 3-Major   FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
716716-2 3-Major   Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
714559-2 3-Major   Removal of HTTP hash persistence cookie when a pool member goes down.
713690-3 3-Major   IPv6 cache route metrics are locked
711981-5 3-Major   BIG-IP system accepts larger-than-egress MTU, PMTU update
710028-2 3-Major   LTM SQL monitors may stop monitoring if multiple monitors querying same database
708068-2 3-Major   Tcl commands like "HTTP::path -normalize" do not return normalized path.
707691-4 3-Major   BIG-IP handles some pathmtu messages incorrectly
706102-2 3-Major   SMTP monitor does not handle all multi-line banner use cases
701678-2 3-Major   Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded
685519-1 3-Major   Mirrored connections ignore the handshake timeout
683697-1 3-Major K00647240 SASP monitor may use the same UID for multiple HA device group members
674591-3 3-Major K37975308 Packets with payload smaller than MSS are being marked to be TSOed
504522-1 3-Major   Trailing space present after 'tmsh ltm pool members monitor' attribute value
719247-2 4-Minor K10845686 HTTP::path and HTTP::query iRule functions cannot be set to a blank string
618884-6 4-Minor   Behavior when using VLAN-Group and STP


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
739846-3 2-Critical   Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
749774-3 3-Major   EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
749675-3 3-Major   DNS cache resolver may return a malformed truncated response with multiple OPT records
744707-4 3-Major   Crash related to DNSSEC key rollover
726255-2 3-Major   dns_path lingering in memory with last_access 0 causing high memory usage
723288-2 3-Major   DNS cache replication between TMMs does not always work for net dns-resolver
710246-2 3-Major   DNS-Express was not sending out NOTIFY messages on VE
702457-2 3-Major   DNS Cache connections remain open indefinitely
717113-2 4-Minor   It is possible to add the same GSLB Pool monitor multiple times


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
750922-3 2-Critical   BD crash when content profile used for login page has no parse parameters set
726537-1 2-Critical   Rare TMM crash when Single Page Application is enabled on DoSL7
576123-4 2-Critical K23221623 ASM policies are created as inactive policies on the peer device
750356-3 3-Major   Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted
747777-1 3-Major   Extractions are learned in manual learning mode
747550-1 3-Major   Error 'This Logout URL already exists!' when updating logout page via GUI
745802-3 3-Major   Brute Force CAPTCHA response page truncates last digit in the support id
744347-2 3-Major   Protocol Security logging profiles cause slow ASM upgrade and apply policy
743961-3 3-Major   Signature Overrides for Content Profiles do not work after signature update
738864-1 3-Major   javascript functions in href are learned from response as new URLs
738211-3 3-Major   pabnagd core when centralized learning is turned on
734228-1 3-Major   False-positive illegal-length violation can appear
726377-1 3-Major   False-positive cookie hijacking violation
721752-2 3-Major   Null char returned in REST for Suggestion with more than MAX_INT occurrences
705925-1 3-Major   Websocket Message Type not displayed in Request Log
701792-2 3-Major   JS Injection into cached HTML response causes TCP RST on the fictive URLs
696333-1 3-Major   Threat campaign filter does not return campaign if filter contains quotation marks
690215-2 3-Major   Missing requests in request log
676416-4 3-Major   BD restart when switching FTP profiles
676223-4 3-Major   Internal parameter in order not to sign allowed cookies
663535-2 3-Major   Sending ASM cookies with "secure" attribute even without client-ssl profile
605649-2 3-Major K28782793 The cbrd daemon runs at 100% CPU utilization
748999-1 4-Minor   invalid inactivity timeout suggestion for cookies
747905-1 4-Minor   'Illegal Query String Length' violation displays wrong length
745531-1 4-Minor   Puffin Browser gets blocked by Bot Defense
739345 4-Minor   Reporting invalid signature id after specific signature upgrade
685743-5 4-Minor   When changing internal parameter 'request_buffer_size' in large request violations might not be reported
665470-3 4-Minor   Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
746941 2-Critical   Memory leak in avrd when BIG-IQ fails to receive stats information
739446-2 2-Critical   Resetting SSL-socket correctly for AVR connection
737813-1 2-Critical   BIG-IP is unable to send statistics to BIG-IQ DCD node using IPv6 address
749464 3-Major   Race condition while BIG-IQ updates common file
749461 3-Major   Race condition while modifying analytics global-settings
746823 3-Major   AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members
745027 3-Major   AVR is doing extra activity of DNS data collection even when it should not
744595-1 3-Major   DoS-related reports might not contain some of the activity that took place
744589-1 3-Major   Missing data for Firewall Events Statistics
741767-2 3-Major   ASM Resource :: CPU Utilization statistics are in wrong scale
740086 3-Major   AVR report ignore partitions for Admin users
716782-2 3-Major   AVR should add new field to the events it sends: Microtimestamp


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
753368 1-Blocking   Unable to import access policy with pool
747621-2 2-Critical   Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used
744556-1 2-Critical K01226413 Upgrade PingAccess SDK used by BIG-IP APM to v1.1.3
714716-2 2-Critical K10248311 Apmd logs password for acp messages when in debug mode
754346-1 3-Major   Access policy was not found while creating configuration snapshot.
750496-1 3-Major   TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP
746771-1 3-Major   APMD recreates config snapshots for all access profiles every minute
746768-1 3-Major   APMD leaks memory if access policy policy contains variable/resource assign policy items
745654-2 3-Major   Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
745574-3 3-Major   URL is not removed from custom category when deleted
743437-1 3-Major   Portal Access: Issue with long 'data:' URL
743150-1 3-Major   Increase the limit of the maximum allowed timestamp for OAuth token processing for OAuth Client
739744-1 3-Major   Import of Policy using Pool with members is failing
719079-1 3-Major   Portal Access: same-origin AJAX request may fail under some conditions.
718136-2 3-Major   32-bit F5 VPN and Endpoint Inspector apps are discontinued on Linux


Service Provider Fixes

ID Number Severity Solution Article(s) Description
742829-3 3-Major   SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0
741951-2 3-Major   Multiple extensions in SIP NOTIFY request cause message to be dropped.
699431-3 3-Major   Possible memory leak in MRF under low memory


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
747104-3 1-Blocking K52868493 LibSSH: CVE-2018-10933
753028-1 3-Major   AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule
747926 3-Major   Rare TMM restart due to NULL pointer access during AFM ACL logging


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
744516-1 2-Critical   TMM panics after a large number of LSN remote picks
744959-1 3-Major   SNMP OID for sysLsnPoolStatTotal not incremented in stats
727212-1 3-Major   Subscriber-id query using full length IPv6 address fails.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
748976 3-Major   DataSafe Logging Settings page is missing when DataSafe license is active
742037-3 3-Major   FPS live updates do not install when minor version is different
741449-1 4-Minor   alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
726039 5-Cosmetic   Information is not updated after installing FPS live update via GUI


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
748813-1 2-Critical   tmm cores under stress test on virtual server with DoS profile with admd enabled
748121-1 2-Critical   admd livelock under CPU starvation
741761-1 2-Critical   admd might fail the heartbeat, resulting in a core
704236-1 2-Critical   TMM crash when attaching FastL4 profile
702936-1 2-Critical   TMM SIGSEGV under specific conditions.
653573-4 2-Critical   ADMd not cleaning up child rsync processes
741993-1 3-Major   The BIG-IP system does not answer the request matching L7 policy that disabled DOSL7 when BADOS configured.
741752-1 3-Major   [BADOS] state file is not saved when virtual server reuses a self IP of the device


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
724847 3-Major K95010813 DNS traffic does not get classified for AFM port misuse case



Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
745783-3 3-Major   Anti-fraud: remote logging of login attempts


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
684370-1 3-Major   APM now supports VMware Workspace ONE integration with VIDM as ID Provider
683741-1 3-Major   APM now supports VMware Workspace ONE integration with vIDM as ID Provider
635509-1 3-Major   APM does not support Vmware'e Blast UDP



Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
739947-1 CVE-2019-6610 K42465020 TMM may crash while processing APM traffic
737443-5 CVE-2018-5546 K54431371 BIG-IP APM client for Linux and macOS vulnerability CVE-2018-5546
737441-5 CVE-2018-5546 K54431371 Disallow hard links to svpn log files
726089-2 CVE-2018-15312 K44462254 Modifications to AVR metrics page
725815-1 CVE-2018-15320 K72442354 vlangroup usage may cause a excessive resource consumption
724339-1 CVE-2018-15314 K04524282 Unexpected TMUI output in AFM
724335-1 CVE-2018-15313 K21042153 Unexpected TMUI output in AFM
722677-4 CVE-2019-6604 K26455071 BIG-IP HSB vulnerability CVE-2019-6604
722387-3 CVE-2019-6596 K97241515 TMM may crash when processing APM DTLS traffic
722091-3 CVE-2018-15319 K64208870 TMM may crash while processing HTTP traffic
717888 CVE-2018-15323 K26583415 TMM may leak memory when a virtual server uses the MQTT profile.
717742-5 CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 K44923228 Oracle Java SE vulnerability CVE-2018-2783
707990-2 CVE-2018-15315 K41704442 Unexpected TMUI output in SSL Certificate Instance page
704184-6 CVE-2018-5529 K52171282 APM MAC Client create files with owner only read write permissions
701253-5 CVE-2018-15318 K16248201 TMM core when using MPTCP
693810-6 CVE-2018-5529 K52171282 CVE-2018-5529: APM Linux Client Vulnerability
741858-1 CVE-2018-15324 K52206731 TMM may crash while processing Portal Access requests
734822-3 CVE-2018-15325 K77313277 TMSH improvements
725801-4 CVE-2017-7889 K80440915 CVE-2017-7889: Kernel Vulnerability
725635-2 CVE-2018-3665 K21344224 CVE-2018-3665: Intel Lazy FPU Vulnerability
724680-4 CVE-2018-0732 K21665601 OpenSSL Vulnerability: CVE-2018-0732
721924-2 CVE-2018-17539 K17264695 BIG-IP ARM BGP vulnerability CVE-2018-17539
719554-2 CVE-2018-8897 K17403481 Linux Kernel Vulnerability: CVE-2018-8897
716900-2 CVE-2019-6594 K91026261 TMM core when using MPTCP
710705-2 CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 K34035645 Multiple Wireshark vulnerabilities
705799-2 CVE-2018-15325 K77313277 TMSH improvements
699453-4 CVE-2018-15327 K20222812 Web UI does not follow current best coding practices
699452-4 CVE-2019-6597 K29280193 Web UI does not follow current best coding practices
712876-2 CVE-2017-8824 K15526101 CVE-2017-8824: Kernel Vulnerability


Functional Change Fixes

ID Number Severity Solution Article(s) Description
734527-1 3-Major   BGP 'capability graceful-restart' for peer-group not properly advertised when configured
715750-2 3-Major K41515225 The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.


TMOS Fixes

ID Number Severity Solution Article(s) Description
693611-3 1-Blocking K76313256 IKEv2 ike-peer might crash on stats object during peer modification update
743810-1 2-Critical   AWS: Disk resizing in m5/c5 instances fails silently.
743082-1 2-Critical   Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members
739507 2-Critical   Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check
739505 2-Critical   Automatic ISO digital signature checking not required when FIPS license active
739285-1 2-Critical   GUI partially missing when VCMP is provisioned
725696-1 2-Critical   A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted
723722-2 2-Critical   MCPD crashes if several thousand files are created between config syncs.
721350-2 2-Critical   The size of the icrd_child process is steadily growing
717785-1 2-Critical   Interface-cos shows no egress stats for CoS configurations
716391-2 2-Critical K76031538 High priority for MySQL on 2 core vCMP may lead to control plane process starvation
711683-2 2-Critical   bcm56xxd crash with empty trunk in QinQ VLAN
707003-3 2-Critical   Unexpected syntax error in TMSH AVR
706423-1 2-Critical   tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
703669-2 2-Critical   Eventd restarts on NULL pointer access
703045-1 2-Critical   If using TMSH commands with deprecated attributes in iApp, the upgrade will fail.
700386-2 2-Critical   mcpd may dump core on startup
693996-5 2-Critical K42285625 MCPD sync errors and restart after multiple modifications to file object in chassis
692158-1 2-Critical   iCall and CLI script memory leak when saving configuration
691589-4 2-Critical   When using LDAP client auth, tamd may become stuck
690819-1 2-Critical   Using an iRule module after a 'session lookup' may result in crash
689437-1 2-Critical K49554067 icrd_child cores due to infinite recursion caused by incorrect group name handling
689002-3 2-Critical   Stackoverflow when JSON is deeply nested
658410-2 2-Critical   icrd_child generates a core when calling PUT on ltm/data-group/internal/
652877-5 2-Critical   Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
638091-6 2-Critical   Config sync after changing named pool members can cause mcpd on secondary blades to restart
739126 3-Major   Multiple VE installations may have different sized volumes
733585-3 3-Major   Merged can use %100 of CPU if all stats snapshot files are in the future
727467-1 3-Major   Some iSeries appliances can experience traffic disruption when the high availability (HA) peer is upgraded from 12.1.3 and earlier to 13.1.0 or later.
726409-4 3-Major   Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
722682-2 3-Major   Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load
721740-2 3-Major   CPU stats are not correctly recorded when snapshot files have timestamps in the future
720713-2 3-Major   TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail
720461-2 3-Major   qkview prompts for password on chassis
718525-1 3-Major   PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting
714974-2 3-Major   Platform-migrate of UCS containing QinQ fails on VE
714903-2 3-Major   Errors in chmand
714654-2 3-Major   Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
713813-2 3-Major   Node monitor instances not showing up in GUI
712102-2 3-Major K11430165 customizing or changing the HTTP Profile's IPv6 field hides the field or the row
710232-2 3-Major   platform-migrate fails when LACP trunks are in use
709444-2 3-Major   "NTP not configured on device" warning seen when NTP symmetric key authentication is configured
709192-1 3-Major   GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart
707740-4 3-Major   Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination
707509-1 3-Major   Initial vCMP guest creations can fail if certain hotfixes are used
707391-2 3-Major   BGP may keep announcing routes after disabling route health injection
706804-1 3-Major   SNMP trap destination configuration of network option is missing "default" keyword
706354-2 3-Major   OPT-0045 optic unable to link
706169-3 3-Major   tmsh memory leak
705456-1 3-Major   Enabling HTTP-to-HTTPS redirection in a vCMP guest can prevent some Host-Guest Management features from working
704755-1 3-Major   EUD_M package could not be installed on 800 platforms
704512-1 3-Major   Automated upload of qkview to iHealth can time out resulting in error
704336-1 3-Major   Updating 3rd party device cert not copied correctly to trusted certificate store
702227-3 3-Major   Memory leak in TMSH load sys config
700757-1 3-Major   vcmpd may crash when it is exiting
700576-1 3-Major   GUI - Server SSL Profile shows irrelevant options when "Server Certificate" is set to "Ignore"
700426 3-Major K58033284 Switching partitions while viewing objects in GUI can result in empty list
700250-3 3-Major K59327012 qkviews for secondary blade appear to be corrupt
698875-1 3-Major   Qkview Security Hardening
698084-3 3-Major K03776801 IPsec log messages in /var/log/ltm missing module ID to reach bigiq logs
696731-3 3-Major K94062594 The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
693578-2 3-Major   switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0
692189-1 3-Major   errdefsd fails to generate a core file on request.
692179-1 3-Major   Potential high memory usage from errdefsd.
691609-1 3-Major   1NIC: Configuration error: Clearing IP on interface mgmt failed - Cannot assign requested address
690890-1 3-Major   Running sod manually can cause issues/failover
689375-1 3-Major K01512833 Unable configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled
688406-1 3-Major K14513346 HA-Group Score showing 0
687905-2 3-Major K72040312 OneConnect profile causes CMP redirected connections on the HA standby
687534-1 3-Major   If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
684391-3 3-Major   Existing IPsec tunnels reload. tmipsecd creates a core file.
684218-1 3-Major   vADC 'live-install' Downgrade from v13.1.0 is not possible
681782-6 3-Major   Unicast IP address can be configured in a failover multicast configuration
679347-2 3-Major K44117473 ECP does not work for PFS in IKEv2 child SAs
678488-1 3-Major K59332320 BGP default-originate not announced to peers if several are peering over different VLANs
677485-1 3-Major   Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error
671712-2 3-Major   The values returned for the ltmUserStatProfileStat table are incorrect.
670528-4 3-Major K20251354 Warnings during vCMP host upgrade.
651413-4 3-Major K34042229 tmsh list ltm node does not return an error when node does not exist
642923-6 3-Major   MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system
617643-2 3-Major   iControl.ForceSessions enabled results in GUI error on certain pages
551925-4 3-Major   Misdirected UDP traffic with hardware acceleration
464650-6 3-Major   Failure of mcpd with invalid authentication context.
727297-3 4-Minor   GUI TACACS+ remote server list should accept hostname
725612-1 4-Minor   syslog-ng does not send any messages to the remote servers after reconfiguration
719770-2 4-Minor   tmctl -H -V and -l options without values crashed
714749-2 4-Minor   cURL Vulnerability: CVE-2018-1000120
713947-1 4-Minor   stpd repeatedly logs "hal sendMessage failed"
713932-1 4-Minor   Commands are replicated to PostgreSQL even when not in use.
707631-2 4-Minor   The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI
707267 4-Minor   REST Framework HTTP header limit size increased to 8 KB
701826 4-Minor   qkview upload to ihealth fails or unable to untar qkview file
691491-5 4-Minor K13841403 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
685582-7 4-Minor   Incorrect output of b64 unit key hash by command f5mku -f
683029-1 4-Minor   Sync of virtual address and self IP traffic groups only happens in one direction
679135-2 4-Minor   IKEv1 and IKEv2 cannot share common local address in tunnels
678388-1 4-Minor K00050055 IKEv1 racoon daemon is not restarted when killed multiple times


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
722594-2 1-Blocking   TCP flow may not work as expected if double tagging is used
737445-2 2-Critical   Use of TCP Verified Accept can disable server-side flow control
727044-2 2-Critical   TMM may crash while processing compressed data
726239-4 2-Critical   interruption of traffic handling as sod daemon restarts TMM
725545-1 2-Critical   Ephemeral listener might not be set up correctly
724906-1 2-Critical   sasp_gwm monitor leaks memory over time
724868-1 2-Critical   dynconfd memory usage increases over time
724213-1 2-Critical K74431483 Modified ssl_profile monitor param not synced correctly
722893-1 2-Critical K30764018 TMM can restart without a stack trace or core file after becoming disconnected from MCPD.
716213-1 2-Critical   BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
713612-1 2-Critical   tmm might restart if the HTTP passthrough on pipeline option is used
710221-2 2-Critical K67352313 Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled
673664-1 2-Critical   TMM crashes when sys db Crypto.HwAcceleration is disabled.
635191-2 2-Critical   Under rare circumstances TMM may crash
727222-1 3-Major   206 Partial Content responses from ramcache have malformed Content-Range header
723300-2 3-Major   TMM may crash when tracing iRules containing nameless listeners on internal virtual servers
722363-2 3-Major   Client fails to connect to server when using PVA offload at Established
721261-1 3-Major   v12.x Policy rule names containing slashes are not migrated properly
720293-3 3-Major   HTTP2 IPv4 to IPv6 fails
719600-2 3-Major   TCP::collect iRule with L7 policy present may result in connection reset
717346-2 3-Major K13040347 [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
715883 3-Major   Tmm crash due to invalid cookie attribute
715785-2 3-Major   Incorrect encryption error for monitors during sync or upgrade
715756-2 3-Major   Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only
715467-2 3-Major   Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
714384-3 3-Major   DHCP traffic may not be forwarded when BWC is configured
707951-2 3-Major   Stalled mirrored flows on HA next-active when OneConnect is used.
704764-3 3-Major   SASP monitor marks members down with non-default route domains
703580-1 3-Major   TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.
703266-2 3-Major   Potential MCP memory leak in LTM policy compile code
702450-1 3-Major   The validation error message generated by deleting certain object types referenced by a policy action is incorrect
701690-1 3-Major K53819652 Fragmented ICMP forwarded with incorrect icmp checksum
700696-1 3-Major   SSID does not cache fragmented Client Certificates correctly via iRule
699273-1 3-Major   TMM Core During FTP Monitor Use
695925-1 3-Major   Tmm crash when showing connections for a CMP disabled virtual server
691785-1 3-Major   The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes
691224-3 3-Major K59327001 Fragmented SSL Client Hello message do not get properly reassembled when SSL Persistence is enabled
690778-1 3-Major K53531153 Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule
688629-1 3-Major K52334096 Deleting data-group in use by iRule does not trigger validation error
685110-1 3-Major K05430133 With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
681757-3 3-Major K32521651 Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
681673-4 3-Major   tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results
679613-1 3-Major K23531420 i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'
672312-3 3-Major   IP ToS may not be forwarded to serverside with syncookie activated
602708-4 3-Major K84837413 Traffic may not passthrough CoS by default
716922-2 4-Minor   Reduction in PUSH flags when Nagle Enabled
712637-2 4-Minor   Host header persistence not implemented
700433-1 4-Minor K10870739 Memory leak when attaching an LTM policy to a virtual server
697988-3 4-Minor K34554754 During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100%
693966-1 4-Minor   TCP sndpack not reset along with other tcp profile stats
688557-1 4-Minor K50462482 Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'
495242-4 4-Minor   mcpd log messages: Failed to unpublish LOIPC object


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
718885-3 2-Critical K25348242 Under certain conditions, monitor probes may not be sent at the configured interval
723792-2 3-Major   GTM regex handling of some escape characters renders it invalid
719644-2 3-Major   If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
737500-2 2-Critical   Apply Policy and Upgrade time degradation when there are previous enforced rules
726090-1 2-Critical   No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense
724414-2 2-Critical   ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled
724032-1 2-Critical   Searching Request Log for value containing backslash does not return expected result
721741-3 2-Critical   BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
704143-1 2-Critical   BD memory leak
701856-1 2-Critical   Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart
740719-2 3-Major   ASM CSP header parser does not honor unsafe-inline attribute within script-src directive


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
737867-1 3-Major   Scheduled reports are being incorrectly displayed in different partitions


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
739716-2 1-Blocking   APM Subroutine loops without finishing
740777-1 2-Critical   Secondary blades mcp daemon restart when subroutine properties are configured
739674-1 2-Critical   TMM might core in SWG scenario with per-request policy.
722013 2-Critical   MCPD restarts on all secondary blades post config-sync involving APM customization group
713820-1 2-Critical   Pass in IP address to urldb categorization engine
739939-1 3-Major   Ping Access Agent Module leaks memory in TMM.
739190 3-Major   Policies could be exported with not patched /Common partition
738582-1 3-Major   Ping Access Agent Module leaks memory in TMM.
738397-1 3-Major   SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
737355-1 3-Major   HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files
737064-2 3-Major   ACCESS::session iRule commands may not work in serverside events
726895 3-Major K02205915 VPE cannot modify subroutine settings
726616-1 3-Major   TMM crashes when a session is terminated
726592-1 3-Major   Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop
725867-2 3-Major   ADFS proxy does not fetch configuration for non-floating virtual servers
725412-1 3-Major   APM does not follow current best practices for HTTP headers
724571-1 3-Major   Importing access profile takes a long time
722969-2 3-Major   Access Policy import with 'reuse' enabled instead rewrites shared objects
722423-1 3-Major   Analytics agent always resets when Category Lookup is of type custom only
720757-1 3-Major   Without proper licenses Category Lookup always fails with license error in Allow Ending
713655-2 3-Major   RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
711427-2 3-Major   Edge Browser does not launch F5 VPN App
710884-1 3-Major   Portal Access might omit some valid cookies when rewriting HTTP request.
701800-2 3-Major K29064506 SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x
701056-1 3-Major   User is not able to reset their Active Directory password
698984-1 3-Major   Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned
696669-1 3-Major   Users cannot change or reset RSA PIN
696544-1 3-Major   APM end users can not change/reset password when auth agents are included in per-req policy
671323-1 3-Major   Reset PIN Fail if Token input field is not 'password' field
734595-2 4-Minor   sp-connector is not being deleted together with profile
721375-1 4-Minor   Export then import of config with RSA server in it might fail


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
706642-2 2-Critical   wamd may leak memory during configuration changes and cluster events


Service Provider Fixes

ID Number Severity Solution Article(s) Description
709383-2 3-Major   DIAMETER::persist reset non-functional
706750-1 3-Major   Changing CGNAT SIP ALG profile log settings while handling traffic may cause tmm crash.
691048-1 3-Major K34553736 Support DIAMETER Experimental-Result AVP response
688942-5 3-Major   ICAP: Chunk parser performs poorly with very large chunk


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
724532-2 2-Critical   SIG SEGV during IP intelligence category match in TMM
720045-1 2-Critical   IP fragmented UDP DNS request and response packets dropped as DNS Malformed
710755-1 2-Critical   TMM crash when route information becomes stale and the system accesses stale information.
698333-1 2-Critical K43392052 TMM core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families)
694849-1 2-Critical   TMM crash when packet sampling is turned for DNS BDOS signatures.
672514-1 2-Critical   Local Traffic/Virtual Server/Security page crashed
630137-2 2-Critical   Dynamic Signatures feature can fill up /config partition impacting system stability
726154-2 3-Major   TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies
704528-2 3-Major   tmm may run out of memory during IP shunning
704369-2 3-Major   TMM on BIG-IP restarts if a dos profile is attached to a virtual with sip-routing enabled
696201-1 3-Major   Anomaly threshold floor calculation (for bins with very low learnt threshold) during signature generation
686376-2 3-Major   Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon
707054-1 4-Minor   SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162
699454-4 4-Minor   Web UI does not follow current best coding practices


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
726647-3 3-Major   PEM content insertion in a compressed response may truncate some data
721704-1 3-Major   UDP flows are not deleted after subscriber deletion
709670-2 3-Major   iRule triggered from RADIUS occasionally fails to create subscribers.


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
721570-1 1-Blocking K20285019 TMM core when trying to log an unknown subscriber
734446-2 2-Critical   TMM crash after changing LSN pool mode from PBA to NAPT
688246-1 2-Critical   An invalid mode in the LSN::persistence command causes TMM crash
708830-2 3-Major   Inbound or hairpin connections may get stuck consuming memory.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
738669-2 3-Major   Login validation may fail for a large request with early server response
737368-1 3-Major   Fingerprint cookie large value may result in tmm core.


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
739277 2-Critical   TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode
720585-1 3-Major   Signatures generated by Behavioral DOS algorithm can create false-positive signatures
689540-1 3-Major   The same DOS attack generates new signatures even if there are signatures generated during previous attacks.


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
726303-1 3-Major   Unlock 10 million custom db entry limit


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
726872-2 3-Major   iApp LX directory disappears after upgrade or restoring from UCS



Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release


Functional Change Fixes

None



Cumulative fixes from BIG-IP v13.1.1 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
693359-1 1-Blocking   AWS M5 and C5 instance families are supported


TMOS Fixes

ID Number Severity Solution Article(s) Description
721364 1-Blocking   BIG-IP per-application VE BYOL license does not support three wildcard virtual servers
716469 1-Blocking   OpenSSL 1.0.1l fails with 512 bit DSA keys
697615-1 1-Blocking K65013424 Neurond may restart indefinitely after boot, with neurond_i2c_config message
675921-2 1-Blocking   Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running
723130-1 2-Critical K13996 Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
700086-1 2-Critical   AWS C5/M5 Instances do not support BIG-IP VE
696732-3 2-Critical K54431534 tmm may crash in a compression provider
721985 3-Major   PAYG License remains inactive as dossier verification fails.
721512 3-Major   Config tool fails to configure management-ip when default routes exist for both IPv4 and IPv6.
721342 3-Major   No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments.
720961-1 3-Major   Upgrading in Intelligence Community AWS environment may fail
720756-1 3-Major   SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS
720651-2 3-Major   Running Guest Changed to Provisioned Never Stops
720104-1 3-Major   BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
719396-1 3-Major K34339214 DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.
717832 3-Major   Remove unneeded files from UCS backup directories
714303-1 3-Major K25057050 X520 virtual functions do not support MAC masquerading
712266-1 3-Major   Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware
697616-2 3-Major   Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests
680086 3-Major   md5sum check on BMC firmware fails
673996-2 3-Major   Unable to set 'media-fixed' on management port on BIG-IP i15000 platforms
680388-1 4-Minor   f5optics should not show function name in non-debug log messages
653759-1 4-Minor   Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update
720391-2 5-Cosmetic   BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
737550 2-Critical   State Mirroring between BIG-IP 13.0.x and 13.1.x systems may cause TMM core on standby system during upgrade
701538-2 2-Critical   SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured
720460-1 3-Major   Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly
694778-1 3-Major   Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size
686631-2 3-Major   Deselect a compression provider at the end of a job and reselect a provider for a new job
679494-1 3-Major   Change the default compression strategy to speed
495443-9 3-Major K16621 ECDH negotiation failures logged as critical errors.
679496-2 4-Minor   Add 'comp_req' to the output of 'tmctl compress'


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
717909 2-Critical   tmm can abort on sPVA flush if the HSB flush does not succeed
701637 2-Critical   Crash in bcm56xxd during TMM failover
644822 2-Critical K19245372 FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned
702738-1 3-Major K32181540 Tmm might crash activating new blob when changing firewall rules
698182 3-Major   Upgrading from 13.1.1 to newer release might cause config to not be copied over
697516 3-Major   Upgrading using a ucs or scf file does not autogenerate uuids when current config has the uuid-default-autogenerate flag enabled



Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
716992-2 CVE-2018-5539 K75432956 The ASM bd process may crash
710244-3 CVE-2018-5536 K27391542 Memory Leak of access policy execution objects
710140-1 CVE-2018-5527 K20134942 TMM may consume excessive resources when processing SSL Intercept traffic
709688-3 CVE-2017-3144
CVE-2018-5732
CVE-2018-5733
K08306700 dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
695072-2 CVE-2016-8399
CVE-2017-1000111
CVE-2017-1000112
CVE-2017-11176
CVE-2017-14106
CVE-2017-7184
CVE-2017-7541
CVE-2017-7542
CVE-2017-7558
K23030550 CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558
693744-4 CVE-2018-5531 K64721111 CVE-2018-5531: vCMP vulnerability
651741-2 CVE-2017-5970, K60104355 CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop
717900-2 CVE-2018-5528 K27044729 TMM crash while processing APM data
710827-2 CVE-2019-6598 K44603900 TMUI dashboard daemon stability issue
710148-2 CVE-2017-1000111
CVE-2017-1000112
K60250153 CVE-2017-1000111 & CVE-2017-1000112
709256-2 CVE-2017-9074
CVE-2017-7542
K61223103 CVE-2017-9074: Local Linux Kernel Vulnerability
705476-2 CVE-2018-15322 K28003839 Appliance Mode does not follow design best practices
698813-2 CVE-2018-5538 K45435121 When processing DNSX transfers ZoneRunner does not enforce best practices
688625-5 CVE-2017-11628 K75543432 PHP Vulnerability CVE-2017-11628
662850-6 CVE-2015-2716 K50459349 Expat XML library vulnerability CVE-2015-2716
714879-3 CVE-2018-15326 K34652116 APM CRLDP Auth passes all certs


Functional Change Fixes

ID Number Severity Solution Article(s) Description
685020-3 3-Major   Enhancement to SessionDB provides timeout


TMOS Fixes

ID Number Severity Solution Article(s) Description
708956-1 1-Blocking K51206433 During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
719597 2-Critical   HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0
715820-1 2-Critical   vCMP in HA configuration with VIPRION chassis might cause unstable data plane
712401-1 2-Critical   Enhanced administrator lock/unlock for Common Criteria compliance
676203-3 2-Critical   Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.
665362-2 2-Critical   MCPD might crash if the AOM restarts
581851-6 2-Critical K16234725 mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands
711249-1 3-Major   NAS-IP-Address added to RADIUS packet unexpectedly
710976-1 3-Major   Network Map might take a long time to load
708484-2 3-Major   Network Map might take a long time to load
707445-3 3-Major K47025244 Nitrox 3 compression hangs/unable to recover
705818-1 3-Major   GUI Network Map Policy with forward Rule to Pool, Pool does not show up
704804-1 3-Major   The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
704733-1 3-Major   NAS-IP-Address is sent with the bytes in reverse order
704247-2 3-Major   BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
701249-1 3-Major   RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
700895-1 3-Major K34944451 GUI Network Map objects in subfolders are not being shown
696260-1 3-Major K53103420 GUI Network Map as Start Screen presents database error
694696-5 3-Major   On multiblade Viprion, creating a new traffic-group causes the device to go Offline
694547-2 3-Major K74203532 TMSH save sys config creates unneeded generate_config processes.
689730-3 3-Major   Software installations from v13.1.0 might fail
687658 3-Major   Monitor operations in transaction will cause it to stay unchecked
686906-2 3-Major   Fragmented IPv6 packets not handled correctly on Virtual Edition
674455-5 3-Major   Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS
678254-1 4-Minor   Error logged when restarting Tomcat


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
721571-1 2-Critical   State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade
718071-1 2-Critical   HTTP2 with ASM policy not passing traffic
715747 2-Critical   TMM may restart when running traffic through custom SSLO deployments.
709828-2 2-Critical   fasthttp can crash with Large Receive Offload enabled
707244-3 2-Critical   iRule command clientside and serverside may crash tmm
707207-1 2-Critical   iRuleLx returning undefined value may cause TMM restart
700597-1 2-Critical   Local Traffic Policy on HTTP/2 virtual server no longer matches
700056-1 2-Critical   MCPD process may lock up and restart when applying Local Traffic Policy to virtual server
690756-1 2-Critical   APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated
571651-4 2-Critical   Reset Nitrox3 crypto accelerator queue if it becomes stuck.
713951-5 3-Major   tmm core files produced by nitrox_diag may be missing data
713934-2 3-Major   Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response
712819-2 3-Major   'HTTP::hsts preload' iRule command cannot be used
712475-3 3-Major K56479945 DNS zones without servers will prevent DNS Express reading zone data
712437-3 3-Major K20355559 Records containing hyphens (-) will prevent child zone from loading correctly
711281-5 3-Major   nitrox_diag may run out of space on /shared
710996-2 3-Major   VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP
709133-2 3-Major   When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur
709132-1 3-Major   When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur
707961-2 3-Major K50013510 Unable to add policy to virtual server; error = Failed to compile the combined policies
707109-1 3-Major   Memory leak when using C3D
704381-5 3-Major   SSL/TLS handshake failures and terminations are logged at too low a level
702151-1 3-Major   HTTP/2 can garble large headers
700889-3 3-Major K07330445 Software syncookies without TCP TS improperly include TCP options that are not encoded
700061-4 3-Major   Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file
699598-2 3-Major   HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR
696755 3-Major   HTTP/2 may truncate a response body when served from cache
693308-1 3-Major   SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain
689089-1 3-Major   VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
688744-1 3-Major K11793920 LTM Policy does not correctly handle multiple datagroups
686890-1 3-Major   X509_EXTENSION memory blocks leak when C3D forges the certificate.
682944-1 3-Major   key-id missing for installed netHSM key for standby BIG-IP system in high availability (HA) setup
682283-2 3-Major   Malformed HTTP/2 request with invalid Content-Length value is served against RFC
678872-3 3-Major   Inconsistent behavior for virtual-address and selfip on the same ip-address
673399-3 3-Major   HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.
653201-2 3-Major   Update the default CA certificate bundle file to the latest version and remove expiring certificates from it
713533-2 4-Minor   list self-ip with queries does not work
708249-2 4-Minor   nitrox_diag utility generates QKView files with 5 MB maximum file size limit
692095-1 4-Minor K65311501 bigd logs monitor status unknown for FQDN Node/Pool Member
678801-4 4-Minor   WS::enabled returned empty string
677958-4 4-Minor   WS::frame prepend and WS::frame append do not insert string in the right place.


Performance Fixes

ID Number Severity Solution Article(s) Description
698992-1 3-Major   Performance degraded


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
713066-1 2-Critical K10620131 Connection failure during DNS lookup to disabled nameserver can crash TMM
707310-2 2-Critical   DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)
721895 3-Major   Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)
715448-2 3-Major   Providing LB::status with a GTM Pool name in a variable caused validation issues
710032-1 3-Major   'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system.
706128-2 3-Major   DNSSEC Signed Zone Transfers Can Leak Memory
703545-1 3-Major   DNS::return iRule "loop" checking disabled


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
718152 2-Critical K14591455 ASM GUI request log does not load on cluster
716788-2 2-Critical   TMM may crash while response modifications are being performed within DoSL7 filter
713390-1 2-Critical   ASM Signature Update cannot be performed on hourly billing cloud instance
685230-3 2-Critical   memory leak on a specific server scenario
606983-2 2-Critical   ASM errors during policy import
719459-2 3-Major   Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled
719005-1 3-Major   Login request may arrive corrupted to the backend server after CAPTCHA or CSID mitigation
717756-2 3-Major   High CPU usage from asm_config_server
716940-2 3-Major   Traffic Learning screen graphs shows data for the last day only
715128-1 3-Major   Simple mode Signature edit does not escape semicolon
713282-1 3-Major   Remote logger violation_details field does not appear when virtual server has more than one remote logger
712362-3 3-Major   ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
711405-1 3-Major K14770331 ASM GUI Fails to Display Policy List After Upgrade
710327-1 3-Major   Remote logger message is truncated at NULL character.
707147-1 3-Major   High CPU consumed by asm_config_server_rpc_handler_async.pl
706845-2 3-Major   False positive illegal multipart violation
706665-2 3-Major   ASM policy is modified after pabnagd restart
704643-1 3-Major   Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule
702008-1 3-Major   ASM REST: Missing DB Cleanup for some tables
700143-2 3-Major   ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages
691897-3 3-Major   Names of the modified cookies do not appear in the event log
687759-1 3-Major   bd crash
686765-2 3-Major   Database cleaning failure may allow MySQL space to fill the disk entirely
674256-2 3-Major K60745057 False positive cookie hijacking violation
675232-6 4-Minor   Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
710315-1 2-Critical   AVR-profile might cause issues when loading a configuration or when using config sync
698226-1 2-Critical   Filters under Security :: Reports :: DoS :: URL Latencies work incorrectly
696642-1 2-Critical   monpd core is sometimes created when the system is under heavy load.
721474-1 3-Major   AVR does not send all SSLO statistics to offbox machine.
715110 3-Major   AVR should report 'resolutions' in module GtmWideip
712118 3-Major   AVR should report on all 'global tags' in external logs
706361 3-Major   IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0
696212-1 3-Major   monpd does not return data for multi-dimension query
648242-2 3-Major K73521040 Administrator users unable to access all partition via TMSH for AVR reports
649161-2 4-Minor K42340304 AVR caching mechanism not working properly


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
720214-1 2-Critical   NTLM Authentication might fail if Strict Update in iApp is modified
720189-1 2-Critical   VDI settings in APM Webtop have the incorrect URL for Citrix Receiver client download
719149-2 2-Critical   VDI plugin might hang while processing native RDP connections
716747-2 2-Critical   TMM my crash while processing APM or SWG traffic
715250-1 2-Critical   TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED
713156-1 2-Critical   AGC cannot do redeploy in Exchange and ADFS use cases
710116-1 2-Critical   VPN clients experience packet loss/disconnection
694078-1 2-Critical   In rare cases, TMM may crash with high APM traffic
720695-1 3-Major   Export then import of APM access Profile/Policy with advanced customization is failing
719192 3-Major   In VPE Agent VMware View Policy shows no properties
715207-3 3-Major   coapi errors while modifying per-request policy in VPE
714961-1 3-Major   antserver creates large temporary file in /tmp directory
714700-2 3-Major   SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy
713111-1 3-Major   When ASM and APM are configured on the same virtual server, ASM might report some errors in its logging.
710305-1 3-Major   When ASM and APM are configured on the same virtual server, ASM could throw some errors in its logging.
709274-1 3-Major   RADIUS Accounting requests egress on different Self IP addresses than they did pre-v13.1.0
699267-2 3-Major   LDAP Query may fail to resolve nested groups
658278-1 3-Major   Network Access configuration with Layered-VS does not work with Edge Client


Service Provider Fixes

ID Number Severity Solution Article(s) Description
703515-3 2-Critical K44933323 MRF SIP LB - Message corruption when using custom persistence key
692310-2 3-Major K69250459 ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
677473-3 2-Critical   MCPD core is generated on multiple add/remove of Mgmt-Rules


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
711570-3 3-Major   PEM iRule subscriber policy name query using subscriber ID, may not return applied policies
663874-2 3-Major K77173309 Off-box HSL logging does not work with PEM in SPAN mode.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
719186-2 3-Major   Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts
716318-2 3-Major   Engine/Signatures automatic update check may fail to find/download the latest update


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
714334-1 2-Critical   admd stops responding and generates a core while under stress.
718772-2 3-Major   The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists)
718685-1 3-Major   The measured number of pending requests is two times higher than actual one
701288-1 3-Major   Server health significantly increases during DoSL7 TPS prevention


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
693694-1 3-Major   tmsh::load within IApp template results in unpredicted behavior



Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
716392-1 1-Blocking   Support for 24 vCMP guests on a single 4450 blade
712429 1-Blocking   Serverside packets excluded from DoS stats
704552 3-Major   Support for ONAP site licensing


TMOS Fixes

ID Number Severity Solution Article(s) Description
707100 2-Critical   Potentially fail to create user in AzureStack
706688 2-Critical   Automatically add additional certificates to BIG-IP system in C2S and IC environments
709936 3-Major   Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
707585-1 3-Major   Use native driver for 82599 NICs instead of UNIC
703869 3-Major   Waagent updated to 2.2.21


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
713273 2-Critical   BIG-IP sys db variable avr.stats.internal.maxentitiespertable resets back to default value on services restart
715153-1 3-Major   AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
716746 3-Major   Possible tmm restart when disabling single endpoint vector while attack is ongoing
712710 3-Major   TMM may halt and restart when threshold mode is set to stress-based mitigation


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
699103-1 3-Major   tmm continuously restarts after provisioning AFM



Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
709972-6 CVE-2017-12613 K52319810 CVE-2017-12613: APR Vulnerability
707186-1 CVE-2018-5514 K45320419 TMM may crash while processing HTTP/2 traffic
702232-1 CVE-2018-5517 K25573437 TMM may crash while processing FastL4 TCP traffic
693312-1 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
688516-1 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
686305-1 CVE-2018-5534 K64552448 TMM may crash while processing SSL forward proxy traffic
589233-2 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
714369 CVE-2018-5526 K62201098 ADM may fail when processing HTTP traffic
714350 CVE-2018-5526 K62201098 BADOS mitigation may fail
710314-1 CVE-2018-5537 K94105051 TMM may crash while processing HTML traffic
706176-1 CVE-2018-5512 K51754851 TMM crash can occur when using LRO
706086-3 CVE-2018-5515 K62750376 PAM RADIUS authentication subsystem hardening
703940-2 CVE-2018-5530 K45611803 Malformed HTTP/2 frame consumes excessive system resources
699346-3 CVE-2018-5524 K53931245 NetHSM capacity reduces when handling errors
688011-7 CVE-2018-5520 K02043709 Dig utility does not apply best practices
688009-7 CVE-2018-5519 K46121888 Appliance Mode TMSH hardening
677088-2 CVE-2018-15321 K01067037 BIG-IP tmsh vulnerability CVE-2018-15321
708653-1 CVE-2018-15311 K07550539 TMM may crash while processing TCP traffic
632875-5 CVE-2018-5516 K37442533 Non-Administrator TMSH users no longer allowed to run dig


Functional Change Fixes

ID Number Severity Solution Article(s) Description
708389 3-Major   BADOS monitoring with Grafana requires admin privilege
680850-2 3-Major K48342409 Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.


TMOS Fixes

ID Number Severity Solution Article(s) Description
694897-2 1-Blocking   Unsupported Copper SFP can trigger a crash on i4x00 platforms.
708054-1 2-Critical   Web Acceleration: TMM may crash on very large HTML files with conditional comments
706305-1 2-Critical   bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled
706087 2-Critical   Entry for SSL key replaced by config-sync causes tmsh load config to fail
703761-2 2-Critical   Disable DSA keys for public-key and host-based authentication in Common Criteria mode
696113-3 2-Critical   Extra IPsec reference added per crypto operation overflows connflow refcount
692683-1 2-Critical   Core with /usr/bin/tmm.debug at qa_device_mgr_uninit
690793-1 2-Critical K25263287 TMM may crash and dump core due to improper connflow tracking
689577-3 2-Critical K45800333 ospf6d may crash when processing specific LSAs
688911-1 2-Critical K94296004 LTM Policy GUI incorrectly shows conditions with datagroups
563661-1 2-Critical   Datastor may crash
704282-2 3-Major   TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy
703298-2 3-Major   Licensing and phonehome_upload are not using the sync'd key/certificate
701626-2 3-Major K16465222 GUI resets custom Certificate Key Chain in child client SSL profile
698429-1 3-Major   Misleading log error message: Store Read invalid store addr 0x3800, len 10
693964-1 3-Major   Qkview utility may generate invalid XML in files contained in Qkview
691497-2 3-Major   tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions
691210-1 3-Major   Traffic stops on tmm restart when guest VLAN tagging is used for BIG-IP VE.
687353-1 3-Major K35595105 Qkview truncates tmstat snapshot files
631316-2 3-Major K62532020 Unable to load config with client-SSL profile error
514703-3 4-Minor   gtm listener cannot be listed across partitions


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
709334-1 2-Critical   Memory leak when SSL Forward proxy is used and ssl re-negotiates
708114-1 2-Critical K33319853 TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
707447-1 2-Critical   Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.
707246-1 2-Critical   TMM would crash if SSL Client profile could not load cert-key-chain successfully
706631-2 2-Critical   A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
705611-2 2-Critical   The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used
704666-1 2-Critical   memory corruption can occur when using certain certificates
704435-1 2-Critical   Client connection may hang when NTLM and OneConnect profiles used together
703914-2 2-Critical   TMM SIGSEGV crash in poolmbr_conn_dec.
703191-2 2-Critical   HTTP2 requests may contain invalid headers when sent to servers
701244-1 2-Critical K81742541 An incorrect data manipulation in cipher encrypt and decrypt could cause TMM crash with SIGABRT
701202-3 2-Critical K35023432 SSL memory corruption
700393-3 2-Critical K53464344 Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash
697259-2 2-Critical K14023450 Different versioned vCMP guests on the same chassis may crash.
694656-1 2-Critical K05186205 Routing changes may cause TMM to restart
686228-1 2-Critical K23243525 TMM may crash in some circumstances with VLAN failsafe
680074-2 2-Critical   TMM crashes when serverssl cannot provide certificate to backend server.
667770-1 2-Critical K12472293 SIGSEGV to tmm when performing multiple, repeated SSL profile updates, or during UCS restore
648320-5 2-Critical K38159538 Downloading via APM tunnels could experience performance downgrade.
705794-2 3-Major   Under certain circumstances a stale HTTP/2 stream might cause a tmm crash
701147-2 3-Major K36563645 ProxySSL does not work properly with Extended Master Secret and OCSP
700057-4 3-Major   LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved
693910-4 3-Major   Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
693244-2 3-Major   BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned
690042-1 3-Major K43412307 Potential Tcl leak during iRule suspend operation
689561-1 3-Major   HTTPS request hangs when multiple virtual https servers shares the same ip address
686972-4 3-Major   The change of APM log settings will reset the SSL session cache.
685615-4 3-Major K24447043 Incorrect source mac for TCP Reset with vlangroup for host traffic
677525-2 3-Major   Translucent VLAN group may use unexpected source MAC address
663821-1 3-Major K41344010 SNAT Stats may not include port FTP traffic
653976-4 3-Major K00610259 SSL handshake fails if server certificate contains multiple CommonNames
594751-1 3-Major K90535529 LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
710424-2 2-Critical K00874337 Possible SIGSEGV in GTMD when GTM persistence is enabled.
678861-1 2-Critical   DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
710870 2-Critical   Temporary browser challenge failure after installing older ASU
711011-2 3-Major   'API Security' security policy template changes
683241-1 3-Major K70517410 Improve CSRF token handling


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
710947-1 2-Critical   AVR does not send errdef for entity DosIpLogReporting.
710110-1 2-Critical   AVR does not publish DNS statistics to external log when usr-offbox is enabled.
711929-1 3-Major   AVR should not send statistic on hidden rows for module InterfaceTraffic and module InterfaceHealth


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
679221-2 1-Blocking   APMD may generate core file or appears locked up after APM configuration changed
708005-1 2-Critical K12423316 Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources
703208-1 2-Critical   PingAccessAgent causes TMM core
702278-2 2-Critical   Potential XSS security exposure on APM logon page.
700522-1 2-Critical   APMD may unexpectedly restart when worker threads are stuck
700090-2 2-Critical   tmm crash during execution of a per-request policy when modified during execution.
699686-1 2-Critical   localdbmgr can occasionally crash during shutdown
697452-1 2-Critical   Websso crashes because of bad argument in logging
712924-1 3-Major   In VPE SecurID servers list are not being displayed in SecurID authentication dialogue
703793-3 3-Major   tmm restarts when using ACCESS::perflow get' in certain events
703171-1 3-Major   High CPU usage for apmd, localdbmgr and oauth processes
702487-3 3-Major   AD/LDAP admins with spaces in names are not supported
684937-3 3-Major K26451305 [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
683113-3 3-Major K22904904 [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
681415-3 3-Major   Copying of profile with advanced customization or images might fail
678427-1 3-Major K03138339 Safari 11 displays F5 EPI and F5 VPN launch confirmation dialogs twice
675775-4 3-Major   TMM crashes inside dynamic ACL building session db callback
671597-3 3-Major   Import, export, copy and delete is taking too long on 1000 entries policy
673717-3 4-Minor   VPE loading times can be very long


Service Provider Fixes

ID Number Severity Solution Article(s) Description
701889-1 2-Critical   Setting log.ivs.level or log-config filter level to informational causes crash
679114-4 3-Major   Persistence record expires early if an error is returned for a BYE command


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
708888-1 2-Critical K79814103 Some DNS truncated responses may not be processed by BIG-IP
667353 2-Critical   Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
702705-2 2-Critical   Core observed during lease query testing when RADIUS Authentication is configured in DHCP profile
699531-1 2-Critical   Potential TMM crash due to incorrect number of attributes in a PEM iRule command
696294-1 2-Critical   TMM core may be seen when using Application reporting with flow filter in PEM
711093-1 3-Major   PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
709610-3 3-Major   Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
697718-1 3-Major   Increase PEM HSL reporting buffer size to 4K.
677494-1 3-Major   Flow filter with Periodic content insertion action could leak insert content record
677148-1 3-Major   Periodic content insertion creates duplicate records if same policy is added to Global high and subscriber specific
676346-2 3-Major   PEM displays incorrect policy action counters when the gate status is disabled.
648802-1 3-Major   Required custom AVPs are not included in an RAA when reporting an error.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
710701-1 3-Major   "Application Layer Encryption" option is not saved in DataSafe GUI
709319-2 3-Major   Post-login client-side alerts are missing username in bigIQ
706835 3-Major   When cloning a profile, URL parameters are not shown
706771-1 3-Major   FPS ajax-mapping property may be set even when it should be blocked
706651-1 3-Major   Cloning URL does not clone "Description" field
706276-1 4-Minor   Unnecessary pop-up appears


Device Management Fixes

ID Number Severity Solution Article(s) Description
708305-2 3-Major   Discover task may get stuck in CHECK_IS_ACTIVE step
705593-5 4-Minor   CVE-2015-7940: Bouncy Castle Java Vulnerability



Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
633441-1 3-Major   Datasync Background Tasks running even without features requiring it


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
708189 4-Minor   OAuth Discovery Auto Pilot is implemented


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
708840 3-Major   13.0.0-to-13.1.0 upgrade operation on VIPRION 2250 blades might fail if global whitelist is configured



Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
705161-1 CVE-2018-5505 K23520761 BIG-IP ASM and BIG-IP AFM/BIG-IP Analytics vulnerability CVE-2018-5505
703517 CVE-2018-5505 K23520761 BIG-IP ASM and BIG-IP AFM/BIG-IP Analytics vulnerability CVE-2018-5505
700556-1 CVE-2018-5504 K11718033 TMM may crash when processing WebSockets data
699012-1 CVE-2018-5502 K43121447 TMM may crash when processing SSL/TLS data
698080-3 CVE-2018-5503 K54562183 TMM may consume excessive resources when processing with PEM
695901-1 CVE-2018-5513 K46940010 TMM may crash when processing ProxySSL data
691504-1 CVE-2018-5503 K54562183 PEM content insertion in a compressed response may cause a crash.
704580-1 CVE-2018-5549 K05018525 apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
701447-1 CVE-2017-5754 K91229003 CVE-2017-5754 (Meltdown)
701445-1 CVE-2017-5753
CVE-2017-9074
CVE-2017-7542
CVE-2017-11176
K91229003 CVE-2017-5753 (Spectre Variant 1)
701359-4 CVE-2017-3145 K08613310 BIND vulnerability CVE-2017-3145
699455-4 CVE-2018-5523 K50254952 SAML export does not follow best practices
699451-3 CVE-2018-5511 K30500703 OAuth reports do not follow best practices
676457-5 CVE-2017-6153 K52167636 TMM may consume excessive resource when processing compressed data
640766-2 CVE-2016-10088
CVE-2016-9576
K05513373 Linux kernel vulnerability: CVE-2016-10088 CVE-2016-9576


Functional Change Fixes

ID Number Severity Solution Article(s) Description
686389-1 3-Major   APM does not honor per-farm HTML5 client disabling at the View Connection Server
678524-1 3-Major   Join FF02::2 multicast group when router-advertisement is configured
693007-1 4-Minor   Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC


TMOS Fixes

ID Number Severity Solution Article(s) Description
707226 1-Blocking   DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
700315-2 1-Blocking K26130444 Ctrl+C does not terminate TShark
667148-3 1-Blocking K02500042 Config load or upgrade can fail when loading GTM objects from a non-/Common partition
706998-3 2-Critical   Memory leak when OCSP is configured in clientSSL profile for C3D, or in serverSSL profile for server authentication
692890-3 2-Critical   Adding support for BIG-IP 800 in 13.1.x
685458-7 2-Critical K44738140 merged fails merging a table when a table row has incomplete keys defined.
665354-1 2-Critical K31190471 Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
703848-1 3-Major   Possible memory leak when reusing statistics rows in tables
702520-2 3-Major K53330514 Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address.
694740-3 3-Major   BIG-IP reboot during a TMM core results in an incomplete core dump
692753-1 3-Major   shutting down trap not sent when shutdown -r or shutdown -h issued from shell
689691-2 3-Major   iStats line length greater than 4032 bytes results in corrupted statistics or merge errors
686029-2 3-Major   A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
669462-2 3-Major   Error adding /Common/WideIPs as members to GTM Pool in non-Common partition
589083-6 3-Major   TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
699281-1 4-Minor   Version format of hypervisor bundle matches Version format of ISO
685475-1 4-Minor K93145012 Unexpected error when applying hotfix


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
706534-1 1-Blocking   L7 connection mirroring may not be fully mirrored on standby BigIP
698424-1 1-Blocking K11906514 Traffic over a QinQ VLAN (double tagged) will not pass
700862-1 2-Critical K15130240 tmm SIGFPE 'valid node'
699298-2 2-Critical   13.0.0 Hotfix HF3 3.0.1679 TMM CORED due to SIGSEGV.
698461-1 2-Critical   Tmm may crash in fastl4 TCP
692970-2 2-Critical   Using UDP port 67 for purposes other than DHCP might cause TMM to crash
691095-1 2-Critical   CA bundle manager loses certificates in the CA bundle if the serial number is longer than 4 bytes
687635-1 2-Critical K58002142 Tmm becomes unresponsive and might restart
687205-2 2-Critical   Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
681175-3 2-Critical K32153360 TMM may crash during routing updates
674576-3 2-Critical   Outage may occur with VIP-VIP configurations
452283-5 2-Critical   An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
440620-1 2-Critical   New connections may be reset when a client reuses the same port as it used for a recently closed connection
704073-1 3-Major K24233427 Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm
702439 3-Major K04964898 Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
698916-1 3-Major   TMM crash with HTTP/2 under specific condition
698379-2 3-Major K61238215 HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(
698000-3 3-Major K04473510 Connections may stop passing traffic after a route update
695707-5 3-Major   BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection
691806-1 3-Major K61815412 RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
689449-1 3-Major   Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
688571-2 3-Major K40332712 Untrusted cert might be accepted by the server-ssl even though when 'untrusted-cert-response-control drop' is configured in the server-ssl profile.
688570-5 3-Major   BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes
686307-3 3-Major K10665315 Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
686065-2 3-Major   RESOLV::lookup iRule command can trigger crash with slow resolver
682104-3 3-Major   HTTP PSM leaks memory when looking up evasion descriptions
680264-2 3-Major   HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags
677666-2 3-Major   /var/tmstat/blades/scripts segment grows in size.
664528-2 3-Major K53282793 SSL record can be larger than maximum fragment size (16384 bytes)
251162-1 3-Major K11564 The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name
685467-1 4-Minor K12933087 Certain header manipulations in HTTP profile may result in losing connection.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
699135-1 2-Critical   tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip
692941-1 2-Critical   GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
691287-1 2-Critical   tmm crashes on iRule with GTM pool command
682335-1 2-Critical   TMM can establish multiple connections to the same gtmd
580537-3 2-Critical   The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
562921-5 2-Critical   Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
705503-3 3-Major   Context leaked from iRule DNS lookup
703702 3-Major   Fixed iControl REST not listing GTM Listeners
700527-3 3-Major   cmp-hash change can cause repeated iRule DNS-lookup hang
699339-3 3-Major K24634702 Geolocation upgrade files fail to replicate to secondary blades
696808-1 3-Major   Disabling a single pool member removes all GTM persistence records
691498-3 3-Major   Connection failure during iRule DNS lookup can crash TMM
690166-1 3-Major   ZoneRunner create new stub zone when creating a SRV WIP with more subdomains
687128-1 3-Major   gtm::host iRule validation for ipv4 and ipv6 addresses
680069-1 3-Major K81834254 zxfrd core during transfer while network failure and DNS server removed from DNS zone config
679149-1 3-Major   TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
667469-3 3-Major K35324588 Higher than expected CPU usage when using DNS Cache
636997-1 4-Minor   big3d may crash
636994-1 4-Minor   big3d may crash
636992-1 4-Minor   big3d may crash
636986-1 4-Minor   big3d may crash
636982-1 4-Minor   big3d may crash


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
705774-1 3-Major   Add a set of disallowed file types to RDP template
703833-1 3-Major   Some bot detected features might not work as expected on Single Page Applications
702946-3 3-Major   Added option to reset staging period for signatures
701841-2 3-Major   Unnecessary file recovery_db/conf.tar.gz consumes /var disk space
701327-2 3-Major   failed configuration deletion may cause unwanted bd exit
700812-1 3-Major   asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview
700726-2 3-Major   Search engine list was updated, and fixing case of multiple entries
698919-3 3-Major   Anti virus false positive detection on long XML uploads
697756-1 3-Major   Policy with CSRF URL parameter cannot be imported as binary policy file
697303-1 3-Major   BD crash
696265-5 3-Major K60985582 BD crash
696073-2 3-Major   BD core on a specific scenario
695563-1 3-Major   Improve speed of ASM initialization on first startup
694922-5 3-Major   ASM Auto-Sync Device Group Does Not Sync
693780-1 3-Major   Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices
693663-1 3-Major   Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode
691477-2 3-Major   ASM standby unit showing future date and high version count for ASM Device Group
679384-3 3-Major K85153939 The policy builder is not getting updates about the newly added signatures.
678293-2 3-Major K25066531 Uncleaned policy history files cause /var disk exhaustion
665992-2 3-Major K40510140 Live Update via Proxy No Longer Works
608988-1 3-Major   Error when deleting multiple ASM Policies


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
703233 3-Major   Some filters don't work in Security->Reporting->URL Latencies page


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
707676-1 2-Critical   Memory leak in Machine Certificate Check agent of the apmd process
700724-2 2-Critical   Client connection with large number of HTTP requests may cause tmm to restart
692557-1 2-Critical   When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted.
690116-1 2-Critical   websso daemon might crash when logging set to debug
689591-2 2-Critical   When pingaccess SDK processes certain POST requests from the client, the TMM may restart
677368-2 2-Critical   Websso crash due to uninitialized member in websso context object while processing a log message
631286-3 2-Critical   TMM Memory leak caused by APM URI cache entries
703429-2 3-Major   Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services
702263-1 3-Major   An access profile with large number of SAML Resources (greater than 200) causes APM error ERR_TOOBIG while loading.
702222-1 3-Major   RADIUS and SecurID Auth fails with empty password
701740-1 3-Major   apmd leaks memory when updating Access V2 policy
701737-1 3-Major   apmd may leak memory on destroying Kerberos cache
701736-1 3-Major   Memory leak in Machine Certificate Check agent of the apmd process
701639-1 3-Major   Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by BIG-IP as SP.
697636-3 3-Major   ACCESS is not replacing headers while replacing POST body
695953-1 3-Major   Custom URL Filter object is missing after load sys config TMSH command
694624-1 3-Major   SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor
693844-1 3-Major K58335157 APMD may restart continuously and cannot come up
692307-3 3-Major   User with 'operator' role may not be able to view some session variables
687937-1 3-Major   RDP URIs generated by APM Webtop are not properly encoded
685862-1 3-Major   BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message
684583-1 3-Major   Buitin Okta Scopes Request object uses client -id and client-secret
684325-1 3-Major   APMD Memory leak when applying a specific access profile
683389-3 3-Major   Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
683297-2 3-Major   Portal Access may use incorrect back-end for resources referenced by CSS
682500-2 3-Major   VDI Profile and Storefront Portal Access resource do not work together
678851-3 3-Major   Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()
675866-4 3-Major   WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
671627-3 3-Major K06424790 HTTP responces without body may contain chunked body with empty payload being processed by Portal Access.
632646-1 3-Major   APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.
629334-1 3-Major   Portal Access: JavaScript expressions in parentheses may be rewritten incorrectly
612792-1 3-Major   Support RDP redirection for connections launched from APM Webtop on iOS
612118-2 3-Major   Nexthop explicit proxy is not used for the very first connection to communicate with the backend.
536831-1 3-Major   APM PAM module does not handle local-only users list correctly


Service Provider Fixes

ID Number Severity Solution Article(s) Description
698338-1 2-Critical   Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
689343-2 2-Critical   Diameter persistence entries with bi-directional flag created with 10 sec timeout
685708-4 2-Critical   Routing via iRule to a host without providing a transport from a transport-config created connection cores
700571-4 3-Major   SIP MR profile, setting incorrect branch param for CANCEL to INVITE
696049-1 3-Major   High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
674747-4 3-Major K30837366 sipdb cannot delete custom bidirectional persistence entries.
656901-3 3-Major   MRF add 'existing_connection_only' and 'outgoing_connection_instance_seed' two iRule commands


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
704207-1 2-Critical   DNS query name is not showing up in DNS AVR reporting
692328-1 2-Critical   Tmm core due to incorrect memory allocation
703959 3-Major   Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI
631418-1 3-Major   Packets dropped by HW grey list may not be counted toward AVR.


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
696383-1 2-Critical   PEM Diameter incomplete flow crashes when sweeped
694717-1 2-Critical   Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
616008-1 2-Critical K23164003 TMM core may be seen when using an HSL format script for HSL reporting in PEM
696789-1 3-Major   PEM Diameter incomplete flow crashes when TCL resumed
695968-1 3-Major   Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.
694319-1 3-Major   CCA without a request type AVP cannot be tracked in PEM.
694318-1 3-Major   PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.
684333-1 3-Major   PEM session created by Gx may get deleted across HA multiple switchover with CLI command
678820-1 3-Major   Potential memory leak if PEM Diameter sessions are not created successfully.
642068-4 3-Major   PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
624231-4 3-Major   No flow control when using content-insertion with compression
680729-1 4-Minor K64307999 DHCP Trace log incorrectly marked as an Error log.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
697363-1 2-Critical   FPS should forward all XFF header values
705559-1 3-Major   FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request
662311-1 3-Major   CS alerts should contain actual client IP address in XFF header


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
671716-1 3-Major   UCS version check was too strict for IPS hitless upgrade



Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
702419 3-Major   Protocol Inspection needs add-on license to work


TMOS Fixes

ID Number Severity Solution Article(s) Description
660239-6 4-Minor   When accessing the dashboard, invalid HTTP headers may be present


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
677919-4 3-Major   Enhanced Data Manipulation AJAX Support



Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
681955-1 CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 K23565223 Apache CVE-2017-9788
673595-9 CVE-2017-3167 CVE-2017-3169 K34125394 Apache CVE-2017-3167
694274-1 CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 K23565223 [RHSA-2017:3195-01] Important: httpd security update - EL6.7
672124-6 CVE-2018-5541 K12403422 Excessive resource usage when BD is processing requests
679861 CVE-2019-6655 K31152411 Weak Access Restrictions on the AVR Reporting Interface
673607-9 CVE-2017-3169 K83043359 Apache CVE-2017-3169
672667-6 CVE-2017-7679 K75429050 CVE-2017-7679: Apache vulnerability
641101-7 CVE-2016-8743 K00373024 httpd security and bug fix update CVE-2016-8743
684033-3 CVE-2017-9798 K70084351 CVE-2017-9798 : Apache Vulnerability (OptionsBleed)
661939-2 CVE-2017-2647 K32115847 Linux kernel vulnerability CVE-2017-2647


Functional Change Fixes

ID Number Severity Solution Article(s) Description
685056 3-Major   VE OVAs is not the supported platform to run VMware guest OS customization
670103-1 3-Major   No way to query logins to BIG-IP in TMUI
681385-2 4-Minor   Forward proxy forged cert lifespan can be configured from days into hours.


TMOS Fixes

ID Number Severity Solution Article(s) Description
700247 2-Critical K60053504 APM Client Software may be missing after doing fresh install of BIG-IP VE
693979 3-Major   Autoscale is not functional because of the change in file permission of the /shared/vadc/aws/iid-document document
683131-1 3-Major   Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present
682213-1 3-Major K31623549 TLS v1.2 support in IP reputation daemon
669585-1 3-Major   The tmsh sys log filter is unable to display information in uncompressed log files.
668826-1 3-Major   File named /root/.ssh/bigip.a.k.bak is present but should not be
668276-1 3-Major   BIG-IP does not display failed login attempts since last login in GUI
668273-1 3-Major K12541531 Logout button not available in Configuration Utility when using Client Cert LDAP
471237-4 3-Major K12155235 BIG-IP VE instances do not work with an encrypted disk in AWS.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
699624-1 2-Critical   Config with custom 'SIP' or 'Firepass' monitor fails to load after upgrade
463097-5 3-Major   Clock advanced messages with large amount of data maintained in DNS Express zones


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
672504-2 2-Critical K52325625 Deleting zones from large databases can take excessive amounts of time.
667542-6 2-Critical   DNS Express does not correctly process multi-message DNS IXFR updates.
645615-6 2-Critical K70543226 zxfrd may fail and restart after multiple failovers between blades in a chassis.
655233-2 3-Major K93338593 DNS Express using wrong TTL for SOA RRSIG record in NoData response
648766-2 3-Major K57853542 DNS Express responses missing SOA record in NoData responses if CNAMEs present
646615-2 4-Minor   Improved default storage size for DNS Express database


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
699720-1 2-Critical   ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
691670-5 2-Critical   Rare BD crash in a specific scenario
686108-1 2-Critical   User gets blocking page instead of captcha during brute force attack
684312-1 2-Critical K54140729 During Apply Policy action, bd agent crashes, causing the machine to go Offline
698940-1 3-Major   Add new security policy template for API driven systems - "API Security"
690883-1 3-Major   BIG-IQ: Changing learning mode for elements does not always take effect
686517-2 3-Major   Changes to a parent policy that has no active children are not synced to the secondary chassis slots.
686470-1 3-Major   Enable AJAX Response Page or Single Page Application support causes the part of the web page failed to load.
686452-1 3-Major   File Content Detection Formats are not exported in Policy XML
685964-1 3-Major   cs_qualified_urls bigdb does not cause configured URLs to be qualified.
685771-1 3-Major   Policies cannot be created with SAP, OWA, or SharePoint templates
685207-1 3-Major   DoS client side challenge does not encode the Referer header.
685164-1 3-Major K34646484 In partitions with default route domain != 0 request log is not showing requests
683508-1 3-Major K00152663 WebSockets: umu memory leak of binary frames when remote logger is configured
680353-1 3-Major   Brute force sourced based mitigation is not working as expected
674494-4 3-Major K77993010 BD memory leak on specific configuration and specific traffic
668184-2 3-Major   Huge values are shown in the AVR statistics for ASM violations
694073-3 4-Minor   All signature update details are shown in 'View update history from previous BIG-IP versions' popup
685193-1 4-Minor   If Inheritance is None in the Parent Policy and there are at least 1 child policy, the number of Comments shown in Inheritance Settings is equal to number of child policies


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
697421 3-Major   Monpd core when trying to restart
688813-2 3-Major K23345645 Some ASM tables can massively grow in size.
686510-1 3-Major   If tmm was restarted during an attack, the attack might appear ongoing in GUI
683474 3-Major   The case-sensitive problem during comparison of 2 Virtual Servers
679088-1 3-Major   Avr reporting and analytics does not display statistics of many source regions


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
684852-1 2-Critical   Obfuscator not producing deterministic output
692123 3-Major   GET parameter is grayed out if MobileSafe is not licensed


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
700320 2-Critical   tmm core under stress when BADOS configured and attack signatures enabled
691462-1 3-Major   Bad actors detection might not work when signature mitigation blocks bad traffic
687987 3-Major   Presentation of signatures in human-readable format
687986 3-Major   High CPU consumption during signature generation, not limited number of signatures per virtual server
687984 3-Major   Attacks with randomization of HTTP headers parameters generates too many signatures


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
698396-1 2-Critical   Config load failed after upgrade from 12.1.2 to 13.x or 14.x



Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
686190-1 2-Critical   LRO performance impact with BWC and FastL4 virtual server
667173-1 2-Critical   13.1.0 cannot join a device group with 13.1.0.1
683114-2 3-Major   Need support for 4th element version in Update Check


Performance Fixes

ID Number Severity Solution Article(s) Description
685628-1 1-Blocking   Performance regression on B4450 blade
673832-1 1-Blocking   Performance impact for certain platforms after upgrading to 13.1.0.
696525-1 2-Critical   B2250 blades experience degraded performance.

 

Cumulative fix details for BIG-IP v13.1.3.5 that are included in this release

960437-4 : The BIG-IP system may initially fail to resolve some DNS queries

Component: Global Traffic Manager (DNS)

Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.

Subsequent queries for the same domain name, however, work as expected.

Only some domain names are affected.

Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.

- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).

- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.

Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure cascades to the client.

In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.

For instance, SWG, SSLO, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.

Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.

You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.

Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.


946581 : HTTP RFC enforcement feature can reset the connection and leak the memory.

Component: Local Traffic Manager

Symptoms:
If tmm.http.rfc.enforcement or invalid host detection in http_security profile is enabled, Connections will be reset if they send a URI with more than 2K length and leaks the memory in TMM

Conditions:
tmm.http.rfc.enforcement db variable set
or
invalid host detection in http_security profile is enabled.

Impact:
Connection reset and memory leak

Fix:
LTM now properly validates uri_value allocation.


943889 : Reopening the publisher after a failed publishing attempt

Component: Fraud Protection Services

Symptoms:
TMM crashes repeatedly on SIGSEGV.

Conditions:
This can occur after a HSL disconnect and re-connect.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system publishes data to HSL publisher on a second attempt successfully (after a reconnect).


943125-4 : Web-Socket request with JSON payload causing core during the payload parsing

Component: Application Security Manager

Symptoms:
Any web-socket request with JSON payload may cause a core witihin the JSON parser, depending on the used machine memory distribution.

Conditions:
Depends on the memory distribution of the used machine.
Sending web-socket request with JSON payload to the backend server.

Impact:
BD crash while parsing the JSON payload.

Workaround:
N/A

Fix:
No crashes during JSON payload parsing.


941853-3 : Logging Profiles do not disassociate from virtual server when multiple changes are made

Component: Application Security Manager

Symptoms:
When multiple Logging Profiles profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.

Conditions:
Multiple Logging Profile changes are made in a single update.

Impact:
The previous Logging Profiles are not disassociated from the virtual server.

Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.


941089-4 : TMM core when using Multipath TCP

Component: Local Traffic Manager

Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic interrupted while TMM restarts.

Workaround:
There is no workaround other than to disable MPTCP.

Fix:
TMM no longer produces a core.


940401-4 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'

Component: Fraud Protection Services

Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.

Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.

Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.

Workaround:
None.

Fix:
Section now reads 'Rooting Detection'.


935721-3 : ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Solution Article: K82252291


935293-1 : 'Detected Violation' Field for event logs not showing

Component: Application Security Manager

Symptoms:
Violation is missing/details not populated in the event log page, when a POST request with large number of parameters are sent to the BIG IP system.

Conditions:
-- A large POST request with lots of parameters is sent to BIG-IP system.
-- 'Learn New Parameters' is enabled.

Impact:
You cannot see the violation details.

Workaround:
Disabling parameter learning helps.

Note: This happens only with a large number of parameters. Usually it works as expected.

Fix:
The eventlog is reserving space for violations.


933741-5 : Security hardening in FPS GUI

Component: Fraud Protection Services

Symptoms:
FPS GUI does not follow current best practices.

Conditions:
* Provision and license Fraud Protection Service (FPS).

Impact:
FPS GUI does not follow current best practices.

Workaround:
None.

Fix:
FPS GUI now follows current best practices.


933297 : FTP virtual server active data channels do not pass traffic

Component: Local Traffic Manager

Symptoms:
FTP virtual server active mode data channel hangs when processing undisclosed traffic.

Conditions:
FTP virtual Server with active mode data channel is configured.

Impact:
Cannot issue commands to FTP virtual server; traffic disrupted.

Workaround:
Disable global syncookies

Fix:
Properly initialized FTP server TMM objects.


932065-4 : iControl REST framework exception handling hardening

Component: Device Management

Symptoms:
iControl REST framework does not follow best practices for exception handling

Conditions:
iControl REST framework use by an authenticated user.

Impact:
iControl REST framework does not follow best practices for exception handling

Workaround:
None.

Fix:
iControl REST framework now follows best practices for exception handling


928037-4 : APM Hardening

Component: Access Policy Manager

Symptoms:
Under certain conditions APM does not follow current best practices.

Conditions:
APM configured

Impact:
Under certain conditions APM does not follow current best practices.

Workaround:
None.

Fix:
APM now follows current best practices.


924493-5 : VMware EULA has been updated

Component: TMOS

Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.

Conditions:
The EULA is presented to the user when deploying an OVF template.

Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).

Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.

Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.

Fix:
The EULA presented in VMware was out of date and has been updated.


919553-4 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.

Component: Global Traffic Manager (DNS)

Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.

Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.


917509-1 : ASM processes some requests longer than usual

Component: Application Security Manager

Symptoms:
ASM processes some requests longer than usual and can cause some latency when passing requests to the backend server.

Conditions:
Content profile parsing is enabled in ASM

Impact:
Latency can be noted when passing requests to the backend server

Workaround:
N/A

Fix:
ASM is processes requests as expected


917005-3 : ISC BIND Vulnerability: CVE-2020-8619

Solution Article: K19807532


915825-5 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.

Component: TMOS

Symptoms:
A configuration error occurs during upgrade due to custom partition-associated Draft folder, which exists in configuration file after deleting a custom partition.

Configuration error: Can't associate folder (/User/Drafts) folder does not exist.

Conditions:
This occurs in the following scenario:

1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.

Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.

Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.


915689-5 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.

Component: Local Traffic Manager

Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already stored in the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.

Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.

Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.

Workaround:
None.

Fix:
HTTP/2 response headers now properly use the dynamic header table index when possible.


915605-4 : Image install fails if iRulesLX is provisioned and /usr mounted read-write

Component: Local Traffic Manager

Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.

tmsh show software status will report the status for the target volume:

Could not access configuration source.

Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.

Impact:
Unable to upgrade or more generally install an image on a new or existing volume.

Workaround:
Re-mount /usr as read-only:

mount -o remount,ro /usr


915281-6 : Do not rearm TCP Keep Alive timer under certain conditions

Component: Local Traffic Manager

Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.

Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.

Impact:
Continuous rearming results in consuming CPU resources unnecessarily.

Workaround:
None.

Fix:
Rearming of TCP Keep Alive timer is improved.


913441 : Tmm cores while doing Hitless Upgrade while there are active flows

Component: Traffic Classification Engine

Symptoms:
Tmm cores.

Conditions:
Addition of new flows to existing lib while Hitless Upgrade is in progress.

Impact:
Tmm core while doing app detection for new flows. Traffic disrupted while tmm restarts.

Workaround:
Restrict addition of new flows if a Hitless Upgrade is in progress.

Fix:
New flows are no longer added to the classification engine to any of the library if the Hitless Upgrade process is in progress.


912969-5 : iAppsLX Security Hardening

Component: iApp Technology

Symptoms:
Under certain conditions, iAppsLX does not follow current best security practices.

Conditions:
iAppsLX REST access by an authenticated administrative user

Impact:
iAppsLX does not follow current best security practices.

Workaround:
None

Fix:
iAppsLX now follows current best security practices.


912221-3 : CVE-2020-12662 & CVE-2020-12663

Solution Article: K37661551


911761-5 : iControl REST endpoint response includes the request content

Component: Device Management

Symptoms:
Under certain conditions, iControl REST endpoint return the request contents in the response, potentially disclosing sensitive information.

Conditions:
-iControl REST request processed by an authenticated administrative user.
-Undisclosed environmental conditions

Impact:
Potential disclosure of information from REST requests.

Workaround:
None.

Fix:
Responses are now sanitized to suppress disclosure of request data.


910201-5 : OSPF - SPF/IA calculation scheduling might get stuck infinitely

Component: TMOS

Symptoms:
After SPF/IA calculation gets suspended, it might enter a state where it never fires again.

Conditions:
SPF/IA calculation gets suspended;

This occurs for various reasons; BIG-IP end users have no influence on it occurring.

Impact:
OSPF routes are visible in the OSPF database, but not installed in the routing table.

Workaround:
Restart the routing daemons:
# bigstart restart tmrouted

Running this command allows you to recover from this situation, but does not prevent the event from reoccurring.

If due to a topology, SPF/IA calculation suspension occurs again after a restart, this workaround essentially has no effect.


909837-3 : TMM may consume excessive resources when AFM is provisioned

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may consume excessive resources when processing forwarding flows while AFM is provisioned.

Conditions:
- AFM provisioned
- Virtual is CMP-disabled

Impact:
Excessive resource consumption, potentially leading to a failover event.

Workaround:
None.

Fix:
TMM now consumes resources as expected when AFM is provisioned


909757 : HTTP CONNECT method with a delayed payload can cause a connection to be closed

Component: Local Traffic Manager

Symptoms:
If the HTTP CONNECT method is utilized and payload arrives in a later TCP segment, the HTTP connection will be closed.

Conditions:
-- HTTP profile.
-- HTTP CONNECTION with delayed payload.

Impact:
The HTTP connection is incorrectly closed.

Workaround:
None.

Fix:
Traffic containing the HTTP CONNECT method and a delayed payload no longer has its connection closed.


909237-3 : CVE-2020-8617: BIND Vulnerability

Solution Article: K05544642


909233-3 : DNS Hardening

Solution Article: K97810133


908673-2 : TMM may crash while processing DNS traffic

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, TMM may crash with a SIGABRT while processing DNS traffic.

Conditions:
Undisclosed series of DNS requests.

Impact:
TMM crash leading to a failover event.

Workaround:
None.

Fix:
TMM now processes DNS traffic as expected.


908065-5 : Logrotation for /var/log/avr blocked by files with .1 suffix

Component: Application Visibility and Reporting

Symptoms:
AVR logrotate reports errors in /var/log/avr:

error: error creating output file /var/log/avr/avrd.log.1: File exists
/var/log/avr/avrd.log will remain unchanged
/var/log/avr/avrd.log.1 will remain unchanged

Conditions:
Files ending with .1 exist in the log directory.

Impact:
Logrotate does not work. This might fill the disk with logs over time.

Workaround:
Remove or rename all of the .1 log files.

Fix:
Fixed an issue with logrotate failing when files ending with .1 exist in the log directory.


908021-3 : Management and VLAN MAC addresses are identical

Component: TMOS

Symptoms:
The 'tmsh show sys mac-address' command indicates the management interface is using the same MAC address as a VLAN.

Conditions:
This can occur on chassis based systems and on VCMP guests. The MAC address pool does not reserve specific MAC addresses for the management interfaces and so pool entries may be reused for VLANs.

Impact:
The management MAC address is the same as the VLAN MAC address, resulting in issues relating to the inability to differentiate traffic to the management port or to traffic ports.

Workaround:
None.

Fix:
The issue has been fixed for hardware platforms. That is, MAC addresses in the MAC address pool have been reserved for the management port. Due to the small MAC pool size for a few platforms (see K14513: MAC address assignment for interfaces, trunks, and VLANs :: https://support.f5.com/csp/article/K14513#vlans), entries cannot be reserved for VCMP guest management interfaces.


905905-4 : TMUI CSRF vulnerability CVE-2020-5904

Solution Article: K31301245


905125-4 : Security hardening for APM Webtop

Component: Access Policy Manager

Symptoms:
Under certain conditions, the APM Webtop does not follow current best practices.

Conditions:
-APM access policy is configured with webtop enabled.

Impact:
APM Webtop does not follow current best practices.

Workaround:
None.

Fix:
The APM Webtop now follows current best practices.


904937-5 : Excessive resource consumption in zxfrd

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, zxfrd may consume excessive resources.

Conditions:
-- Provision GTM (Global Traffic DNS).
-- Create one or more zones in the GUI via DNS::Zones::Zones::Zone List.

Impact:
Excessive resources consumption, potentially leading to failover event.

Workaround:
None.

Fix:
zxfrd no longer consumes excessive resources.


903453 : TMM crash following redirect when Proactive Bot Defense is used

Component: Application Security Manager

Symptoms:
TMM may rarely crash when Proactive Bot Defense is enabled.

Conditions:
TMM may rarely crash under specific configurations when Proactive Bot Defense is used.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None.


902485-1 : Incorrect pool member concurrent connection value

Component: Application Visibility and Reporting

Symptoms:
In AVR pool-traffic report, 'server-concurrent-conns' reports a larger value than 'server-max-concurrent-conns'.

Conditions:
This is encountered when viewing the pool-traffic report.

Impact:
Incorrect stats reported in the pool-traffic report table

Workaround:
In /etc/avr/monpd/monp_tmstat_pool_traffic_measures.cfg, change the formula of server_concurrent_connections:

From this:
formula=round(sum(server_concurrent_conns),2)

Change it to this:
formula=round(sum(server_concurrent_conns)/count(distinct time_stamp),2)

Fix:
Changed the calculation formula of 'server-concurrent-conns' so it reports the correct statistics.


902417-5 : Configuration error caused by Drafts folder in a deleted custom partition

Component: TMOS

Symptoms:
Error during config load due to custom partition associated Draft folder exists after deleting partition.

01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.

Conditions:
Create draft policy under custom partition

Impact:
Impacts the software upgrade.

Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.


900797-5 : Brute Force Protection (BFP) hash table entry cleanup

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed.
This scenario may cause mitigated entries to keep getting removed from the hash table by new entries.

Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of the hash tables together, then divided into the number of virtual servers which have traffic and BFP enabled.
In case of the latter, there might be a chance that with too many virual servers the hash table may reach it's maximum capacity.

Impact:
Mitigated entries that keep getting removed from the hash table by new entries, may result in attacks not getting mitigated.

Workaround:
N/A

Fix:
Mitigated entries are kept in the hash table.


900793-3 : APM Brute Force Protection resources do not scale automatically

Solution Article: K32055534

Component: Application Security Manager

Symptoms:
Under certain conditions, resources for Brute Force Protection must be manually scaled by administrators to provide full protection.

Conditions:
-- Many virtual server (hundreds) that have web application protection with brute force protection enabled.
-- Numerous failed login requests coming to all virtual servers all the time.

Impact:
Administrators must manually change the hash size upon need instead of relying on the automatic configuration.

Workaround:
Set the internal parameter external_entity_hash_size to 0 to allow automatic recalculation of the correct value.

Fix:
Brute Force Protection resources are now scaled automatically based on available system resources.


900789-5 : Alert before Brute Force Protection (BFP) hash are fully utilized

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP addresses and usernames. There is a separate hash table for each virtual server. When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed without logging a warning.

Conditions:
This can be encountered when Brute Force Protection is enabled and the hash table reaches its maximum capacity.

Impact:
No alert is sent when entries are evicted.

Workaround:
None.

Fix:
Alert/Warning is now announced in ASM logs, describing the status of the hash table.


900757-5 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


898949-4 : APM may consume excessive resources while processing VPN traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, APM may consume excessive resources while processing VPN traffic

Conditions:
-APM provisioned
-VPN clients connected

Impact:
Excessive resources consumption, potentially leading to a TMM crash and failover event.

Workaround:
None.

Fix:
APM now processes VPN traffic as expected.


898705-2 : IPv6 static BFD configuration is truncated or missing

Component: TMOS

Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.

-- IPv6 static BFD configuration entries go missing during a daemon restart.

Conditions:
IPv6 static BFD configuration.

Impact:
The IPv6 static BFD configuration does not persist during reloads.

-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.

Workaround:
None.


896217-5 : BIG-IP GUI unresponsive

Component: TMOS

Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.

Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.

Impact:
GUI becomes unresponsive.

Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat


895993-5 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


895981-5 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


895881-4 : BIG-IP TMUI XSS vulnerability CVE-2020-5903

Solution Article: K43638305


895525-5 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


892385-3 : HTTP does not process WebSocket payload when received with server HTTP response

Component: Local Traffic Manager

Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.

Conditions:
-- Virtual contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload is received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.

Impact:
-- WebSocket connection hangs.

Workaround:
None.

Fix:
HTTP processes WebSocket payload without delay when payload is received with server HTTP response.


891457-5 : NIC driver may fail while transmitting data

Solution Article: K75111593


890277-1 : Full config sync to a device group operation takes a long time when there are a large number of partitions.

Component: TMOS

Symptoms:
When a full config sync is done to a device group with large number of partitions:
-- The config sync operation takes a long time to complete.
-- There is a spike in CPU usage on the device where config push is initiated.
-- The mcpd daemon is unresponsive to other daemons, such tmsh, GUI etc., as it is busy pushing the config sync.
-- iQuery connections are terminated due to high CPU utilization.

Conditions:
Full config sync on device with large number of partitions.

Impact:
The operation takes a long time to complete, minutes on a BIG-IP Virtual Edition (VE) configurations, and varies by platform and the size of the configuration. For example, config sync on a medium BIG-IP VE setup running v15.1.0.1 with 512 partitions takes ~3 minutes.

Impedes management of device as well as terminates iQuery connections to GTM/DNS devices.

Workaround:
Enable Manual Incremental Sync.


890229-4 : Source port preserve setting is not honored

Component: Local Traffic Manager

Symptoms:
The source port is always changed in source-port preserve mode even if the original source port with the other parameters would hash to the same TMM.

Conditions:
This issue occurs when both of the following conditions are met:

-- The virtual server is configured with source-port preserve (the default).
-- The system uses one of the following hash configurations including IP addresses.
    - Using RSS DAG as a default hash on BIG-IP Virtual Edition (VE) (Z100) or on 2000- and 4000-series devices.
    - Configuring a VLAN's 'CMP Hash' setting to a non-default value.
    - Using a special variable such as non-default udp.hash or tcp.hash.

Impact:
Applications relying on a specific, fixed source port might not work as expected.

Workaround:
Set source-port to preserve-strict.

Fix:
Now source-port preserve setting does best effort to preserve the source port.

Behavior Change:
Beginning with v16.0.0, the TM.PortFind.Src_Preserve BigDB variable introduced in v15.1.0 is no longer supported.

The source-port preserve setting now does best effort to preserve the source port.


889557-3 : jQuery Vulnerability CVE-2019-11358

Solution Article: K20455158


888497-5 : Cacheable HTTP Response

Component: TMOS

Symptoms:
JSESSIONID, BIGIPAUTHCOOKIE, BIGIPAUTH can be seen in the browser's debugging page.

Conditions:
-- Accessing the BIG-IP system using the GUI.
-- Viewing the browser's stored cache information.

Impact:
HTTPS session information is captured/seen in the browser's local cache, cookie.

Note: The BIG-IP system does not display and/or return sensitive data in the TMUI. Content that is marked appropriately as sensitive is never returned, so it is never cached. Data that is cached for TMUI in the client browser session is not considered secret.

Workaround:
Disable caching in browsers.


888493-5 : ASM GUI Hardening

Solution Article: K40843345


887089-5 : Upgrade can fail when filenames contain spaces

Component: TMOS

Symptoms:
Filenames with spaces in /config directory can cause upgrade/UCS load to fail because the im upgrade script that backs up the config, processes the lines in a file spec using white space characters. The number of spaces in the filename is significant because it determines how the process separates the name into various fields, including a path to the file, an md5sum, and some file properties (notably size). If the path contains white space, when the upgrade/UCS load process attempts to use a field, the operation encounters a value other than what it expects, so the upgrade/UCS load fails.

The file's content is also significant because that determines the md5sum value.

Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:

Not enough free disk space to install!

Conditions:
Filenames with spaces in /config directory.

Impact:
Upgrade or loading of UCS fails.

Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.


886085-1 : BIG-IP TMM vulnerability CVE-2020-5925

Solution Article: K45421311


885241 : TMM leaks memory when the 'ACCESS::session remove' iRule command is called in an event other than an ACCESS event.

Component: Access Policy Manager

Symptoms:
TMM leaks memory and eventually crashes when it cannot allocate any more memory.

Conditions:
The 'ACCESS::session remove' iRule command is called in an event other than an ACCESS event (for example, the CLIENTSSL_HANDSHAKE event).

The only affected versions are 13.1.3.2 and 13.1.3.3.

Impact:
The leak initially causes traffic disruption, as TMM reaps flows prematurely in an effort to free up memory. Eventually, TMM crashes, as it is unable to allocate any more memory. When this happens, redundant systems fail over. Traffic disrupted while tmm restarts.

Workaround:
Do not use the 'ACCESS::session remove' iRule command under any event that isn't an ACCESS event.

To restore TMM to a fully functional state after making all necessary configuration changes, or to temporarily work around this issue, you can restart TMM with the following command:

bigstart restart tmm


883717-4 : BD crash on specific server cookie scenario

Solution Article: K37466356


882769-5 : Request Log: wrong filter applied when searching by Response contains or Response does not contain

Component: Application Security Manager

Symptoms:
When searching by "Response contains" or "Response does not contain", an incorrect filter is applied and displayed

Conditions:
This occurs in the GUI when selecting "Response contains" or "Response does not contain" filter

Impact:
You are unable to search by response in the GUI

Workaround:
There is no way to search in GUI, but you can search using REST API

Fix:
Correct filter applied and displayed for Response contains or Response does not contain filters


882557-5 : TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)

Component: TMOS

Symptoms:
If the underlying virtio platform specifies RX and/or TX queue sizes that are 4096 or larger, the BIG-IP system cannot allocate enough contiguous memory space to accommodate this. Errors similar to these are seen in the tmm log files:

ndal Error: Failed to allocate 2232336 (2228224 + 4096 + 16) bytes
virtio[0:7.0]: Error: Failed to allocate descriptor chain
virtio[0:7.0]: Error: Failed allocate indirect rx buffers

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with virtio drivers.
-- The underlying platform specifies RX and/or TX queue sizes of 4096 or larger.

Impact:
TMM continually restarts.

Workaround:
Use the sock driver instead of virtio.

In your BIG-IP VE VM execute the lspci command to determine which virtio driver is present:

# lspci -nn | grep -i eth | grep -i virtio
00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:04.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:0b.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]

Configure a socket driver:

echo "device driver vendor_dev 1af4:1000 sock" > /config/tmm_init.tcl

Reboot the instance


882273-1 : MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage grow

Component: Service Provider

Symptoms:
Memory leak can cause tmm to crash and memory usage to grow.

Conditions:
-- Diameter transmission setting is enabled and action should be retrans.
-- auto-init should be enabled.
-- And server is down.

Impact:
Memory corruption will lead to tmm crash in longer run and memory leak make memory usage to grow in linear order. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
When server is down BIG-IP keeps creating new connection to it. there is memory leak need to be fixed.


882189-4 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5897

Solution Article: K20346072


882185-4 : BIG-IP Edge Client Windows ActiveX

Solution Article: K20346072


881445-4 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5898

Solution Article: K69154630


881317-3 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896

Solution Article: K15478554


881293-4 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896

Solution Article: K15478554


880361-4 : TMM may crash while processing iRules LX commands

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing iRules LX commands

Conditions:
-iRules LX in use

Impact:
TMM crash, leading to a failover event.

Workaround:
None.

Fix:
TMM now processes iRules LX commands as expected.


879745-5 : TMM may crash while processing Diameter traffic

Solution Article: K82530456


879025-6 : When processing TLS traffic, LTM may not enforce certificate chain restrictions

Solution Article: K72752002


876581-5 : JavaScript engine file is empty if the original HTML page cached for too long

Component: Fraud Protection Services

Symptoms:
JavaScript engine file is empty.

Conditions:
Original HTML page with FPS injected content is cached for too long due to some caching headers (e.g., ETag), so the JavaScript engine link becomes invalid.

Impact:
No FPS protection for that HTML page.

Workaround:
You can use either workaround:

-- Use an iRule to disable caching for protected HTML pages.

-- Set caching time for protected HTML pages to the same value as the datasync tables regeneration timer according to the active datasync profile (default value is two 2 days).

Fix:
FPS now also removes ETag headers from protected HTML pages.


872673-4 : TMM can crash when processing SCTP traffic

Solution Article: K26464312


871657-3 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S

Component: TMOS

Symptoms:
Mcpd restarts and produces a core file.

Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.

Impact:
Mcpd crash and restart results in high availability (HA) failover.

Workaround:
Use a lowercase 'a' or 's' as the flag value.

Fix:
Mcpd no longer crashes under these conditions. The flag value is always stored in lowercase regardless of the case used as input in the REST call or tmsh command, etc.


870957-2 : "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage

Component: Application Visibility and Reporting

Symptoms:
TMM CPU utilization around 100 percent under Security ›› Reporting : ASM Resources : CPU Utilization.

Conditions:
No special conditions. Only viewing at the stats of TMM CPU in 'Security ›› Reporting : ASM Resources : CPU Utilization'. They will always be in wrong scale, but when the TMM has ~1% CPU usage, it will be presented as 100% CPU usage.

Impact:
Wrong scale is presented and might cause machine's state to be interpreted wrongly.

Workaround:
1. Backup /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.
2. Run the following:
    $ sed -i 's|tmm_avg_cpu_util)/(count(distinct time_stamp)|tmm_avg_cpu_util)/(count(distinct time_stamp)*100|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
3. Compare the backup file to /etc/avr/monpd/monp_asm_cpu_info_measures.cfg:
    Make sure that there are two lines modified, and that the modification is multiplying with 100 the denominator (i.e., actually dividing the TMM value with 100).
4. To make those changes take affect, run the following command:
    $ bigstart restart monpd

Fix:
Dividing the TMM value with 100 to fit correct scale.


868349-5 : TMM may crash while processing iRules with MQTT commands

Solution Article: K62830532


867013-5 : Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout

Component: TMOS

Symptoms:
You are unable to associate new ASM policies to LTM policies, due to REST timeout.

Conditions:
This can be encountered when there are a large number of policies configured in ASM.

Impact:
Unable to associate new ASM policies to LTM policies, due to rest timeout.

Workaround:
None.

Fix:
Modified REST query to get only fullPath to display the list of policies, so the timeout no longer occurs.


866925-1 : The TMM pages used and available can be viewed in the F5 system stats MIB

Component: TMOS

Symptoms:
The memory pages available and in use are tracked with system statistics. Previously those statistics were available only with the tmctl command in the shell.

Conditions:
When system resource decisions are being made, the information about memory usage is important.

Impact:
It is not feasible to query each BIG-IP device separately.

Workaround:
None.

Fix:
You can query these statistics with SNMP through the F5-BIGIP-SYSTEM-MIB::sysTmmPagesStat table.


866613-2 : Missing MaxMemory Attribute

Component: Application Visibility and Reporting

Symptoms:
The MaxMemory Attribute is not reported in the System Monitor statistics report.

Conditions:
This is encountered when viewing the System Monitor report.

Impact:
No 'MaxMemory' value label appears in System Monitor statistics. Instead, there are duplicate AvgMemory fields, for example:
...(AvgMemory='3818',AvgMemory='3818').

Workaround:
Use the AvgMemory value that is the higher of the two to represent MaxMemory.

Note: Sometimes, the AvgMemory and MaxMemory values are the same. In that case, use the second value.

Fix:
The MaxMemory attribute is now reported in System Monitor statistics.


866021-4 : Diameter Mirror connection lost on the standby due to "process ingress error"

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.

Conditions:
This can happen when there is a large amount of mirror traffic, this includes the traffic processed by the active that requires mirroring and the high availability (HA) context synchronization such as persistence information, message state, etc.

Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.

Fix:
Diameter mirror connection no longer lost due to "process ingress error" when there is high mirror traffic.


865225-2 : 100G modules may not work properly in i15000 and i15800 platforms

Component: TMOS

Symptoms:
The tuning values programmed in the switch are not correct for 100G OPT-0039 and OPT-0031 SFP modules.

Conditions:
-- Using OPT-0039 or OPT-0031 modules.

-- Running on i15000 and i15800 platforms.

Note: Use 'tmsh list net interface vendor-partnum', to identify the optic modules installed.

Impact:
You might see traffic drop.

Note: Potential issues related to incorrect tuning values come from F5-internal sources and have not been reported in production configurations.

Workaround:
None.


864757-1 : Traps that were disabled are enabled after configuration save

Component: TMOS

Symptoms:
The ifLinkUpDownTrapEnable setting is not saved to config files nor UCS. If you have disabled 'link up/down' traps for an interface, save the config, and then load the config files or UCS, all interfaces will have traps enabled, even the ones that were explicitly disabled.

Conditions:
-- Disable 'link up/down' traps for an interface.
-- Save the configuration or UCS.
-- Reload the configuration or load the UCS.

Impact:
All interfaces have traps enabled, even the ones that were explicitly disabled.

Workaround:
None.


863161-5 : Scheduled reports are sent via TLS even if configured as non encrypted

Component: Application Visibility and Reporting

Symptoms:
The scheduled report email is sent from BIG-IP using TLS even if configured to not use encryption. When the mail server TLS is outdated it may lead to failure of the mail delivery.

Conditions:
The scheduled reports are enabled and configured to use a mail server which reports TLS capability.

Impact:
The minor impact is unexpected behaviour. In rare cases it may lead to malfunction of the scheduled reports.

Fix:
The automatic TLS connection was introduced via udate of the phpmailer module. The current fix disables automatic behaviour such that encryption will be used according to BIG-IP configuration.


862597-3 : Improve MPTCP's SYN/ACK retransmission handling

Component: Local Traffic Manager

Symptoms:
- MPTCP enabled TCP connection is in SYN_RECEIVED state.
- TMM cores.

Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP option in the TCP profile.

Fix:
MPTCP's SYN/ACK retransmission handling is improved.


860517-4 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.

Component: TMOS

Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.

As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms). tmm crash

Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.

Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.

Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.

Fix:
The memory efficiency of MCPD has been improved. This allows very large BIG-IP configurations to be used successfully.


860477-6 : SCP hardening

Solution Article: K82518062


859089-3 : TMSH allows SFTP utility access

Solution Article: K00091341


858301-4 : HTTP RFC compliance now checks that the authority matches between the URI and Host header

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
It is possible to have an absolute URI with an authority different from that in the Host header. The HTTP profile by default does not verify that these are the same.

Conditions:
HTTP profile is enabled.
A request contains an absolute URI with an authority different from that in the Host header.

Impact:
HTTP requests with mismatched authority and Host headers are forwarded to back-end servers.

Workaround:
None.

Fix:
The HTTP RFC compliance option now rejects requests with an absolute URI that contains an authority different than that in the Host header.

HTTP PSM's "invalid host" option now checks that the authorities match between the URI and Host header.


858297-4 : HTTP requests with multiple Host headers are rejected if RFC compliance is enabled

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
HTTP requests with multiple Host headers may confuse servers. The HTTP parser currently uses the last header of a given name in a header block, whereas other software may not. This miss-match in parsing may lead to a security hole.

Note that many servers reject such requests. Such servers are not vulnerable to this kind of attack.

Conditions:
HTTP profile enabled.
Multiple Host headers exist in a HTTP request.

Impact:
HTTP requests with multiple host headers may be forwarded to back-end servers.

Workaround:
None.

Fix:
If HTTP RFC compliance is enabled on the HTTP profile, then a request that has multiple Host headers will be rejected.

HTTP PSM can now be configured to reject multiple Host headers.


858289-4 : HTTP parsing restrictions

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
When parsing HTTP the following non-compliant behavior was accepted:
White-space before a colon in a header name.

Conditions:
HTTP profile enabled.

Impact:
Non-compliant HTTP traffic is accepted and forwarded to pool members.

Workaround:
None.

Fix:
HTTP parsing was more lenient than that required by the RFC. HTTP parsing now is more strict.


858285-4 : HTTP parsing of Request URIs with spaces in them has changed

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
An HTTP request URI with a white-space character in it is malformed. The HTTP parser now will handle this as a HTTP/0.9 style request, rather than a HTTP/1.x request.

Conditions:
The uri in an HTTP request has a horizontal tab or space character within it.

Impact:
The detected HTTP version changes. HTTP version 0.9 may be blocked by other security modules. This allows detection and blocking of this kind of malformed HTTP requests.

Workaround:
None.

Fix:
HTTP request URI's with white-space in them are now parsed as HTTP/0.9 style requests. Such requests do not have headers, so only the first line will be emitted to the server.

Other security modules may disallow HTTP/0.9 style requests. In particular, if the HTTP profile RFC compliance option is enabled, then this form of request will be rejected.


858229-2 : XML with sensitive data gets to the ICAP server

Solution Article: K22493037

Component: Application Security Manager

Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.

Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.

Impact:
Sensitive data will reach the ICAP server.

Workaround:
No immediate workaround except policy related changes

Fix:
An internal parameter, send_xml_sensitive_entities_to_icap was added. It's default is 1 as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.

Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.

When this is changed to 0 (using this command):
 /usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.


858197-4 : Merged crash when memory exhausted

Component: TMOS

Symptoms:
Merged crashes when system memory is exhausted

Conditions:
System memory is is at 0% available.

Impact:
Merged crashes, stopping stats updates

Workaround:
Reduce the configuration on the system

Fix:
Remove function call to drop row from table on error path where row was not successfully added.


858025-5 : Proactive Bot Defense does not validate redirected paths

Solution Article: K33440533

Component: Application Security Manager

Symptoms:
Under certain conditions, Proactive Bot Defense may redirect clients to an unvalidated path.

Conditions:
-Proactive Bot Defense enabled.

Impact:
Clients may be redirected to an unvalidated path.

Workaround:
None.

Fix:
Proactive Bot Defense now validates redirected paths as expected.


856961-4 : INTEL-SA-00201 MCE vulnerability CVE-2018-12207

Solution Article: K17269881


854177-2 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality

Component: Application Security Manager

Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.

Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.

Impact:
Latency is introduced to ASM handling.

Workaround:
Set the fast changing nodes to static updates every hour.

Fix:
ASM now correctly ignores pool member updates that do not affect remote logging.


853329 : HTTP explicit proxy can crash TMM when used with classification profile

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may serve HTTP traffic as forward proxy and use DNS resolver objects to provide a server to connect to for request processing. When a classification profile is attached to the virtual server, it may result in a TMM crash with regards to some HTTP requests.

Conditions:
-- PEM is provisioned.
-- HTTP explicit proxy is configured on a virtual server.
-- A classification profile attached to the virtual server.

Impact:
TMM crashes, causing failover. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release prevents a condition causing this TMM crash.


852929-2 : AFM WebUI Hardening

Solution Article: K25160703


852445-5 : Big-IP : CVE-2019-6477 BIND Vulnerability

Solution Article: K15840535


852289-6 : DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector

Solution Article: K23278332

Component: Advanced Firewall Manager

Symptoms:
DNS over TCP packet is not rate-limited accurately by DoS device sweep and flood vector.

Conditions:
-- Setting the correct DNS pkt type in the DoS device sweep or flood vector.
-- Sending DNS over TCP.

Impact:
DNS over TCP is DDoS attack is not mitigated correctly.

Workaround:
Using DNS DoS vector to mitigate the attack.

Fix:
The attack mitigation by sweep and flood vector is accurate.


851857-4 : HTTP 100 Continue handling does not work when it arrives in multiple packets

Component: Local Traffic Manager

Symptoms:
If a 100 Continue response from a server arrives in mulitple packets, HTTP Parsing may not work as expected. The later server response payload may not be sent to the client.

Conditions:
The server responds with a 100 Continue response which has been broken into more than one packet.

Impact:
The response is not delivered to the client. Browsers may retry the request.

Workaround:
None.

Fix:
100 Continue responses are parsed correctly by the HTTP parser if they are broken into multiple packets.


850673-4 : BD sends bad ACKs to the bd_agent for configuration

Component: Application Security Manager

Symptoms:
-- The bd_agents stops sending the configuration in the middle of startup or a configuration change.

-- The policy may be incomplete in the bd causing incorrect enforcement actions.

Conditions:
This is a rarely occurring issue, and the exact conditions that trigger it are unknown.

Impact:
-- The bd_agent hangs or restarts, which may cause a complete ASM restart (and failover).

-- A partial policy may exist in bd causing improper enforcement.

Workaround:
-- Unassign and reassign the policy.

-- if unassign/reassign does not help, export and then reimport the policy.

Fix:
Fixed inconsistency scenario between bd and bd_agent.


850277-5 : Memory leak when using OAuth

Component: Access Policy Manager

Symptoms:
Tmm memory usage keeps going up when passing multiple HTTP requests through a kept-alive TCP connection carrying an OAuth token as bearer in the Authorization header.

Conditions:
-- Multiple HTTP requests through a kept-alive TCP connection.
-- Requests carry an OAuth token as bearer in the Authorization header.

Impact:
Memory leak occurs in which tmm memory usage increases.

Workaround:
None.


849861 : TMM may crash with FastL4 and HTTP profile using fallback host and iRule command

Component: Local Traffic Manager

Symptoms:
TMM may crash when FastL4 is used with an HTTP profile and an iRule command. Even if TMM does not crash, the incorrect iRule may prevent the connection from working.

Conditions:
-- A virtual server configured to use FastL4 with an HTTP profile with a fallback host.

-- The virtual server has an iRule that performs a pool pick after the connection is established.

Note: Using the pool command after the server-side connection is established is not a valid operation.

Impact:
TMM typically crashes; however, whether or not TMM crashes, the invalid use of the pool command results in connection failure.

Workaround:
Remove the invalid iRule configuration.

Fix:
This issue no longer occurs.


848445-4 : Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer

Solution Article: K86285055

Component: Application Security Manager

Symptoms:
Global/URL/Flow Parameters with flag is_sensitive true are not masked in referrer and their value may be exposed in logs.

Conditions:
Global/URL/Flow Parameters with flag is_sensitive true are defined in the policy. In logs, the value of such parameter will be masked in QS, but will be exposed in the referrer.

Impact:
The parameter will not be masked in 'Referer' value header in logs, although it is masked in 'QS' string.

Workaround:
Can defined the parameters as global sensitive parameters.

Fix:
After the fix, such parameters will be treated like global sensitive parameters and will be covered also in the Referer


848405-1 : TMM may consume excessive resources while processing compressed HTTP traffic

Solution Article: K26244025


846917-5 : lodash Vulnerability: CVE-2019-10744

Solution Article: K47105354


846493 : ASM CAPTCHA is not working the first time when a request contains sensitive parameters

Component: Application Security Manager

Symptoms:
ASM end users are required to type CAPTCHA letters twice to get the login request to be forwarded to the server. In addition, the original login request is not sent to the server, which results in failed logins.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Brute force enabled in the ASM policy.
-- Brute force issues CAPTCHA mitigation.

Impact:
False-positive bad logins.

Workaround:
Remove sensitive parameters from asm policy.

Impact of workaround: This results in sensitive parameters being revealed in the ASM event logs.

Fix:
CAPTCHA mechanism now works correctly along with sensitive parameters.


846441-4 : Flow-control is reset to default for secondary blade's interface

Component: TMOS

Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface is reset to default.

Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.

Impact:
The flow-control setting is reset to default (tx-rx).

Workaround:
Reload the configuration on the primary blade.


846137-5 : The icrd returns incorrect route names in some cases

Component: TMOS

Symptoms:
The icrd returns an incorrect route names when a '.' (dot, or period) is present in the subPath, as it treats the subPath as an IP address and the leaf name as a subnet and considers its name as a whole. Also the subPath field is missed in the response route object. This happens only in the case of curl request.

Conditions:
-- The subPath contains a '.' in it.
-- A curl request is made.

Impact:
Result information is not compatible with actual result.

Workaround:
None.

Fix:
The system now verifies whether or not the leafname a numeric valuel, so this issue no longer occurs.


845461-1 : MRF DIAMETER: additional details to log event to assist debugging

Component: Service Provider

Symptoms:
There are not enough details in log events when stale pending requests are removed.

Conditions:
An answer message is not received before the configured timeout has been reached.

Impact:
The set of arguments in the log message do not have enough information to debug why the message was not responded to.

Workaround:
None.

Fix:
New details have been added to help debug why the message was not responded to.


842717-3 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5855

Solution Article: K55102004


842625-1 : SIP message routing remembers a 'no connection' failure state forever

Component: Service Provider

Symptoms:
When SIP message routing fails to route to a pool member (Triggering a MR_FAILED, MR::message status of 'no connection'), The BIG-IP system caches the failed state and continues to return this even after the pool member becomes reachable again.

Conditions:
When BIG-IP systen fails to route messages to the peer (server) due to unavailability of route or any other issues.

Impact:
The BIG-IP system is never be able to establish connection to the peer.

Workaround:
None.

Fix:
SIP message routing now recovers from a 'no connection' failure state.


842125-2 : Unable to reconnect outgoing SCTP connections that have previously aborted

Component: TMOS

Symptoms:
When an outgoing SCTP connection is created using an ephemeral port, the connection may appear to be open after an SCTP connection halt. This prevents new connections to the same endpoint, as the connection appears to already exist.

Conditions:
-- A virtual server configured with an SCTP profile.
-- An outgoing SCTP connection after an existing connection to the same endpoint has halted.

Impact:
New connections are unable to be created resulting in dropped messages.

Workaround:
None.

Fix:
SCTP connections can now be halted and recreated to the same endpoint.


841577-6 : iControl REST hardening

Solution Article: K20606443


841469-3 : Application traffic may fail after an internal interface failure on a VIPRION system.

Component: Local Traffic Manager

Symptoms:
Blades in a VIPRION system connect with one another over a data backplane and a management backplane.

For more information on the manner in which blades interconnect over the data backplane, please refer to K13306: Overview of the manner in which the VIPRION chassis and blades interconnect :: https://support.f5.com/csp/article/K13306.

Should an internal interface fail and thus block communication over the data backplane between two distinct blades, an unusual situation arises where different blades compute different CMP states.

For example, if on a 4-slot chassis, blades 2 and 3 become disconnected with one another, the following is TMM's computation of which slots are on-line:

slot1: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
slot2: slots 1, 2, and 4 on-line (cmp state 0xb / 11)
slot3: slots 1, 3, and 4 on-line (cmp state 0xd / 13)
slot4: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)

As different slots are effectively operating under different assumptions of the state of the cluster, application traffic does not flow as expected. Some connections time out or are reset.

You can run the following command to inspect the CMP state of each slot:

clsh 'tmctl -d blade -s cmp_state tmm/cmp'

All slots should report the same state, for instance:

# clsh 'tmctl -d blade -s cmp_state tmm/cmp'
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
       15

=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
       15

=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
       15

=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
       15

When this issue occurs, logs similar to the following example can be expected in the /var/log/ltm file:

-- info bcm56xxd[4276]: 012c0015:6: Link: 2/5.3 is DOWN
-- info bcm56xxd[4296]: 012c0015:6: Link: 3/5.1 is DOWN
-- info bcm56xxd[4296]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4339]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4214]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd

And a CMP transition will be visible in the /var/log/tmm file similar to the following example:

-- notice CDP: PG 2 timed out
-- notice CDP: New pending state 0f -> 0b
-- notice Immediately transitioning dissaggregator to state 0xb
-- notice cmp state: 0xb

For more information on troubleshooting VIPRION backplane hardware issues, please refer to K14764: Troubleshooting possible hardware issues on the VIPRION backplane :: https://support.f5.com/csp/article/K14764.

Conditions:
This issue arises after a very specific type of hardware failure. The condition is very unlikely to occur and is impossible to predict in advance.

Impact:
Application traffic is impacted and fails sporadically due to a mismatch in CMP states between the blades. Failures are likely to manifest as timeouts or resets from the BIG-IP system.

Workaround:
F5 recommends the following to minimize the impact of this potential issue:

1) For all highly available configurations (e.g., A/S, A/A, A/A/S, etc.).

The BIG-IP system has functionality, in all software versions, to enact a fast failover when the conditions described occur.

To ensure this functionality will trigger, the following configuration requirements must be met:

a) The mirroring strategy must be set to 'between'.
b) A mirroring channel to the next-active unit must be up.
c) The min-up-members option must be set to the number of blades in the chassis (e.g., 4 if there are 4 blades in the chassis).

Note: It is not required to actually configure connection mirroring on any virtual server; simply choosing the aforementioned strategy and ensuring a channel is up to the next-active unit will suffice. However, note that some configurations will benefit by also configuring connection mirroring on some virtual servers, as that can greatly reduce the number of affected connections during a failover.

2) For 'regular' standalone units.

If a VIPRION system is truly standalone (no kind of redundancy whatsoever), there is no applicable failsafe action, as you will want to keep that chassis online even if some traffic is impaired. Ensure suitable monitoring of the system is in place (e.g., remote syslog servers, SNMP traps, etc.), so that a BIG-IP Administrator can react quickly in the unlikely event this issue does occur.

3) For a standalone chassis which belongs to a pool on an upstream load-balancer.

If the virtual servers of a standalone VIPRION system are pool members on an upstream load-balancer, it makes sense for the virtual servers to report unavailable (e.g., by resetting all new connection attempts) so that the upstream load-balancer can select different pool members.

An Engineering Hotfix can be provided which introduces an enhancement for this particular use-case. A new DB key is made available under the Engineering Hotfix: tmm.cdp.requirematchingstates, which takes values 'enable' and 'disable'.

The default is 'disable', which makes the VIPRION system behave as in versions without the enhancement. When set to 'enable', the VIPRION system attempts to detect this failure and, if it does, resets all new connections. This should trigger some monitor failures on the upstream load-balancer and allow it to select different pool members.

Please note you should only request the Engineering Hotfix and enable this DB key when this specific use-case applies: a standalone VIPRION system which belongs to a pool on an upstream load-balancer.

When the new feature is enabled, the following log messages in the /var/log/ltm file indicate when this begins and stops triggering:

-- crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.

-- crit tmm[13262]: 01010367:2: CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.

Fix:
The system now includes the enhancement for the 'standalone chassis which belongs to a pool' use-case, as discussed under the Workaround section.


841333-3 : TMM may crash when tunnel used after returning from offline

Component: TMOS

Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.

Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


839597-2 : Restjavad fails to start if provision.extramb has a large value

Component: Device Management

Symptoms:
Rolling restarts of restjavad occur every few seconds and the following messages are seen in the daemon log:

daemon.log: emerg logger: Re-starting restjavad

The system reports similar message at the command line.

No obvious cause is logged in rest logs.

Conditions:
-- System DB variable provision.extramb has an unusually high value*:
  + above ~2700-2800MB for v12.1.0 and earlier.
  + above ~2900-3000MB for v13.0.0 and later.

-- On v13.0.0 and later, sys db variable restjavad.useextramb needs to have the value 'true'

*A range of values is shown. When the value is above the approximate range specified, constant restarts are extremely likely, and within tens of MB below that point may be less frequent.

To check the values of these system DB varaiables use:
tmsh list sys db provision.extramb

tmsh list sys db restjavad.useextramb

Impact:
This impacts the ability to use the REST API to manage the system

Workaround:
If needing sys db restjavad.useextramb to have the value 'true', keep sys db provision.extramb well below the values listed (e.g., 2000 MB work without issue).

To set that at command line:

tmsh modify sys db provision.extramb value 2000


If continual restarts of restjavad are causing difficulties managing the unit on the command line:

1. Stop restjavad (you can copy this string and paste it into the command line on the BIG-IP system):
tmsh stop sys service restjavad

2. Reduce the large value of provision.extramb if necessary.

3. Restart the restjavad service:
tmsh start sys service restjavad

Fix:
Restjavad memory is now capped at a sensible maximum.
If provision.extramb is set to a value higher than 2500MB it will be considered to be 2500MB for the purposes of restjavad, and a message similar to the one below will be logged in /var/log/ltm, where XXXX is the value of provision.extramb

notice restjavad: JVM heap limit exceeded. Using maximum supported value of 2500 instead of provision.extramb XXXX


839453-2 : lodash library vulnerability CVE-2019-10744

Solution Article: K47105354


838709-2 : Enabling DoS stats also enables page-load-time

Component: Application Visibility and Reporting

Symptoms:
If collect-all-dos-statistic is enabled, AVR 'promises' to the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-length header.

Conditions:
Security :: reporting : settings : collect-all-dos-statistic is enabled.

Impact:
In addition to collecting DoS statistics, JavaScript injection also occurs.

Workaround:
Can use iRules to control which pages should get the JavaScript injection.

For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.

Fix:
Changed the condition that insert the JavaScript injection in case that "collect all dos stats" is enabled.


838685-1 : DoS report exist in per-widget but not under individual virtual

Component: Application Visibility and Reporting

Symptoms:
'Undefined entity dosl7_vip was used' error message is reported on widgets whenever a 'Virtual Server' filter is selected on the 'Security :: Reporting : DoS : Custom Page' GUI page.

Conditions:
-- Navigate to Security :: Reporting : DoS : Custom Page in the GUI.
-- Filter widgets results with specific 'Virtual Server'.

Impact:
GUI widgets report errors and cannot show stats.

Workaround:
This GUI fix requires modifying a single PHP file in one location, which you can do directly on your BIG-IP system with a few bash commands:

1. Backup the file '/var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php':
   $ cp /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/

2. Change permissions to allow modifying it:
   $ chmod +w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

3. Change the file to include the fix:
   $ sed -i 's/dosl7_vip/vip/g' /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
   $ sed -i "s/ANALYTICS_MOD_DNS_DOS => 'vip'/ANALYTICS_MOD_DNS_DOS => 'dns_vip'/g" /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

4. Verify that the fix is as expected:
   $ vimdiff /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/dos_custom_overview_commons.php

   (** You should see two lines modified:
       1. ANALYTICS_MOD_DOSL7 => 'dosl7_vip' to ANALYTICS_MOD_DOSL7 => 'vip'.
       2. ANALYTICS_MOD_DNS_DOS => 'vip' to ANALYTICS_MOD_DNS_DOS => 'dns_vip')

5. Revert permissions of the file:
   $ chmod -w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

6. Log out and log back into the GUI, so that the new version of the file loads.

Fix:
GUI configuration for the 'Virtual Server' filter is fixed with the correct dimension name.


838677-5 : lodash library vulnerability CVE-2019-10744

Solution Article: K47105354


837773-4 : Restjavad Storage and Configuration Hardening

Solution Article: K12936322


836357-1 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2

Component: Service Provider

Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.

Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- There is message sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by 'node <ip> <port>' and 'snat <ip> <port>' iRules command.
-- The destination flow is in the FIN-wait2 stage.

Impact:
This causes the BIG-IP system to abort the flow that originates the message.

Workaround:
None.

Fix:
SIP MBLB correctly initiates a new flow from a virtual IP to the client when an existing flow is in the FIN-wait2 stage.


834533-4 : Linux kernel vulnerability CVE-2019-15916

Solution Article: K57418558


833685-1 : Idle async handlers can remain loaded for a long time doing nothing

Component: Application Security Manager

Symptoms:
Idle async handlers can remain loaded for a long time doing nothing because they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a large XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.

Impact:
Depletion of memory by lingering idle async handlers may deprive other processes of sufficient memory, triggering out-of-memory conditions and process failures.

Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart asm_config_server periodically using cron, as idle handlers are soon created again.

Fix:
Idle async handlers now exit after 5 minutes of not receiving any new calls.


833213-5 : Conditional requests are served incorrectly with AAM policy in webacceleration profile

Component: WebAccelerator

Symptoms:
HTTP 1.1 allows a conditional request with header If-Modified-Since or If-Unmodified-Since to determine whether a resource changed since a specified date and time. If AAM is provisioned and its policy is assigned to a virtual server, it may incorrectly respond with 304 Not Modified, even after the resource was updated.

Conditions:
-- AAM is provisioned and webacceleration policy is attached to a virtual server.
-- Client sends a conditional request with If-Modified-Since or If-Unmodified-Since header.
-- The BIG-IP system responds from AAM cache.

Impact:
Client does not receive an updated resource.

Workaround:
Use webacceleration profile without AAM policy for resources that require conditional checks falling back into Ramcache.

Fix:
The BIG-IP system now respects If-Modified-Since or If-Unmodified-Since header and provides an appropriate response for the requested resource when compared to the date supplied in either header.


833113-1 : Avrd core when sending large messages via https

Component: Application Visibility and Reporting

Symptoms:
When sending large messages (>4KB) via HTTPs may cause avrd to core.

Conditions:
This typically happens when BIG-IP is managed by BIG-IQ and configuration is large and complex or traffic capturing is enabled.

Impact:
Messages to BIG-IQ are lost. In severe cases, analytics functionality may be unavailable due contiguous AVRD cores.

Workaround:
None.

Fix:
Fixed an avrd crash


833049-3 : Category lookup tool in GUI may not match actual traffic categorization

Component: Access Policy Manager

Symptoms:
Category Lookup agent has changed to include the IP in the categorization query. The BIG-IP TMUI does not do the same (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup).

Conditions:
-- SWG or URLDB provisioned.
-- Run traffic with category lookup in the PRP and note the category produced.
-- Run the same URL through the GUI lookup tool or the command line tool.

Impact:
Some websites may be categorized differently depending on if the IP address is passed in or not.

Workaround:
None.


832885-5 : Self-IP hardening

Solution Article: K05975972


831777-2 : Tmm crash in Ping access use case

Component: Access Policy Manager

Symptoms:
Tmm crashes.

Conditions:
Ping access use case.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Properly handle ping traffic.


831549 : Marketing name does not display properly for BIG-IP i10010 (C127)

Component: TMOS

Symptoms:
The /var/log/ltm log includes error messages about the marketing names errors:
Invalid marketing name.

Conditions:
-- Running BIG-IP software version 13.1.3.1.
-- Using BIG-IP i10010 (C127) platform.

Impact:
This causes errors in the logs, and affects the tmsh and LCD displays. The LCD displays C127 for the Platform Name instead of the actual platform name. The TMSH command, tmsh show sys hw, displays C127 for the Platform Name instead of the actual platform name.

Workaround:
None.

Fix:
This is fixed in version 13.1.3.2.


831325-3 : HTTP PSM detects more issues with Transfer-Encoding headers

Solution Article: K10701310

Component: Local Traffic Manager

Symptoms:
HTTP PSM may not detect some invalid Transfer-Encoding headers.

Conditions:
HTTP PSM is used to detect HTTP RFC violations. A request with an invalid Transfer-Encoding header is sent.

Impact:
Traffic is not alarmed/blocked as expected.

Workaround:
None.

Fix:
HTTP PSM detects new cases of invalid Transfer-Encoding headers.


831293-2 : SNMP address-related GET requests slow to respond.

Component: TMOS

Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.

Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.

Impact:
Slow performance.

Workaround:
None.


830401-5 : TMM may crash while processing TCP traffic with iRules

Solution Article: K54200228


830073-5 : AVRD may core when restarting due to data collection device connection timeout

Component: Application Visibility and Reporting

Symptoms:
Avrd crashes, one or more core avrd files exist in /var/core

Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel
-- Avrd is restarted.

Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes

Workaround:
None.

Fix:
The AVRD HTTPS module now stops any connection attempts when shutdown sequence is in progress, so this issue no longer occurs.


829677-4 : .tmp files in /var/config/rest/ may cause /var directory exhaustion

Component: TMOS

Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open.

This issue is happening because a VIPRION process is not available because of a REST timeout.

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Manually run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Fix:
Increased the rest socket timeout value and shellexecutor timeout value to 6 min to fix the timeout issue of viprion worker

The fix also includes automatic removal of unused tmp files.


829121-5 : State mirroring default does not require TLS

Solution Article: K65720640


829117-5 : State mirroring default does not require TLS

Solution Article: K17663061


828937-4 : Some systems can experience periodic high IO wait due to AVR data aggregation

Solution Article: K45725467

Component: Application Visibility and Reporting

Symptoms:
Systems with a large amount of statistics data collected in the local database (i.e., systems not working with BIG-IQ) can have high IO Wait CPU usage, peaking at 10 minutes, 1 hour, and 24 hours. This is caused by the data aggregation process that is running on the local database. Notice that large memory footprints, particularly for avrd might be a symptom for the phenomenon.

Conditions:
-- The BIG-IP system is collecting statistics locally (i.e., not sending data to BIG-IQ or another external device).
-- There is a large amount of statistics data.
-- May occur even if AVR is not explicitly provisioned.

Impact:
High IO can impact various processes on BIG-IP systems. Some of them can experience timeouts and might restart.

Workaround:
The most effective workaround is to lower the amount of data collected by setting the 'avr.stats.internal.maxentitiespertable' DB variable to a lower value. The recommended values are 20000 (on larger, more powerful systems with more than 16 cores) or 2148 (on smaller systems).


Note: After you lower the database value, continue to monitor the BIG-IP system for long I/O wait times and high CPU usage. If symptoms persist and the system continues to experience resource issues, you may need to reset the BIG-IP AVR statistics. For information about resetting BIG-IP AVR statistics, refer to K14956: Resetting BIG-IP AVR statistics :: https://support.f5.com/csp/article/K14956.

Fix:
Set default value of avr.stats.internal.maxentitiespertable DB variable to 20000. Set it to 2148 on systems with the number of CPU cores fewer than or equal to 8.


828601-4 : IPv6 Management route is preferred over IPv6 tmm route

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metrics than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the management interface.

Conditions:
-- Create an IPv6 management route, which is going to be a default gateway.

-- Receive another default gateway from a configured peer using any of dynamic routing protocols (BGP, OSPF, etc.)

Impact:
The incorrect routing table sends the traffic that matches the default route to the management interface.

Workaround:
None.

Fix:
IPv6 routes now prioritize TMM interfaces.


826601-3 : Prevent receive window shrinkage for looped flows that use a SYN cookie

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
-- VIP to VIP (looped flow) configuration.
-- SYN cookie is used.
-- Initial receive window is greater than 3.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
-- Set the initial receive window value of the VIP to 3.

Fix:
Receive window shrinkage is prevented for looped flows using SYN cookies.


824149-1 : SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured

Component: Service Provider

Symptoms:
In SIP ALG virtual with source-nat-policy assigned, if traffic processed by the virtual server does not match source-nat-policy, or if it matches source-nat-policy that does not have source-translation configured, tmm cores and restarts.

Conditions:
-- SIP ALG virtual server with an assigned source-nat-policy.
-- Traffic does not match the source-nat-policy, or traffic matches a source-nat-policy that has no source-translation configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure SIP ALG virtual so that the condition never happens. For example, apply a source attribute to the virtual server that filters out traffic that will not match the source-nat-policy. Never use a source-nat-policy that has no source-translation.


823893-4 : Qkview may fail to completely sanitize LDAP bind credentials

Solution Article: K03318649


819397-3 : TMM does not enforce RFC compliance when processing HTTP traffic

Solution Article: K50375550

Component: Local Traffic Manager

Symptoms:
TMM does not require RFC compliance when processing HTTP traffic. This does not impact the performance or security of BIG-IP systems, but may impact connected systems if they expect only compliant traffic to be forwarded.

Conditions:
-- HTTP virtual server
-- Non-compliant HTTP request from client

Impact:
Pool members may be exposed to non-compliant HTTP requests.

Workaround:
None.

Fix:
The HTTP filter now optionally performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.

Behavior Change:
A new BigDB variable has been added.

The new 'Tmm.HTTP.RFC.Enforcement' option may be enabled or disabled. It is disabled by default.

If enabled, the HTTP filter performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.

The checks performed are a subset of those described within the HTTP PSM module. If a blocking page is required, or more detailed control over which checks are performed, configure HTTP PSM or ASM on the virtual server.

If either HTTP PSM or ASM are configured on a virtual server, the state of the 'Tmm.HTTP.RFC.Enforcement' BigDB variable is ignored on that virtual server.


819197-6 : BIGIP: CVE-2019-13135 ImageMagick vulnerability

Solution Article: K20336394


819189-5 : BIGIP: CVE-2019-13136 ImageMagick vulnerability

Solution Article: K03512441


818853-5 : Duplicate MAC entries in FDB

Component: Local Traffic Manager

Symptoms:
Forwarding DataBase (FDB) not updated when a MAC moves among interfaces.

Conditions:
-- Having multiple paths to a MAC in a given configuration.

Impact:
There are duplicate MAC address entries which come from multiple interfaces.

Workaround:
None.


818709-4 : TMSH does not follow current best practices

Solution Article: K36814487


818429-2 : TMM may crash while processing HTTP traffic

Solution Article: K70275209


818213-6 : CVE-2019-10639: KASLR bypass using connectionless protocols

Solution Article: K32804955


818177-1 : CVE-2019-12295 Wireshark Vulnerability

Solution Article: K06725231


816413-4 : CVE-2019-1125: Spectre SWAPGS Gadget

Solution Article: K31085564


816273-4 : L7 Policies may execute CONTAINS operands incorrectly.

Component: Local Traffic Manager

Symptoms:
L7 Policies involving CONTAINS operands may execute incorrectly in some cases.

The policy compiler may incorrectly combine some internal states, 'forgetting' degrees of partial evaluation of a CONTAINS operation.

Conditions:
Multiple CONTAINS conditions are used on the same virtual server.

Impact:
The wrong policy actions may be triggered.

Workaround:
It may be possible to reorder the rules in a policy to restore correct operation. However, the more complex the policy, the less likely this is.

Fix:
L7 Policy CONTAINS operations are compiled correctly. Policies with CONTAINS operations no longer trigger the wrong rule actions.


815877-4 : Information Elements with zero-length value are rejected by the GTP parser

Component: Service Provider

Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.

Conditions:
Virtual server with GTP profile enabled processing GTP traffic.

Impact:
Well-formed GTP messages might get rejected.

Workaround:
Avoid sending GTP messages containing zero-length IEs.

Fix:
Zero-length IEs are now processed correctly.


815753-4 : TMM leaks memory when explicit SWG is configured with Kerberos authentication

Component: Access Policy Manager

Symptoms:
Memory usage of filter keeps increasing over time and becomes one of major consumers of the TMM memory.

Conditions:
This issue happens if the following conditions are met:
1. Access profile type is SWG-explicit.
2. Access policy contains HTTP 407 Response policy item with HTTP Auth Level being Negotiate.
3. Kerberos is used to authenticate a user.

Impact:
TMM sweeper enters aggressive mode and reaps connections.

Workaround:
None.


815529-4 : MRF outbound messages are dropped in per-peer mode

Component: Service Provider

Symptoms:
When a Message Routing profile is configured with a peer consisting of an outbound virtual server, transport config, no pool, and per-peer mode, messages may be dropped when the outgoing connection is persisted to a different tmm than the message was received on.

Conditions:
-- Message Routing Profile.
-- A peer configured for outbound traffic with a virtual server and transport config in per-peer mode, no pool.
-- Persistence is enabled.
-- Multiple outbound messages with the same destination address.

Impact:
Outbound traffic with the same destination address may be dropped at random.

Workaround:
Change the peer connection mode to 'Per TMM'.

Fix:
Multiple outbound messages to the same destination address are no longer randomly dropped.


815425 : RAID status is shown <undefined> after upgrade from 12.1.3.5 to 13.1.x

Component: TMOS

Symptoms:
On RAID supported BIG-IP platforms, upgrade from BIG-IP v12.1.3.5 to BIG-IP v13.1.x, RAID array member state is shown as 'undefined' in below commands, though actual RAID status is 'up'.
- array
- tmsh show sys raid

Conditions:
On RAID supported platforms, clean install of BIG-IP 12.1.x version followed by upgrade to BIG-IP 13.1.x version.

Impact:
RAID information is reported wrongly.

Fix:
RAID information is retrieved and parsed according to the new mdadm supported in BIG-IP 13.1.x version.


814585-5 : PPTP profile option not available when creating or modifying virtual servers in GUI

Component: TMOS

Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.

Conditions:
Creating or modifying a virtual server in the GUI.

Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.

Workaround:
Use TMSH to add a PPTP profile to the virtual server.


814097-4 : Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.

Component: Service Provider

Symptoms:
When using the Generic Message router to convert SIP messages from TCP to UDP, BIG-IP fails to raise the SERVER_CONNECTED iRule event.

Conditions:
Converting the transport of SIP messages with the Generic Message router.

Impact:
Any code that waits for the SERVER_CONNECTED event will not run.

Fix:
SERVER_CONNECTED event is raised.


814037-1 : No virtual server name in Hardware Syncookie activation logs.

Component: Local Traffic Manager

Symptoms:
Missing virtual server name in Hardware Syncookie activation logs. ltm/logs contains error messages:

notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.

Conditions:
-- More than one virtual server with same Destination IP e.g., 'x.x.x.x'.
-- Port 'y' configured.
-- Hardware Syncookie activated.

Impact:
Difficult to determine which virtual server actually got the Syncookie activated.

Workaround:
None.


813945-1 : PB core dump while processing many entities

Component: Application Security Manager

Symptoms:
PB core dump.

Conditions:
This may happen when the system is strained and PB is processing large policies (updating many entities may happen during periodic processing, response analysis).

This is a very rarely occurring scenario.

Impact:
PB core dump and restart.

Workaround:
None.

Fix:
PB core dump no longer occurs.


813673-1 : The HTTP Explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT

Component: Local Traffic Manager

Symptoms:
A typical configuration of the HTTP Explicit Proxy includes four virtual servers:
-- Two virtual servers for the Explicit Proxy, one IPv4, one IPv6.
-- Two general-purpose virtual servers: one IPv4, one IPv6.

The general-purpose virtual servers allow handling of CONNECT tunneling over the HTTP-tunnel interface.

Unfortunately, if an IPv6 client tries to CONNECT to an IPv4 destination, it fails, returning a 503 status error.

This is due to the IPv6 general-purpose virtual server not being found when performing the destination lookup.

Conditions:
-- The HTTP explicit proxy is used on an IPv6 address.
-- 'default-connect-handling deny' is configured on the explicit proxy HTTP profile.
-- IPv4 and IPv6 general-purpose virtual servers exist on the HTTP-tunnel interface.
-- The client connects, and uses CONNECT to proxy to an IPv4 address.

Impact:
The client will not be able to CONNECT through the explicit proxy to an IPv4 address.

Workaround:
None.

Fix:
Mismatched IPv6 to IPv4 scenarios are supported with the HTTP Explicit Proxy.


813657 : MRF SIP ALG with SNAT incorrectly detects ingress queue full

Component: Service Provider

Symptoms:
When SIP ALG processes a non-registered subscriber SIP outbound call, the ingress queue counter may underflow. This is interpreted as ingress queue full and the rest of message will be dropped.

Conditions:
SIP ALG processes non registered subscriber SIP outbound calls (nonregister-subscriber-callout option is enabled in SIP session profile).

Impact:
SIP ALG incorrectly detects the ingress queue is full and stops processing the rest of SIP ALG traffic.

Workaround:
None

Fix:
When SIP ALG processes non registered subscriber SIP call, the ingress queue counter is handled correctly.


813561-1 : MCPD crashes when assigning an iRule that uses a proc

Component: Local Traffic Manager

Symptoms:
MCPD crashes when assigning an iRule to a Virtual Server or loading a config with an iRule assigned.

Conditions:
The iRule must uses a proc that contains three statements associated with different feature flags.

Impact:
MCPD will crash, unable to use a desired iRule.

Workaround:
None

Fix:
iRules using proc can be assigned to a Virtual Server without crashing MCPD.


812981-2 : MCPD: memory leak on standby BIG-IP device

Component: TMOS

Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.

Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically

Impact:
MCPD may take a lot of memory on the standby device. Normal functionality of standby device may be stopped; reboot of the device is required.

Fix:
MCPD on standby BIG-IP device does not take more memory than the same daemon on active BIG-IP device.


812525-5 : HTTP parsing restrictions

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
When parsing HTTP the following non-compliant behavior was accepted:
White-space before a colon in a header name.
Bad characters in HTTP/2 URIs

Conditions:
HTTP profile enabled.

Impact:
Non-compliant HTTP traffic is accepted and forwarded to pool members.

Workaround:
None.

Fix:
HTTP parsing was more lenient than that required by the RFC. HTTP parsing now is more strict.

In addition, version handling of non-HTTP protocols like RTSP/2.0 is now somewhat altered.


812341-1 : Patch or Delete commands take a long time to complete when modifying an ASM signature set.

Component: Application Security Manager

Symptoms:
When modifying an ASM signature set that is not attached to any security policy using iControl REST Patch or Delete commands, the command takes a long time to complete.

Conditions:
-- ASM provisioned.
-- Using REST API Patch or Delete command to modify an ASM signature set.

Impact:
Command takes longer (several seconds) to process on detached ASM signature sets than it takes to complete on attached signature sets.

Workaround:
None.

Fix:
Changes to signatures and signatures sets now only recompile policies that are affected by the change.


812237-3 : i10000 series appliances with HDVC part number 505-0030 missing name in show sys hardware and on LCD

Component: TMOS

Symptoms:
"tmsh show sys hardware" will not display a "Name" for the Platform on i100000 series appliances with part number 505-0030.
The LCD will not display the system name.

Conditions:
i10000 series appliances with part number 505-0030 with HDVC (high voltage DC) power supplies.

Impact:
Display only. No functional impact.

The LCD and "tmsh show sys hardware" will not display the product name of i10600 or i10800 as expected.

Workaround:
None

Fix:
Display correct F5 marketing name for i10000 series appliances with high voltage DC power supplies.


811965-3 : Some VDI use cases can cause excessive resource consumption

Component: Access Policy Manager

Symptoms:
Under certain conditions, APM may consume excessive resources while processing VDI traffic.

Conditions:
APM is used as VDI proxy.

Impact:
Excessive resource usage, potentially leading to a failover event.

Workaround:
None.

Fix:
APM now processes VDI traffic as expected.


811789-4 : Device trust UI hardening

Solution Article: K57214921


811745-4 : Failover between clustered DIAMETER devices can cause mirror connections to be disconnected

Component: Service Provider

Symptoms:
When using DIAMETER with certain settings, a failover might cause mirror connections to get disconnected.

Conditions:
-- Two or more BIG-IP systems in a high availability (HA) configuration.
-- Aggressive settings for the DIAMETER watchdog timeout and max failures.

Impact:
Loss of mirroring between BIG-IP systems.

Workaround:
None.

Fix:
Mirror connections no longer disconnect during a failover.


811145-4 : VMware View resources with SAML SSO are not working

Component: Access Policy Manager

Symptoms:
Connections to SAML-enabled VMware View resources fail with following error in /var/log/apm:
err vdi[18581]: 019cffff:3: /pathname: {a7.C} Failed to handle View request: Can't find 'artifact' parameter.

Conditions:
VMware View resource is configured with SAML SSO method.

Impact:
Users cannot launch VMware View apps/desktops via SAML-enabled resource.

Workaround:
None.

Fix:
Can now successfully use VMware View resources with SAML SSO.


811105-3 : MRF SIP-ALG drops SIP 183 and 200 OK messages

Component: Service Provider

Symptoms:
SIP 183 and 200 OK messages are dropped after an INVITE in MRF SIP-ALG when media info is present in the Session Description Protocol.

Conditions:
- MRF SIP-ALG default configuration
- INVITE sent with media info in SDP
- Media info contains an rtcp without an IP address

Impact:
SIP calls are unable to establish media connections.

Workaround:
Ensure all RTCP attributes in the SDP have IP addresses.
Example: Change "a=rtcp:29974\r\n" to "a=rtcp:29974 IN IP4 10.10.10.10\r\n"

Fix:
Calls are able to establish media connections in MRF SIP-ALG when media info contains an RTCP with no IP information.


811033-3 : MRF: BiDirectional pesistence does not work in reverse direction if different transport protocols are used

Component: Service Provider

Symptoms:
If a message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP), messages traveling from the destination to the source of the persistence entry are incorrectly delivered to the destination.

Conditions:
-- A message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP).
-- Messages are traveling from the destination to the source of the persistence entry.

Impact:
Messages are forwarded to an incorrect endpoint.

Workaround:
None.

Fix:
For all bi-directional persistence records the transport protocol of the connection is not used in the key used to store the record.


810821-4 : Management interface flaps after rebooting the device

Component: TMOS

Symptoms:
The Management interface flaps after rebooting the device, which may cause a momentary active-active condition in a high availability (HA) configuration.

Conditions:
This can occur after rebooting the active or standby device in an HA configuration if the final management port configuration completes late in the startup sequence. This can be due to network conditions for the network the management port is connected to.

This problem has been observed only on hardware platforms.

Impact:
Devices go active-active for a few seconds and then resume normal operation.

Workaround:
You may be able to work around this by changing the management port speed to 100/Fixed Duplex.

For more information on changing the interface, see K14107: Configuring the media speed and duplex settings for network interfaces (11.x - 13.x), available at https://support.f5.com/csp/article/K14107.

Fix:
The startup sequence has been changed to confirm that management port configuration is complete before proceeding with HA processing.


810593-4 : Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade

Solution Article: K10963690

Component: TMOS

Symptoms:
The vCMP guests go to 'INOPERATIVE' after upgrade.

Conditions:
-- Upgrading the host from v12.1.4.1.
-- Upgrading the host from v13.1.1.5.

Impact:
The vCMP guests go to the 'INOPERATIVE' state and do not pass traffic.

Workaround:
There is no workaround. You must upgrade the VCMP host to a fixed version, for example, 15.1.0.


810557-9 : ASM ConfigSync Hardening

Solution Article: K05123525


810537-3 : TMM may consume excessive resources while processing iRules

Solution Article: K12234501


810445-3 : PEM: ftp-data not classified or reported

Component: Local Traffic Manager

Symptoms:
When a virtual server is configured with an FTP profile, and also a PEM or classification profile, the traffic associated with the FTP data stream is not correctly classified or reported.

Conditions:
-- Virtual server is configured with an FTP profile.
-- There is also PEM or classification profile.

Impact:
Traffic associated with ftp-data (i.e., file transfers using FTP) may not be classified or reported.

Workaround:
None.

Fix:
Ftp-data is now correctly classified and reported. Note that the 'inherit-parent-profile' in the FTP profile must be enabled.


810381-1 : The SNMP max message size check is being incorrectly applied.

Component: TMOS

Symptoms:
If the SNMP server receives an SNMPv3 request with a small max message size then, it applies that check to all requests. This can cause SNMPv1 and SNMPv2c requests time out if they are too long or if their responses are too long, for example, large get bulk requests.

Conditions:
An SNMPv3 small max message size received while processing large SNMPv1 and SNMPv2c requests.

Impact:
Responses time out.

Workaround:
Do not send SNMPv3 requests to the BIG-IP system.

Fix:
SNMPv3 requests no longer impact SNMPv1 and SNMPv2c requests.


809377-4 : AFM ConfigSync Hardening

Solution Article: K05123525


809205-3 : CVE-2019-3855: libssh2 Vulnerability

Component: TMOS

Symptoms:
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server.

Conditions:
-- Authenticated administrative user with Advanced Shell Access.
-- Use of cURL from the command line to connect to a compromised SSH server.

Impact:
A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

Workaround:
None.

Fix:
libcurl updated


809165-4 : TMM may crash will processing connector traffic

Solution Article: K50046200


808525-4 : TMM may crash while processing Diameter traffic

Solution Article: K55812535


808301-1 : TMM may crash while processing IP traffic

Solution Article: K04897373


808281 : OVA/Azure template sets '/var' partition with not enough space

Component: TMOS

Symptoms:
After booting a new BIG-IP Virtual Edition (VE) image from OVA or Azure, you see errors on the console:

Broadcast message from root@localhost.localdomain:
011d0004:3: Disk partition /var has only 19% free.

Conditions:
Installing BIG-IP software via the OVA template or Azure image.

Impact:
System is generally un-usable; applications cannot operate without space in /var. Diskmonitor reports console errors and errors in /var/log/ltm.

Workaround:
Remove unused APM binaries in /var/sam/images.


807821-3 : ICMP echo requests occasionally go unanswered

Component: Local Traffic Manager

Symptoms:
ARP entry get stuck at state NEXTHOP_INCOMPLETE for several seconds.

Conditions:
-- There is no ARP entry for the return-route router.
-- The 'remote' BIG-IP system receives ICMP echo request.

Impact:
Possible traffic failures.

Workaround:
None.

Fix:
ICMP echo replies are always sent for a valid ICMP echo request.


807477-9 : ConfigSync Hardening

Solution Article: K04280042


807445 : Replaced ISC_TRUE and ISC_FALSE with true and false

Component: Global Traffic Manager (DNS)

Symptoms:
Updated the zrd code to remove references to ISC_TRUE and ISC_FALSE since the software is upgraded BIND to 9.11.8 and those macros do not exist anymore.

Conditions:
BIND version is earlier than 9.11.8.

Impact:
There is no functional impact.

Workaround:
None.

Fix:
Removed references to ISC_TRUE and ISC_FALSE zrd since the software has been upgraded to BIND to 9.11.8 and those macros do not exist anymore.


807177-1 : HTTPS monitoring is not caching SSL sessions correctly

Component: Global Traffic Manager (DNS)

Symptoms:
In situations where a cached SSL session cannot be used, there are conditions where the information for old and new SSL sessions are not properly updated, and valid SSL sessions are not terminated in an orderly fashion.

Conditions:
When using GTM HTTPS monitoring.

Impact:
Information for old and new SSL sessions are not properly updated, and valid SSL sessions are not terminated in an orderly fashion.

Workaround:
Restart big3d by running the following command:

bigstart restart big3d


807005-3 : Save-on-auto-sync is not working as expected with large configuration objects

Component: TMOS

Symptoms:
In device group has enabled 'save sys config' for all auto-sync operations using the following command:
modify cm device-group name save-on-auto-sync true

Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.

Conditions:
-- The save-on-auto-sync option is enabled.
-- Device has large configuration, such as 2,100 virtual servers and ~1100 partitions

Impact:
Configuration is not saved, which leads to out-of-sync condition.

Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.


805837-4 : REST does not follow current design best practices

Solution Article: K22441651


804477-2 : Log HSB registers when parts of the device becomes unresponsive

Component: TMOS

Symptoms:
Part of the HSB becomes unresponsive and there is no logging of additional registers to assist in diagnosing the failure.

Conditions:
It is unknown under what conditions the HSB becomes unresponsive.

Impact:
Limited visibility into the HSB state when it becomes unresponsive.

Workaround:
None.


804313-4 : MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.

Component: Service Provider

Symptoms:
The mirrored-message-sweeper-interval configuration option has no effect on the BIG-IP.

Conditions:
MRF in use, high availability configured, and a SIP profile is configured to use a specific Mirrored Message Sweeper Interval setting.

Impact:
On a system under high load, the next active device in a high availability (HA) pair could run out of memory.

Workaround:
None

Fix:
Message sweeper interval value now loads correctly.


804309-3 : [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument

Component: TMOS

Symptoms:
Running the command 'tmsh list' on a pool or virtual server with the 'all-properties' argument generates a warning:

[api-status-warning] ltm/virtual, properties : deprecated : urldb-feed-policy

Conditions:
Including the 'all-properties' argument with the 'tmsh list' command.

Impact:
There is no impact to the system. The excessive [api-status-warning] at stderr and /var/log/ltm for tmsh list commands are spurious, benign, and can be ignored.

Workaround:
tmsh modify /mgmt shared settings api-status log resource-property deprecatedApiAllowed false

tmsh modify /mgmt shared settings api-status log resource deprecatedApiAllowed false


804185-3 : Some WebSafe request signatures may not work as expected

Component: Fraud Protection Services

Symptoms:
Request signatures are part of the WebSafe signature mechanism. The request signature is achieved by configuring an FPS-protected URL and a corresponding custom-alert. If the URL is a wildcard, a priority must be assigned to determine the order of matching. URL matching by priority is not working properly. As a result, the signature do not work as expected

Conditions:
There is at least one wildcard URL configured by the request signature update file.

Impact:
A portion of WebSafe request signature do not work as expected:
-- An alert is sent, though it should not be (false-positive).
-- An alert was not sent, though it should be (false-negative).

Workaround:
Configure the same signature manually in the BIG-IP system's GUI/tmsh.

Fix:
FPS now correctly handles signature-based wildcard URL's priority.


803825 : WebSSO does not support large NTLM target info length

Component: Access Policy Manager

Symptoms:
WebSSO crashes.

Conditions:
When the optional field of the target info is about 1000 bytes or larger.

Impact:
WebSSO crashes and loss of service.

Workaround:
Config NTLM not to have large target info, recommend < 800.


803813-3 : TMM may experience high latency when processing WebSocket traffic

Component: Application Security Manager

Symptoms:
Under certain conditions, TMM may experience higher than usual latency when processing WebSocket traffic.

Conditions:
-- WebSocket traffic.
-- Very long connections or large amounts traffic.
-- Platforms with many CPUs.

Impact:
Increased latency in WebSocket traffic.

Workaround:
None.

Fix:
Fix an issue that could cause a latency with WebSocket traffic.


803809-1 : SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.

Component: Service Provider

Symptoms:
When MRF SIP is configured in per-client mode and preserve-strict source port is enabled on a virtual server, messages may fail to forward due to port collisions when multiple clients try to use the same port (which is expected/accepted behavior with this configuration). After the port has been freed or the configuration changed, messages continue to fail for clients that had previous port collisions.

Conditions:
-- MRF SIP configured with: Per-Client connection mode and virtual server with preserve-strict source port enabled.
-- Multiple clients try to connect using the same local port.
-- Previously failed client connections attempt to connect again after the port has been freed or configuration changed.

Impact:
Calls from one or more clients are unable to be completed.

Workaround:
You can prevent this behavior using either workaround:
-- Configure a different connection mode (Per-TMM, for example).
-- Disable preserve-strict source port on the virtual server.

Fix:
Clients with previous connection failures are now able to connect when the port is no longer in use or the configuration has been changed.


803645-1 : GTMD daemon crashes

Component: Global Traffic Manager (DNS)

Symptoms:
The gtmd process crashes in response to a call triggered by its own timer event.

Conditions:
The conditions under which this causes this intermittent issue are difficult to reproduce, but it might occur when the system is under heavy load when gtmd is starved of CPU cycles.

Impact:
The gtmd process restarts and produces a core file.

Workaround:
None.


803477-1 : BaDoS State file load failure when signature protection is off

Component: Anomaly Detection Services

Symptoms:
Behavioral DoS (BADoS) loses its learned thresholds.

Conditions:
Restart of admd when signature protection is off.

Impact:
The system must relearn the thresholds, BADoS protection is not available during the learning time.

Workaround:
Turn on signatures detection.

Fix:
BADoS State file successfully loads after admd restart, even without signatures detection.


802961-1 : The 'any-available' prober selection is not as random as in earlier versions

Component: Global Traffic Manager (DNS)

Symptoms:
Some big3d instances can be periodically busier than other big3d instances.

Conditions:
-- When 'any-available' is selected for either the prober-preference or prober-fallback options.
-- A large number of monitors are defined.

Impact:
When the 'any-available' prober option is used, the selection of big3d probers may not be as random as in BIG-IP software versions prior to v13.0.0.

Workaround:
None.


802685-4 : Unable to configure performance HTTP virtual server via GUI

Component: TMOS

Symptoms:
When creating 'performance HTTP' virtual servers via GUI, the following error is reported:
01070734:3: Configuration error: A Virtual Server(/Common/vfasthttp) cannot be associated with both fasthttp and L4 profile.

Conditions:
Use the GUI to create a virtual server of type Performance (HTTP).

Impact:
Failed to create a 'performance HTTP' virtual server.

Workaround:
Use TMSH to configure the performance HTTP virtual server:
tmsh create ltm virtual vfasthttp destination 1.1.1.1:80 ip-protocol tcp profiles add { fasthttp }


802281-4 : Gossip shows active even when devices are missing

Component: TMOS

Symptoms:
Gossip appears Active even when one or more devices go missing from device group. 'restcurl shared/gossip' shows active on both devices, even when the devices are not listed in 'restcurl shared/resolver/device-groups/tm-shared-allBIG-IPs/devices'.

Conditions:
The conditions under which this issue occurs are unknown. This is an intermittent issue.

Impact:
Gossip reports that it is working when it is not.

Workaround:
-- If the missing device is the active device, run the following command on the Active DSC Device:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state

-- If the missing device is the standby device, reboot the device, make it active, and then run the following command:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state


801637-1 : Cmp_dest on C2200 platform may give incorrect results

Component: TMOS

Symptoms:
Cmp_dest on C2200 platform may give incorrect results.

Conditions:
Run cmp_dest.

Impact:
Incorrect results from cmp_dest.

Fix:
Cmp_dest now gives correct results.


800453-1 : False positive virus violations

Solution Article: K72252057

Component: Application Security Manager

Symptoms:
False positive ASM virus violations.

Conditions:
Specific connection characteristics between ASM and the antivirus server may cause replies from the antivirus server to be missed by the ASM.

Impact:
ASM reports a virus when the antivirus reply is timed out. False positive blocking or violation reporting.

Workaround:
Configure the EnableASMByPass internal parameter setting to allow the antivirus server to not reply, so it does not issue a violation when it occurs:

/usr/share/ts/bin/add_del_internal add EnableASMByPass 1
bigstart restart asm

Note: When the internal parameter is enabled, ASM also bypasses huge HTTP requests (when they come on multiple connections) instead of resetting them.

Fix:
False positive ASM virus violations no longer occur under these conditions.


800305-4 : VDI::cmp_redirect generates flow with random client port

Component: Local Traffic Manager

Symptoms:
The VDI::cmp_redirect iRule command generates a flow with a randomly-assigned client port.

Conditions:
-- VDI::cmp_redirect iRule command used

Impact:
Client port is not the same as the original client port.

Fix:
The VDI::cmp_redirect iRule command now uses the same port.


800185-2 : Saving a large encrypted UCS archive may fail and might trigger failover

Component: TMOS

Symptoms:
-- When saving a very large encrypted UCS file, you may encounter an error:

# tmsh save /sys ucs my_ucs passphrase <mysecret>
Saving active configuration...
Can't fork at /usr/local/bin/im line 305.
/var/tmp/configsync.spec: Error creating package

-- If saving UCS is automated you may find related errors in /var/log/audit:

err scriptd[45342]: 014f0013:3: Script (/Common/f5.automated_backup__backup) generated this Tcl error: (script did not successfully complete: (UCS saving process failed. while executing "tmsh::save /sys ucs $fname ))

-- Other services might be restarted due to lack of memory, which might result in failover.

--System management via config utility or command line may be sluggish while UCS saves.

Conditions:
-- Large encrypted UCS files and low free host memory.

-- UCS file sizes in hundreds of MB are much more likely to encounter this issue, along with free memory less than 1 GB.

Impact:
The operation uses at least 1.3 times the UCS file size of RAM. The UCS may not get saved correctly, and if not enough memory is available, low free-memory symptoms become apparent.

The latter may result in services being killed to free memory, resulting in service impact and failover, though it is quite typical for the overly large process saving the UCS to be terminated with no other impact.

Workaround:
A mitigation is to minimise UCS file size. UCS files large enough to encounter this issue typically contain very large files, some of which may not be needed or are no longer necessary.

Remove unnecessary large files from directories that contribute to UCS archives, for example, stray, large files such as packet captures in /config or its subdirectories. (For help understanding what is in UCS archives, see K12278: Removing non-essential files from a UCS when disk space errors are encountered :: https://support.f5.com/csp/article/K12278.)

If using APM, remove unnecessary EPSEC ISO files. (For more information, see K21175584: Removing unnecessary OPSWAT EPSEC packages from the BIG-IP APM system :: https://support.f5.com/csp/article/K21175584.

Fix:
Saving a large UCS file no longer fails.


799617-4 : ConfigSync Hardening

Solution Article: K05123525


799589-4 : ConfigSync Hardening

Solution Article: K05123525


799149 : Authentication fails with empty password

Component: Access Policy Manager

Symptoms:
Per-req policy authentication fails when an empty password is detected. Following errors are seen in apm logs:

-- err apmd[13930]: 01490301:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Empty session variable value received from tmm.
-- err apmd[13930]: 01490302:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Failed to decrypt session variable 'subsession.logon.last.password' from tmm with error code: 3.

Conditions:
-- APM is licensed and provisioned.
-- Per-req policy is created with at least one Auth agent.

Impact:
APM end users cannot change a password/token or access backend resources.

Workaround:
None.

Fix:
Per-request policy auth no longer complains about empty password. If the backend server accepts an empty password, auth should work fine.


798261-4 : APMD fails to create session variables if spanning is enabled on SWG transparent virtual server

Component: Access Policy Manager

Symptoms:
The following logs showed up in APM log and user session was terminated.

Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_finish_set_pipeline()" line: 720 Msg: Error: Set pipeline: While receiving response to 0 cmd set /.*/tmm.session.6833364e.session.assigned.uuid 0 0 32 s
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_server_disconnect()" line: 2533 Msg: Error: bad memcache connection (tmm:1), (fd:205)
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.

The SET command failed because it incorrectly attempted to create session variable in all traffic groups.

Conditions:
1. Virtual address for SWG transparent is 0.0.0.0
2. Spanning on the virtual address is enabled.

Impact:
User sessions will be terminated

Workaround:
Disable virtual address spanning.

Fix:
N/A


797885-4 : ConfigSync Hardening

Solution Article: K05123525


797829-3 : The BIG-IP system may fail to deploy new or reconfigure existing iApps

Component: TMOS

Symptoms:
The BIG-IP system may fail to deploy new or reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:

script did not successfully complete: ('source-addr' unexpected argument while executing

The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.

The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.

Conditions:
This issue occurs when:

-- The BIG-IP system is configured with multiple users of varying roles.

-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all the processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been looking at the configuration of iApps using the GUI a lot.

-- Subsequently, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.

Note: You can inspect the number of child processes already created by scriptd by running the following command:

pstree -a -p -l | grep scriptd | grep -v grep

However, it is not possible to determine their current 'security context'.

Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.

Workaround:
Restart scriptd. To restart scriptd, run:

bigstart restart scriptd

Running this command has no negative impact on the system.

The workaround is not permanent; the issue may occasionally recur depending on your system usage.

Fix:
The system now stops all scriptd child processes and creates new ones with the new user security-context when the user changes.


797785-3 : AVR reports no ASM-Anomalies data.

Component: Application Visibility and Reporting

Symptoms:
AVR collects data for ASM-Anomalies, which include Brute-Force and Web-Scraping activities. When reported, all metrics and dimensions are hidden. AVR output looks like this:
errdefs_msgno=\"22282253\",Entity=\"ASM_ANOMALIES\

Conditions:
When gathering statistics reporting a Brute-Force or Web-Scraping attack.

Impact:
AVR reports no ASM-Anomalies data.

Workaround:
None.


796993-3 : Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs

Component: Local Traffic Manager

Symptoms:
When a pool contains FQDN nodes as pool members, pool member state changes messages are not logged in /var/log/ltm.

Conditions:
-- Create a pool with fqdn node as it pool members
-- Apply monitor to it
-- Monitor marks the pool member up/down based on reachability

Impact:
-- Status message is not updated in /var/log/ltm logs.
-- There is no functional impact.


796601-6 : Invalid parameter in errdefsd while processing hostname db_variable

Component: TMOS

Symptoms:
Errdefsd crashes, creates a core file, and restarts.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Possible loss of some logged messages.

Workaround:
None.


796469-2 : ConfigSync Hardening

Solution Article: K05123525


795797-4 : AFM WebUI Hardening

Solution Article: K21121741


795649-2 : Loading UCS from one iSeries model to another causes FPGA to fail to load

Component: TMOS

Symptoms:
When loading a UCS file from one iSeries model to a different iSeries model, the FPGA fails to load due to a symlink in the UCS file pointing to the firmware version for the source device.

The system will remain in INOPERATIVE state, and messages similar to the following will be seen repeatedly in /var/log/ltm:

-- emerg chmand[7806]: 012a0000:0: FPGA firmware mismatch - auto update, No Interruption!
-- emerg chmand[7806]: 012a0000:0: No HSBe2_v4 PCIs found yet. possible restart to recover Dataplane.
-- emerg chmand[7806]: 012a0000:0: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
-- err chmand[7806]: 012a0003:3: HAL exception publishing switch config: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2

Conditions:
Loading a UCS from one iSeries model onto another model, for example, from an i7800 onto an i11400-ds, or from an i2600 to an i5600.

Impact:
FPGA fails to load; the BIG-IP system becomes unusable.

Workaround:
1. Update the symbolic link /config/firmware/hsb/current_version to point to the correct firmware file for the hardware model in use. Here are some examples:

-- For the i2800:

# ln -sf /usr/firmware/hsbe2v4_atlantis/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i7800:

# ln -sf /usr/firmware/hsbe2v2_discovery/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i11400-ds:

# ln -sf /usr/firmware/hsbe2_discovery_turbo/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

2. Reboot the system


795437-2 : Improve handling of TCP traffic for iRules

Solution Article: K06747393


795197-3 : Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Solution Article: K26618426


794501-4 : Duplicate if_indexes and OIDs between interfaces and tunnels

Component: TMOS

Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.

Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.

Impact:
SNMP OIDs relating to interfaces may yield incomplete results.

Duplicate if_indexes and duplicate OIDs. SNMP logs error messages:

# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
    if-index 64 <-------------------------------
net interface mgmt {
    if-index 32
net vlan external {
    if-index 96
net vlan internal {
    if-index 112
net vlan test {
    if-index 128
net vlan tmm_bp {
    if-index 48
net tunnels tunnel http-tunnel {
    if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
    if-index 80


# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm

-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: high availability (HA) daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: high availability (HA) daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: high availability (HA) proc_running named enabled.
=========================

-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289

Workaround:
No workaround currently known.

Fix:
Duplicate if_indexes are no longer assigned to tunnels and interfaces. The resulting duplicate SNMP OIDs are prevented.


794493 : Creating Client SSL profile via tmsh or iControl REST and specifying 'cert' and 'key' incorrectly leaves inherit-certkeychain as true

Component: Local Traffic Manager

Symptoms:
Client SSL profiles may have distinct (different from parent profile) certificate and key files, but the 'inherit-certkeychain' attribute set as 'true', even though the profile should not be inheriting these values from parent, for example:

ltm profile client-ssl example-prof {
    cert example.crt
    cert-key-chain {
        example{
            app-service none
            cert example.crt
            chain none
            key example.key
            passphrase none
        }
    }
    defaults-from intermediate
    inherit-certkeychain true
    key example.key
}

If multiple profiles are configured for SNI and assigned to a virtual server, attempting to modify the parent profile can result in error:

err mcpd[5352]: 0107149e:3: Virtual server /Common/vs_test has more than one clientssl/serverssl profile with same server name.

Conditions:
-- Parent profile other than 'clientssl'
-- Have a child profile created by defining 'cert' and 'key' attributes, rather than specifying a 'cert-key-chain', e.g.:

    tmsh create ltm profile client-ssl example-prof defaults-from intermediate cert example.crt key example.key

Impact:
Not able to modify SSL profile if profiles assigned to virtual server.

If profiles are not configured for SNI, the specified certificate and key on child profiles will be reverted to the values from the parent profile.

Workaround:
Create SSL profiles by specifying cert-key-chain, rather than separately specifying 'cert' and 'key' attributes on SSL profile.

For profiles that are already affected, you can use either of the following workarounds.

Use the GUI:
-- Modify profiles using the GUI and check the 'Custom' checkbox for 'Certificate Key Chain'.

Change the configuration file:
1. Save the configuration.
2. Open bigip.conf for editing.
3. Modify the affected profiles, changing 'inherit-certkeychain true' to 'inherit-certkeychain false'.
4. Load the configuration.

Fix:
SSL profiles created specifying certificates and keys in the profile now have inherit-certkeychain set to false.


794413-9 : BIND vulnerability CVE-2019-6471

Solution Article: K10092301


794389-9 : iControl REST endpoint response inconsistency

Solution Article: K89509323


793121-1 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication

Component: TMOS

Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.

Conditions:
The TMUI redirect-http-to-https is enabled.

Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.

Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.


793013 : MRF DIAMETER: Implement sweeper for pending request messages queue

Component: Service Provider

Symptoms:
MRF Diameter remembers details for each request message to assist with routing answer messages. If the answer message is not received, this information is not cleaned up.

Conditions:
The server does not respond to a request message with an answer message.

Impact:
For each unresponded request message, memory is leaked. Eventually the system might run of memory and restart.

Workaround:
None.

Fix:
The DIAMETER logic will not delete any stale pending request record if it is older than twice the configured transaction timeout (in diameterrouter profile).


793005-4 : 'Current Sessions' statistic of MRF/Diameter pool may be incorrect

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, the LTM pool 'Current Sessions' statistics may show an unusually large number, such as 18446744073709551606.

Conditions:
There is a Diameter answer that does not match a pending request, the answer message is dropped, but BIG-IP system still decrements the 'Current Sessions' counter. If the counter is already zero, it can underflow.

Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue. When it underflows, the number becomes useless, making troubleshooting more difficult.

Workaround:
None.

Fix:
'Current Sessions' statistics of MRF/Diameter pool reports correctly.


792285-3 : TMM crashes if the queuing message to all HSL pool members fails

Component: TMOS

Symptoms:
When a system uses a High Speed Logging (HSL) configuration with the HSL pool, TMM is crashing if the queuing message to all HSL pool members fails.

Conditions:
-- Two-member pool configured as remote-high-speed-log destination.
-- Data-Plane logging using for example but not limited to: iRule HSL::send.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.


792265-1 : Traffic logs does not include the BIG-IQ tags

Component: Application Visibility and Reporting

Symptoms:
AVR collects traffic data. When that data is reported to BIG-IQ, it omits the BIG-IQ tags which are required by BIG-IQ.

Conditions:
When AVR collects traffic data and sending it BIG-IQ.

Impact:
There are no BIG-IQ tags in the traffic logs. BIG-IQ is unable to map traffic-capturing logs to applications.

Workaround:
None.

Fix:
Traffic logs now include the BIG-IQ tags.


791369-4 : The REST framework may reflect client data in error logs

Solution Article: K01049383


790845-1 : An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default

Component: Local Traffic Manager

Symptoms:
An In-TMM monitor may be marked down when the CMP-hash (Cluster Multiprocessing) is set to non-default value.

Conditions:
-- There is a configured In-TMM monitor (K11323537).
-- CMP-hash is set to non-default value.

Note: For information about In-TMM monitoring, see K11323537: Configuring In-TMM monitoring :: https://support.f5.com/csp/article/K11323537.

Impact:
An In-TMM monitor is falsely marked as down.

Workaround:
Use default settings for a CMP-hash.

Fix:
An In-TMM monitor is not marked down when a non-default CMP-hash is in use.


790205-2 : Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core

Component: Local Traffic Manager

Symptoms:
TMM cores when adding a route (either statically or dynamically) to a child route domain.

Conditions:
Adding a more-specific route to a child domain that overrides a route in the default domain.

Impact:
TMM cores. A failover or outage. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when adding routes to child domains.


789921-4 : TMM may restart while processing VLAN traffic

Solution Article: K03386032


789893-4 : SCP file transfer hardening

Solution Article: K54336216


788773-4 : HTTP/2 Vulnerability: CVE-2019-9515

Solution Article: K50233772


788769-4 : HTTP/2 Vulnerability: CVE-2019-9514

Solution Article: K01988340


788753-1 : GATEWAY_ICMP monitor marks node down with wrong error code

Component: Local Traffic Manager

Symptoms:
Pool state shows down when there is no route configured to node.

Conditions:
-- In-tmm gateway_icmp monitor configured for a node or pool member.
-- There is no route to the node or pool member.

Impact:
The pool member or node is marked down and the reason listed is 'timeout', instead of 'no route to host'.

Workaround:
None.


788577 : BFD sessions may be reset after CMP state change

Component: TMOS

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, Bidirectional Forwarding Detection (BFD) session processing ownership might be migrating from old, processing TMMs to new, selected TMMs. This process is rapid and could lead to contest between several TMMs over who should be the next BFD processing owner.

It might also lead to a situation where the BFD session is deleted and immediately recreated.

This problem occurs rarely and only on a chassis with more than one blade.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- CMP state change is occurred on one of the blades.
-- BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change and the contest between the old TMM owner and the new TMM owner occurs.

Impact:
When the BFD session is recreated, it marks corresponding routing protocol DOWN if it's configured. The protocol might be BGP, OSPF, or any other routing protocols that support BFD.

This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decision are from networks learnt by affected routing protocols when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There are two workarounds, although the latter is probably impractical:

-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.

Fix:
BFD session is no longer reset during CMP state change.


788557 : BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior

Component: TMOS

Symptoms:
GRST - BGP graceful reset.

The problem occurs when the routing daemon bgpd restarts/starts (e.g., by terminating the bgpd daemon) its distribution of a process and is not supported. Another way we've found is to call "bigstart restart" command on a primary blade on chassis with more than one blade.

After the new primary blade takes over, BGP and BFD sessions are recreated at around the 'graceful restart' timeout interval.

Conditions:
-- BGP and BFD are configured.
-- BGP router's 'graceful restart' option is configured, enabled (set to 120 by default).
-- The bgpd daemon is terminated.

Another way to trigger the issue is to run 'bigstart restart' on a primary blade on a chassis with more than one blade.

Impact:
If BGP peering is reset, it causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocol from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.


In most cases, unexpected routing decisions come from networks learnt by affected routing protocol when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system, typically, the routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
None.

Fix:
BGP and BFD peering is not recreated in GRST timeout anymore.


788513-4 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log

Component: Service Provider

Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:

 warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]

This appears to be benign, as the configuration loads successfully, and the script works as expected.

Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name

Instead of:
RADIUS::avp replace USER-NAME "static value"

Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.

Workaround:
This warning is benign, as the configuration loads successfully, and script works as expected.


788417-3 : Remote Desktop client on macOS may show resource auth token on credentials prompt

Component: Access Policy Manager

Symptoms:
APM uses the 'username' attribute to pass auth token for SSO enabled native RDP resources on macOS. In case Windows policy forces the user to provide credentials, or if Single Sign-on fails, the end user may see a credentials prompt containing the base 64-encoded auth token in the username field.

This behavior is observed only with Remote Desktop Client v10.x for macOS.

Conditions:
-- APM Webtop is configured with Single Sign-on enabled native RDP resource.
-- Try to access the RDP resource from macOS using RDP client v10.x.

Note: This issue is known to occur when Microsoft Group Policy 'Always prompt for password upon connection' is enabled on the target RDP server: Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Security \ Always prompt for password upon connection.

Impact:
Prompt for credentials (contains auth token in username field) causing APM end user confusion.

Workaround:
Apply the following iRule:

Note: With the following iRule implemented, users running RDP client v8 for macOS may see an empty credentials prompt when launching APM native RDP resources.

when HTTP_RESPONSE_RELEASE {
    catch {
        set locationUri [HTTP::header Location]
        if { [HTTP::status] == 302 && $locationUri starts_with "rdp://" &&
                $locationUri contains "username=s:f5_apm"} {
            HTTP::header Location \
                [string map {"username=s:f5_apm" "gatewayaccesstoken=s:"} $locationUri]
        }
    }
}

Fix:
Remote Desktop client on macOS does not show resource auth token on credentials prompt.


788325-4 : Header continuation rule is applied to request/response line

Solution Article: K39794285

Component: Local Traffic Manager

Symptoms:
When a browser communicates with a server over HTTP, it can split a long header into several lines, prepending continuation lines with leading whitespace symbols. This rule does not apply to request or response line, so having leading whitespace in a first header line is invalid. The BIG-IP system parses such line a header with empty value.

Conditions:
A virtual server is configured on the BIG-IP system with HTTP profile.

Impact:
The BIG-IP system can hide some important HTTP headers either passing those to the pool member or failing to properly handle the request (or response) or failing to correctly load balance a connection (or request in case of OneConnect profile).

Workaround:
None.

Fix:
Now, when the BIG-IP system receives an invalid request or response with leading whitespace in first header line, it properly parses the header and handles it correctly.


788301-3 : SNMPv3 Hardening

Solution Article: K58243048

Component: TMOS

Symptoms:
SNMPv3 agents do not follow current best practices.

Conditions:
SNMPv3 agents enabled.

Impact:
SNMPv3 agents do not follow current best practices.

Fix:
SNMPv3 features now follow current best practices.


788269-1 : Adding toggle to disable AVR widgets on device-groups

Component: Application Visibility and Reporting

Symptoms:
Devices on device-group get into state of not-synced when AVR-related widgets are created or modified.

It occurs more frequently when manual config sync is enabled.

It can also occur when visiting a widgets page for the first time that automatically creates default widgets on the first page visit, such as Security :: Overview : Application : Traffic. This can make it appear that a 'read-only' user visiting the page has triggered the need for a config sync.

Conditions:
-- Two or more devices are in a device-group.
-- AVR-related widgets are created or modified.

Impact:
Devices go into a non-synced state.

Workaround:
None.

Fix:
A DB-variable called avr.gui.widgets.sync has been added to disable widgets syncing. Possible values are 'disable' or 'enable', it is enabled by default.

Behavior Change:
This release adds a DB-variable, avr.gui.widgets.sync, to disable widget syncing. Possible values are 'disable' or 'enable'. It is enabled by default.


788057-1 : MCPD may crash while processing syncookies

Solution Article: K00103216


787901 : While deleting a DoS profile, tmm might core in sPVA

Component: Advanced Firewall Manager

Symptoms:
When trying to delete a DoS profile attached to a virtual server, it is possible that tmm might core and restart.

Conditions:
-- An AFM DoS profile is attached to a virtual server.
-- Some of the DoS attacks are programmed into hardware (HW) through sPVA.
-- That DoS profile is deleted.

Impact:
tmm might generate a core and restart. Traffic disrupted while tmm restarts.

Workaround:
Use software (SW) DoS only.

Fix:
The tmm process no longer generates a core and restarts when deleting a profile that is attached to a virtual server.


787825-3 : Database monitors debug logs have plaintext password printed in the log file

Solution Article: K58243048

Component: Local Traffic Manager

Symptoms:
When monitor instance is in "debug" logging enabled mode for certain monitor types, the resulting monitor instance logs may contain sensitive details like password

Conditions:
When debug mode is enabled for following monitoring types
1. mssql
2. mysql
3. oracle
4. postgresql

Impact:
The user-account password configured in the health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors/.

Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected monitor types. 2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes , remove the resulting log files from the BIG-IP system after troubleshooting is completed.

Fix:
The password filed for monitor will now be redacted by external monitors when monitor debugging is enabled.


787477-1 : Export fails from partitions with '-' as second character

Component: Access Policy Manager

Symptoms:
Attempting to export a profile/policy from partition using the hyphen/dash (-) as the second character results in error message:
'Incorrect arguments: <partition> is not specified' error.

Conditions:
Partition with '-' as second character in the name.

Impact:
Unable to export policy from given partition

Workaround:
Rename partition without '-' as the second character.

Fix:
Export is working as expected in this scenario.


786981-1 : Pending GTP iRule operation maybe aborted when connection is expired

Component: Service Provider

Symptoms:
When there is a suspended iRule operation (such as the table or after command) in GTP iRule event, the operation may be intermittently aborted when the connection is expired.

Conditions:
This occurs when a connection times out while there is still a pending iRule operation. For example, in one use case, there is a table command in GTP_SIGNALLING_INGRESS event, and the immediate idle timeout is configured in the UDP profile.

Impact:
GTP iRule may not be completely executed.

Workaround:
For the specific use case when immediate idle timeout is used, change idle timeout to some positive value. Then use the iRule to expire the connection after the GTP iRule event is done, for example, by setting 'IP::idle_timeout 0' in SERVER_CONNECTED event.

Fix:
When connection is expired, pending iRule operations in GTP iRule events are now completed.


786517-1 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address

Component: Local Traffic Manager

Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.

- Running the command 'tmsh load /sys config' reports an error:
  01070038:3: Monitor /Common/a-tcp address type requires a port.

Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.

Impact:
Monitors are sent to an incorrect IP address.

tmsh load /sys config will fail to load the configuration.

Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.

-- Fix the monitor definition using tmsh.


784989-4 : TMM may crash with panic message: Assertion 'cookie name exists' failed

Component: Access Policy Manager

Symptoms:
TMM crashes with SIGFPE panic

panic: ../modules/hudfilter/http/http_cookie.c:489: Assertion 'cookie name exists' failed.

Conditions:
-- Virtual server with remote desktop or VDI profile attached.
-- VDI logging level is set to Debug.
-- iRule that modifies/reads HTTP cookies.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Increase the log-level for VDI from 'Debug' to a higher level.

Fix:
Fixed TMM crash, which occurred when remotedesktop/VDI profile was used together with custom iRule and Debug level logging.


783817-4 : UI becomes unresponsive when accessing Access active session information

Component: Access Policy Manager

Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.

The following error messages shows up in TMM log:

-- notice mcp error: 0x1020002 at ../mcp/db_access.c:831
-- notice mcp error: 0x1020031 at ../mcp/mcp_config.c:588

Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- If Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.

Impact:
Some session variables may be lost, which results in UI hang. Admin UI becomes unusable.

Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.


783617-4 : Virtual Server resets connections when all pool members are marked disabled

Component: Local Traffic Manager

Symptoms:
The BIG-IP system immediately responds with a RST against a SYN when all pool members are marked disabled by a monitor.

Conditions:
All the pool members are marked disabled by a monitor or administratively.

Impact:
Cannot use iRules to respond with an HTTP 503 error to incoming traffic.

Workaround:
None.


783513-1 : ASU is very slow on device with hundreds of policies due to logging profile handling

Component: Application Security Manager

Symptoms:
Signature Update (ASU) is very slow on devices with hundreds of policies due to logging profile handling.

Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- The BIG-IP is configured for logging profile handling.

Impact:
The ASU process takes hours to complete.

Workaround:
None.


783505 : ASU is very slow on device with hundreds of policies due to table checksums

Component: Application Security Manager

Symptoms:
ASU is very slow on devices with hundreds of policies due to table checksums.

Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- 'DoTableChecksums' is set to 1.

Impact:
The ASU process takes hours to complete.

Workaround:
In the configuration file /etc/ts/dcc/prepare_policy.cfg, set 'DoTableChecksums' to 0.


783289-3 : PEM actions not applied in VE bigTCP.

Component: Policy Enforcement Manager

Symptoms:
If PEM virtual server is configured using bigTCP, the return traffic from the server may not return to the same TMM. PEM policies do not get applied.

Conditions:
-- BIG-IP Virtual Edition.
-- bigTCP is configured (FastL4 with PEM/GPA hudfilters).
-- Virtual server uses Source-NAT.

Impact:
PEM policies do not get applied.

Workaround:
To work around this, do the following:
-- Configure bigTCP virtual server not to use source-NAT.
-- Configure destination-IP for hashing in server-vlan (the external VLAN that has the virtual server).


783125-4 : iRule drop command on DNS traffic without Datagram-LB may cause TMM crash

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may crash and restart when an iRule on a DNS virtual server performs the 'drop' command while the BIG-IP system is handling both a DNS request and DNS response at the same time for the same DNS client IP and port without UDP Datagram-LB.

Conditions:
-- The BIG-IP instance has two or more TMM processes as a result of having two or more physical cores or virtual CPUs.
-- A virtual server with both DNS and UDP profiles and one or more iRules.
-- The UDP profile has Datagram LB disabled.
-- The iRules have a 'drop' command.
-- The iRules have a DNS_REQUEST and/or DNS_RESPONSE event with an iRule command that require coordinating data with another TMM on the system, such as the 'table' command.

Impact:
TMM crash or restart. Traffic impacted. Traffic disrupted while tmm restarts.

Workaround:
F5 strongly recommends using a UDP profile with Datagram-LB enabled for DNS UDP virtual servers.

Alternatively, replace the 'drop' command with DNS::drop in DNS_REQUEST and DNS_RESPONSE events, or with UDP::drop in other iRule events.

See the respective references pages for DNS::drop and UDP::drop for the Valid Events each iRule command is available in:
    https://clouddocs.f5.com/api/irules/DNS__drop.html
    https://clouddocs.f5.com/api/irules/UDP__drop.html


783113 : BGP sessions remain down upon new primary slot election

Component: TMOS

Symptoms:
BGP flapping after new primary slot election.

Conditions:
--- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)

-- After a primary blade reset/reboot, the BFD session should be processed by the same tmm on the same blade, which was secondary before the primary blade reset/reboot.

-- The BFD session creation should happens approximately in 30 seconds after the reset/reboot.

Impact:
BGP goes down. BGP flaps cause route-dampening to kick-in on the BGP neighbors.

Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
 bigstart restart tmrouted

Fix:
BFD no longer remains DOWN after a blade reset/reboot. There is a convergence period caused by blade changes(blade reset/reboot, new blade installed, blade comes up), which may take a few moments, but after that BFD sessions show correct status.


782529-4 : iRules does not follow current design best practices

Solution Article: K30215839


782353-8 : SIP MRF via header shows TCP Transport when TLS is enabled

Component: Service Provider

Symptoms:
When an SSL Client Profile (TLS) is enabled on a SIP Message-Routing Virtual Server, the via header shows an incorrect transport protocol when SIP messages are sent out the client side of MRF. For example, the via header contains 'SIP/2.0/TCP' or 'SIP/2.0/UDP', when it should read 'SIP/2.0/TLS'.

Conditions:
Sending SIP messages from the client side of the SIP MRF when an SSL client profile is enabled on the SIP Message-Routing virtual server.

Impact:
The via header is not correct and violates the SIP RFC.

Workaround:
Create an iRule that replaces the incorrect via header with a correct one, for example:

when SIP_REQUEST_SEND {
    if { [clientside] } {
        SIP::header replace Via [string map [list "SIP/2.0/TCP " "SIP/2.0/TLS " "SIP/2.0/UDP " "SIP/2.0/TLS "] [SIP::header Via 0]] 0

    }
}

Fix:
The via headers show the correct text (e.g., SIP/2.0/TLS) when an SSL Client Profile is enabled on a SIP Message-Routing virtual server.


781829-4 : GTM TCP monitor does not check the RECV string if server response string not ending with \n

Component: Global Traffic Manager (DNS)

Symptoms:
GTM TCP monitor marks resource down.

Conditions:
TCP server respond string not ending with '\n'.

Impact:
Available resources are marked down.

Workaround:
If the TCP server is sending a text response, reconfigure the server to make sure it terminates the output with '\n'.

If the TCP server can not be changed (for example if it produces binary output), it may be possible to create an external gtm monitor instead.


781753-1 : WebSocket traffic is transmitted with unknown opcodes

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not preserve WebSocket frames. Frame headers and payload may be reordered such that a header for a second frame may be sent out in the middle of a first frame's payload. Frame boundaries get skewed and payload gets interpreted as headers.

Conditions:
A request logging profile is configured on a WebSocket virtual server.

Impact:
WebSocket frames are not preserved such that traffic appears to be garbage.

-- If request logging is enabled, client frames may not be preserved.
-- If response logging is enabled, server frames may not be preserved.

Workaround:
Remove the request logging profile.


781637-4 : ASM brute force counts unnecessary failed logins for NTLM

Component: Application Security Manager

Symptoms:
False positive brute force violation raised and login request is blocked

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM Brute force protection enabled for NTLM login type

Impact:
login request blocked by asm policy

Workaround:
Define higher thresholds in brute force protection settings

Fix:
asm code has been fixed and do not count unnecessary failed logins for NTLM


781605-1 : Fix RFC issue with the multipart parser

Component: Application Security Manager

Symptoms:
False positive or false negative attack signature match on multipart payload.

Conditions:
Very specific parsing issue.

Impact:
A parameter specific excluded signature may be matched or un-matched.

Workaround:
N/A

Fix:
Multi part parser issue was fixed.


781581-4 : Monpd uses excessive memory on requests for network_log data

Component: Application Visibility and Reporting

Symptoms:
Monpd allocates excessive memory on multi-blade devices, and in some cases the kernel may kill monpd. The following log signature may be encountered in /var/log/kern.log:

err kernel: : [1537424.588160] Out of memory: Kill process 28371 (monpd) score 117 or sacrifice child

Conditions:
This can occur in a multi-blade BIG-IP environment when you are displaying pages that query for network_log data, for example Bot Defense requests in the event log, or realtime AVR data.

Impact:
Large fluctuations in host memory usage, occasionally leading to OOM events.

Workaround:
None.

Fix:
A db variable has been added: avr.eventlogsreportrownumber, which controls the number of logs displayed. The db variable default is 10000, and supports a range from 100 through 1000000.

Note: Using the maximum value may trigger the behavior described here. The system behavior depends on the specific machine hardware.


781449-4 : Increase efficiency of sPVA DoS protection on wildcard virtual servers

Solution Article: K14703097


781377-1 : tmrouted may crash while processing Multicast Forwarding Cache messages

Solution Article: K93417064


781225-3 : HTTP profile Response Size stats incorrect for keep-alive connections

Component: Local Traffic Manager

Symptoms:
The HTTP profile Response Size static is incorrectly updated per-response using the cumulative number of response bytes seen for the lifetime of the connection, rather than the bytes seen per-response.

Conditions:
-- HTTP profile configured
-- HTTP connection reused for multiple requests/responses

Impact:
The HTTP profile Response Size statistics may be incorrectly reported and do not correlate to actual traffic seen.

Workaround:
None.

Fix:
The HTTP Response Size statistics are correctly updated using per-response values.


781069-4 : Bot Defense challenge blocks requests with long Referer headers

Component: Application Security Manager

Symptoms:
The Bot Defense challenge may block the client if the Referer header is between about 1400 characters and 3072 characters long.
This client may get blocked by TCP RST, or suffer from a challenge loop.

Conditions:
-- Bot Defense with Verify before Access, or Proactive Bot Defense are configured
-- Request has a Referer header that is between ~1400 and 3072 characters long

Impact:
Legitimate browsers may get blocked or suffer from a challenge loop

Workaround:
Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.

Fix:
Challenges with long Referer headers no longer block legitimate clients.


780817 : TMM can crash on certain vCMP hosts after modifications to VLANs and guests.

Component: TMOS

Symptoms:
TMM crashes and produces a core file. TMM logs show the crash was of type SIGFPE, with the following panic message:

notice panic: ../base/vcmp.c:608: Assertion "guest has vlan ref" failed.

Conditions:
-- The vCMP host is a platform with more than one tmm process per blade or appliance.

  + VIPRION B4300, B4340, and B44xx blades.
  + BIG-IP iSeries i15x00 platforms

-- A VLAN is assigned to a vCMP guest.
-- The TAG of the VLAN is modified.
-- The VLAN is removed from the vCMP guest.

Impact:
While TMM crashes and restarts on the host, traffic is disrupted on all the guests running on that system.

Guests part of a redundant pair may fail over.

Workaround:
None.

Fix:
TMM no longer crashes on certain vCMP hosts after modifications to VLANs and guests.


780601-4 : SCP file transfer hardening

Solution Article: K03585731


779857-4 : Misleading GUI error when installing a new version in another partition

Component: TMOS

Symptoms:
While installing a new version in another partition, the GUI displays an error for a brief time:

'Install Status':Failed Troubleshooting

Conditions:
Install a new version in another partition.

Impact:
The GUI error is misleading. It is showing the install status as 'Failed Troubleshooting' even though the installation is proceeding normally. The installation process is proceeding normally; only the error is incorrect and does not indicate a problem with the installation.

Workaround:
If you click on the 'Troubleshooting' link on the GUI screen, the GUI indicates that it is actually installing properly without any error.


779177-4 : Apmd logs "client-session-id" when access-policy debug log level is enabled

Solution Article: K37890841


778869-1 : ACLs and other AFM features (e.g., IPI) may not function as designed

Solution Article: K72423000

Component: Advanced Firewall Manager

Symptoms:
Under certain conditions, ACLs, IPI and other AFM features may not function as designed.

Conditions:
AFM provisioned and configured.
TCP mitigations active.

Impact:
AFM features do not function as designed.

Workaround:
None.

Fix:
ACLs and other AFM rules (e.g., IPI) features now function as designed.


778517-2 : Large number of in-TMM monitors results in delayed processing

Solution Article: K91052217

Component: Local Traffic Manager

Symptoms:
A monitor may continue to probe for a while after it has been removed from pool / member / node. Duplicate monitor instances may get created after associating a monitor to a server.

Conditions:
Device has a large number of in-TMM monitors.

Impact:
-- Monitor target may appear down when responding correctly.
-- Monitor may continue to run after removed from pool / member / node.
-- Increased monitoring load on server.

Workaround:
Disable in-tmm monitors:
  tmsh modify sys db bigd.tmm value disable

Fix:
Large numbers of in-TMM monitors are processed in a timely fashion.


778365-1 : dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service

Component: Global Traffic Manager (DNS)

Symptoms:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS. If there is DNS service running on the LDNS, RTT metrics should be collected successfully as expected. However if there is no DNS service on the LDNS, there should not be any RTT metrics collected. But BIG-IP still populates the RTT values giving users a "false positive" results.

Conditions:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS and there is no DNS service running on the LDNS.

Impact:
RTT metrics are collected even though no response from the DNS service is present giving users wrong impression that there is.

Fix:
RTT metrics are collected only when the DNS service is present otherwise zero RTT values are returned.


778077-1 : Virtual to virtual chain can cause TMM to crash

Solution Article: K53183580


778049-6 : Linux Kernel Vulnerability: CVE-2018-13405

Solution Article: K00854051


777737-2 : TMM may consume excessive resources when processing IP traffic

Solution Article: K39225055


777733-1 : DoS profile default values cause config load failure on upgrade

Component: Advanced Firewall Manager

Symptoms:
Upon upgrading from 12.1.x, the config fails to load with an error similar to the following:

01071aa6:3: Dos DNS query data bad actor can not be enabled if per-source detection/limit pps is less than 1% of the Dos vector (a) rate threshold setting for sub-profile (PROFILE_DOS_NETWORK_VS-ADIB-GTM-ID177_53_UDP) of Dos profile (/Common/PROFILE_DOS_NETWORK_VS-ADIB-GTM-ID177_53_UDP).

Conditions:
-- AFM configured.
-- One or more SIP or DNS vectors are configured with the rate_threshold values set to the default in 12.x.
  + For SIP, the rate_threshold value in 12.x is 30000.
  + For DNS, the rate_threshold value in 12.x is 50000.

Impact:
During upgrade, the BIG-IP system fails to convert these thresholds to the new default value of 'infinite'. After upgrade, the configuration fails to load.

Workaround:
Manually edit the profile to disable bad-actor, or change the DNS and SIP default rate_threshold value to 'infinite', then config can be loaded.

For example, in this affected configuration for DNS:

dns-query-vector {
    a {
        allow-advertisement disabled
        ...
        rate-increase 500
        rate-limit 250000
        rate-threshold 50000 <<---
    }


Change it to this:

dns-query-vector {
    a {
        allow-advertisement disabled
        ...
        rate-increase 500
        rate-limit 250000
        rate-threshold infinite
    }

At that point, the configuration should load successfully.

Fix:
DNS and SIP default rate_threshold value of 50000 and 30000 of 12.1.x are now converted to default value of 'infinite' during upgrade, so the configuration loads as expected.


777261-2 : When SNMP cannot locate a file it logs messages repeatedly

Component: TMOS

Symptoms:
When the SNMP daemon experiences an error when it attempts to statfs a file then it logs an error message. If the file is not present then this error is repeatedly logged and can fill up the log file.

Conditions:
When an SNMP request causes the daemon to query a file on disk it is possible that a system error occurs. If the file is not present then the error is logged repeatedly.

Impact:
This can fill up the log with errors.

Fix:
The SNMP daemon has been fixed to log this error once.


777173-4 : Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error

Component: Access Policy Manager

Symptoms:
When administrator runs Citrix vdi iApp in APM standalone deployment (LTM is not licensed), iApp fails with the following error:
01070356:3: HTTP header transformation feature not licensed

This is result of a license check added for HTTP header transformation.

Conditions:
- APM is licensed as stand alone (no LTM license)
- Admin tries to run Citrix vdi iApp

Impact:
Administrator is not able to use the iApp to configure Citrix vdi access

Workaround:
Adding LTM module license will resolve the error.

Fix:
Citrix vdi iApp now can be used to configure Citrix vdi access in an APM standalone deployment.


776229-4 : iRule 'pool' command no longer accepts pool members with ports that have a value of zero

Component: Local Traffic Manager

Symptoms:
Values of 0 (zero) are no longer accepted for pool member ports in iRule 'pool' commands. The system reports an error similar to the following in /var/log/ltm:

err tmm3[12179]: 01220001:3: TCL error: /Common/_user_script_member <CLIENT_ACCEPTED> - bad port in 'pool member <addr> <port>' cmd while executing "pool test_pool member 10.1.30.10 0"

Conditions:
-- Configure an iRule to use the 'pool' command to go to the pool member using a zero port in the CLIENT_ACCEPTED event.
-- Attach the iRule to the virtual server.
-- Run traffic through it.

Impact:
The iRule rejects traffic when the pool member's port number is 0.

Workaround:
Configure any iRule using the 'pool' command to go to apool member using a non-0 port in the CLIENT_ACCEPTED event.

Fix:
No longer blocking access to pool members that use port number 0 (zero) from iRule 'pool' commands.


775621-4 : urldb memory grows past the expected ~3.5GB

Component: Access Policy Manager

Symptoms:
When using the categorization engine (urldb), memory may increase when real-time update databases are downloaded (once every ten minutes, as available).

Conditions:
-- SWG provisioned.
-- Using urldb.
-- Real-time database updates occurring.

Impact:
Memory increases, and if there is not enough room on the BIG-IP system, urldb can core.

Workaround:
None.

Fix:
The system no longer preloads the database into memory, so memory no longer grows past what is expected.


775105-1 : False positive on bot defense logs

Component: Application Security Manager

Symptoms:
Remote log entries suggest that blocking events have occurred although their DoS profile is not set to block any traffic.

Conditions:
DoS profile is not set to block any traffic.

Impact:
False positives where remote log entries which suggest blocking events have occurred.

Workaround:
None.

Fix:
Bot defense remote logging profile attached to virtual servers and some bot signatures is be set to 'Report'.


775013-4 : TIME EXCEEDED alert has insufficient data for analysis

Component: Fraud Protection Services

Symptoms:
The time-exceeded alert does not include sufficient alert details to troubleshoot the process. It is difficult to determine whether or not the alert is valid, or how long past the request time the alert occurred.

Conditions:
Viewing alert logs for time-exceeded messages.

Impact:
Makes troubleshooting and/or analysis difficult.

Workaround:
None.

Fix:
All encryption failures alert now provides additional details to assist in troubleshooting the process.


774481-3 : DNS Virtual Server creation problem with Dependency List

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use the GUI to create virtual servers with dependent virtual server.

Conditions:
This occurs when creating a virtual server that contains a dependent virtual server.

Impact:
Cannot use the GUI to create the virtual server that contains a dependent virtual server in one step.

Workaround:
You can use either of the following workarounds:

-- Use tmsh;
-- Create the virtual server through GUI without dependent virtual server first and then edit the virtual server to add dependency.


774445-3 : BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2

Solution Article: K74921042

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.7 Update 2 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).

Conditions:
-- BIG-IP VE running on VMware ESXi 6.7 Update 2 (build number 13006603) hypervisor.
-- VMXNET 3 NICs.

Impact:
Traffic does not pass through non-mgmt interfaces.

Workaround:
You can use the following workarounds:

-- Until this issue is fixed in a Point-Release for your software branch, you can contact F5 Networks Technical Support to obtain an Engineering Hotfix to address the issue. This workaround allows TMM to continue to use the VMXNET3 driver, which is preferable.

-- On BIG-IP version 14.1.0, you can switch to the 'sock' driver.

-- On BIG-IP versions earlier than 14.1.0, you can switch to the 'unic' driver.

Note: The workarounds that switch driver must be applied individually to devices, as they do not synchronize via ConfigSync.

IMPORTANT: The driver must be configured the same way on all devices in a sync-failover device group.

To switch driver:

1. Add a line to /config/tmm_init.tcl that reads 'device driver vendor_dev 15ad:07b0 DRIVER' (replacing DRIVER with 'unic' or 'sock', as appropriate). For example:

    echo "device driver vendor_dev 15ad:07b0 sock" >> /config/tmm_init.tcl

2. Restart tmm for the changes to take effect (restarting tmm disrupts traffic):

    bigstart restart tmm

3. After tmm restarts, confirm the driver in use by examining the output of:

    tmctl -d blade tmm/device_probed

Fix:
BIG-IP VE now passes traffic on ESXi 6.7 Update 2.


773693-3 : CVE-2020-5892: APM Client Vulnerability

Solution Article: K15838353


773673-4 : HTTP/2 Vulnerability: CVE-2019-9512

Solution Article: K98053339


773649-4 : APM Client Logging

Solution Article: K23876153


773553-4 : ASM JSON parser false positive.

Component: Application Security Manager

Symptoms:
False positive JSON malformed violation.

Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.

Impact:
HTTP request is blocked or an alarm is raised.

Workaround:
There is no workaround other than disabling the JSON profile.

Fix:
JSON parser has been fixed as per RFC8259.


773421-2 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied

Component: Local Traffic Manager

Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.

Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).

-- OneConnect is applied.

-- proxy-mss is enabled (the default value starting in v12.0.0).

Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.

Workaround:
Disable proxy-mss in the configured TCP profile.

Fix:
OneConnect prevents sending ICMP fragmentation needed messages to servers.


772233-1 : IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.

Component: Global Traffic Manager (DNS)

Symptoms:
When probing DNS Path, the metric round trip time (RTT) is not set correctly if the collection protocols used are NDS_DOT or DNS_REV.

The problem occurs only if the Path involves an IPv6 address; IPv4 address works fine.

Conditions:
-- Path involves IPv6 addresses.
-- Collection protocol used is either DNS_DOT or DNS_REV.

Impact:
RTT metric is not set at all.

Workaround:
Use collection protocols - ICMP instead.

Fix:
The problem for both collection protocols - DNS_DOT and DNS_REV no longer occurs, and the RTT is set correctly.


771873-3 : TMSH Hardening

Solution Article: K40378764


771173-1 : FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.

Component: Advanced Firewall Manager

Symptoms:
The system does not roll forward the FastL4 profile syn-cookie-enable attribute after upgrading from 12.x to 13.x and beyond.

Conditions:
This happens when upgrading from 12.x to 13.x and beyond.

Impact:
If syn cookies are explicitly disabled on a FastL4 profile prior to upgrading, they may be enabled.

Workaround:
You can fix the configuration by modifying it manually after upgrading.

In tmsh:
tmsh modify ltm profile fastl4 <profile_name> syn-cookie-enable <enabled|disabled>


771025-2 : AVR send domain names as an aggregate

Component: Application Visibility and Reporting

Symptoms:
AVR sends domain name as an aggregate of a number of domain names.

Conditions:
-- AVR receives more than the number of domain names it can handle.
-- After AVR gets DNS calls with different domain name, it no longer clears the domain name.
-- When AVR receives the maximum number of total domain names, it start to aggregate all the new domain names.

Impact:
Cannot see the correct domain name.

Workaround:
None.

Fix:
AVR now removes old domain names, so it can add new ones and send the actual domain names it collected.


770989-1 : Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x.

Component: TMOS

Symptoms:
F5optics installation can fail with RPM database corruption on B4450 blades and iSeries platforms when installing 14.1.x.

Conditions:
-- Using B4450 blades or iSeries platforms.

-- Clean install (i.e., a completely new installation) of 14.1.0 from either an external drive or PXE without taking over license:

image2disk --format=volumes --nosaveconfig --nosavelicense BIGIP-14.1.0-0.0.116.iso

Impact:
-- After 14.1.0 boots up, when you check /shared/lib/rpm RPM database (by running the command: /opt/bin/rpm --dbpath /shared/lib/rpm -qa), you see errors if the RPM database has already been corrupted.

   + rpmdb: /shared/lib/rpm/Name: unexpected file type or format.
   + error: cannot open Name index using db3 - Invalid argument (22).

-- No default f5optics package is reported when running the command: tmsh show net f5optics. No f5optics packages is present in the /shared/f5optics/images/ directory (even the /shared/f5optics/images/ directory is not created).

Due to corruption of '/shared/lib/rpm' RPM database, additional component 'f5optics' installation can fail with RPM error. Other components such as geoip or epsec might also be affected due to corrupted '/shared/lib/rpm' RPM database.

Other symptoms may be that the Link Controller linkcost library (Non-US patch) may be unable to install, showing the error message:
DB_VERSION_MISMATCH: Database environment version mismatch.

Workaround:
Remove the RPM database and manually install the f5_optics RPM package.

Steps
=====
1. Remove corrupted RPM database:
   # rm -rf /shared/lib/rpm/

2. Initialize rpm database and update
   # /opt/bin/rpm --root /shared --dbpath /lib/rpm --initdb
   # /opt/bin/rpm --dbpath /shared/lib/rpm -qa

3. For iSeries platform:
   # /usr/bin/f5optics_install

   For VIPRION platform
   # tmsh install net f5optics slot all


770621-1 : [Portal Access] HTTP 308 redirect does not get rewritten

Component: Access Policy Manager

Symptoms:
Requests with URLs that are not rewritten in web application.

Conditions:
HTTP response from the backend with 308 redirect.

Impact:
HTTP Status Code 308 (Permanent Redirect) is not supported. Unexpected web application operation.

Workaround:
Use a custom iRule to rewrite the request.

Fix:
HTTP Status Code 308 (Permanent Redirect) is now supported; Location header is now rewritten.


770477-3 : SSL aborted when client_hello includes both renegotiation info extension and SCSV

Component: Local Traffic Manager

Symptoms:
Client SSL reports an error and terminates handshake.

Conditions:
Initial client_hello message includes both signaling mechanism for secure renegotiation: empty renegotiation_info extension and TLS_EMPTY_RENEGOTIATION_INFO_SCSV.

Impact:
Unable to connect with SSL.

Workaround:
None.

Fix:
Allow both signaling mechanism in client_hello.


769981-3 : bd crashes in a specific scenario

Component: Application Security Manager

Symptoms:
bd crash with a core file.

Conditions:
-- XML profile with schema validation is attached to a security policy.

-- The bd.log shows out-of-memory messages relating to XML.

Impact:
Failover; traffic disruption.

Workaround:
Increase the memory XML uses by using the internal parameters total_xml_memory and/or additional_xml_memory_in_mb. For more information, see K10803: Customizing the amount of memory allocated to the BIG-IP ASM XML processing engine available at https://support.f5.com/csp/article/K10803


769817 : BFD fails to propagate sessions state change during blade restart

Component: TMOS

Symptoms:
BFD fails to propagate sessions state change during blade restart.

Conditions:
-- On a chassis with multiple blades, several routing protocol sessions are established, (e.g., BGP sessions).
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via specific blade and the corresponding BFD session of this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experienced a blade failure.

Impact:
The BFD session remains in the BFD sessions table and remains there until BGP session is timed out by hold the timer (90 seconds, by default). Dynamic routes, which are learnt via affected BGP session, remain in the routing table until the hold time is reached.

Workaround:
Change BGP hold time to reasonable lower value.

Fix:
The affected BFD session is removed from the BFD table after blade reset during the period configured for this BFD session.


769809-2 : The vCMP guests 'INOPERATIVE' after upgrade

Component: TMOS

Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests report as INOPERATIVE.

Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.

Impact:
The vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.

Workaround:
Important: If you upgrade vCMP hosts from an affected version to a version unaffected by this issue (ID 769809), ensure that the upgrade version contains the fix for Bug ID 810593: Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade :: https://cdn.f5.com/product/bugtracker/ID810593.html.

Upon encountering this issue, it may be best to roll back to the previously used, unaffected version on the vCMP host, and then install a version unaffected by this issue (i.e., versions later than 12.1.4.1 or later than 13.1.1.5).

Fix:
The system now handles a guest unit key that has a NULL in it, so vCMP guests are no longer 'INOPERATIVE' after upgrade


769589-4 : CVE-2019-6974: Linux Kernel Vulnerability

Solution Article: K11186236


769581 : Timeout when sending many large requests iControl Rest requests

Component: TMOS

Symptoms:
After sending hundreds of REST requests, REST requests eventually begins to time out. This is the case for applications such as an AS3, with requests with 700 services.

Conditions:
1. Download and install the AS3 iApp. This adds the /mgmt/shared/appsvcs/ endpoint to the the BIG-IP system.

2. Deploy config with AS3:
curl -X POST \
  https://<$IP_address>/mgmt/shared/appsvcs/declare \
  -H 'Content-Type: application/json' \
  -d //This should be the data from an AS3 body

3. While deployment in step 2 is happening, make a GET to the tasks:
curl -X GET \
  https://<$IP_address>/mgmt/shared/appsvcs/task \
  -H 'Content-Type: application/json'

4. Delete configuration:
curl -X DELETE \
  https://<$IP_address>/mgmt/shared/appsvcs/declare

It may take 3 or 4 times repeating steps 2 through 4 for the issue to show up. When it appears, you will start seeing messages in the AS3 task response like the following:

-- 'message': 'failed to save BIG-IP config (POST http://<$USERNAME>:<$PASSWORD>@<$IP_address>:8100/mgmt/tm/task/sys/config create task save sys config response=400 body={\"code\":400,\"message\":\"remoteSender:Unknown, method:POST \",\"originalRequestBody\":\"{\\\"command\\\":\\\"save\\\"}\",\"referer\":\"Unknown\",\"restOperationId\":6924816,\"kind\":\":resterrorresponse\"})'

Impact:
Saving new configuration data does not work. Any new transaction tasks fail.

Workaround:
1. Restart restjavad and all iControl Rest (icrd_child) instances.
2. Wait longer for large requests to finish before performing additional requests.

Fix:
Changes to handle the new transaction iControl Rest creation process creation properly when the existing process was killed with a timeout operation.


769309-3 : DB monitor reconnects to server on every probe when count = 0

Component: Local Traffic Manager

Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.

Conditions:
This occurs when using one of the LTM mssql, mysql, oracle or postgresql monitor types is configured with the default 'count' value of 0 (zero).

Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.

Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.

Fix:
The LTM database monitor keeps the network connection to the monitored database server open indefinitely when configured with the default 'count' value of 0 (zero).


769193-1 : Added support for faster congestion window increase in slow-start for stretch ACKs

Component: Local Traffic Manager

Symptoms:
When Appropriate Byte Counting is enabled (the default), TCP's congestion window increases slower in slow-start when the data receiver sends stretch ACKs.

Conditions:
-- TCP data sender receives stretch ACKs (ACKs that acknowledges more than 2*MSS bytes of data).
-- Appropriate Byte Counting (ABC) is enabled in slow-start.

Impact:
ABC limits the increase of congestion window by 2*MSS bytes per ACK. TCP's congestion window is increased slower in slow-start, which may lead to longer transfer times.

Workaround:
There is no workaround at this time.

Fix:
A new sys db (TM.TcpABCssLimit) is provided to set TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received. If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.

Behavior Change:
There is a new db variable, TM.TcpABCssLimit for specifying TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received.

Note: If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.


769061-4 : Improved details for learning suggestions to enable violation/sub-violation

Component: Application Security Manager

Symptoms:
The title for the entity in suggestions to enable violation/sub-violation is 'Match violation'/'Matched HTTP Check', though these suggestions are created when there is no match in the observed traffic.

Conditions:
There are learning suggestions to enable violations/sub-violation in the policy

Impact:
Misleading suggestion details.

Workaround:
None.

Fix:
The misleading word 'Matched' was removed from the title.


768981-4 : VCMP Hypervisor Hardening

Solution Article: K05765031


768761-4 : Improved accept action description for suggestions to disable signature/enable metacharacter in policy

Component: Application Security Manager

Symptoms:
It is difficult to understand the description for suggestions to disable signature or enable metacharacter on parameter/URL alternative action (accept for all entities).

Conditions:
There are suggestions to disable signature or enable metacharacter on parameter/URL.

Impact:
Action description can be difficult to understand.

Workaround:
None.

Fix:
'Accept for Any Entity' action has been renamed to 'Accept Globally'. The 'Charset' type is now mentioned in the action description for better understanding of the applied action.


768025-1 : SAML requests/responses fail with "failed to find certificate"

Component: Access Policy Manager

Symptoms:
BIG-IP as SP and BIG-IP as IdP fail to generate signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after the certificate that is used for signing is modified.

Conditions:
The certificate used for signing SAML requests/responses or SAML SLO requests/responses is modified or re-imported.

Impact:
When this issue occurs, SAML services are impacted when BIG-IP is configured as SP or IdP. Subsequent SAML/SAML SLO requests/responses fail with the error 'failed to find certificate'.

-- When BIG-IP is configured as IdP, then SAML Authentication fails and SAML/SAML SLO services do not work.

-- When BIG-IP is configured as SP, resources that need SAML Authentication cannot be accessed. Also, SAML SLO service does not work.

Workaround:
-- When BIG-IP as IdP is affected, configure a different certificate associated with SAML IdP configuration that is used for signing, change it back to the original certificate, and then the apply policy.

-- Similarly, when BIG-IP as SP is affected, configure a different certificate associated with SAML SP configuration that is used for signing, change it back to the original certificate, and then apply the policy.

Fix:
BIG-IP as SP and BIG-IP as IdP works as expected while generating signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after certificate that is used for signing is modified.


767737-3 : Timing issues during startup may make an HA peer stay in the inoperative state

Component: TMOS

Symptoms:
When two BIG-IP systems are paired, it is possible during startup for the network connection to be made too early during the boot sequence. This may leave a peer in the inoperative state.

Conditions:
This is a timing-related issue that might occur during boot up of high availability (HA) peers.

Impact:
An HA peer does not become ACTIVE when it should.

Workaround:
None.


767653-2 : Malformed HTTP request can result in endless loop in an iRule script

Solution Article: K23860356


767613-3 : Restjavad can keep partially downloaded files open indefinitely

Component: Device Management

Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client does not complete the download. Since these files remain open, the total number of available file handles for the process decreases, and the disk space for the files cannot be recovered. Symptoms may include errors like 'Too many open files', low disk space even after deleting the associated files, and items listed with '(deleted)' in lsof output.

Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.

Impact:
Various errors ('Too many open files.'), low disk space, items listed with '(deleted)' when listed using lsof.

Workaround:
To free the file handles, restart restjavad:
tmsh restart sys service restjavad

Files that were deleted now have their space reclaimed.

Fix:
The restjavad process now internally clears the file handles of such partially downloaded files if they remain untouched for two hours.


767373-3 : CVE-2019-8331: Bootstrap Vulnerability

Solution Article: K24383845


767045 : TMM cores while applying policy

Component: Anomaly Detection Services

Symptoms:
TMM core and possible cores of other daemons.

Conditions:
The exact conditions are unknown.

Occurrences have been seen during specialized internal testing and while applying a copied and edited ASM policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


767013-4 : Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch

Component: TMOS

Symptoms:
In a rare scenario, the HSB sends a large amount and continuous pause frames to the Broadcom switch, which indicates that the HSB is in a bad state.

Conditions:
This happens when there is heavy traffic load on VIPRION B2150, B2250, and B4450 blades. This has also been seen on F5 Appliances, such as iSeries platforms. The root cause of that is still under investigation. It happens extreme rarely.

Impact:
Reboot the BIG-IP system.

Workaround:
None.

Fix:
The system now monitors the pause frames and reboots when it detects that the HSB is in this state.


766577-4 : APMD fails to send response to client and it already closed connection.

Component: Access Policy Manager

Symptoms:
APMD fails to send response to client and produces error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer

APMD does most of its action with backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server response is very slow (because of various reasons such as network issues), it might cause slow apmd client response. Sometimes, the client has already closed the connection to the virtual server, so the client connection is no longer valid.

Conditions:
Backend server is slow, causing longer-than-usual response times.

Impact:
This causes the client to close the connection. APMD fails to respond to the client.

The cumulative slowness of the backend server causes delay in response. Most of the time, the client connection is already closed. As a result, the request queue gets full. When apmd starts processing the request from the queue, the client connection is already closed for some of them, and processing those requests still continues, which is unnecessary and causes more delay.

Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.


766405-3 : MRF SIP ALG with SNAT: Fix for potential crash on next-active device

Component: Service Provider

Symptoms:
The next active device may crash with a core when attempting to create media flows.

Conditions:
The names for the LSN pool and router profile are longer than expected.

Impact:
The TMM on the next active device may core. Traffic disrupted while tmm restarts; If the next-active device was not carrying traffic for a traffic group, traffic is not disrupted.

Workaround:
None.

Fix:
Device no longer cores.


766169-3 : Replacing all VLAN interfaces resets VLAN MTU to a default value

Component: Local Traffic Manager

Symptoms:
When the last physical interface is removed from a VLAN, VLAN's MTU is reset to default value of 1500. However when replacing all interfaces belonging to a VLAN with a new ones (e.g., with a command 'tmsh modify net vlan [name] interfaces replace-all-with {...}'), even if it does not look like removing all interfaces, it is actually done by removing all interfaces immediately followed by adding new ones. Because all interfaces are removed first, the VLAN MTU is reset to the default value even if the original value is perfectly valid for newly added interfaces. As it is done automatically inside TMM, it is not reflected in the configuration. TMSH and Configuration Utility continue to report original value.

Conditions:
Issue is visible only when removing or replacing all interfaces in a VLAN which has MTU value different than default 1500. Added interfaces must also have MTU values larger than 1500.

Impact:
VLAN MTU is set to 1500 despite Configuration Utility and TMSH still reporting original value.

Workaround:
There are two workarounds:

-- Reset desired MTU value after each operation of replacing all interfaces in a VLAN.
-- Avoid replace-all-with operation by adding new interfaces before removing unneeded ones.

Fix:
VLAN MTU value is left unchanged after the last interface is removed. It is recalculated upon adding a new interface anyway, so there is no risk it will be too large.


766017-2 : [APM][LocalDB] Local user database instance name length check inconsistencies

Component: Access Policy Manager

Symptoms:
Tmsh accepts long localdb instance names, but ldbutil later refuses to work with names longer than 64 characters.

The GUI limits the instance name length to 64 characters including the partition prefix, but this is not obvious to the admin.

Conditions:
-- Create a 64 character long local user database instance using tmsh.
-- Try to add users to this instance or try to delete the instance from the GUI.

Impact:
A tmsh-created localdb instance with a name length greater than 64 characters can be created but cannot be used.

Workaround:
Delete instance from tmsh and re-create it with a shorter name.

Fix:
Tmsh now enforces the length limit for localdb instance names.


765621-1 : POST request being rejected when using OAuth Resource Server mode

Component: Access Policy Manager

Symptoms:
POST request is rejected.

Conditions:
-- Using OAuth Resource Server access type.
-- Client sends a large POST body.

Impact:
The request is rejected.

Workaround:
Increase the tmm.access.maxrequestbodysize sys db variable to be larger than the POST body size.

Fix:
The system now supports larger POST requests in OAuth Resource Server mode.


765533-4 : Sensitive information logged when DEBUG logging enabled

Solution Article: K58243048

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048

Conditions:
For more information see: https://support.f5.com/csp/article/K58243048

Impact:
For more information see: https://support.f5.com/csp/article/K58243048

Workaround:
For more information see: https://support.f5.com/csp/article/K58243048

Fix:
For more information see: https://support.f5.com/csp/article/K58243048


764873-4 : An accelerated flow transmits packets to a dated, down pool member.

Component: TMOS

Symptoms:
Normally, when a pool member becomes unavailable, the flow is redirected towards another available pool member. However, an accelerated flow can continue to send traffic to the dated pool member rather than the updated one.

Conditions:
A flow changes the pool member it goes to while the flow is accelerated.

Impact:
The traffic continues to target the dated pool member that is not available.

Workaround:
Disable HW acceleration.

Or on BIG-IP v14.1.0 and later, if a pool member goes away, run the following command to flush all accelerated flow to be handled correctly by software:
tmsh modify sys conn flow-accel-type software-only


764665-1 : AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change

Component: Application Visibility and Reporting

Symptoms:
When BIG-IP is registered on BIG-IQ system, sometimes avrd crashes with core.

Conditions:
-- BIG-IP is registered at BIG-IQ.
-- BIG-IQ sends configuration update to BIG-IP.

Impact:
Avrd cores and restarts. Functionality is not impacted, stats data are sent to BIG-IQ.

Workaround:
None.

Fix:
Corrected issue in setting value for internal flag.


764373-1 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths

Component: Application Security Manager

Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.

Conditions:
Server sends enforced cookies with the same name but with different paths.

Impact:
A valid request might be rejected.

Workaround:
None.

Fix:
The system now checks all enforced cookies correctly, so this issue no longer includes.


763349-1 : AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out

Component: Application Visibility and Reporting

Symptoms:
avrd application on BIG-IP crashes; core is generated.

Conditions:
-- The BIG-IP is configured to send data to BIG-IQ DCD node via the HTTPS protocol.

-- Connection to DCD is established but response does not arrive within the timeout interval, so the connection times out.

Impact:
avrd crashes, and a core is generated.

Workaround:
None.

Fix:
avrd now reconnects to BIG-IQ DCD in a different sequence so this issue no longer occurs.


763121-1 : Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.

Component: Advanced Firewall Manager

Symptoms:
TMM crashes and produces a core file. The crash is a SIGFPE accompanied by the following panic string:

Assertion "packet must already have an ethernet header" failed.

Conditions:
This issue occurs when all of the following conditions are met:

- The system is provisioned for AFM.
- A TCP Half Open attack to the system is underway.
- A BIG-IP Administrator attempts to use the AFM Packet Tester tool, and simulates sending a TCP segment with the SYN flag set.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the AFM Packet Tester tool while a TCP Half Open attack is underway.

Fix:
TMM no longer crashes when utilizing the AFM Packet Tester tool.


763005-2 : Aggregated Domain Names in DNS statistics are shown as random domain name

Component: Application Visibility and Reporting

Symptoms:
Many DNS queries (e.g., 50000) with different query domain names are sent and AVR aggregates data it shows aggregated names using a random name taken from the first lookup table record.

Conditions:
-- Run 50000 DNS queries, all with different domain names.
-- View Statistics :: Analytics :: DNS, and choose View By : Domain Names.

Impact:
There is one random domain name with a high counter value, other domains are shown with counter 1.

Workaround:
None.


763001-2 : Web-socket enforcement might lead to a false negative

Solution Article: K70312000

Component: Application Security Manager

Symptoms:
A request that should be blocked will be passed to server.

Conditions:
Parse parameters flag in json profile is enabled.
Requests are sent in json websocket.

Impact:
Bad requests may be passed to the server

Workaround:
Disable parse parameters flag in json profile

Fix:
Web-socket enforcement now filters requests as expected.


762453 : Hardware cryptography acceleration may fail

Solution Article: K63558580


762205-1 : IKEv2 rekey fails to recognize VENDOR_ID payload when it appears

Component: TMOS

Symptoms:
Rekey with non BIG-IP systems can fail when a response contains a VENDOR_ID payload.

Conditions:
- IKEv2 Responder sends VENDOR_ID payload in rekey response.
- The ipsec.log misleadingly reports:
  [I] [PROTO_ERR]: unexpected critical payload (type 43)
  Note: This message may be correctly present under other conditions, with different type constants not equal to 43.

Impact:
BIG-IP as the initiator of rekey drops the rekey negotiation without making further progress when the responder included a VENDOR_ID payload in a response. This will result in deleting the SA for good when the hard lifetime expires, causing a tunnel outage.

Workaround:
No workaround is known at this time.

Fix:
Handling of payload types during rekey will now ignore VENDOR_ID when it appears, the same way we ignore VENDOR_ID in other messages during IKE negotiation.


762073-1 : Continuous TMM restarts when HSB drops off the PCI bus

Component: TMOS

Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.

Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.

Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.

Workaround:
Manually reboot the BIG-IP system.

Fix:
TMM no longer gets stuck in a restart loop, as a reboot is now automatic in this scenario.


761993-4 : The nsm process may crash if it detects a nexthop mismatch

Component: TMOS

Symptoms:
If there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop, nsm may crash and restart.

Conditions:
-- Dynamic routing is in use.
-- A mismatch between tmrouted and nsm for the interface index or gateway of a nexthop exists.

Impact:
There is a temporary interruption to dynamic routing while nsm is restarted.

Workaround:
None.

Fix:
Prevented nsm crashing when there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop.


761941-3 : ASM does not remove CSRT token query parameter before forwarding a request to the backend server

Component: Application Security Manager

Symptoms:
CSRT query parameter observed in tcpdump on the BIG-IP system's server side.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF enabled in ASM policy.

Impact:
Backend app gets CSRT parameter, which might impact its business logic.

Workaround:
You can remove a CSRT query parameter using a URI modification iRule on the server side.

Fix:
The system now removes the csrt query parameter before forwarding a request to the backend server


761921-3 : avrd high CPU utilization due to perpetual connection attempts

Component: Application Security Manager

Symptoms:
avrd shows high CPU utilization. Repeated retries on auth token client failed connection attempts.

Conditions:
-- The BIG-IQ system is not available (even though it is configured).
-- Frequent connection retries.

Impact:
avrd consumes a large amount of CPU.

Workaround:
Correct BIG-IQ availability and restart avrd.

Fix:
avrd now waits between connection retries, so this issue does not occur.


761553-4 : Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic

Component: Application Security Manager

Symptoms:
Text for analyzed requests might be misleading for suggestions that are created as result of an absence of violations in traffic:

X requests triggered this suggestion from date:time until date:time.

Actually:
-- 'X requests' did not trigger a violation, and no sampled are requests provided.

-- The format of the time in 'from date:time until date:time' is difficult to parse.

Conditions:
There are suggestions that were created as result of an absence of violations in traffic in the policy.

Impact:
Text might be misleading.

Workaround:
None.

Fix:
Improved text for analyzed requests for suggestions that were created as result of absence of violations in traffic


761549-4 : Traffic Learning: Accept and Stage action is shown only in case entity is not in staging

Component: Application Security Manager

Symptoms:
Accept and Stage action is available, even for entities that are in staging already.

Conditions:
Create suggestion for the entity (e.g., Attack signature on parameter) that is in staging.

Impact:
Action that is not relevant is shown.

Workaround:
None.

Fix:
Accept and Stage action is available only for suggestions on entities that are not in staging


761345-1 : Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode

Component: Advanced Firewall Manager

Symptoms:
When manual config-sync mode is enabled for a HA setup, additional config-sync may be required after firewall blob compilation.

Conditions:
Firewall rule configuration modified on a high availability (HA) setup with manual config-sync mode enabled.

Impact:
Additional config-sync may be required after compilation completion.
A warning may be given: "There is a possible change conflict between <device1> and <device2>.", and full sync may be forced.

Workaround:
Enable auto config-sync instead of manual config-sync.

Fix:
Additional config-sync is not required in these conditions.


761300 : Errors in REST token requests may log sensitive data

Solution Article: K61105950

Component: Device Management

Symptoms:
When requests for REST tokens generate a parsing error the logged message may contain sensitive data present in the request, including passwords.

Conditions:
Error in token request parsing. Typically causes include a typo or other JSON syntax error in the POST body of the REST request.

Impact:
Restlogs record sensitive data. Properly formatted requests do not generate this error logging and do not record sensitive data.

Workaround:
None.

Fix:
Sensitive data is now filtered from logging.


761273-1 : wr_urldbd creates sparse log files by writing from the previous position after logrotate.

Component: Traffic Classification Engine

Symptoms:
After log rotation, the wr_urldbd daemon continues to write at the pre-rotate offset into the file, so the next message is written at offset N, making the file sparse, with all characters prior to position being read as nulls.

Conditions:
System rotates log files.

Impact:
Some automated systems might not be able to read log file.

Workaround:
None.

Fix:
Log file preserves text file type after log rotation.


761231-4 : Bot Defense Search Engines getting blocked after configuring DNS correctly

Solution Article: K79240502

Component: Application Security Manager

Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.

A cache is stored for legal / illegal requests to prevent querying the DNS again.

This cache never expires, so in case of an initial misconfiguration, after fixing the DNS configuration, or routing or networking issue, the Search Engines may still be blocked until TMM is restarted.

Conditions:
-- Initial misconfiguration of DNS or routing or networking issue.
-- Cache stores requests to prevent future queries to DNS.
-- Correct the misconfiguration.

Impact:
Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.

Workaround:
Restart TMM by running the following command:
bigstart restart tmm

Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.


761185-4 : Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic

Solution Article: K50375550

Component: Local Traffic Manager

Symptoms:
For more information please see: https://support.f5.com/csp/article/K50375550

Conditions:
For more information please see: https://support.f5.com/csp/article/K50375550

Impact:
For more information please see: https://support.f5.com/csp/article/K50375550

Workaround:
For more information please see: https://support.f5.com/csp/article/K50375550

Fix:
For more information please see: https://support.f5.com/csp/article/K50375550


761144-6 : Broadcast frames may be dropped

Solution Article: K95117754


761112-5 : TMM may consume excessive resources when processing FastL4 traffic

Solution Article: K76328112


761032-4 : TMSH displays TSIG keys

Solution Article: K36328238

Component: Global Traffic Manager (DNS)

Symptoms:
TSIG key is displayed when related configuration is listed in TMSH.

Conditions:
Authenticated administrative user.
Listing TSIG keys using TMSH.

Impact:
Displaying TSIG keys is a security exposure.

Workaround:
None.

Fix:
TMSH no longer displays TSIG keys when listing configuration.


761030-1 : tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route

Component: Local Traffic Manager

Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not shown using the show net route lookup command.

Conditions:
-- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.
-- Dynamic Routing protocols such as OSPFv3 configured.

Impact:
Cannot see any dynamic routes added while IPv4-mapped IPv6 addresses are configured.

Workaround:
None.

Fix:
The query for IPv4-mapped IPv6 addresses now shows dynamic routes added while IPv4-mapped IPv6 is configured.


761014-4 : TMM may crash while processing local traffic

Solution Article: K11447758


760974-1 : TMM SIGABRT while evaluating access policy

Component: Access Policy Manager

Symptoms:
TMM cores while evaluating access policy.

Conditions:
-- Secure Web Gateway is configured and in use.
-- An access policy is being evaluated.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use an iRule similar to the following:

when ACCESS_POLICY_COMPLETED {
    set res [ACCESS::session data get "session.policy.result"]

    if {[string compare $res "in_progress"] == 0} {
     log local0.notice "rejecting"
      reject
    }
    log local0.notice "result :$res"
}

Fix:
TMM no longer cores under these conditions.


760961 : TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts

Component: Traffic Classification Engine

Symptoms:
Webroot daemon (wr_urldbd) crashes because of a socket handler issue that occurs when sending the URI categorization request to the BrightCloud server.

Wr_urldbd daemon restarts, and during startup, it loads the downloaded database to the shared memory channel. This shared memory channel is being used by the TMM, which has no information about the wr_urldbd restart, so tmm restarts.

Conditions:
-- Wr_urldbd restarts (which occurs due to an issue in socket handler when sending URL categorization requests to the BrightCloud server).

-- During wr_urldbd startup, the daemon starts loading the downloaded webroot database to the shared memory channel set up between the wr_urldbd and TMM.

-- TMM accesses this shared memory channel to perform a URL category lookup (due to traffic).

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes under these conditions.


760878-2 : Incorrect enforcement of explicit global parameters

Component: Application Security Manager

Symptoms:
A false positive or false negative enforcement of explicit global parameter.

Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.

Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.

Workaround:
Make the explicit parameters a wildcard parameter.

Fix:
Explicit parameters are enforced correctly on all parameters.


760771-3 : FastL4-steered traffic might cause SSL resume handshake delay

Component: Local Traffic Manager

Symptoms:
When a FastL4 virtual server steers traffic to another SSL-enabled virtual server, there can be a delay on SSL session resumption because SSL is unable to identify the connection flow.

Additionally, it has been observed that if fallback persistence is configured, the BIG-IP system might fail to start the connection serverside.

Conditions:
-- FastL4 virtual server.
-- iRule is used to steer traffic to another virtual server with client SSL enabled.
-- Multiple tmm's.

Impact:
-- Potential impact to SSL performance.
-- Possible connection failure.

Workaround:
To workaround this issue:
-- Disable FastL4.
-- Enable OneConnect.

Fix:
FastL4-steered traffic no longer causes SSL resume handshake delay.


760683-2 : RST from non-floating self-ip may use floating self-ip source mac-address

Component: Local Traffic Manager

Symptoms:
A RST from non-floating self-ip may use floating self-ip source mac-address when AFM or ASM is enabled.

Conditions:
-- AFM or ASM is enabled.
-- RST generated from non-floating self-ip address.

Impact:
An L2 switch may update the fwd table incorrectly.

Workaround:
None.

Fix:
The system now uses the correct source mac-address under these conditions.


760679 : Memory corruption when using C3D on certain platforms

Component: Local Traffic Manager

Symptoms:
When using Client Certificate Constrained Delegation (C3D), memory corruption can occur, which can eventually lead to a tmm crash.

Conditions:
C3D is enabled on a virtual server.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes under these conditions.


760622-2 : Allow Device Certificate renewal from BIG-IP Configuration Utility

Component: TMOS

Symptoms:
Unable to renew Device Certificate from System :: Certificate Management : Device Certificate Management : Device Certificate :: server.crt in non-English BIG-IP configurations.

Conditions:
Attempting to renew a device certificate on the System :: Certificate Management : Device Certificate Management : Device Certificate :: using the server.crt-equivalent on a non-English BIG-IP system.

Impact:
Unable to renew Device Certificate from the BIG-IP Configuration Utility.

Workaround:
Use a command of the following syntax, replacing key name, cert name, and # of days with your values:

openssl req -new -x509 -key ../ssl.key/server.key -days <# of days> -out server.crt

For example, to renew the siteserver.key and siteserver.crt for 90 days, use the following command:

openssl req -new -x509 -key ../ssl.key/siteserver.key -days 90 -out siteserver.crt

Fix:
The system now allows Device Certificate renewal from BIG-IP Configuration Utility.


760550-3 : Retransmitted TCP packet has FIN bit set

Component: Local Traffic Manager

Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.

Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.

Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.

Workaround:
Set Nagle to disabled in the TCP profile.

Fix:
The incorrect FIN bit is removed.


760471-4 : GTM iQuery connections may be reset during SSL key renegotiation.

Component: Global Traffic Manager (DNS)

Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.

Conditions:
This occurs occasionally during routine renegotiation.

Impact:
The affected iQuery connection is briefly marked down as the connection is marked down before the connection is immediately re-established.

Workaround:
There is no workaround.

Fix:
GTM iQuery renegotiations no longer cause the error that reset the connection.


760439-2 : After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status

Component: TMOS

Symptoms:
After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status (e.g., transitions to standby or active).

Conditions:
Installing UCS that was taken in forced-offline state on clean installed unit.

Impact:
Unit may become active/standby before intended (e.g., during maintenance).

Workaround:
After installing the UCS, ensure that the unit is in forced-offline state as intended. If not in forced-offline state, force the unit offline before proceeding.


760438-1 : PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions

Component: Policy Enforcement Manager

Symptoms:
tmm coredump

Conditions:
-- Using an iRule to apply a referential policy in a rigorous loop.
-- This is a rarely occurring timing issue.

Impact:
Traffic impact due to tmm coredump. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The BIG-IP system now validates session presence before applying the policy.


760408-1 : System Integrity Status: Invalid after BIOS update

Solution Article: K23438711

Component: TMOS

Symptoms:
When BIG-IP system boots, it performs a System Integrity Check. The System Integrity Status may return one of three states: Valid, Unavailable, or Invalid.

This issue causes the System Integrity Status to return a value of 'Invalid'.

Conditions:
-- BIG-IP systems that have been manufactured using a earlier BIOS version.
-- Updating to a newer BIOS version.

Impact:
The System Integrity Status returns a status of Invalid, which may falsely indicate that the system BIOS or OS has been compromised.

Workaround:
Install the new BIOS, which fixes the issue that causes the 'Invalid' status to be reported, and, on systems where the BIOS and OS have not been compromised, returns a status of 'Valid'.

Fix:
The System Integrity Status check now return 'Valid' for systems that have not been compromised.


760363-2 : Update Alias Address field with default placeholder text

Component: TMOS

Symptoms:
Unable to update Alias Address field with the default value under Local Traffic :: Monitors :: [MonitorName] after removing everything from the input field and updating again with the placeholder text.

Conditions:
-- Using a system running software in which the GUI supports Chinese characters.
-- Remove content from the Alias Address field under Local Traffic :: Monitors:: [MonitorName].
-- Enter the default placeholder text.

Impact:
Unable to update the Alias Address input field with default placeholder text after replacing the said field with blank text or a valid value.

Workaround:
Pass empty value or ::

Fix:
Allow monitors to update with default placeholder text for Alias Address


760356-4 : Users with Application Security Administrator role cannot delete Scheduled Reports

Component: Application Visibility and Reporting

Symptoms:
User accounts configured with the Application Security Administrator role cannot delete scheduled reports, while they can create/view/edit them.

Conditions:
-- Logged on with a user account configured as an Application Security Administrator.
-- Attempting to delete a scheduled report.

Impact:
Cannot complete the delete operation. Deleting scheduled reports requires root/admin intervention.

Workaround:
Use root or a user account configured as Administrator to delete scheduled reports.

Fix:
User accounts configured with the Application Security Administrator role can now delete Scheduled Reports


760222-5 : SCP fails unexpected when FIPS mode is enabled

Component: TMOS

Symptoms:
Secure Copy (scp) to some locations fails with the following message:
Path not allowed.

Conditions:
-- FIPS mode is enabled.
-- Copying a file to a restricted location using SCP.

Impact:
Cannot use SCP to copy to restricted locations on the BIG-IP system.

Workaround:
None.

Fix:
This scp issue no longer occurs when FIPS cards are installed.


760130-1 : [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK

Component: Access Policy Manager

Symptoms:
-- Increased overall TMM memory usage, which eventually forces TMM to start closing connections to reduce memory usage.
-- connflow memory usage keeps increasing. Memory usage can be observed with this command:
# tmctl -f /var/tmstat/blade/tmm0 memory_usage_stat -w200

Conditions:
1. Using PingAccess.
2. Errors are being logged in /var/log/paa.

Impact:
-- Memory leak.
-- Eventually TMM starts closing connections randomly.

Workaround:
None.

Fix:
When PingAccess encounters an error after sending traffic data to PingAccess SDK, TMM no longer leaks memory.


759735-1 : OSPF ASE route calculation for new external-LSA delayed

Component: TMOS

Symptoms:
External link-state advertisement (LSA) update does not trigger OSPF ASE route calculation, resulting in delay for route state changes from external LSA.

Conditions:
-- OSPF enabled.
-- More than 20 updated external LSA.
-- No updated router and network LSA.

Impact:
Delay of route update from external LSA.

Workaround:
Manually clear ip ospf process.

Fix:
OSPF ASE route calculation from external LSA are happening as normal.


759721-4 : DNS GUI does not follow best practices

Solution Article: K03332436

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS WebUI does not follow best security practices.

Conditions:
DNS services provisioned, enabled, and configured

Impact:
The DNS WebUI does not follow best security practices.

Workaround:
None.

Fix:
The DNS WebUI now follows best security practices.


759638-1 : APM current active and established session counts out of sync after failover

Component: Access Policy Manager

Symptoms:
The 'tmsh show apm license' command shows that the current established session count is much larger than the current active session count. In the extreme case, current established session count can reach the maximum allowed, and the system reports the ERR_TOOBIG error in the apm log.

err tmm3[12351]: 01490581:3: (null):Common:00000000: Access stats encountered error: SessionDB operation failed (key: tmm.license.global_estab_stats.f26de3c7, ret: ERR_TOOBIG).

Conditions:
This counter out-of-sync period happens right after failover and lasts for five minutes.

Impact:
There is no impact to user sessions. Only the connection counts are impacted.

Workaround:
None.


759536-4 : Linux kernel vulnerability: CVE-2019-8912

Solution Article: K31739796


759480-2 : HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash

Component: Local Traffic Manager

Symptoms:
When a request is sent to the virtual server which meets the conditions specified, TMM may crash.

Conditions:
When all of the following conditions are met:

-- Virtual server configured with iRule that contains HTTP::respond or HTTP::redirect in an LB_FAILED event.

-- A command in an LB_FAILED event (does not have to be in the same iRule as the previous point, but must be attached to the same virtual server), that parks the iRule (e.g., table, session, persist, after, HSL).

-- A CLIENT_CLOSED event is present.

-- The pool member fails in some manner, triggering LB_FAILED

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Add reject command to LB_FAILED event to force the serverside of the connection closed before response is sent to the client.


759360 : Apply Policy fails due to policy corruption from previously enforced signature

Component: Application Security Manager

Symptoms:
Apply Policy fails due to policy corruption in PLC database from a previously enforced signature.

Conditions:
1. Export a policy containing a signature with an enforced rule.
2. Update ASM Signatures (ASU).
3. Import that previously exported policy.
4. Apply the newly imported policy.

Impact:
Apply policy fails.

Workaround:
As a workaround, run the following SQL, and then apply the policy:

----------------------------------------------------------------------
UPDATE PLC.PL_POLICY_NEGSIG_SIGNATURES SET previous_enforced_rule_md5 = '' WHERE previous_enforced_rule = '' and previous_enforced_rule_md5 != ''
----------------------------------------------------------------------


759192-1 : TMM core during display of PEM session under some specific conditions

Component: Policy Enforcement Manager

Symptoms:
TMM crashes during display of PEM session if the session has multiple IP addresses added under certain conditions.

Conditions:
-- Session has multiple IP addresses added.
-- When the session was created, addition of multiple IP addresses was not allowed.

Impact:
TMM restart. Traffic disrupted while tmm restarts.

Workaround:
Do not change the value of sys db variable tmm.pem.session.ip.addr.max while some sessions are already created.

Fix:
TMM core during display of PEM session no longer occurs.


759135-5 : AVR report limits are locked at 1000 transactions

Component: Application Visibility and Reporting

Symptoms:
AVR reports are limited to 1000 transactions. This is due to a hard-coded limit.

Conditions:
Using AVR reports for more than 1000 transactions.

Impact:
Unable to create reports with more than 1000 rows.

Workaround:
None.

Fix:
A db variable avr.stats.reportrownumberlimit has been added, that can be controlled via TMSH. The variable controls the number of rows in report within the range of 1 to 100000.

For example, for a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:

tmsh modify sys db avr.stats.reportrownumberlimit value 10000

Behavior Change:
There is a new db variable avr.stats.reportrownumberlimit available in TMSH, which controls the number of rows in an AVR report. Valid values are from 1 to 100000.

For example, to create a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:

tmsh modify sys db avr.stats.reportrownumberlimit value 10000


759077-4 : MRF SIP filter queue sizes not configurable

Component: Service Provider

Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.

Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes are exceeded, the filter enables its flow control logic.

Impact:
Messages may be dropped.

Workaround:
None.

Fix:
The max-pending-messages and max-pending-bytes values in the SIP router profile will be used as the limits for the SIP filter's queues. If the configured value is less than the existing hard-coded limits (512 bytes or 65535 bytes), the hard-coded limits will be used.


758992-1 : The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address

Component: Local Traffic Manager

Symptoms:
tmm may use a combination of the traffic-group MAC address and the per-VLAN MAC address for traffic associated with the traffic-group.

Conditions:
All of the following:
-- The traffic-group has a MAC address set.
-- The sys db variable 'tm.macmasqaddr_per_vlan' is set to true.
-- There are multiple tmm processes running on the BIG-IP system.

Note: BIG-IP Virtual Edition is not affected since there is only one tmm process.

Impact:
Incorrect MAC address used for traffic associated with the traffic-group.

Workaround:
None.

Fix:
tmm uses the proper MAC address when there is a traffic-group mac address defined and 'tm.macmasqaddr_per_vlan' is set to true.


758961 : During brute force attack, the attempted passwords may be logged

Solution Article: K58243048

Component: Application Security Manager

Symptoms:
Request data potentially included passwords is not masked in the ASM local and remote logger.

Conditions:
A brute force attack is in progress and login traffic is blocked from the suspicious IPs.

Impact:
An exposure of potentially sensitive data to the BIG-IP logger.

Workaround:
N/A

Fix:
Potentially sensitive data from brute force blocked requests is no longer logged.


758872-2 : TMM memory leak

Component: Local Traffic Manager

Symptoms:
When a Clustered Multiprocessing (CMP) disabled virtual server enters syncookie mode the flows created on TMM instances other than tmm0 are not removed, resulting in a TMM memory leak.

Note: CMP-disabled virtual servers are not distributed among the available TMM processes, but instead are processed on tmm0.

Conditions:
-- Virtual server is CMP disabled.
-- The same virtual server enters syncookie mode.

Impact:
Elevated memory utilization that may impact performance. In extreme cases, it might lead to out-of-memory crash.

Workaround:
Make sure the virtual server is not CMP disabled, for example, avoid using global variables in iRules.

Fix:
Flows of CMP-disabled virtual servers are now properly removed from all TMM instances.


758781-1 : iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates

Component: TMOS

Symptoms:
The following commands take a long time to complete when there are a large number of certificates:
get_certificate_list()
get_certificate_list_v2()
get_certificate_list_v3()

Conditions:
-- Using the get_certificate_list(), get_certificate_list_v2(), and get_certificate_list_v3() commands to get certificate information.
-- A large number of certificates (typically in the thousands) are installed on the BIG-IP system.

Impact:
Slowness might cause timeouts in applications that are calling these functions.

Workaround:
Use iControl REST API corresponding to sys/file/ssl-cert.


758772-4 : DNS Cache RRSET Evictions Stat not increasing

Component: Global Traffic Manager (DNS)

Symptoms:
In the DNS Cache stats, the 'Resource Record Cache' statistic of 'Evictions' does not increase.

Conditions:
This occurs when the cache is full enough for records to be evicted.

Impact:
The 'Evictions' statistics do not increase when those records are evicted. Incorrect statistics accounting.

Workaround:
None.

Fix:
Fixed an issue preventing the DNS Cache's 'Resource Record Cache' statistic from counting 'Evictions'.


758764-4 : APMD Core when CRLDP Auth fails to download revoked certificate

Component: Access Policy Manager

Symptoms:
Download CRLDP Auth fails to download revoked certificates, so the list of revoked certificate remains empty (NULL). APMD cores while accessing this empty (NULL) list.

Conditions:
Empty revoked-certificate list handling.

Impact:
APMD core. No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso while apmd restarts.

Workaround:
None.

Fix:
The system now checks for empty revoked certificate lists (for NULL) and lets the validation OK (because there is nothing to validate against).


758631-2 : ec_point_formats extension might be included in the server hello even if not specified in the client hello

Component: Local Traffic Manager

Symptoms:
RFC 5246 states that if an extension does not exist in the client hello, it must not exist in the server hello. When an EC cipher suite is selected, the server might send the ec_point_formats extension, even if none exists in the client hello.

Conditions:
-- An EC cipher suite is selected.
-- The client does not send an ec_point_formats extension.

Impact:
Some clients abort the connection in this case.

Workaround:
There is no workaround other than not configuring any EC cipher suites.

Fix:
With this change, the server does not send an unsolicited ec_point_formats extension.


758599-4 : IPv6 Management route is preferred over IPv6 tmm route

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metric than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the mgmt interface.

Conditions:
Create an IPv6 mgmt route and a static IPv6 tmm route on the same BIG-IP system. IPv6 routes from TMM are injected at metric 1024.

Impact:
The incorrect routing table sends the traffic that matches the default route to the mgmt interface.

Workaround:
None.

Fix:
The IPv4 and IPv6 management routes now have a metric value of 4096. Default value of static routes are 1 for IPv4 and 1024 for IPv6. This makes static routes (TMM routes) preferred over management routes, which is correct behavior.


758527-4 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode

Solution Article: K39604784

Component: TMOS

Symptoms:
Under certain conditions BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.

Conditions:
Tagged VLANs in use.
STP pass-through mode enabled.

Impact:
Frames not delivered as expected.

Workaround:
Disable global STP.

Fix:
Frames now delivered as expected.


758437-4 : SYN w/ data disrupts stat collection in Fast L4

Component: Local Traffic Manager

Symptoms:
Fast L4 analytics reports very large integers for goodput.

Conditions:
BIG-IP receives SYNs with attached data.

Impact:
Goodput data is unreliable.

Workaround:
None.

Fix:
Data coupled with the SYN breaks the check for a Fast L4 state change. The connection can still function normally, but statistics collection is reliant on the state change to initialize things properly. The system now ensures the correct state under these conditions, so statistics are measured correctly.


758436-2 : Optimistic ACKs degrade Fast L4 statistics

Component: Local Traffic Manager

Symptoms:
Fast L4 Analytics reports very large integers for goodput.

Conditions:
Endpoints send ACKs for data that has not been sent.

Impact:
Goodput statistics are not usable in certain data sets.

Workaround:
None.

Fix:
Additional checks prevent analytics from trusting optimistic ACKs.


758336-1 : Incorrect recommendation in Online Help of Proactive Bot Defense

Component: Application Security Manager

Symptoms:
The online help of Proactive Bot Defense within the DoS profile shows the following under the 'Cross-Domain Requests' section:

Allow configured domains; validate in bulk: ... We recommend this option if your web site has many cross-domain resources.

Allow configured domains; validate upon request: ... We recommend this option if your web site does not have many cross-domain resources.

The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.

Conditions:
Application has multiple cross-domain resources.

Impact:
Confusing documentation. The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.

Workaround:
For many cross-domain resources, it is better to use 'validate upon request'.

Fix:
The online help of Proactive Bot Defense has been corrected under the 'Cross-Domain Requests' section.


758119-4 : qkview may contain sensitive information

Solution Article: K58243048

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048

Conditions:
For more information see: https://support.f5.com/csp/article/K58243048

Impact:
For more information see: https://support.f5.com/csp/article/K58243048

Workaround:
For more information see: https://support.f5.com/csp/article/K58243048

Fix:
For more information see: https://support.f5.com/csp/article/K58243048


758065-2 : TMM may consume excessive resources while processing FIX traffic

Solution Article: K82781208


758041-4 : Pool Members may not be updated accurately when multiple identical database monitors configured

Component: Local Traffic Manager

Symptoms:
When two or more database monitors (MSSQL, MySQL, PostgreSQL, Oracle) with identical 'send' and 'recv' strings are configured and applied to different pools (with at least one pool member in each), the monitor status of some pool members may not be updated accurately.

Other parameters of the affected monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause pool members using one of the affected monitors to connect to the same database to be marked UP, while pool members using another affected monitor may be marked DOWN.

As a result of this issue, pool members that should be marked UP or DOWN by the configured monitor may instead be marked according to another affected monitor's configuration, resulting in the affected pool members being intermittently marked with an incorrect state.

After the next monitor ping interval, affected pool members members may be marked with the correct state.

Conditions:
This may occur when multiple database monitors (MSSQL, MySQL, PostgreSQL, Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different pools/members.

For example:
ltm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
    recv none
    send "select version();"
...
}

Impact:
Monitored pool members using a database monitor (MSSQL, MySQL, PostgreSQL, Oracle) randomly go offline/online.

Workaround:
To avoid this issue, configure each database monitor with values that make the combined parameters unique by changing either the 'send' or the 'recv' parameters, or both.

For example:
ltm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
    recv 5.7
    send "select version();"
...
}

Fix:
The system now correctly updates pool members when multiple identical database monitors are configured.


758018-3 : APD/APMD may consume excessive resources

Solution Article: K61705126


757992-1 : RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup

Component: Access Policy Manager

Symptoms:
RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup

Conditions:
-- Configure Floating IP with route domain.
-- Configure RADIUS accounting server with Pool Setup.
-- Configure the virtual server containing the access policy to use the RADIUS Accounting server.
-- Access the virtual server.

Impact:
-- START message is being sent through proper egress floating IP address.
-- STOP message is not sent, and the system logs the following error message:
-- err tmm1[11193]: 01490586:3: (null):Common:8a505e8c: Processing radius acct stop message failed, connection failure.
-- err tmm1[11193]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_RTE. File: ../modules/hudfilter/access/access_session.c, Function: access_session_final_callback, Line: 4439.

Workaround:
This issue is present only when the floating IP address is configured with a non-default route domain. It works fine with the default route domain. Use of default route domain is recommended.

Fix:
RADIUS Acct STOP message is now sent as expected.


757827-3 : Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution

Component: Local Traffic Manager

Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP reboot operation.

Conditions:
This may occur on affected BIG-IP versions when:
-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.

-- DNS queries to resolve these FQDN names occur almost simultaneously.

-- The BIG-IP version in use contains the fix for ID 726319 :: Bug ID 726319: 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses :: https://cdn.f5.com/product/bugtracker/ID726319.html.

The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.

Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected. As a result, some pools may not have any active pool members, and do not pass traffic.

This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.

Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes ('##' is the desired number of seconds between successive DNS queries to resolve the configure FQDN name):

tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }

Fix:
When using FQDN nodes and pool members, ephemeral pool members are now created as expected following a configuration-load or BIG-IP reboot operation.

However, messages similar to the following may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name:

-- err mcpd[20479]: 01020066:3: The requested Node (****) already exists in partition ****.
-- err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.

These are benign messages that do not affect BIG-IP functionality.


757781-1 : Portal Access: cookie exchange may be broken sometimes

Component: Access Policy Manager

Symptoms:
Portal Access uses special HTTP request with URL '/private/fm/volatile.html' to exchange cookie data between client and BIG-IP. Sometimes the BIG-IP system might send an invalid response to such a request. As a result, no cookie data can be sent from the backend server to the client.

Conditions:
Invalid response to HTTP requests with the following URL:
/private/fm/volatile.html.

Impact:
Portal Access client cannot see cookies set by the backend server. Backend server does not send cookie data to the client.

Workaround:
None.

Fix:
Portal Access now sends correct HTTP responses with backend cookie data to the client.


757722-1 : Unknown notify message types unsupported in IKEv2

Component: TMOS

Symptoms:
IKE negotiation fails when an unrecognized notify payload type is seen in a message processed by IKEv2.

Conditions:
Receiving an IKE message that contains a notify payload whose numeric type value is unrecognized by IKEv2.

Impact:
Negotiation fails with an aborted connection, preventing tunnel creation.

Workaround:
A peer can suppress notification payloads with advisory values that get rejected by IKEv2 within the BIG-IP system.

Fix:
All unknown notify types are now logged and then ignored.


757578-4 : RAM cache is not compatible with verify-accept

Component: Local Traffic Manager

Symptoms:
The TCP profile's verify-accept option is not compatible with the RAM cache feature

Conditions:
A TCP profile is used with the 'verify-accept' option enabled, together with a Web Acceleration via RAM cache.

Impact:
There may be a log message in /var/log/tmm# describing an 'Invalid Proxy Transition'. The RAM cache feature may not handle later pipelined requests due to the proxy shutting down the connection.

Workaround:
Do not use TCP's verify-accept option together with RAM cache.

Fix:
RAM cache now works correctly when the TCP profile enables the verify-accept option.


757464-3 : DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record

Component: Global Traffic Manager (DNS)

Symptoms:
Attempt to delete a DNS Validating Resolver cache record from the 'Key' cache does not remove the record. Also displays a negative TTL for that record.

tmm crash

Conditions:
-- Populate the DNS Validating Resolver Cache.
-- Attempt to delete a record from the 'Key' cache.

Impact:
Undesired behavior due to records not being deleted as instructed. Also negative TTL.

Workaround:
The only workaround is to restart tmm to generate a completely empty DNS cache. Traffic disrupted while tmm restarts.

Fix:
Fixed an issue preventing records from a DNS Validating Resolver's 'Key' sub-cache from being deleted when utilizing the TMSH command:
delete ltm dns cache records key cache


757455-1 : Excessive resource consumption when processing REST requests

Solution Article: K87920510


757442-1 : A missed SYN cookie check causes crash at the standby TMM in HA mirroring system

Component: Local Traffic Manager

Symptoms:
In a high availability (HA) mirroring configuration, an L7 packet SYN cookie check may be skipped on the standby unit and eventually causes TMM to crash.

Conditions:
-- L7 traffic being passed to an HA configuration that is configured for mirroring traffic.
-- Failover occurs.

Impact:
TMM crashes on the standby device. No connections shown on the standby unit even when mirroring isenabled.

Workaround:
Do not use HA mirroring.

Fix:
The system now provides SYN cookie checks for L7 mirrored packets on the standby system.


757441-2 : Specific sequence of packets causes Fast Open to be effectively disabled

Component: Local Traffic Manager

Symptoms:
You see this warning in the logs:

warning tmm[21063]: 01010055:4: Syncookie embryonic connection counter -1 exceeded sys threshold 64000.

Conditions:
-- TCP Fast Open and ECN are both enabled.
-- There are multiple RST segments from the receive window received in SYN_RECEIVED state.

Impact:
TCP Fast open is disabled, as the pre_established_connections becomes very large (greater than a threshold).

Workaround:
TCP ECN option can be disabled.

Fix:
TCP Fast Open is prevented from being disabled when some conditions are met.


757414 : GUI Network Map slow page load with large configuration

Component: TMOS

Symptoms:
Network Map loads very slowly when displaying large configurations.

Conditions:
Open Network Map page with a large configuration, for example, 2500 or more virtual servers, pools, and pool members.

Impact:
The Network Map page loads too slowly to be usable.

Workaround:
None.

Fix:
Network Map no longer loads very slowly when displaying large configurations.


757391-3 : Datagroup iRule command class can lead to memory corruption

Component: Local Traffic Manager

Symptoms:
When using the iRule command to access datagroups within a foreach loop, memory can be corrupted and tmm can crash.

Conditions:
A [class] command used within a foreach loop.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround aside from removing that iRule.

Fix:
tmm no longer crashes under these conditions.


757359-3 : pccd crashes when deleting a nested Address List

Component: Advanced Firewall Manager

Symptoms:
When removing a nested Address List or Port List, the pccd process might crash.

Conditions:
This might occur under the following conditions:
-- Removing a nested Address List or Port List using a tmsh transaction with an incorrect tmsh command order consistently results in this crash.

-- A high availability (HA) setup with config-sync enabled and there are intermittent problems with HA-connections, or out-of-memory system state, might intermittently result in this crash.

Impact:
pccd crashes with core, restarts, and correctly compiles the new configuration. There is a resulting, small delay in applying the new configuration due to the pccd restart.

Workaround:
-- If the crash occurs as a result of incorrect tmsh commands in a transaction, reorder commands to the parent list is modified or deleted before deleting the nested list.

-- If the crash is an intermittent issue due to problems with HA-connections, or an out-of-memory system state, no action is necessary; pccd correctly compiles new configuration after it restarts.

Fix:
pccd no longer crashes under these conditions, and correctly compiles the new configuration.


757357 : TMM may crash while processing traffic

Solution Article: K92002212


757306-2 : SNMP MIBS for AFM NAT do not yet exist

Component: Advanced Firewall Manager

Symptoms:
SNMP MIBS for AFM NAT do not yet exist.

Conditions:
This occurs in normal operation.

Impact:
Unable to read values that do not exist in SNMP, meaning that you cannot access information that you need.

Workaround:
None.


757279 : LDAP authenticated Firewall Manager role cannot edit firewall policies

Component: Advanced Firewall Manager

Symptoms:
The system posts the following message when the LDAP authenticated Firewall Manager role creates/modifies a firewall policy with rules or upgrading existing firewall policy:
User does not have modify access to object (fw_uuid_config).

Conditions:
-- Log in using an account with the Firewall Manager role.
-- Create/modify firewall policy with rules or upgrade existing firewall policy.

Impact:
Firewall modification operations fail with access to object (fw_uuid_config) error.

Workaround:
None.

Fix:
Firewall manager can now edit firewall policies.


757088-3 : TMM clock advances and cluster failover happens during webroot db nightly updates

Component: Traffic Classification Engine

Symptoms:
Webroot database mapping and unmapping takes a very long amount of time on TMM, so you might see clock advances occur. The long interval might result in a failover/state-transition in clustered environment.

Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.

Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.

Workaround:
You can avoid this issue by disabling BrightCloud updates, however, your environments will miss the latest updates as a result.

#vi /etc/wr_urldbd/bcsdk.cfg
  DoBcap=true
  DoRtu=false
  DownloadDatabase=false

Fix:
Mapping/Unmapping the database is done asynchronously and the delay is reduced so that the CDP failover does not happen.


757027-3 : BIND Update

Solution Article: K01713115


757026-3 : BIND Update

Solution Article: K25244852


757025-3 : BIND Update

Solution Article: K00040234


757023-4 : BIND vulnerability CVE-2018-5743

Solution Article: K74009656


756774-4 : Aborted DNS queries to a cache may cause a TMM crash

Solution Article: K24401914


756538-1 : Failure to open data channel for active FTP connections mirrored across an high availability (HA) pair.

Solution Article: K15759349


756494-1 : For in-tmm monitoring: multiple instances of the same agent are running on the Standby device

Component: Local Traffic Manager

Symptoms:
The standby device is sending monitor requests at a more frequent interval than what is configured.

Conditions:
-- In-tmm monitoring configured.
-- High availability (HA) configured.

There is no explicit way to reproduce this and it does not occur every time.

Impact:
Multiple instances of in-tmm monitoring may be created and the BIG-IP device may be sending monitoring traffic more frequently than what is configured.

Workaround:
Reboot the BIG-IP system.

Fix:
Fixed an issue causing multiple monitoring instances to be created.


756470-3 : Additional logging added to detect when monitoring operations in the configuration exceeds capabilities.

Component: Global Traffic Manager (DNS)

Symptoms:
GTM logs 'no reply from big3d: timed out' messages when the configuration results in more runtime monitoring operations than can be supported in a given environment, but the same message also appears in the log for other reasons.

Conditions:
The GTM configuration results in more runtime monitoring operations than can be supported in a given environment.

Impact:
It is not possible to detect when there are more runtime monitoring operations than can be supported in a given environment without enabling debug logging and performing a complex analysis of the resulting log files.

Workaround:
Enable debug logging and conduct a detailed analysis to determine if monitor requests are scheduled at the configured intervals.

Fix:
There is now a warning message that provides a much clearer indication of the condition:

The list processing time (14 seconds) exceeded the interval value. There may be too many monitor instances configured with a 7 second interval.


756458-1 : Linux kernel vulnerability: CVE-2018-18559

Solution Article: K28241423


756450-2 : Traffic using route entry that's more specific than existing blackhole route can cause core

Component: Local Traffic Manager

Symptoms:
TMM asserts with 'Attempting to free loopback interface'message.

Conditions:
- Using blackhole routes.
- Have a route entry that is more specific than the existing blackhole route.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use /32 blackhole routes.

Fix:
TMM no longer cores when using blackhole routes that are less specific than non-blackhole routes.


756402-1 : Re-transmitted IPsec packets can have garbled contents

Component: TMOS

Symptoms:
Before re-transmitting a packet, it is discovered to be garbled, mainly in the form of having physical length that no longer matches the logical length recorded inside the packet.

Conditions:
Possibly rare condition that might cause packet freeing while still in use.

Impact:
Likely tunnel outage until re-established.

Workaround:
No workaround is known at this time.

Fix:
This release adds checksums to verify IPsec packets are not altered between first creation and later re-transmission.


756311-1 : High CPU during erroneous deletion

Component: Policy Enforcement Manager

Symptoms:
The utilization of some CPU cores increases and remains high for a long time. Rebooting just one blade can cause the high CPU usage to move to another blade in the chassis.

There might be messages similar to the following in tmm logs:

-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.10.10%0-4a89723e; Instance ID mismatch ERR_OK for subscriber id 310012348494 with 10.1.10.10-0-4a8987ea.

-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.18.10%0-4a8b850c; Look up returned err ERR_OK for subscriber id 3101512411557

Conditions:
The exact conditions under which this occurs are not fully understood, but one way it can be triggered is when a single TMM is crashing on a chassis system.

Impact:
The CPU usage is coming from an erroneous cleanup function, which is only running on a TMM when it's not busy; traffic is not expected to have a significant impact. However, recovering may result in a cluster-wide TMM restart, if the CPU usage does not subside. Traffic disrupted while tmm restarts.

Workaround:
Delete all subscribers from the CLI.


756270-2 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle

Component: Local Traffic Manager

Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.

Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.

Impact:
Handshake failure.

Workaround:
None.

Fix:
This has been fixed to check for the issuer among all certificates that have the same subject name as the CRL issuer.


756205-3 : TMSTAT offbox statistics are not continuous

Component: Application Visibility and Reporting

Symptoms:
When BIG-IP systems are manged by BIG-IQ, the device health statistics have gaps (missing samples).

Conditions:
BIG-IP systems managed by BIG-IQ,

Impact:
Missing data on device health, such as CPU load and memory occupancy.

Workaround:
None.

Fix:
Functionality restored - BIG-IP systems send all the data as expected.


756153-2 : Add diskmonitor support for MySQL /var/lib/mysql

Component: TMOS

Symptoms:
If the disk partition /var/lib/mysql is filled to 100%, diskmonitor does not notify that the partition is nearly exhausted.

Conditions:
The disk partition /var/lib/mysql is filled to 100%.

Impact:
diskmonitor does not notify that disk partition /var/lib/mysql is nearly exhausted.

Workaround:
None.


756102-3 : TMM can crash with core on ABORT signal due to non-responsive AVR code

Component: Application Visibility and Reporting

Symptoms:
ABORT signal is sent to TMM by SOD; TMM aborts with a core.

Conditions:
Non-responsive AVR code. No other special conditions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


756094-3 : DNS express in restart loop, 'Error writing scratch database' in ltm log

Component: Global Traffic Manager (DNS)

Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd

Conditions:
An update to an SOA record (and only an SOA) is received through a incremental zone transfer update (IXFR).

Impact:
Zone updates from the DNS master servers are not processed.

Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, use the following commands, in sequence:

   bigstart stop zxfrd
   rm /shared/zxfrd/*
   bigstart start zxfrd

Note: DNS express will not be able to service DNS responses until the zone transfers have completed. For this reason, this procedure should be carried out on the standby device, if possible.

Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.


756088-1 : The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address

Component: TMOS

Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.

The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.

Conditions:
-- There are multiple virtual servers associated with a virtual address.

-- The virtual-address icmp-echo is set to 'all' or 'any'.

-- The virtual-address route-advertisement is set to 'all' or 'any'.

Impact:
The BIG-IP might respond incorrectly to ICMP echo requests sent to a virtual-address.

-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP may not respond correctly after a virtual-address availability change.

-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.

The BIG-IP might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.

Workaround:
None.

Fix:
The BIG-IP system now responds correctly to ICMP echo requests and correctly adds/removes dynamic routes to a virtual-address, as appropriate.


756071-1 : MCPD crash

Component: TMOS

Symptoms:
mcpd crashes on out of memory.

Conditions:
MCPD experiences a memory leak under one of the following conditions:

- A tmsh command such as the following is run:
    tmsh reset-stats ltm virtual

- The ASM or AVR module is provisioned.


In both circumstances, the 'cur_allocs' for one of MCPD's internal memory allocation types generally increases and becomes very high (e.g., millions):

tmctl -I --select cur_allocs memory_stat program=mcpd name=umem_alloc_40

Impact:
MCPD can run out of memory and crash. Traffic disrupted while mcpd restarts.

Workaround:
None.

Fix:
A memory leak that occurred in the MCPD process has been fixed.


755727-3 : Ephemeral pool members not created after DNS flap and address record changes

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.

Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.

Conditions:
This issue may occur under rare timing conditions when the following factors are present:

-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.

Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.

Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:

1. Restart the dynconfd daemon:
bigstart restart dynconfd

2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }


To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.


755585-3 : mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction

Component: Local Traffic Manager

Symptoms:
On a VIPRION cluster, if a single transaction creates a policy with the name Drafts/NAME, publishes the policy, and attaches the policy to a virtual server, mcpd restarts on the secondary blades.

Conditions:
-- VIPRION chassis with more than one blade.
-- Single mcp transaction that:
  * Creates a policy with 'Drafts/' as part of the policy name.
  * Publishes that policy.
  * Attaches that policy to a virtual server, either in the same transaction or a later transaction.

Impact:
mcpd restarts on all secondary blades of a cluster.

Workaround:
You can use either of the following workarounds:
-- Do not create policies with 'Drafts/' in the name.
-- Do not create and publish a policy in the same transaction.


755507-3 : [App Tunnel] 'URI sanitization' error

Component: Access Policy Manager

Symptoms:
URI sanitization error with app tunnel (application tunnel). The system posts messages similar to the following:
-- APM log: warning tmm[19703]: 01490586:4: /Common/AP-AD:Common:ff776e4a: Invalid Resource Access For RESOURCENAME. RST due to URI sanitization
-- LTM log: err tmm[19703]: 01230140:3: RST sent from 10.0.0.1:80 to 10.0.0.1:228, [0x2263e2c:7382] Unrecognized resource access (RESOURCENAME)

Conditions:
Access Policy that includes a 'Logon Page' and 'Advanced Resource Assign' (full webtop and app tunnel).

Impact:
APM does not send a response after receiving a request to 'GET /vdesk/resource_app_tunnels_info.xml'.

Workaround:
None.


755475-3 : Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync

Component: Access Policy Manager

Symptoms:
After making changes to the logon page agent field, performing config sync to another device and opening the logon agent in VPE on the sync target device encounters an error. Though this problem described to the logon page agent, this is applicable to any agent that is tied to customization group.

Conditions:
1. Form a failover device group with two devices.

2. On one device, create an access policy with logon page agent. Initiate config sync to sync the policy to other devices. Verify everything is correct on target device (specifically: open VPE for the policy, Logon Page is in the policy, click on the agent, and edit box appears without issue).

3. On source device, launch VPE for the policy, click on Logon Page agent, make changes to Agent (e.g., choose 'password' type for field3. Save the change and make a config sync again.

4. Go to target device, open VPE for the policy, and click on Logon Page is in the policy.

Impact:
Config is not synced properly to another device in the device group.

Workaround:
- Workaround 1:

Step1. On Standby (where the problem happens): delete the policy in question.

Step2. On Active: modify the access policy and Sync it.

* Problem with this workaround: sometimes, you cannot properly delete the access policy in question on the standby (as customization is corrupted, some related config deletion fails).


- Workaround 2:
Step 1. On Standby (where the problem happens): try to open up access policy item using VPE. Error will show the exact location of the file that is missing, for example:

"An error 'customization::getMessages: Unable to get xml dom from /config/filestore/files_d/Common_d/customization_group_d/:Common:MyAccessPolicy_act_logon_page_ag_5678_4' has occured on server... Dialogue loading has failed."

Step 2. On Standby: copy the exact file from active unit to standby unit, change the permission (ownership/group, permission flags) of the file so that it looks similar to active.

Fix:
Target device receives identical configuration as source one after config sync after user updates logon page field in logon agent editing dialog.


755197-1 : UCS creation might fail during frequent config save transactions

Component: TMOS

Symptoms:
If 'tmsh save sys config' is run simultaneously with 'tmsh save sys ucs <file>', there is the possibility of a race condition where a file gets scheduled to be added to the UCS file, but gets deleted by the save-config before it actually gets saved.

Conditions:
-- Run 'save sys config' at the same time as 'save sys ucs <file>' in tmsh.
-- Files are getting added by one tmsh command, yet deleted by the other. For example, when deleting a file that has not been saved to the configuration, while the system tried to create a UCS that contains that to-be-deleted file.

Note: There are many operations in which 'save sys config' is performed internally, so running the 'save sys ucs <file>' operation might encounter the timing error any time, even when you are not manually running 'save sys config'.

Impact:
The UCS is not created, and system posts messages similar to the following:
-- config/bigip_base.conf/: Cannot stat: No such file or directory.
-- Exiting with failure status due to previous errors.
-- Operation aborted.

This is a rare, timing-related occurrence. Even though the 'save sys ucs <file>' aborts and logs errors, simply re-running the command is likely to succeed.

Workaround:
Re-run the 'save sys ucs <file>' after it aborts. Nothing else needs to be changed or restored.

Fix:
The race condition is avoided and the 'save sys ucs <file>' now succeeds due to files removed by 'save sys config'.


755018-4 : Egress traffic processing may be stopped on one or more VE trunk interfaces

Component: TMOS

Symptoms:
Trunk interface members might be missing from tmm on BIG-IP Virtual Edition (VE).

Conditions:
-- Using trunks on VE.
-- May happen after a TMM restart, or after interface link states change.

Impact:
No egress traffic processing on one or more interfaces of a VE trunk.

Workaround:
Modify an attribute of the trunk and then return it to its previous value, for example:

    # tmsh modify net trunk <trunk name> link-select-policy maximum-bandwidth
    # tmsh modify net trunk <trunk name> link-select-policy auto

Fix:
Traffic is processed on all trunk interfaces.


755005-3 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations

Component: Application Security Manager

Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.

Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.

Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.

Workaround:
None.

Fix:
Correct templates are now used for Illegal Request Length and Illegal Query String Length violations, so the correct titles show.


754971-1 : OSPF inter-process redistribution might break OSPF route redistribution of various types.

Component: TMOS

Symptoms:
Enabling inter-process OSPF route redistribution might cause overall problems with OSPF route redistribution.

Conditions:
OSPF is configured with inter-process OSPF route redistribution, for example:

 router ospf
          network 0.0.0.0/0 area 0
          redistribute kernel
          redistribute ospf 1234 <--- !

Impact:
Routes might not be redistributed and will not be present in OSPF database. This affects all redistribution types (kernel, static, etc..)

Workaround:
Do not use inter-process OSPF route redistribution.

Fix:
Inter-process OSPF route redistribution is working properly.


754944-3 : AVR reporting UI does not follow best practices

Solution Article: K00432398


754901-3 : Frequent zone update notifications may cause TMM to restart

Component: Global Traffic Manager (DNS)

Symptoms:
When there are frequent zone update notifications, the watchdog for TMM may trip and TMM crash/restarts. There may also be 'clock advanced' messages in /var/log/ltm.

Conditions:
- Using DNS express.
- DNS zone with allow notify.
- Frequent zone NOTIFY messages resulting in zone transfers.

Impact:
TMM restart potentially resulting in failing or impacting services. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Frequent zone update notifications no longer cause TMM to restart.


754658-1 : Improved matching of response messages uses end-to-end ID

Component: Service Provider

Symptoms:
Some responses incorrectly match requests when their hop-by-hop IDs match. This causes the response to be dropped.

Conditions:
Matching hop-by-hop ID.

Impact:
Responses rarely match the wrong request, but when they do, they will be dropped.

Workaround:
None.

Fix:
Responses are now matched to requests using end-to-end ID as well as hop-by-hop ID. There should be no more incorrect matches.


754617-1 : iRule 'DIAMETER::avp read' command does not work with 'source' option

Component: Service Provider

Symptoms:
Configuring a 'source' option with the iRule 'DIAMETER::avp read' command does not work.

The operation posts a TCL error in /var/log/ltm logs:
err tmm3[11998]: 01220001:3: TCL error: /Common/part1 <MR_INGRESS> - Illegal value (line 1) error Illegal value invoked from within "DIAMETER::avp read 444 source [DIAMETER::avp data get 443 grouped]".

Conditions:
Using the 'DIAMETER::avp read' iRule command with a 'source' option.

Impact:
'DIAMETER::avp read' does not work with the 'source' option.

Workaround:
Use 'DIAMETER::avp get data' with the 'source' option, and re-create the header part when needed.


754567 : Child clientSSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file

Component: TMOS

Symptoms:
Child client SSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file used by the profile.

Conditions:
The issue is seen intermittently when all of the following conditions are met.
-- The client SSL profile is a child client SSL profile profile, i.e., it has a parent client SSL profile.
-- The child and the parent profile are using the same certificate.
-- The certificate file is updated, for example, by using a command similar to the following:
tmsh modify sys file ssl-cert child.crt { source-path file:///config/ssl/ssl.crt/default.crt app-service none cert-validation-options { } issuer-cert none }

Impact:
The child client SSL profile may unexpectedly end up using a different cert-key-chain from its parent profile.

Workaround:
The inherit-certkeychain flag can be set only in the GUI location: Local Traffic :: Profiles : SSL : Client :: child_profile.

In the row 'Configuration: \ Certificate Key Chain', uncheck the checkbox on the right side. That sets inherit-certkeychain to true (or does not customize the cert-key-chain for the child profile). Once the box is unchecked, the Certificate Key Chain field appears greyed out and filled with parent profile's cert-key-chain.

Fix:
The child profile's inherit-certkeychain flag is no longer unexpectedly set to false after updating the certificate file.


754542-4 : TMM may crash when using RADIUS Accounting agent

Component: Access Policy Manager

Symptoms:
TMM may crash when using RADIUS Accounting agent in either per-session or per-request policy.

Conditions:
- APM is provisioned and licensed.
- RADIUS Accounting agent is used in either per-session or per-request policy.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when RADIUS Accounting agent is used in the access policy.


754365-3 : Updated flags for countries that changed their flags since 2010

Component: Application Security Manager

Symptoms:
Old flags for countries that changed their flags since 2010.

Conditions:
Requests from one of the following counties:
-- Myanmar
-- Iraq
-- Libya

Impact:
Old flag is shown.

Workaround:
None.

Fix:
The three flags are now updated in ASM.


754349 : FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4

Component: Local Traffic Manager

Symptoms:
FTP uploads that are offloaded on both sides drop after the idle timeout period, even though data is flowing.

Conditions:
-- FTP virtual server set up with a standard profile and FastL4 offloading.
-- Attempt a file upload to the virtual server where both client and server side of the data channel are offloaded.

Impact:
Dropped connections; data loss.

Workaround:
You can do either of the following:
-- Enable Inherit Parent Profile on the FTP profile.
-- Turn off FastL4 offloading.

Fix:
-- FTP connections to virtual servers no longer drop when both sides of data channel are offloaded via FastL4.
-- The output of the following command displays the correct acceleration state: tmsh show sys conn all-properties.


754346-1 : Access policy was not found while creating configuration snapshot.

Component: Access Policy Manager

Symptoms:
APMD fails to create configuration snapshot with the following error:

--err apmd[16675]: 01490000:3: AccessPolicyProcessor/AccessPolicyProcessor.cpp func: "dispatchEvent()" line: 1195 Msg: EXCEPTION AccessPolicyProcessor/ProfileAccess.cpp line:234 function: snapshotConfigVariables - AccessPolicy ("/Common/myPolicy") not found while creating configuration snapshot!!!!

If you attempt to modify the policy in question, the system reports a second error:

-- err apmd[16675]: 01490089:3: 00000000: Configuration change notification received for an unknown access profile: /Common/myPolicy

Conditions:
If TMM restarts and new access policy is added before TMM is fully up and running.

Impact:
Configuration snapshot is not created, and users cannot log on.

Workaround:
Recreate the access profile when TMM is stable.


754345-3 : WebUI does not follow best security practices

Solution Article: K79902360


754330-1 : Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected

Component: Application Visibility and Reporting

Symptoms:
Monpd attempts to load a batch of CSV files that exceed the partition threshold. This might cause Monpd to falsely detect a corrupted database.

Conditions:
-- Monpd is down for a given interval, and needs to load a batch of CSV files.
-- Monpd gets lower priority for CPU and does not manage loading CSV files within a specific timeframe.
-- Some of the reports are more demanding than others, and create CSV files more often, which makes it harder for Monpd to load efficiently.

Impact:
Stats for AVR might not be loaded to the database within an expected interval.

Workaround:
None.

Fix:
Monpd now checks whether a new partition is required after each CSV file load. When needed, it creates one and aggregates data in the database to avoid this issue.


754109-3 : ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive

Component: Application Security Manager

Symptoms:
When the backend server sends a content-security-policy header where source-src and default-src directives are missing, ASM will modify the header when it does its own JavaScript injection, which might cause a csp policy violation for inline JavaScript code.

Conditions:
-- ASM provisioned.
-- ASM or Bot-Defense/DoS attached on a virtual server.
-- ASM or Bot/Dos does inline injections, like CSRF/CSHUI.

Impact:
Inline JavaScript does not run. The Browser reports a content-security-policy violation.

Workaround:
You can use either of the following workarounds:

-- Disable csp in ASM by running the following commands:
/usr/share/ts/bin/add_del_internal add csp_enabled 0
bigstart restart asm

-- Disable csp in Bot/DoS using an iRule:
when HTTP_REQUEST {
    set csp 0
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Content-Security-Policy] } {
        set csp "[HTTP::header values Content-Security-Policy]"
    }
}
when HTTP_RESPONSE_RELEASE {
    if { $csp != 0 } {
        HTTP::header replace Content-Security-Policy $csp
    }
    set csp 0
}

Fix:
ASM/Bot/DoSL7 no longer modifies the csp header when both source-src and default-src directives are missing.


754103-2 : iRulesLX NodeJS daemon does not follow best security practices

Solution Article: K75532331


754003-1 : Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate

Solution Article: K73202036

Component: Local Traffic Manager

Symptoms:
For more information please see: https://support.f5.com/csp/article/K73202036

Conditions:
For more information please see: https://support.f5.com/csp/article/K73202036

Impact:
For more information please see: https://support.f5.com/csp/article/K73202036

Workaround:
None.

Fix:
For more information please see: https://support.f5.com/csp/article/K73202036


753975 : TMM may crash while processing HTTP traffic with webacceleration profile

Solution Article: K92411323


753912 : UDP flows may not be swept

Solution Article: K44385170

Component: Local Traffic Manager

Symptoms:
Some UDP connection flows do not show in connection table but do show up in stats. This might occur with datagram_lb mode is enabled on the UDP profile under heavy load.

Conditions:
-- UDP profile with datagram_lb mode enabled.
-- System under heavy load.

Impact:
Increased memory utilization of TMM.

Workaround:
None.

Fix:
The system now correctly manages all expired flows.


753893-1 : Inconsistent validation for firewall address-list's nested address-list causes load failure

Component: Advanced Firewall Manager

Symptoms:
Inconsistent validation for firewall address-list's nested address-lists causes load failure. The operation validates 'addresses' in the address-list but misses the case of modifying the address-list nested in the address-list. The system posts a message similar to the following:

01071a5a:3: Cannot configure mix of IPv4 and IPv6 address(es) in this object.
Unexpected Error: Loading configuration process failed.

Conditions:
-- Modify an address-list's address-lists to contain mixed IPv4 and IPv6 addresses.
-- Save the configuration.
-- Load the configuration.

Impact:
Missing validation for nested address-list modification allows an invalid configuration to be specified and saved into bigip*.conf, which causes load failure.

Note: This might cause upgrade from v12.1.x to fail when the configuration contains a mix of IPv4 and IPv6 within an address-list.

Workaround:
Edit the bigip*.conf file to remove the mix of IPv4 and IPv6 addresses in the nested address-lists.

Fix:
This release contains validation to nested address-lists to check for overlapping IP addresses in the same address family.


753860-1 : Virtual server config changes causing incorrect route injection.

Component: TMOS

Symptoms:
Updating the virtual server to use a different virtual address (VADDR) does not work as expected. The old VADDR route should remove and inject the new route for the new virtual address. Instead, it injects incorrect routes into the routing protocols.

Conditions:
-- Change the VADDR on a virtual server.
-- Set route-advertisement on both VADDRs.

Impact:
Incorrect routes are injected into routing protocols.

Workaround:
None.


753805-1 : BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.

Component: Local Traffic Manager

Symptoms:
After failover, a longer time than expected for the virtual server to become available.

Conditions:
-- There is a configuration difference in the pool members before and after the configuration synchronization.
-- Probe status is also different.

Impact:
Virtual server takes longer than expected to become available.

Workaround:
Run full sync (force-full-load-push) from the active BIG-IP system to solve this issue.


753796-2 : SNMP does not follow best security practices

Solution Article: K40443301


753790 : Allow 'DIAMETER::persist reset' command in EGRESS events

Component: Service Provider

Symptoms:
The 'DIAMETER::persist reset' command is not allowed in EGRESS events; it is blocked by validation.

Conditions:
In an iRule, attempt to use 'DIAMETER::persist reset' in an EGRESS event for DIAMETER.

Impact:
Unable to reset persistence records on an EGRESS event in DIAMETER through iRules.

Workaround:
None.

Fix:
Fixed iRule validation to allow 'DIAMETER::persist reset' on EGRESS events for DIAMETER.


753776-1 : TMM may consume excessive resources when processing UDP traffic

Solution Article: K07127032


753650 : The BIG-IP system reports frequent kernel page allocation failures.

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)

Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this as follows:
-- 64 MB (65536 KB for 2250 blades)
-- 48 MB (49152 KB for B4300 blades)
-- 128 MB (131072 KB for 4450 blades).

You must do this on each blade installed in the system.

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

Fix:
The BIG-IP system no longer experiences kernel page allocation failures.


753594-3 : In-TMM monitors may have duplicate instances or stop monitoring

Component: Local Traffic Manager

Symptoms:
Most monitored resources (such as pools) report messages similar to the following:

Availability : unknown
Reason : The children pool member(s) either don't have service checking enabled, or service check results are not available yet.
 
A fraction of the monitored resources report the correct status based on the state of the resource.
 
Enabling bigdlog may show instances of messaging containing 'tmm_mid=x:0' (where x can be values like 0, 1, 2 etc.), for example, it is tmm_mid=1:0 in the following example:

[0][11288] 2019-03-08 10:03:04.608: ID 10859 :(_do_ping): post ping, status=UNKNOWN [ tmm?=true td=true tr=false tmm_mid=1:0 addr=::ffff:1.2.37.44:443 mon=/Common/https fd=-1 pend=0 #conn=0 up_intvl=5 dn_intvl=5 timeout=16 time_until_up=0 immed=0 next_ping=[1552068189.684126][2019-03-08 10:03:09] last_ping=[1552068184.684909][2019-03-08 10:03:04] deadline=[1552067610.048558][2019-03-08 09:53:30] on_service_list=True snd_cnt=119 rcv_cnt=0 ]
 

The following error might appear in /var/log/ltm:

-- failed to handle TMA_MSG_DELETE message: MID 0, error TMA_ERR_INVALID_MID(Monitor ID is invalid or unused)

Conditions:
-- Configure In-TMM monitoring with a sufficiently large number of monitored objects.
-- Modify monitors while pool members are in an offline state or perform rapid modification of In-TMM monitors.

Impact:
Some monitors may be executed multiple times per configured interval on a resource, and some monitors may not be executed at all against resources.

Workaround:
Switch to traditional bigd monitoring instead of In-TMM:

tmsh modify sys db bigd.tmm value disable

Fix:
Rapid modification of in-TMM monitors no longer leaves old monitor instances behind.


753514-1 : Large configurations containing LTM Policies load slowly

Component: Local Traffic Manager

Symptoms:
Very slow performance when loading a configuration, for example, at system start up. During this time, the tmsh process shows high CPU usage.

Conditions:
Big IP 13.1.x, 14.x. Large configuration (1 MB or larger) and at least one, but more likely tens or hundreds of LTM policies defined in the configuration.

Impact:
Slow configuration loading, or in cases with very large configurations, full config load may fail after a long wait. Slowness increases with overall configuration size and number of LTM policies defined.

Workaround:
None.

Fix:
Large configurations containing LTM Policies load normally.


753485-2 : AVR global settings are being overridden by HA peers

Component: Application Visibility and Reporting

Symptoms:
Configuration of AVR global settings is being overridden by high availability (HA) peers, and thus report incorrectly to BIG-IQ Data Collection Devices (DCDs).

Conditions:
Configuring HA for systems connected to BIG-IQ.

Impact:
Configuration of BIG-IP systems in HA configuration can override each other. This might result in the following behavior:
-- A common symptom is the 'Stats Last Collection Date' shows up as Dec 31, 1969 or Jan 01, 1970, depending the timezone configuration of the device
-- The 'Stats Last Collection Date' shows up as '--'
-- The BIG-IP systems incorrectly identify themselves to BIG-IQ.
-- The BIG-IP systems report to the wrong DCD.
-- The BIG-IP systems report to DCD, even if they are not configured to report at all.
-- The BIG-IP systems do not report at all, even if they are configured to report.

Note: This bug is tightly related to BIG-IQ Bug ID 757423.

Workaround:
None.

Fix:
Synchronization of relevant fields on AVR global settings are disabled, so this issue no longer occurs.


753446-1 : avrd process crash during shutdown if connected to BIG-IQ

Component: Application Visibility and Reporting

Symptoms:
During shutdown of BIG-IP, if it is connected to BIG-IQ then avrd might crash.

Conditions:
BIG-IP is set to shutdown and configured to send statistics to BIG-IQ.

Impact:
No serious impact, since the BIG-IP is already instructed to shutdown, so the process crash is not causing any damage.

Workaround:
N/A

Fix:
Issue is fixed, avrd does not crash during shutdown


753370-1 : RADIUS auth might not be working as configured when there is change in RADIUS auth config name.

Component: Access Policy Manager

Symptoms:
RADIUS auth might not be working as configured when there is change in RADIUS auth config name. You might also see an error:

err apmd[14182]: 01490108:3: /Common/:Common:cc55b9e2: RADIUS module: authentication with 'testuser@example' failed: no response from server (0).

Conditions:
In an LTM pool that uses APM AAA RADIUS to authenticate, change (modify/delete) the name of the RADIUS authentication server in config file.

Impact:
When using tmm.default version, intermittently MCP error messages in tmm logs indicate that the RADIUS server cannot be found, and RADIUS authentication does not work as expected.

Workaround:
None.


753368 : Unable to import access policy with pool

Component: Access Policy Manager

Symptoms:
If your exported policy contains a pool object (e.g., Active Directory (AD) or LDAP Auth object) import of such a policy fails.

Conditions:
-- Exported policy contains a pool.
-- Attempt to import that policy.

Impact:
Unable to import certain configurations.

Workaround:
None.

Fix:
Policies with pools are imported successfully.


753163-2 : PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days

Component: Policy Enforcement Manager

Symptoms:
No connection request with PCRF/OCS if high availability (HA) failover occurs after 26 days. tmm crash

Conditions:
-- Using PEM.
-- high availability (HA) failover occurs after 26 days.

Impact:
PEM does send the reconnect request within the configured reconnect, so there is no connection initiated with PCRF/OCS.

Workaround:
To restart the connection, restart tmm restart using the following command:
tmm restart

Note: Traffic disrupted while tmm restarts.

Fix:
PEM now initiates the connection with PCRF/OCS under these conditions.


753028-1 : AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule

Component: Advanced Firewall Manager

Symptoms:
When Proxy ARP is enabled for destination addresses in an FW NAT rule performing destination NAT (static-nat/static-pat), forwarding ICMP traffic matching that rule is incorrectly dropped by AFM instead of being forwarded through the BIG-IP system.

Conditions:
-- Proxy ARP is enabled for destination addresses in an FW NAT rule.
-- The BIG-IP system (AFM) receives forwarding ICMP traffic for these (untranslated) destination addresses.

Impact:
Forwarding ICMP traffic is dropped by the BIG-IP system.

Workaround:
You can disable Proxy ARP functionality for FW NAT rules to cause the BIG-IP system (AFM) to handle forwarding ICMP traffic correctly and pass it through the system to the backend.

However, this causes the BIG-IP system to not respond to ARP requests anymore for destination addresses in such rules. As a further mitigation action, you can configure static ARP entries to handle this.

Fix:
The BIG-IP system (AFM) now correctly forwards ICMP traffic through to the backend when Proxy ARP is enabled on destination addresses in the matching FW NAT rule.


753014-1 : PEM iRule action with RULE_INIT event fails to attach to PEM policy

Component: Policy Enforcement Manager

Symptoms:
PEM iRule action with RULE_INIT event fails to attach to PEM policy.

Conditions:
Attaching PEM policy with PEM iRule action that contains a RULE_INIT event.

Impact:
PEM fails to update the new iRule action.

Workaround:
Force mcpd to reload the BIG-IP configuration.

To do so, follow the steps in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.

Fix:
The system now continues processing PEM iRule actions if RULE_INIT event is present, so this issue no longer occurs.


752930-1 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state

Component: Local Traffic Manager

Symptoms:
Virtual Servers left in unknown state. Blade keeps restarting.

Conditions:
Change default route domain (RD) of partition with wildcard Virtual Servers.

Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop or mcpd process restarting loop.

Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.

2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:

# ssh slot2 bigstart stop

# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109

# save sys config

# clsh rm -f /var/db/mcpdb.bin

# ssh slot2 bigstart start

Note: This recovery method might have to be executed multiple times to restore a working setup.


752835-3 : Mitigate mcpd out of memory error with auto-sync enabled.

Solution Article: K46971044

Component: TMOS

Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it will exponentially get further behind due to extra sync data, leading to the sending mcpd running out of memory and core dumping.

Conditions:
-- Auto-sync enabled in an high availability (HA) pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.

Impact:
Mcpd crashes.

Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.

Fix:
This is not a complete fix. It is still possible for mcpd to run out of memory due to a peer not processing sync messages quickly enough. It does, however, make it more difficult for this scenario to happen, so configuration changes with auto-sync on can be sent somewhat more quickly without crashing mcpd as often.


752822-3 : SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type

Component: Service Provider

Symptoms:
SIP ALG calls that fail translation during ingress are not cleaned up by the system, which might result in memory being leaked inside the TMM processes.

Conditions:
SIP ALG calls that fail translation during ingress.

Impact:
TMM leaks memory, which can slow down performance and eventually cause TMM to run out of memory and restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now cleans up SIP ALG calls that fail translation during ingress, so this issue no longer occurs.


752803-2 : CLASSIFICATION_DETECTED running reject can lead to a tmm core

Component: Traffic Classification Engine

Symptoms:
When the CLASSIFICATION_DETECTED event is run on a serverside flow, and then an iRule command (e.g., to reject a flow) is run, tmm crashes.

Conditions:
-- CLASSIFICATION_DETECTED event runs on a serverside flow.
-- An iRule command runs (e.g., reject a flow).

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes under these conditions.


752782-3 : 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'

Component: Fraud Protection Services

Symptoms:
The 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.

Conditions:
FPS Provisioning and a DataSafe license.

Impact:
The menu name has changed in this release.

Workaround:
None.

Fix:
'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'.


752592-2 : VMware Horizon PCoIP clients may fail to connect shortly after logout

Component: Access Policy Manager

Symptoms:
Sometimes if user closes opened PCoIP desktop and logs out and then logs in again, he can't launch the same desktop anymore.

Conditions:
PCoIP UDP VS has "vdi" profile assigned.

Impact:
User can't open PCoIP remote desktop during short time period (1 minute).

Workaround:
Remove "vdi" profile and assign "remotedesktop" profile to the PCoIP UDP VS:
# tmsh modify ltm virtual <PCoIP UDP VS> profiles delete { vdi }
# tmsh modify ltm virtual <PCoIP UDP VS> profiles add { remotedesktop }

In admin UI the assignment of "remotedesktop" profile can be controlled via "Application Tunnels (Java & Per-App VPN)" checkbox (right under "VDI Profile" dropdown).

Fix:
Assignment of "vdi" profile to PCoIP UDP VS does not cause intermittent connection problems anymore.


752363 : Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled

Component: Advanced Firewall Manager

Symptoms:
Client request fails, due to being dropped on the BIG-IP system.

Conditions:
-- The BIG-IP AFM L4 BDoS feature is enabled.
-- Virtual server setup is such that the client-facing virtual server's destination is forwarded through another virtual server, which is an internally forwarded flow.

Impact:
Client request gets dropped due to BIG-IP AFM dropping the flow.

Workaround:
Disable BDoS feature. The feature can be disabled using the following commands:

-- To disable BDoS globally, run the following command:
modify security dos device-config dos-device-config dynamic-signatures { network { detection disabled mitigation none }}

To disable BDoS globally per-profile, run the following command:
modify security dos profile <profile-name> dos-network modify { test { dynamic-signatures { detection disabled mitigation none } } }
modify security dos profile test protocol-dns modify { test { dynamic-signatures { detection disabled mitigation none } } }

Fix:
The system now handles the looped flows properly, so the BDoS module does not incorrectly cause the packet to be dropped.


752078 : Header Field Value String Corruption

Component: Local Traffic Manager

Symptoms:
This is specific to HTTP/2.

In some rare cases, the header field value string can have one or more of its prefix characters removed by the BIG-IP system.

Conditions:
-- The header field value string is exceptionally long, and has embedded whitespace characters.
-- HTTP/2 is used.

Impact:
A header such as:
x-info: very_long_string that has whitespace characters

may be sent to the client as:
x-info: ery_long_string that has whitespace characters

Workaround:
None.

Fix:
The BIG-IP system no longer removes the prefix characters from very long HTTP/2 header field value strings containing embedded whitespace characters.


752047-2 : iRule running reject in CLASSIFICATION_DETECTED event can cause core

Component: Traffic Classification Engine

Symptoms:
The CLASSIFICATION_DETECTED iRule event can run very early when classification happens in the classification database (srdb). If the iRule then issues a reject command, tmm cores.

Conditions:
CLASSIFICATION_DETECTED on L4 executing reject command.

Impact:
tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
iRule running reject in CLASSIFICATION_DETECTED event no longer causes tmm core.


751869 : Possible tmm crash when using manual mode mitigation in DoS Profile

Component: Advanced Firewall Manager

Symptoms:
tmm crash and restart is possible when using manual mode mitigation in DoS Profile.

Conditions:
When manual mode mitigation is used for any vector that is enabled in the DoS Profile that is attached to a Protected Object.

Impact:
tmm crash and restart is possible. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm crash and restart no longer occurs when using manual mode mitigation in DoS Profile.


751710-2 : False positive cookie hijacking violation

Component: Application Security Manager

Symptoms:
A false positive cookie hijacking violation.

Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with the higher domain level then the configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.

Impact:
False positive violation / blocking.

Workaround:
N/A


751586-5 : Http2 virtual does not honour translate-address disabled

Component: Local Traffic Manager

Symptoms:
Translate-address disabled on an HTTP/2 virtual server is ignored.

Conditions:
-- HTTP/2 virtual server configured.
-- Translate-address disabled.

Impact:
The traffic is still translated to the destination address to the pool member.

Workaround:
None.

Fix:
Translate-address disabled is working correctly now.


751179-3 : MRF: Race condition may create to many outgoing connections to a peer

Component: Service Provider

Symptoms:
If two different connections attempt to create an outgoing connection to a peer at the same time, multiple connections may be created, even if the peer object is configured for one connection per peer. This is due to a race condition in message routing framework during connection creation.

Conditions:
-- Two different connections attempt to create an outgoing connection to a peer at the same time.
-- The peer is configured for one connection per peer.

Impact:
More than one connection to a peer is created.

Workaround:
None.

Fix:
Only one connection is created under these conditions.


751116-3 : DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring

Component: Advanced Firewall Manager

Symptoms:
The DoS visibility screens (Monitoring :: Security :: Reporting : DoS) may display DNS and Network protocol DoS attacks with the incorrect mitigation details.

Conditions:
An attacked object assigned to a DoS profile with either DNS or Network security protocols that are configured to have detect-only or learn-only states for DoS attacks.

Impact:
Network or DNS DoS attacks, detected by a DoS profile with detect-only or learn-only protection, display mitigation as Blocking instead of the configured Transparent protection. This does not affect the reported traffic data found in the DoS visibility dimensions and charts.

Workaround:
None.


751036-3 : Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone

Component: Local Traffic Manager

Symptoms:
Virtual server status becomes unavailable when the connections are over the rate limit, and stays unavailable when the number of connections fall below the limit.

Conditions:
-- The connections are over the rate limit, making the virtual server status unavailable.
-- The number of connections fall below the limit.

Impact:
Virtual server status reports unavailable, even though it should report available.

This causes DNS to continue to mark the virtual server as unavailable.

Workaround:
This problem does not impact virtual server processing traffic. It simply reports the wrong status.


751021-3 : One or more TMM instances may be left without dynamic routes.

Component: TMOS

Symptoms:
Inspecting the BIG-IP's routing table (for instance, using tmsh or ZebOS commands) shows that dynamic routes have been learnt correctly and should be in effect.

However, while passing traffic through the system, you experience intermittent failures. Further investigation reveals that the failures are limited to one or more TMM instances (all other TMM instances are processing traffic correctly). The situation does not self-recover and the system remains in this state indefinitely.

An example of a traffic failure can be a client connection reset with cause 'No route to host'. If the client retries the same request, and this hits a different TMM instance, the request might succeed.

Conditions:
This issue is known to occur when all of the following conditions are met:

- The system is a multi-blade VIPRION or vCMP cluster.

- The system just underwent an event such as a software upgrade, a reboot of one or more blades, a restart of the services on one or more blades, etc.

Impact:
Traffic fails intermittently, with errors that point to lack of routes to certain destinations.

Workaround:
You can try to temporarily resolve the issue by restarting the tmrouted daemon on all blades. To do so, run the following command:

# clsh "bigstart restart tmrouted"

However, there is no strict guarantee this will resolve the issue, given the nature of the issue.

Alternatively, you could temporarily replace the dynamic routes with static routes.

Fix:
All TMM instances across all blades now properly learn dynamic routes.


751011-1 : ihealth.sh script and qkview locking mechanism not working

Component: TMOS

Symptoms:
Two qkviews can be started up on a system at the same time, which results in conflicts for each.

Conditions:
Running qkview on one terminal and then ihealth.sh in another.

Impact:
Running of two qkviews at the same time breaks both qkviews since they compete for the same files.

Workaround:
Run either qkview or ihealth.sh, not both simultaneously.

Fix:
Starting a qkview and then running ihealth.sh halts immediately as the system detects that qkview is running.


751009-1 : Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out

Component: TMOS

Symptoms:
After generating a Qkview or collecting a tcpdump via the BIG-IP GUI, or using the 'tmsh run util ihealth' command to do the equivalent, the /var/tmp/mcpd.out file is missing.

Conditions:
-- Generating a Qkview or collecting a tcpdump via the BIG-IP GUI.
-- Using the 'tmsh run util ihealth' command to do the equivalent operation.

Impact:
The file /var/tmp/mpcd.out is a debug file used by mcpd, primarily for collecting debug-level log information from MCPD.

The file being deleted causes challenges with trying to collect diagnostic information from a BIG-IP system (turning on mcpd debug logging), because it now requires a service impact (restarting mcpd).

Additionally, may cause challenges in managing disk space on /shared filesystem, as mcpd keeps writing to a deleted file, and it cannot be truncated.

Workaround:
Generating Qkviews by invoking the 'qkview' command directly avoids this issue.

Edit the /usr/bin/ihealth.sh script to remove the corresponding line.

From a bash shell:
1. mount -o remount,rw /usr
2. /bin/cp /usr/bin/ihealth.sh{,751009.bak}
3. sed -i '/\/bin\/rm -f \/var\/tmp\/mcpd.out/d' /usr/bin/ihealth.sh
4. mount -o remount,ro /usr

Note: This workaround does not persist across software installs/upgrades, nor does it ConfigSync or replicate across blades in a VIPRION chassis.

Fix:
The problem line has been removed from the script, so this mcpd debug file is left alone (not deleted) after running ihealth.sh. Note that the GUI version of running qkview uses ihealth.sh script.


750922-3 : BD crash when content profile used for login page has no parse parameters set

Component: Application Security Manager

Symptoms:
Bd crashes. No traffic goes through ASM.

Conditions:
-- A Json Login page is configured.
-- The content profile used for the login page does not have parse parameters set.

Impact:
No traffic goes through ASM. Bd crashes.

Workaround:
Set the parse parameters setting.

Fix:
BD no longer crashes when the content profile used for login page has no parse parameters set.


750843-1 : HTTP data re-ordering when receiving data while iRule parked

Component: Local Traffic Manager

Symptoms:
Under certain circumstances tmm can reorder or omit HTTP data segments when they are received while processing an iRule which is parked.

Conditions:
- HTTP iRule execution suspended, e.g., waiting for a table command to return.
- Ingress data is processed during this state.

Impact:
Data corruption or loss can occur.

Workaround:
There is no workaround other than not using iRule suspend commands in HTTP_* events.

Fix:
tmm now handles ingress data correctly when in the parked iRule state.


750823-3 : Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD

Component: Access Policy Manager

Symptoms:
Memory usage in TMM keeps going up.

Conditions:
Access::policy evaluate command fails with error message in /var/log/ltm:

TCL error: ... - Failed to forward request to apmd.

Impact:
Memory leaks in TMM, which cause a TMM crash eventually.

Workaround:
Limit the amount of data that will be forwarded to APMD.


750689-1 : Request Log: Accept Request button available when not needed

Component: Application Security Manager

Symptoms:
There are several violations that make requests unlearnable, but the Accept Request Button is still enabled.

Conditions:
This occurs in the following scenarios:

1. Request log has requests with following violations that make requests unlearnable:
 - Threat Campaign detected.
 - Null character found in WebSocket text message.
 - Access from disallowed User/Session/IP/Device ID.
 - Failed to convert character.

2. Subviolations of HTTP protocol compliance fails violation:
 - Unparsable request content.
 - Null in request.
 - Bad HTTP version.

3. Only the following violations are detected:
 - Access from malicious IP address.
 - IP address is blacklisted.
 - CSRF attack detected.
 - Brute Force: Maximum login attempts are exceeded.

Impact:
Accept Request button is available, but pressing it does not change the policy.

Workaround:
None.

Fix:
The Accept Request button is now disabled when there is nothing to be learned from request.


750631-1 : There may be a latency between session termination and deletion of its associated IP address mapping

Component: Access Policy Manager

Symptoms:
In SWG, if a new request from a client executes iRule command "ACCESS::session exists" when the session has expired previously, the command will return false. However, if command "ACCESS::session create" is executed following the exist command, the session ID of the previous session may be returned.

Conditions:
In SWG, if a new request from a client IP comes into the system right after its previous session has expired.

Impact:
The Access filter will determine that the session ID is stale and, therefore, will redirect the client to /my.policy

Fix:
N/A


750586-1 : HSL may incorrectly handle pending TCP connections with elongated handshake time.

Component: TMOS

Symptoms:
HSL may incorrectly handle TCP connections that are pending 3-way handshake completion that exceed default handshake timeout.

Conditions:
-- HSL or ReqLog configured to send logging data to pool via TCP protocol.
-- TCP 3-way handshake takes longer than 20 seconds (the default handshake timeout) to complete.

Impact:
-- Service interruption while TMM restarts.
-- Failover event.

Workaround:
None.

Fix:
HSL handles unusually long pending TCP handshakes gracefully and does not cause outage.


750496-1 : TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP

Component: Access Policy Manager

Symptoms:
TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP.

Conditions:
Create a basic SSO item.
Create a PRP that has the SSO Assign in it and select the basic SSO item.
Create a PSP that is Start->Allow
Create a VS that uses the PRP, PSP, and an pool.
Delete the SSO item in the UI.
Run traffic through the VS

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not delete the SSO config object referenced by SSO Configuration Select agent in PRP.

Fix:
SSO Configuration Select agent should fail with error code when sso_config cannot be found (i.e. NULL).


750460-3 : Subscriber management configuration GUI

Solution Article: K61002104


750447-1 : GUI VLAN list page loading slowly with 50 records per screen

Component: TMOS

Symptoms:
GUI VLAN list page is loading slowly with there are 3200+ VLANs with the Records Per Screen Preference set to 50.

Conditions:
-- Using a VIPRION system.
-- Configuration containing 3200 or more VLANs.
-- System Preferences Records Per Screen set to 50.

Impact:
Cannot use the page.

Workaround:
Use tmsh or guishell tool to see the VLANs.

You can also try using a smaller value for the Records Per Screen option in System :: Preferences.

Fix:
Improved data retrieval and rendering for the VLAN list page.


750356-3 : Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted

Component: Application Security Manager

Symptoms:
In any Split View page (Request Log, Learning, etc.): All user-defined filters are removed if you delete a newly created filter without reloading the page first.

Conditions:
-- Create a new filter.
-- Remove the new filter.

Impact:
The system removes all user-defined filters.

Workaround:
Before you delete a newly created filter, reload the page.

Fix:
Filter removal now completes successfully for all scenarios.


750318-1 : HTTPS monitor does not appear to be using cert from server-ssl profile

Component: TMOS

Symptoms:
An HTTPS monitor using a client certificate configured in the server-ssl profile fails to send the certificate during the SSL handshake.

A tcpdump shows a 0-byte certificate being sent.

Conditions:
-- In-tmm monitoring is disabled (default).
-- The server-ssl profile has been modified but without changing the configured certificate or key.

The resulting message passed from mcpd to bigd will contain only the incremental modification to the profile, which bigd treats as a complete profile, meaning that it is possible for the certificate and key parameters to be lost.

Impact:
SSL handshake might fail to complete and the HTTPS monitor fails.

Workaround:
Restart bigd process by running the following command:
bigstart restart bigd

Fix:
mcpd now sends the full profile configuration to bigd upon modification.


750292-4 : TMM may crash when processing TLS traffic

Solution Article: K54167061


750213-2 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.

Solution Article: K25351434

Component: Global Traffic Manager (DNS)

Symptoms:
FPGA hardware-accelerated DNS Cache can respond improperly to DNS queries that contain EDNS OPT Records. This improper response can take several forms, ranging from not responding with an OPT record, to a query timeout, to a badvers response.

Conditions:
-- Using VIPRION B2250 blades.
-- This may occur if a client sends a query with an EDNS OPT record that has an unknown version or other values that the Hardware-accelerated Cache does not understand. These errors only occur when matching the query to a hardware cached response.

Note: If the response is not in the hardware cache, then the query should be properly handled.

Impact:
Hardware-accelerated DNS Cache drops the request. Clients will experience a timeout for that query.

This is occurring now because of the changes coming to software from certain DNS software vendors that remove specific workarounds on February 1st, 2019. This is known as DNS Flag Day.

Workaround:
None.


750200-1 : DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode

Component: Local Traffic Manager

Symptoms:
DHCP requests from the client are sent only to the first member in the DHCP server pool.

Conditions:
- BIG-IP system configured as a DHCP Relay.
- DHCP server pool contains more than one DHCP server.

Impact:
- DHCP server load balancing is not achieved.
- If the first DHCP server in the DHCP server pool does not respond or is unreachable, the DHCP client will not be assigned an IP address.

Workaround:
None.


750194-2 : Moderate: net-snmp security update

Component: TMOS

Symptoms:
SNMP crashes due to a specially crafted UDP packet by an authenticated user, resulting in Denial of Service.

Conditions:
SNMP traffic enabled

Impact:
SNMP crashes resulting in a denial of service.

Fix:
Patched net-snmp to properly validate input data.


750187-3 : ASM REST may consume excessive resources

Solution Article: K29149494


750170-1 : SP Connector config changes causes BIG-IP tmm core sometimes during handling of SAML SLO request

Component: Access Policy Manager

Symptoms:
tmm crashes.

Conditions:
This occurs when BIG-IP handles SAML SLO requests, and SP Configuration is changed by the admin around the same time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
When SP configuration is changed by the admin, and when BIG-IP handles SLO requests correctly without any BIG-IP tmm core.


749879-4 : Possible interruption while processing VPN traffic

Solution Article: K47527163


749785-1 : nsm can become unresponsive when processing recursive routes

Component: TMOS

Symptoms:
imish hangs, and the BIG-IP Network Services Module (nsm) daemon consuming 100% CPU.

Conditions:
-- Dynamic routing enabled
-- Processing recursive routes from a BGP peer with different prefixlen values.

Impact:
Dynamic routing, and services using dynamic routes do not operate. nsm does not recover and must be restarted.

Workaround:
None.

Fix:
nsm now processes recursive route without issues.


749774-3 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled

Component: Global Traffic Manager (DNS)

Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.

Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.

Impact:
Inconsistent behavior.

Workaround:
None.

Fix:
In this release, responses are now consistent when caching is enabled.


749738-2 : After upgrade to 13.1.3.3 or 13.1.3.4, B2250 blades may fail to detect HSB and have restarting chmand

Component: TMOS

Symptoms:
When booting after upgrade, BIG-IP system software may not fully start up, preventing normal service

-- In early boot messages in /var/log/ltm:
   + warning chmand[xxxxx]: 012a0004:4: No FPGA HSB LBB PCI device found.

   + emerg chmand[xxxxx]: 012a0000:0: Dataplane INOPERABLE - No HSBe2_v2 found on the platform (A112)

-- In later ltm logs, chmand may be seen restarting every few seconds with these lines, among others, logged each time it starts:
   + notice chmand[xxxxx]: 012a0005:5: Starting ChassisManager (chmand).
   + info chmand[xxxxx]: 012a0006:6: Found platform 'A112' in /PLATFORM.

-- The chmand process may create core in /var/core when it restarts.

Conditions:
-- Upgrade B2250 (A112) blade to software version 13.1.3.3 or 13.1.3.4.

-- This issue occurs on affected BIG-IP versions running directly on the indicated hardware platforms, or running as a vCMP host on the indicated hardware platforms.

Impact:
No service after upgrade.

Note: This might not occur in every configuration. Some multi-blade configurations might encounter this issue where others do not.

Workaround:
If possible, roll back to a previous version and contact F5 Support to get an engineering hotfix containing a fix for this issue.

Fix:
Upgrading BIG-IP software on B2250 blades completes successfully, when BIG-IP software is running directly on the hardware or is running as a vCMP host.

For vCMP deployments, the vCMP host must be running the fixed BIG-IP software in order to resolve this issue.


749704-3 : GTPv2 Serving-Network field with mixed MNC digits

Component: Service Provider

Symptoms:
iRules command 'GTP::ie get value' incorrectly decodes Serving-Network field, putting the least significant digit of mobile network codes (MNC) value before the other two.

Conditions:
Using the iRule command 'GTP::ie get value' to retrieve the Serving-Network field from a GTP message (the iRule construction: GTP::ie get value -message $gtp_message 83).

Impact:
The operation returns results in which the least significant digit is inserted before the other two, resulting in incorrect data being returned.

Workaround:
None.

Fix:
The iRule command 'GTP::ie get -message $gtp_message 83' that retrieves the Serving-Network now returns the correctly ordered, three-digit values for mobile country codes (MCC) and mobile network codes (MNC) as a two-element list: {{<MCC> <MNC>} <optional data>}, where the first element is another list containing actual MCC and MNC values, while the second element is optional binary data which follows MCC and MNC. It is the same format as used for ULI field decoding.

Behavior Change:
The iRule command 'GTP::ie get -message $gtp_message 83' that retrieves the Serving-Network now returns the correctly ordered, three-digit values for mobile country codes (MCC) and mobile network codes (MNC) as a two-element list: {{<MCC> <MNC>} <optional data>}, where the first element is another list containing actual MCC and MNC values, while the second element is optional binary data which follows MCC and MNC. It is the same format as used for ULI field decoding.


749689-1 : HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart

Component: Local Traffic Manager

Symptoms:
HTTPS monitor sends different amount of cipher suites in client hello during SSL handshake and sometimes back end server fails to find a desired cipher suite from client hello. As a result, sometimes SSL handshake fails and monitor wrongly marks pool member down.

Conditions:
-- Have an SSL profile to be used by an HTTPS monitor.
-- Load the same config more than once.

Impact:
HTTPS monitor might incorrectly mark pool member down because of a failed SSL handshake.

Workaround:
Restart bigd using the following command:
bigstart restart bigd

Fix:
HTTPS monitor now sends a consistent number of cipher suites in the client hello message during the SSL handshake.


749675-3 : DNS cache resolver may return a malformed truncated response with multiple OPT records

Component: Global Traffic Manager (DNS)

Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.

Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).

Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.

Workaround:
A second query will return the cached record, which will only have one OPT record.

Fix:
DNS cache resolver now returns the correct response under these conditions.


749603-3 : MRF SIP ALG: Potential to end wrong call when BYE received

Component: Service Provider

Symptoms:
When a BYE is received, the media flows for a different call might be closed in error.

Conditions:
If the hash of the call-id (masked to 12 bits) matches the hash of another's call-id.

Impact:
The media flows for both calls will be closed when one receives a BYE command. A call may be incorrectly terminated early.

Workaround:
None.

Fix:
Entire call-id checked before terminating media flows.


749508-3 : LDNS and DNSSEC: Various OOM conditions need to be handled properly

Component: Global Traffic Manager (DNS)

Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.

Conditions:
LDNS and DNSSEC OOM conditions.

Impact:
Various traffic-processing issue, for example, TMM panic during processing of DNSSEC activity.

Workaround:
None.

Fix:
The system contains improvements for handling OOM conditions properly.


749464 : Race condition while BIG-IQ updates common file

Component: Application Visibility and Reporting

Symptoms:
The file /var/config/rest/downloads/app_mapping.json is being used by two processes: BIG-IQ and avrd.
This can cause a race-condition between the two and in some rare cases can cause avrd to crash.

Conditions:
BIG-IQ updating /var/config/rest/downloads/app_mapping.json while avrd is reading it.

Impact:
avrd might read incomplete data, and can even core in some rare cases.

Workaround:
None.

Fix:
This race condition no longer occurs.


749461 : Race condition while modifying analytics global-settings

Component: Application Visibility and Reporting

Symptoms:
Updating the analytics global-settings might cause a core for avrd.

The avrd.log contains the following record:
AVRD_CONFIG|NOTICE... 13931|lib/avrpublisher/infrastructure/avr_mcp_msg_parser.cpp:2985| Modified Analytics Global Settings, added "0" offbox TCP addresses

Conditions:
Analytics global-settings are updated either explicitly, using a tmsh command, or implicitly, by internal process script.

Impact:
Might cause a core for avrd. After coring once, avrd is expected to start normally without any additional cores. The configuration change is expected to be applied correctly after restart is complete.

Workaround:
None.

Fix:
This represents a partial fix. See bug 764665 for an additional fix.


749414-2 : Invalid monitor rule instance identifier error

Component: Local Traffic Manager

Symptoms:
Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects.

Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is in a pool.
-- Run the following command: tmsh load /sys config
-- Loading UCS/SCF file can trigger the issue also.
-- Nodes share the same monitor instance.
-- default-node-monitor is not configured.

Impact:
-- The system might delete monitor rule instances for unrelated nodes/pool-members.

-- Pool members are incorrectly marked down.

Workaround:
You can use either of the following:

-- Failover or failback traffic to the affected device.

-- Run the following command: tmsh load sys config.


749388 : 'table delete' iRule command can cause TMM to crash

Component: TMOS

Symptoms:
TMM SegFaults and restarts.

Conditions:
'table delete' gets called after another iRule command.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
Call 'table lookup' on any key before performing a 'table delete'.
Whether or not the key was added into the database beforehand does not matter.

Fix:
Fixed code to prevent invalid use of internal data structure.


749324-2 : jQuery Vulnerability: CVE-2012-6708

Solution Article: K62532311


749294-2 : TMM cores when query session index is out of boundary

Component: Local Traffic Manager

Symptoms:
TMM cores when the queried session index is out of boundary. This is not a usual case. It is most likely caused by the memory corrupted issue.

Conditions:
When session index equals the size of session caches.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The index boundary check now operates correctly in this situation, so tmm no longer cores.


749222-3 : dname compression offset overflow causes bad compression pointer

Component: Global Traffic Manager (DNS)

Symptoms:
DNS requests receive error response:
-- Got bad packet: bad compression pointer.
-- Got bad packet: bad label type.

Conditions:
When the DNS response is large enough so that dname redirects to an offset larger than 0x3f ff.

Impact:
DNS response is malformed. Because the DNS record is corrupted, zone transfer fails.

Workaround:
None.

Fix:
dname compression offset overflow no longer causes bad compression pointer.


749184-4 : Added description of subviolation for the suggestions that enabled/disabled them

Component: Application Security Manager

Symptoms:
Missing description of subviolation for the suggestions that enabled/disabled them.

Conditions:
There are suggestions that enabled/disabled subviolations in the security policy.

Impact:
Cannot determine the subviolation for the suggestions that enabled/disabled them.

Workaround:
Open Description in an additional tab in Learning and Blocking settings screen.

Fix:
Added description of subviolation for the suggestions that enabled/disabled them.


749161-1 : Problem sync policy contains non-ASCII characters

Component: Access Policy Manager

Symptoms:
When access policy contain non-ASCII characters, policy sync either fails or the characters are not sync'ed properly on the target.

Conditions:
-- Using an access profile.

-- Access profile contains non-ASCII characters (code point greater than 0x7f), e.g.,in VPE, add an 'Advanced Resource Assign' agent and specify an expression similar to the following in addition to the resource:

expr { [string tolower [mcget -decode {session.ad.last.attr.memberOf}]] contains [string tolower "CN=Suporte_TransmissãČo,"] || [string tolower [mcget -decodde {session.ad.last.attr.memberOf}]] contains [string tolower "CN=suporte_tx,"]}

-- Start policy sync on the profile.

Impact:
Policy sync fails or does not complete properly for the non-ASCII characters.

Workaround:
None.

Fix:
Policy sync now works properly when the policy contains non-ASCII characters.


749153-1 : Cannot create LTM policy from GUI using iControl

Component: TMOS

Symptoms:
LTM policy cannot be created from GUI using iControl REST.

Conditions:
Using iControl to create an LTM policy.

Impact:
LTM policy cannot be created from the GUI

Workaround:
Create LTM policy using TMSH.

Fix:
Can now create LTM policy from GUI using iControl.


749109-1 : CSRF situation on BIGIP-ASM GUI

Component: Application Security Manager

Symptoms:
CSRF situation on the BIG-IP ASM GUI that might potentially lead to resource exhaustion on the device for the moment it is being run.

Conditions:
The following URL accepts a wildcard in the parameter id, making it a heavy URL:

https://BIG-IP/dms/policy/pl_negsig.php?id=*

Impact:
Once multiple requests are sent to the target GUI, it is possible to see httpd process spiking even in core 0 (VMWare).

Workaround:
None.

Fix:
If the query string parameter has a string value the query is not executed.


749057-3 : VMware Horizon idle timeout is ignored when connecting via APM

Component: Access Policy Manager

Symptoms:
VMware Horizon has an option to set idle timeout under "View Configuration\Global Settings\General\Client-dependent settings\For clients that support applications". When there is no keyboard or mouse activity for the given time, application sessions should be disconnected (desktop sessions are staying, though).
This settings has no effect when connecting via APM.

Conditions:
VMware Horizon idle timeout setting for applications is configured and remote application is launched via APM.

Impact:
VMware Horizon idle timeout setting for applications has no effect.

Workaround:
None.

Fix:
VMware Horizon idle timeout "For clients that support applications" is now honored when connecting via APM.


748999-1 : invalid inactivity timeout suggestion for cookies

Component: Application Security Manager

Symptoms:
ASM will report "invalid inactivity timeout" suggestions to delete a cookie, even though the cookies are being sent and are valid.

Conditions:
- Inactivity timeout feature is configured in Policy Builder
- Cookie entity is configured in the policy
- Valid, non-violating traffic containing cookies is passed

Impact:
Since non-violating traffic is not sent to the policy engine, the inactivity timeout timer is never reset, which will eventually lead to suggestions to delete the inactive cookie entities. These suggestions are erroneous because valid cookies are being sent in the traffic.

Workaround:
Ignore the inactive entity suggestions for cookies

Fix:
Inactivity learning for cookies has been deprecated, the feature does not cover cookies anymore.


748976 : DataSafe Logging Settings page is missing when DataSafe license is active

Component: Fraud Protection Services

Symptoms:
DataSafe Logging Settings page is missing when DataSafe license is active

Conditions:
1. DataSafe license is active
2. Logging of Login attempts feature enabled

Impact:
DataSafe Logging Settings page is missing in GUI.

Workaround:
Use tmsh to configure the logging of Login attempts feature.

Fix:
FPS GUI should display Logging Settings page also when DataSafe license is active.


748940-1 : iControl REST cert creation not working for non-Common folder

Component: TMOS

Symptoms:
Certificate creation under a non-Common folder using iControl REST doesn't work.

For example, the user sends the iControl REST message and gets the error message return:

curl -sk -u admin:f5site02 https://10.192.84.16/mgmt/tm/sys/crypto/cert/ -H 'Content-Type: application/json' -X POST -d '{"name":"/my_dir/mmmmm", "common-name":"cn","key":"/my_dir/mmmmm"}' | ~/bin/json-parser-linux64

        {
          "code": 400,
          "message": "Unable to extract key information from \"/config/filestore/files_d/my_dir_d/certificate_key_d/:my_dir:mmmmm_166121_1\"to \"/var/system/tmp/tmsh/87bOS1/ssl.key//my_dir/mmmmm\"",
          "errorStack": [],
          "apiError": 26214401
        }

Conditions:
The user attempts to create an SSL certificate under a non-Common folder using iControl REST.

Impact:
Unable to create an SSL certificate in non-Common folder.

Workaround:
Create the SSL certificate using tmsh.

Fix:
With the fix, certificate can be created under non-Common folder using iControl REST.


748902-7 : Incorrect handling of memory allocations while processing DNSSEC queries

Component: Global Traffic Manager (DNS)

Symptoms:
tmm crashes.

Conditions:
-- Heavy DNS traffic using DNS security signatures.
-- Use of external HSM may aggravate the problem.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release corrects the handling of memory allocations while processing DNSSEC queries.


748851-1 : Bot Detection injection include tags which may cause faulty display of application

Component: Application Security Manager

Symptoms:
The Bot Detection feature / Bot Defense profile includes JavaScript which is injected within <APM_DO_NOT_TOUCH> tags. Some web applications may be displayed incorrectly due to these tags.

Conditions:
- Your application includes JavaScript which dynamically adds HTML elements and expects a certain set of tags in the <head> section of the HTML.
- Bot Detection / Bot Defense are enabled.

Impact:
Some web applications may be displayed incorrectly.

Workaround:
None

Fix:
There is now an ASM Internal Parameter 'inject_apm_do_not_touch' and a db variable 'asm.inject_apm_do_not_touch', which can be disabled (modify sys db asm.inject_apm_do_not_touch value false) to prevent the <APM_DO_NOT_TOUCH> tag from being injected, thus allowing the application to be displayed correctly.

Behavior Change:
This release provides an ASM Internal Parameter 'inject_apm_do_not_touch', and a db variable 'asm.inject_apm_do_not_touch', which can be disabled (the default is enabled) to prevent the <APM_DO_NOT_TOUCH> tag from being injected, thus allowing the application to be displayed correctly.

To disable db variable, run the following command:
modify sys db asm.inject_apm_do_not_touch value false


748813-1 : tmm cores under stress test on virtual server with DoS profile with admd enabled

Component: Anomaly Detection Services

Symptoms:
tmm cores

Conditions:
-- Systems under stress testing.
-- Virtual server with DoS profile with admd enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Turn off Behavioral DOS.

Fix:
This tmm core no longer occurs under these conditions.


748502-3 : TMM may crash when processing iSession traffic

Solution Article: K72335002


748253-3 : Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection

Component: Service Provider

Symptoms:
Depending on the DIAMETER settings of the BIG-IP system, there can be a race condition in a mirrored device cluster where the standby BIG-IP system resets its mirror connection to the active device.

Conditions:
-- MRF DIAMETER in use.
-- The DIAMETER session profile on the BIG-IP system is configured to use a non-zero watchdog timeout.
-- The DIAMETER session profile on the BIG-IP system is configured to use Reset on Timeout.
-- This is more likely to happen if (in the DIAMETER session profile) the Maximum Watchdog Failures is set to 1, and the Watchdog Timeout is configured to be the same value as the remote DIAMETER system.

Impact:
The standby is no longer mirroring the active system, and gets out of sync with it. There may be connections lost if a failover occurs.

Workaround:
To mitigate this issue:

1. Configure the Maximum Watchdog Failures to a value greater than 1.
2. Configure the Watchdog Timeout as something different from the same timeout on the remote peer, preferably to something that will have little overlap (i.e., the two timers should fire at the exact same time very infrequently).

Fix:
Prevented the standby from sending DWR packets to the active device, so that it no longer expects DWA responses that never arrive.


748206 : Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position

Component: TMOS

Symptoms:
Browser becomes unresponsive.

Conditions:
Loading the network map with a virtual server that contains a forwarding rule policy in the second position.

Impact:
Browser becomes unresponsive and must be restarted.

Workaround:
Change the position of the forwarding rule policy.

Fix:
The browser now behaves as expected when loading the network map with a virtual server that contains a forwarding rule policy in the second position.


748205-1 : SSD bay identification incorrect for RAID drive replacement

Component: TMOS

Symptoms:
On iSeries platforms with dual SSDs, the 'bay' of a given SSD indicated in the 'tmsh show sys raid' command may be incorrect. If a drive fails, or for some other reason it is intended to be replaced, and you are using the bay number listed from the tmsh command, the wrong drive could be removed from the system resulting in system failure to operate or boot.

Conditions:
iSeries platform with dual SSDs.

Impact:
Removal of the one working drive could result in system failure and subsequent failure to boot

Workaround:
If you discover that you removed the incorrect drive, you can attempt to recover by re-inserting the drive into the bay that it was in, and powering on the device.

The following steps will help to avoid inadvertently removing the wrong drive:

As a rule for systems with this issue:
-- Power should be off when you remove a drive. This makes it possible to safely check the serial number of the removed drive.
-- Power should be on, and the system should be completely 'up' before you add a new drive.

Here are some steps to follow to prevent this issue from occurring.


1. Identify the failed drive, taking careful note of its serial number (SN). You can use any of the following commands to get the serial number:
     • tmsh show sys raid
     • tmsh show sys raid array
     • array
2. Logically remove the failed drive using the following command: tmsh modify sys raid array MD1 remove HD<>
3. Power down the unit.
4. Remove the fan tray and physically remove the failed drive.
5. Manually inspect the SN on the failed drive to ensure that the correct drive was removed.
6. Replace the fan tray.
7. Power on the unit with the remaining, single drive.
8. Once booted, wait for the system to identify the remaining (good) drive. You can confirm that this has happened when it appears in the 'array' command output.
9. Remove fan tray again (with the system running).
10. Install the new drive.
11. Use the 'array' command to determine that the new drive is recognized (Note: the tmsh commands do not show new drive at this stage.)
12. Logically add the new drive using the command command: tmsh modify sys raid array MD1 add HD<>
13. Monitor the rebuild using any of the commands shown in step 1.

Note: You must follow these steps exactly. If you insert the new drive while the system is off, and you then boot the system with the previously existing working drive and the new blank drive present, the system recognizes the blank drive as the working Array member, and you cannot add it to the array. That means system responds and replicates as if 'HD already exists'.


748187-2 : 'Transaction Not Found' Error on PATCH after Transaction has been Created

Component: TMOS

Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.

Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.

Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.

Workaround:
If transaction is not very large, configure icrd_child to only run single-threaded.

Fix:
Erroneous 'Transaction Not Found' messages no longer occur under these conditions.


748177-3 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character

Component: Global Traffic Manager (DNS)

Symptoms:
Multiple wildcards not matched to the most specific WideIP.

Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.

Impact:
DNS request gets wrong answer.

Workaround:
There is no workaround at this time.

Fix:
Multiple wildcards are now matched to the most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character.


748121-1 : admd livelock under CPU starvation

Component: Anomaly Detection Services

Symptoms:
Due to the resources starvation the worker thread of admd does not get CPU for more than two minutes. At the same time, the configuration thread does get CPU.

The admd heartbeat failure occurs at 120 seconds. The SOD daemon kills admd.

The system posts messages similar to the following:

-- notice sod[6783]: 01140041:5: Killing /usr/bin/admd pid 6732
-- warning sod[6783]: 01140029:4: high availability (HA) daemon_heartbeat ADMD.Anomaly0 fails action is restart.
-- warning sod[6783]: 01140029:4: high availability (HA) daemon_heartbeat ADMD.Publisher0 fails action is restart.

Conditions:
-- High CPU / memory utilization,
-- Very large configuration.

Note: There are no known special configuration requirements to have this occur.

Impact:
admd restarts.
Behavioral DoS does not work.

Workaround:
Reboot the BIG-IP system.

Fix:
admd livelock event no longer occurs in response to CPU starvation in very large configurations.


748081-2 : Memory leak in Behavioral DoS module

Component: Advanced Firewall Manager

Symptoms:
TMM runs out of memory and restarts.
The memory usage as shown in "tmctl memory_usage_stat", under module line tag "session" is noticed to be high, and keeps growing.

Conditions:
The issue is seen when BDoS feature is configured, and if there exits Custom or Auto Generated BDoS Signatures. When such signatures exist, the BDoS one second timer callback leaks memory.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
1. Disable BDoS feature.
2. Disable all configured and auto generated BDoS signatures using TMSH command:

# cd dos-common
# modify security dos dos-signature all { state disabled }


748043-3 : MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP

Component: Service Provider

Symptoms:
SIP Server sends SIP Request to the client.
The SIP Server inserts a different port, so that response are received on a different port.
The Client sends the response on the new requested port.
BIG-IP drops the packet

Conditions:
SIP Server wants the SIP Response to be coming on a different port.

Impact:
SIP Request will not receive the SIP Response

Workaround:
There is no workaround.

Fix:
Fix BIG-IP to process the SIP Response and send it to the SIP Server


747968-2 : DNS64 stats not increasing when requests go through DNS cache resolver

Component: Local Traffic Manager

Symptoms:
DNS64 stats are not incrementing when running the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands if responses are coming from DNS cache resolver.

Conditions:
-- DNS responses are coming from DNS cache resolver.
-- Viewing statistics using the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands.

Impact:
DNS64 stats are not correct.

Workaround:
There is no workaround at this time.


747926 : Rare TMM restart due to NULL pointer access during AFM ACL logging

Component: Advanced Firewall Manager

Symptoms:
Tmm crashes while performing log ACL match logging.

Conditions:
The problem can happen only with the following configuration:
1) AFM Logging for ACLs enabled.
2) Security Network Logging profile has the property "log-translation-fields enabled"

The problem happens under extremely rare circumstances.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Defensive error handling to avoid the scenario of NULL pointer access.


747922-2 : With AFM enabled, during bootup, there is a small possibility of a tmm crash

Component: Advanced Firewall Manager

Symptoms:
During bootup or re-provisioning, with AFM enabled, there is a small possibility of a tmm crash. The tmm process generates a core file and then automatically restart.

Conditions:
-- AFM enabled.
-- sPVA-capable hardware platform.
-- Boot up or re-provision the system.

Impact:
Tmm crashes, coredumps, and then restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The race-condition has been fixed, so this issue no longer occurs.


747909-3 : GTPv2 MEI and Serving-Network fields decoded incorrectly

Component: Service Provider

Symptoms:
MEI and Serving-Network vales obtained with GTP::ie get iRule command contains digits swapped in pairs, first digit missing and a random digit added at the back.

Conditions:
Processing GTP traffic with iRules.

Impact:
It is impossible to obtain correct value of MEI and Serving-Network fields of the GTPv2 packets when processing with iRules.

Workaround:
No workaround.

Fix:
Decoding of GTPv2 MEI and Serving-Network fields corrected.


747907-1 : Persistence records leak while the HA mirror connection is down

Component: Local Traffic Manager

Symptoms:
Memory might leak on the active unit while the high availability (HA) mirror connection is down.

Conditions:
-- The persistence configured that requires its state to be stored stored on the BIG-IP system.
-- Mirroring is configured on the persistence profile or the virtual server.
-- Mirror connection is down, for example, next active is down/offline/unavailable.

Impact:
Memory leak until the HA mirror connection is up. Once mirror connection is up, the system releases the memory.

Workaround:
-- Disable persistence while HA mirror connection is down (e.g., performing maintenance).
-- Disable session mirroring for iRules.
-- Use persistence that does not requires its state to be stored on the BIG-IP system.
-- Restore HA connection.

Fix:
Persistence records no longer leak memory while the HA mirror connection is down.


747905-1 : 'Illegal Query String Length' violation displays wrong length

Component: Application Security Manager

Symptoms:
When the system decodes a query string that exceeds the allowed query string length, the system reports the incorrect 'Illegal Query String Length' violation string length.

Conditions:
-- 'Illegal Query String Length' violation is encountered.
-- The query string is decoded and reported.

Impact:
The system reports the decoded character count rather than bytes. For example, for a Detected Query String Length = 3391, the system posts a Detected Query String Length = 1995.

Workaround:
None.


747777-1 : Extractions are learned in manual learning mode

Component: Application Security Manager

Symptoms:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"

Conditions:
Direct cause: Policy contains parameters with dynamic type

Indirect cause: Policy Builder is configured to classify parameters as dynamic (related to bug 717525)

Impact:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"

Workaround:
- Change all dynamic parameters value types to User Input with Alpha Numeric data type

- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').

Fix:
Policy Builder does not set extractions for dynamic parameters in manual mode


747725-2 : Kerberos Auth agent may override settings that manually made to krb5.conf

Component: Access Policy Manager

Symptoms:
when apmd starts up, it can override settings in krb5.conf file with those required for Kerberos Auth agent

Conditions:
- Kerberos Auth is configured in an Access Policy,
- administrator made changes to krb5.conf manually
to the section [realms] of the configured realm

Impact:
Kerberos Auth agent behavior is not what administrator expects with the changes.
it may also affect websso(kerberos) to behave properly

Workaround:
None

Fix:
after fix, the configuration file changes are merged.
Kerberos Auth agent adds the lines it requires and does not override existing settings


747628-3 : BIG-IP sends spurious ICMP PMTU message to server

Component: Local Traffic Manager

Symptoms:
After negotiating an MSS in the TCP handshake, the BIG-IP system then sends an ICMP PMTU message because the packet is too large.

Conditions:
-- The server side allows timestamps and the client side does not negotiate them.

-- The client-side MTU is lower than the server-side MTU.

-- There is no ICMP message on the client-side connection.

Impact:
Unnecessary retransmission by server; suboptimal xfrag sizes (and possibly packet sizes).

Workaround:
Disable timestamps or proxy-mss on the server-side TCP profile.


747621-2 : Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used

Component: Access Policy Manager

Symptoms:
Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used, e.g. RADIUS server performs two factor authentication.

Conditions:
1. Native VMware Horizon client is used to connect via APM.
2. RADIUS authentication agent is present in Access Policy.
3. RADIUS server asks for challenge response (e.g. 2FA).

Impact:
Authentication fails. User can't get access to VMware Horizon resources.

Workaround:
None.

Fix:
Fixed issue preventing native VMware Horizon client to authenticate with RADIUS challenge.


747617-1 : TMM core when processing invalid timer

Component: Local Traffic Manager

Symptoms:
TMM crashes while processing an SSLO iRules that enables the SSL filter on an aborted flow.

Conditions:
SSLO is configured and passing traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround

Fix:
SSL filter will no longer be enabled after connection close.


747592-2 : PHP vulnerability CVE-2018-17082

Component: TMOS

Symptoms:
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.

Conditions:
This exploit doesn't need any authentication and can be exploited via POST request. Because of 'Transfer-Encoding: Chunked' header php is echoing the body as response.

Impact:
F5 products not affected by this vulnerability. Actual impact of this vulnerability is possible XSS attack.

Workaround:
No known workaround.

Fix:
The brigade seems to end up in a messed up state if something fails in shutdown, so we clean it up.


747585-2 : TCP Analytics supports ANY protocol number

Component: Local Traffic Manager

Symptoms:
No TCP analytics data is collected for an ANY virtual server.

Conditions:
1. Provision AVR
2. Create a FastL4 server that accepts all protocols.
3. Attach a TCP Analytics profile
4. Try to run UDP traffic through it.

Impact:
No TCP analytics data is collected for TCP flows when a virtual server's protocol number is ANY.

Workaround:
There is no workaround this time.

Fix:
TCP analytics now supports both ANY and TCP protocol numbers and would collect analytics for TCP flows if protocol number is ANY or TCP.


747560-3 : ASM REST: Unable to download Whitehat vulnerabilities

Component: Application Security Manager

Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.

Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.

Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided, and it must be downloaded manually, or the GUI must be used.

Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.

Fix:
The REST endpoint for importing Scanner Vulnerabilities for the Whitehat Scanner now correctly downloads the vulnerability file automatically when no file is provided.


747550-1 : Error 'This Logout URL already exists!' when updating logout page via GUI

Component: Application Security Manager

Symptoms:
When you try to update the Logout Page, you get an error about the URL existence: Error 'This Logout URL already exists!'

Conditions:
1. Create any Logout page.
2. Try to update it.

Impact:
The properties of the Logout Page cannot be updated.

Workaround:
Delete the logout page and create a new one.

Fix:
This release addresses the issue, so that no error is reported when updating the Logout Page.


747203-4 : Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding

Component: TMOS

Symptoms:
-- SYN/ACK packets arriving on a tunnel fail to be matched to an existing flow followed by a RST issued by the BIG-IP system.
-- The BIG-IP system reports 'no flow found'.
-- MAC addresses can contain random values, or fe:fe:fe:fe:fe:fe.

Conditions:
-- Using IKEv2 with both NAT-T and interface mode.
-- The BIG-IP is configured to use several tmm instances.
-- The combination of IP addresses and port numbers result in distributing legs of processing one flow across several tmm instances.

Impact:
NATT/ESP tunnel flows can end with a RST reset.

Workaround:
None.

Fix:
In the ESP proxy, The system now clears a bit in packet metainformation related to forwarding, so a decrypted packet such as SYN/ACK can reach the last tmm needed.


747192-2 : Small memory leak while creating Access Policy items

Component: Access Policy Manager

Symptoms:
Memory slowly leaks for every access policy item added: 32 + 80 bytes for each item.

Conditions:
The leak occurs while creating new policy items in Access.

Impact:
After a long uptime interval, mcpd may crash due to lack of memory.

Workaround:
Restart mcpd periodically if you modify Access policies frequently by adding or deleting policy items.

Fix:
Leak was fixed by clearing the leaked objects.


747187-3 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response

Component: Service Provider

Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.

Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.

Impact:
Media does not flow on pinholes for which a collision was detected and reported.

Workaround:
None

Fix:
No collision is detected or logged when multiple messages with SDP recreate the same flows in the same call.


747104-3 : LibSSH: CVE-2018-10933

Solution Article: K52868493

Component: Advanced Firewall Manager

Symptoms:
For more information see: https://support.f5.com/csp/article/K52868493

Conditions:
For more information see: https://support.f5.com/csp/article/K52868493

Impact:
For more information see: https://support.f5.com/csp/article/K52868493

Fix:
For more information see: https://support.f5.com/csp/article/K52868493


747065-3 : PEM iRule burst of session ADDs leads to missing sessions

Component: Policy Enforcement Manager

Symptoms:
Some PEM sessions that were originally added, later disappear and cannot be added back.

Conditions:
-- Subscriber addition is done by iRule on UDP virtual servers.
-- The sessions are added in a burst.
-- A small fraction of such sessions cannot be added back after delete.

Impact:
Policies available in the missing session cannot be accessed.

Workaround:
Add a delay of at least a few milliseconds between adding multiple session with same subscriber-id and IP address.

Fix:
The release handles the issue that prevented the addition of the new subscriber. Now, even after the bursts of iRule additions, no re-additions fail.


746941 : Memory leak in avrd when BIG-IQ fails to receive stats information

Component: Application Visibility and Reporting

Symptoms:
There is an avrd memory leak when it fails to send BIG-IP statistical information to BIG-IQ.

Error messages may appear in the avrd.log file in /var/log/avr:

EXTERNAL_MESSAGES|ERROR|Mar 07 10:10:10.10|10|lib/avrpublisher/infrastructure/avr_http_connection.cpp:0129| (skipped 16 msgs) Can't insert messages to queue - some external log will be lost!

Conditions:
-- BIG-IP is used by BIG-IQ version 6.0.0 or higher.
-- Stats collection is enabled.
-- There is a malfunction in BIG-IQ that prevents it from receiving statistical information that BIG-IP sends (e.g., all data collection devices (DCDs) are down, or there is no network connection between BIG-IP and BIG-IQ systems).

Impact:
The avrd process' memory usage increases over time, leading to avrd restart when usage is too large, and/or avrd usage may starve other control-plane processes of memory. The AVR-related functionality is unavailable while avrd restarts.

Workaround:
Correct connectivity issues between BIG-IP and BIG-IQ.

This correction should be made not only to prevent this memory leak, but for more important functionality, such as visibility and alerts features in BIG-IQ.

Fix:
The avrd process no longer leaks memory under these conditions.


746922-4 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.

Component: Local Traffic Manager

Symptoms:
In a situation when a routing entity belonging to the child route domain is searching for an egress point for a traffic flow, it's searching for a routing entry in the child domain first, then if nothing is found, it searches for it in the parent route domain and returns the best found routing entry.

If the best routing entry from the parent route domain is selected, then it is held by a routing entity and is used to forward a traffic flow. Later, a new route entry is added to the child route domain's routing table and this route entry might be better than the current, previously selected, routing entry. But the previously selected entry doesn't get invalidated, thus the routing entity that is holding this entry is forwarding traffic to a less-preferable egress point.

#Example:
RD0(parent) -> RD1(child)
routing table: default gw for RD0 is 0.0.0.0/0%0
pool member is 1.1.1.1/32%1
-
Pool member searches for the best egress point and finds nothing in the routing table for route domain 1, and then later finds a routing entry, but from the parent route domain - 0.0.0.0/0%0.

Later a new gw for RD1 was added - 0.0.0.0/0%1, it's preferable for the 1.1.1.1/32%1 pool member. 0.0.0.0/0%0 should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, as in this case, with - 0.0.0.0/0%1.

Conditions:
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. New routing entry for child route domain is added.

Impact:
If a new added route is preferable to an existing one in a different route domain, the new, preferable, route is not going to be used by a routing object that has previously selected a route. Thus, traffic flows through these routing objects to an unexpected/incorrect egress point. This might result in undesirable behavior:
-- The route might be unreachable, and all traffic for a specific pool member is dropped.
-- The virtual server cannot find an available SNAT address.
-- Simply, the wrong egress interface is being used.

Workaround:
Use either of these workaround after a new route in child domain is added.

-- Recreate a route.
Recreate a parent route domain's routes. Restart tmrouted daemon if routes are gathered via routing protocols.

-- Recreate a routing object.
  - If a pool member is affected, recreate the pool member.
  - If a SNAT pool list is affected, recreate it.
  - And so on.

Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table.


746877-3 : Omitted check for success of memory allocation for DNSSEC resource record

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.

Conditions:
During memory stress while handling DNSSEC traffic.

Impact:
TMM panic and subsequent interruption of network traffic.

Workaround:
Keeping the workload within normal ranges reduces the probability of encounter.

Fix:
The system now checks for success of memory allocation for DNSSEC resource record, so this issue no longer occurs.


746823 : AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members

Component: Application Visibility and Reporting

Symptoms:
In a configuration that AVR is set to send telemetry data to external source (like connection with BIG-IQ), and there is large number of config objects in the system, such as virtual servers and pool-members. AVRD is constantly crashing.

Conditions:
1. AVR is set to send telemetry data to external source (like connection with BIG-IQ).
2. Large number of config objects in the system, such as virtual servers and pool-members.

Impact:
AVRD process is crashing and telemetry data is not collected.

Workaround:
N/A

Fix:
The issue is fixed, AVR can handle any number of virtuals/pool-members when sending its telemetry.


746771-1 : APMD recreates config snapshots for all access profiles every minute

Component: Access Policy Manager

Symptoms:
When the access profile configurations in APMD and MCPD are out of sync, APMD detects that the config snapshot for one access profile is missing. This triggers AMPD to recreates the config snapshots for all access profiles. The detect-recreate cycle repeats every minute, posting log messages:

-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...

-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
...

-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...

-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.

Conditions:
The conditions under which the access profile configurations in APMD and MCPD become out of sync is unknown.

Impact:
TMM memory usage increases due to excessive config snapshots being created.

Workaround:
Restart APMD to clear the APMD and MCPD out-of-sync condition.

Fix:
This issue has been fixed.


746768-1 : APMD leaks memory if access policy policy contains variable/resource assign policy items

Component: Access Policy Manager

Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.

Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.

Impact:
APMD's memory footprint will increase whenever the access policy is applied.

Workaround:
There is no workaround.

Fix:
Memory growth has been addressed.


746731-3 : BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set

Component: Service Provider

Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.

Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Firmware-Revision AVP.

Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.

Workaround:
Configure an iRule in the MRF transport-config, for example:

ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 267 0
        }
    }
}

Fix:
This release always clears the Mandatory bit for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.


746710-2 : Use of HTTP::cookie after HTTP:disable causes TMM core

Component: Local Traffic Manager

Symptoms:
When an iRule disables HTTP with HTTP:disable, subsequent use of HTTP::cookie for that request will cause a TMM core dump.

Conditions:
1) HTTP profile is configured on the virtual.
2) HTTP:disable is called on request.
3) HTTP:cookie is then called on that request.

Impact:
Use of iRules in the above mentioned order will result in a TMM core. Traffic disrupted while tmm restarts.

Workaround:
Do not call HTTP:cookie on requests that have had HTTP disabled by HTTP:disable


746704-1 : Syslog-ng Memory Leak

Component: TMOS

Symptoms:
After a long uptime (almost a year) syslog-ng had consumed 1.1G of virtual memory on BIG-IP.

Conditions:
Memory leak when syslog-ng handles continuous SIGHUP signals.

Impact:
Minimal. This is a leak of virtual memory. If syslog-ng does not read or write to this memory it will not be consume physical memory.

Workaround:
Run this command once a month:
service syslog-ng restart


746348-1 : On rare occasions, gtmd fails to process probe responses originating from the same system.

Component: Global Traffic Manager (DNS)

Symptoms:
On rare occasions, some resources are marked 'unavailable', with a reason of 'big3d: timed out' because gtmd fails to process some probe responses sent by the instance of big3d that is running on the same BIG-IP system.

Conditions:
The monitor response from big3d sent to the gtmd on the same device is being lost. Monitor responses sent to other gtmds are sent without issue. The conditions under which this occurs have not been identified.

Impact:
Some resources are marked 'unavailable' on the affected BIG-IP system, while the other BIG-IP systems in the sync group mark the resource as 'available'.

Workaround:
Restart gtmd on the affected BIG-IP system.


746266-1 : A vCMP guest VLAN MAC mismatch across blades.

Component: TMOS

Symptoms:
The vCMP guests running on blades in a single chassis report different MAC addresses on a single VLAN upon host reboot for the vCMP guest.

Conditions:
This issue may be seen when all of the following conditions are met:

-- One or more blades are turned off completely via AOM.
-- There are two VLANs.
-- You deploy a multi-slot guest with the higher lexicographic VLAN, and assign the lower VLAN to the guest.
-- Reboot the host.

Impact:
Incorrect MAC addresses are reported by some blades.

Workaround:
None.

Fix:
There is no longer a vCMP guest VLAN MAC mismatch across blades under these conditions.


746146-2 : AVRD can crash with core when disconnecting/reconnecting on HTTPS connection

Component: Application Security Manager

Symptoms:
AVRD crashes repeatedly when the BIG-IP system is configured to work with BIG-IQ.

Conditions:
-- BIG-IP system is connected to BIG-IQ.
-- Disconnecting/reconnecting on HTTPS connection.

Impact:
Statistics collection is unstable : some stats data are lost during avrd crash.

Workaround:
None.

Fix:
Object associated with HTTPS connection was deleted before the last event on this connection arrived. Object deletion is now deferred, so this issue no longer occurs..


746091-3 : TMSH Vulnerability: CVE-2019-19151

Solution Article: K21711352


746077-1 : If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified

Component: Local Traffic Manager

Symptoms:
DHCP-RELAY overwrites the 'giaddr' field containing a non-zero value. This violates RFC 1542.

Conditions:
DHCP-RELAY processing a message with the 'giaddr' field containing a non-zero value,

Impact:
RFC 1542 violation

Workaround:
None.

Fix:
DHCP-RELAY no longer overwrites the 'giaddr' field containing a non-zero value.


745923-4 : Connection flow collision can cause packets to be sent with source and/or destination port 0

Component: Local Traffic Manager

Symptoms:
Symptoms vary based on traffic impacted:

Virtual server may reset a connection with the source and/or destination port set to 0 when the client sends an ACK after a 4-way close

UDP traffic to virtual server with UDP profile immediate timeout configured or datagram load-balancing can collide with existing connections and be incorrectly sent with source and/or destination port 0.

Conditions:
-- Conditions to trigger this issue with TCP traffic:
   - 3-way handshake initiated by client to virtual server.
   - Client actively closing the connection - 4-way close.
   - Client continues to send ACK after 4-way close.

-- Conditions to trigger this issue with UDP traffic:
   - UDP profile has timeout immediate configured or datagram load-balancing.
   - UDP packet arrives that matches an expiring but still-present connection.

-- Provisioned for AFM.

Impact:
Virtual server performs an incorrect reset with source or destination port 0, or UDP proxy traffic is sent incorrectly with source and/or destination port 0.

Workaround:
None.

Fix:
Connection flow collision no longer causes packets to be sent from source port 0.


745825-3 : The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading

Component: TMOS

Symptoms:
This message may be logged while the audit_forwarder is loading the configuration:

audit_forwarder is disabled as the configuration is incomplete. Please define the following db variables: config.auditing.forward.sharedsecret, config.auditing.forward.destination and config.auditing.forward.type. And make sure config.auditing.forward.destination is not set to "::".

These DB variables may all be actually configured correctly, but since the configuration has not loaded yet this message may be logged multiple times.

Conditions:
The audit_forwarder process is starting up and loading the configuration.

Impact:
Confusing error messages in /var/log/ltm. Logging will still work as configured.

Workaround:
There is no workaround.

Fix:
Message has been modified to indicate the possibility of loading the configuration. Message is now logged only once. A new messages is logged indicating when audit_forwarder is enabled.


745809 : The /var partition may become 100% full requiring manual intervention to clear space

Component: TMOS

Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free

Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open on viprion machine.

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition

Workaround:
This workaround is temporary in nature, and may need to be periodically performed either manually or from a script. While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:
 bigstart stop restjavad
 rm -rf /var/config/rest/storage*.zip
 rm -rf /var/config/rest/*.tmp
 bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.

Fix:
Zip files in rest root directory will be deleted before createSnapshotStorage() in viprion workflow is called.


745802-3 : Brute Force CAPTCHA response page truncates last digit in the support id

Component: Application Security Manager

Symptoms:
Brute Force CAPTCHA response page shown to an end-user has a support id and the last digit is truncated.

Conditions:
- ASM Provisioned
- ASM policy attached to a virtual server
- ASM Brute Force Protection enabled in the asm policy
- ASM Brute Force sends captcha mitigation page when a website is under brute force attack.

Impact:
The support id presented to an end-user won't be matched to the one shown in the asm logs

Workaround:
There is no workaround at this time.

Fix:
The code is fixed, correct support id is shown in the captcha response page.


745783-3 : Anti-fraud: remote logging of login attempts

Component: Fraud Protection Services

Symptoms:
There is no support for logging of login attempts to a remote service.

Conditions:
Using high speed logging (HSL) to log login attempts.

Impact:
There is no support for logging of login attempts.

Workaround:
None.

Fix:
FPS now uses HSL to report login attempts using configured templates, rate-limit, and publisher to a remote service.

To enable this feature:

# via tmsh only
tmsh modify sys db antifraud.riskengine.reportlogins value enable
 
# via tmsh or GUI
tmsh modify sys db antifraud.internalconfig.string1 value "<login attempt log template>"
tmsh modify sys db antifraud.internalconfig.string2 value "<log-rate-exceeded log template>"
tmsh modify sys db antifraud.internalconfig.number1 value "<log-rate-exceeded threshold>"
tmsh modify security anti-fraud profile <fps profile> risk-engine-publisher <publisher>
 
 
It is recommended that you use encoding when composing an HTTP template. The default encoding level is 0, meaning 'never encode'.

To change encoding level:

tmsh modify sys db antifraud.internalconfig.number2 value <0/1/2>

Behavior Change:
FPS now includes the ability to perform High Speed Logging (HSL) of all login attempts to specific protected URLs. These events can be forwarded to remote services (e.g. SIEM Server), and, when enabled, can help indicate whether applications are under attack.


745733-1 : TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup

Component: Traffic Classification Engine

Symptoms:
TMSH command "tmsh show ltm urcat-query" does not perform cloud lookup when there is no entry in the local database.

Conditions:
- TMSH command "show ltm urlcat-query abc.com" is executed.
- abc.com doesn't have an entry in the local webroot database.

Impact:
- Cloud lookup is not executed for unknown URL entries.

Fix:
Now the "tmsh show ltm ulcat-query" command performs cloud lookup when there is no entry in the local database.


745713-1 : TMM may crash when processing HTTP/2 traffic

Solution Article: K94563344


745663-2 : During traffic forwarding, nexthop data may be missed at large packet split

Component: Local Traffic Manager

Symptoms:
When splitting large packages, nexthop data is used for the first small packet, but missed in subsequent packets.

Conditions:
Forward of host LRO packet (e.g., FTP data-channel).

Impact:
Heavy packet loss, re-transmissions, and delays.

Workaround:
None.

Fix:
Transmission time is now relatively consistent and there is no significant packet loss or delay.


745654-2 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server

Component: Access Policy Manager

Symptoms:
When there are a lot of tcp connections that needs new kerberos ticket to be fetched from kdc, then the websso processes requests slower than the incoming requests. This could lead to low throughput and virtual server is very slow to respond to requests.

Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.

Impact:
Low throughput and slow responses from Virtual server.

Workaround:
There is no workaround at this time.

Fix:
Increase the size of websso worker queue, so that tmm and websso process can communicate effectively. This eliminates VS slowness and hence increase throughput.


745628-3 : MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message

Component: Service Provider

Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALD with SNAT after a NOTIFY message has been processed.

Conditions:
This occurs because the NOTIFY message has has the TO and FROM headers with the same value causing the ALG to enter hairpin mode.

Impact:
Media addresses in the SDP payload are not translated.

Workaround:
There is no workaround.

Fix:
Hairpin mode is not entered when processing NOTIFY messages


745600-3 : Tmm crash and core using iRule

Component: Access Policy Manager

Symptoms:
Using iRule function access_session_create_cmd(), while session creation in progress, an internal timer gets set to fire after 1000 msec. In the interim, if the connflow is deleted or removed, an internal inconsistency occurs, so when that timer goes off, tmm restarts and generates a core.

Conditions:
-- Creating access session using iRule.
-- The session connection is deleted or removed.
-- The 1000 msec interval passes, and the timer attempts to fire.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The issue no longer occurs, as the internal inconsistency is now prevented.


745574-3 : URL is not removed from custom category when deleted

Component: Access Policy Manager

Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.

Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.

Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.

Workaround:
"bigstart restart tmm" will resolve the issue.

Fix:
Made sure that the deletion takes effect properly and SSL traffic is no longer miscategorized after removal of the URL from the custom category.


745533-4 : NodeJS Vulnerability: CVE-2016-5325

Component: Local Traffic Manager

Symptoms:
It was found that the reason argument in ServerResponse#writeHead() was not properly validated.

Conditions:
iRules LX is running at the BIG-IP.

Impact:
A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request.

Workaround:
N/A.

Fix:
NodeJS updated to patch for CVE-2016-5325


745531-1 : Puffin Browser gets blocked by Bot Defense

Component: Application Security Manager

Symptoms:
Users using the Puffin Browser are blocked when accessing the Virtual Server when it is protected with either Proactive Bot Defense (within DoSL7 profile) or with the Bot Defense profile.
This applies to all version of the Puffin Browsers: Desktop, Android, iOS.

Conditions:
- Users using the Puffin Browser on Desktop, Android, iOS
- Bot Defense Profile, or: DoSL7 profile with Proactive Bot Defense is used while the "Block Suspicious Browsers" checkbox is enabled

Impact:
Users of the Puffin Browser cannot access the website

Workaround:
None

Fix:
Users of the Puffin Browser can now access the website that is protected by Bot Defense without getting blocked.
For the fix to be applied, both BIG-IP Release and ASU must be installed which contain the fix. Also, it is recommended to enable the following DB variables:
tmsh modify sys db dosl7.proactive_defense_validate_ip value disable
tmsh modify sys db dosl7.cs_validate_ip value disable


745514-3 : MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message

Component: Service Provider

Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALD with SNAT after a SUBSCRIBE message has been processed.

Conditions:
This occurs because the SUBSCRIBE message has has the TO and FROM headers with the same value causing the ALG to enter hairpin mode.

Impact:
Media addresses in the SDP payload are not translated.

Workaround:
There is no workaround.

Fix:
Hairpin mode is not entered when processing SUBSCRIBE messages


745465-3 : The tcpdump file does not provide the correct extension

Component: TMOS

Symptoms:
The output file from tcpdump generation is named support.tcpdump even though it is a compressed file.

Conditions:
Whenever tcpdump is generated and downloaded.

Impact:
You must rename the file with the correct file extension and then decompress it to access the .dmp files.

Workaround:
Rename the downloaded file from support.tcpdump to <filename>.tar.gz and decompress it.

Fix:
File name changed to support.tcpdump.tar.gz.

Behavior Change:
The tcpdump file has a different name and file extension - support.tcpdump.tar.gz


745404-2 : MRF SIP ALG does not reparse SDP payload if replaced

Component: Service Provider

Symptoms:
When a SIP message is loaded, the SDP is parsed. If modified or replaced, the system does not reparse the modified payload.

Conditions:
This occurs internally while processing SDP in a SIP message.

Impact:
Changes to the SDP are ignored when creating media pinhole flows

Workaround:
None.

Fix:
The SDP payload is now reparsed if modified or replaced.


745397-3 : Virtual server configured with FIX profile can leak memory.

Component: Service Provider

Symptoms:
System memory increases with each transmitted FIX message. tmm crash.

Conditions:
-- Virtual server configured with a FIX profile.
-- FIX profile specifies a message-log-publisher.

Impact:
Memory leak. Specifically, in the xdata cache. Potential traffic disruption while tmm restarts.

Workaround:
If possible, discontinue use of message logging functionality. Removing the message-log-publisher from the FIX profile stops xdata growth.


745387-3 : Resource-admin user roles can no longer get bash access

Solution Article: K07702240


745371-2 : AFM GUI does not follow best security practices

Solution Article: K68151373


745358-3 : ASM GUI does not follow best practices

Solution Article: K14812883


745261-1 : The TMM process may crash in some tunnel cases

Component: TMOS

Symptoms:
When Direct Server Return (DSR) or asymmetric routing with a tunnel is deployed, the TMM process may crash.

Conditions:
There are two scenarios that may lead to this issue:

Scenario 1: DSR
- DSR is deployed.


Scenario 2: Asymmetric routing
- The sys db variable connection.vlankeyed is set to 'disable'.
- A VLAN and a tunnel are used to handle asymmetric routing.

Impact:
The TMM process crashes.Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The TMM process no longer crashes.


745257-3 : Linux kernel vulnerability: CVE-2018-14634

Solution Article: K20934447


745165-3 : Users without Advanced Shell Access are not allowed SFTP access

Solution Article: K38941195


745103-4 : NodeJS Vulnerability: CVE-2018-7159

Solution Article: K27228191


745027 : AVR is doing extra activity of DNS data collection even when it should not

Component: Application Visibility and Reporting

Symptoms:
When collecting DNS data, AVR generates data that is used only for BIG-IQ, even if not connected to BIG-IQ.

Conditions:
DNS Statistics collection or DNS-DoS is configured.

Impact:
avrd process is taking more CPU cycles for activity that is not needed. There is no impact to functionality.

Workaround:
None.

Fix:
The system no longer performs extra computation that is not needed in this case.


744959-1 : SNMP OID for sysLsnPoolStatTotal not incremented in stats

Component: Carrier-Grade NAT

Symptoms:
SNMP OID for sysLsnPoolStatTotal is not incremented in stats totals.

Conditions:
This affects all of the global port block allocation (PBA) counters.

Impact:
SNMP OID for sysLsnPoolStatTotal is not incremented when it should be. Stats are not accurate.

Workaround:
None.

Fix:
SNMP OID for sysLsnPoolStatTotal is now incremented in stats totals.


744949-3 : MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix

Component: Service Provider

Symptoms:
SIP response messages have the wrong IP address in the FROM header when using NAT64.

Conditions:
If the client's IPv6 address does not match the virtual server's configured IPv6 prefix, the FROM header on a response message will have a different IP address that the request message.

Impact:
The SIP ALG with SNAT system will be unable to establish a call for the client.

Workaround:
There is no workaround at this time.

Fix:
The FROM header will now contain the client's IP address.


744937-9 : BIG-IP DNS and GTM DNSSEC security exposure

Solution Article: K00724442

Component: Global Traffic Manager (DNS)

Symptoms:
For more information please see: https://support.f5.com/csp/article/K00724442

Conditions:
For more information please see: https://support.f5.com/csp/article/K00724442

Impact:
For more information please see: https://support.f5.com/csp/article/K00724442

Workaround:
None.

Fix:
For more information please see: https://support.f5.com/csp/article/K00724442

Behavior Change:
Note: After installing a version of the software that includes the fix for this issue, you must set the following db variables:

-- dnssec.nsec3apextypesbitmap
-- dnssec.nsec3underapextypesbitmap.

These two db variables are used globally (i.e., not per-DNSSEC zone) to configure the NSEC3 types bitmap returned in one-off NODATA responses for apex and under-apex responses, respectively.

When the BIG-IP system is queried for a DNS name in which the DNS name exists and is not of the RR type requested, the NSEC3 types bitmap on the response reflects what you configure for the db variable, minus the queried-for type.

When using these variables:

-- Configure type values as all lowercase.
-- Enclose multiple types in quotation marks (e.g., "txt rrsig").
-- Understand that there is likely no need to change the apex type setting; do so with extreme care. The under-apex settings are what you will find helpful in addressing the negative caching issue.


744707-4 : Crash related to DNSSEC key rollover

Component: Global Traffic Manager (DNS)

Symptoms:
When running out of memory, a DNSSKEY rollover event might cause a tmm crash and core dump.

Conditions:
-- System has low memory or is out of memory.
-- DNSSKEY rollover event occurs.

Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.

Fix:
Fixed an issue in DNSSEC Key Rollover event that could cause a crash.


744685-1 : BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension

Component: Local Traffic Manager

Symptoms:
An intermediate CA certificate should be considered invalid if the certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension. The BIG-IP system does not enforce this.

Conditions:
The SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop.

Impact:
The system might unexpectedly accept the SSL connection while the peer is using an inappropriate certificate.

Workaround:
None.

Fix:
With this fix, if the SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the SSL handshake if the peer's CA certificate does not contain both 'Basic Constraints: critical' and 'CA:TRUE' in its extension.

Behavior Change:
When authenticating a peer's SSL certificate, the system requires a CA certificate to have the 'Basic Constraints' and 'CA:True' in its extension, like this:

            X509v3 Basic Constraints: critical
                CA:TRUE

If an SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the handshake if the peer's CA certificate does not satisfy this requirement.


744595-1 : DoS-related reports might not contain some of the activity that took place

Component: Application Visibility and Reporting

Symptoms:
Occasionally, some telemetry data of DoS related activity is lost.

Conditions:
No specific condition other than using the BIG-IP system anti-DDoS feature.

Impact:
DoS related reports might not contain some of the activity that takes place.

Workaround:
None.

Fix:
Issue was fixed, all telemetry data is collected without errors.


744589-1 : Missing data for Firewall Events Statistics

Component: Application Visibility and Reporting

Symptoms:
Statistical information that is collected for Firewall event, has some data that is getting lost and not reported.

When this is taking place, the following message appears at avrd log:
Some rows of load_stat_firewall_events_<some number> not loaded

Conditions:
AFM is used, no particular condition that leads to this situation of losing some of the stats, usually takes place under heavy activity.

Impact:
Statistical reports of Firewall Events are missing some the the activity that actually took place.

Workaround:
There is no workaround at this time.

Fix:
Issue with missing data was fixed.


744556-1 : Upgrade PingAccess SDK used by BIG-IP APM to v1.1.3

Solution Article: K01226413

Component: Access Policy Manager

Symptoms:
Upgrading PingAccess SDK from v1.0.0 to v1.1.3

Conditions:
The SDK is upgraded during system upgrade.

Impact:
BIG-IP APM will internally use PingAccess SDK v1.1.3 when interacting with PingAccess servers.

Workaround:
Not Applicable.

Fix:
Upgraded PingAccess SDK used by BIG-IP APM to the v1.1.3, applicable when BIG-IP APM interacts with PingAccess servers.


744532-2 : Websso fails to decrypt secured session variables

Component: Access Policy Manager

Symptoms:
Whenever websso tries to decrypt secure session variables, the following error is seen /var/log/apm:

Aug 15 21:36:25 abcd err websso.0[20421]: 014d0028:3: /Common/Test_PRP:Common:2b8e7abc: Master Decrypt failed for user test with error 'ckDecrypt: invalid ciphertext'
Aug 15 21:36:25 abcd info websso.0[20421]: 014d0009:6: /Common/Test_PRP:Common:2b8e7abc: Websso basic authentication for user 'test' using config '/Common/sso_test_obj'

Conditions:
- Per-req policy is attached to virtual server.
- Secure subsession variables are assigned to session variables using Variable Assign Agent in per-req policy.
- SSO Configuration Select agent is used in per-req policy.

Impact:
Single Sign-On (SSO) won't work correctly.

Workaround:
There is no workaround at this time.


744516-1 : TMM panics after a large number of LSN remote picks

Component: Carrier-Grade NAT

Symptoms:
TMM panics with the assertion 'nexthop ref valid' failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.

Conditions:
An LSN Pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.

Impact:
TMM restarts. Traffic is interrupted.

Workaround:
There is no workaround.

Fix:
TMM no longer panics regardless of the number of remote picks.


744407-5 : While the client has been closed, iRule function should not try to check on a closed session

Component: Access Policy Manager

Symptoms:
tmm cores. System posts a message:

access::session exists is used during CLIENT_CLOSED iRule event.

Conditions:
-- Client has closed the connection.
-- iRule function tries to check on a closed session.
-- An 'access session::exists' command is used inside the iRule event CLIENT_CLOSED.

Impact:
tmm may core. Traffic disrupted while tmm restarts.

Workaround:
Do not use the iRule command 'access session::exists' inside CLIENT_CLOSED.

Fix:
Command execution of 'access::session exists' is now prevented in the iRule event CLIENT_CLOSED.


744347-2 : Protocol Security logging profiles cause slow ASM upgrade and apply policy

Component: Application Security Manager

Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.

Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.

Impact:
ASM upgrade and apply policy are delayed.

Workaround:
There is no workaround at this time.


744331 : OpenSSH hardening

Component: TMOS

Symptoms:
The default OpenSSH configuration does not follow best practices for security hardening.

Conditions:
Administrative SSH access enabled.

Impact:
OpenSSH does not follow best practices.

Fix:
The default OpenSSH configuration includes best practices for security hardening.


744280-1 : Enabling or disabling a Distributed Application results in a small memory leak

Component: Global Traffic Manager (DNS)

Symptoms:
Enabling or disabling a Distributed Application results in an 8 byte memory leak.

Conditions:
Enabling or disabling a Distributed Application.

Impact:
8 bytes of memory are leaked every time a Distributed Application is enabled or disabled. If Distributed Applications are repeatedly programmatically enabled and disabled, over time, the system might eventually exhaust all available memory.

Workaround:
None.

Fix:
Enabling or disabling a Distributed Application no longer results in a memory leak.


744275-3 : BIG-IP system sends Product-Name AVP in CER with Mandatory bit set

Component: Service Provider

Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.

Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Product-Name AVP.

Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.

Workaround:
Configure an iRule in the MRF transport-config, for example:

ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 269 0
        }
    }
}

Fix:
This release always clears the Mandatory bit for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.


744269-2 : dynconfd restarts if FQDN template node deleted while IP address change in progress

Component: Local Traffic Manager

Symptoms:
The dynconfd daemon may crash and restart if an FQDN template node is deleted (by user action or config sync) while ephemeral nodes are in the process of being created, and deleted as the result of new IP addresses being returned by a recent DNS query.

Conditions:
This may occur on BIG-IP version 14.0.0.3 (and BIG-IP versions 13.1.x or v12.1.x with engineering hotfixes for ID 720799, ID 721621 and ID 726319), under the following conditions:
1. A DNS query returns a different set of IP addresses for one or more FQDN names.
2. While new ephemeral node(s) are being created (for new IP addresses and deleted (for old IP addresses), an FQDN template node is deleted (either by user action or config sync).

Impact:
The dynconfd daemon crashes and restarts.
Ephemeral nodes may not be updated in a timely manner while the dynconfd daemon is restarting.

Fix:
The dynconfd daemon does not crash and restart if an FQDN template node is deleted while ephemeral nodes are in the process of being created and deleted as the result of new IP addresses being returned by a recent DNS query.


744210-1 : DHCPv6 does not have the ability to override the hop limit from the client.

Component: Local Traffic Manager

Symptoms:
DHCPv6 packet may be dropped by a device after the DHCP relay if the client provided hop limit is 1.

Conditions:
DHCPv6 Relay configured on the BIG-IP.

Impact:
Loss of DHCPv6 service.

Workaround:
There is no workaround at this time.

Fix:
Configurable hop limit over-ride capabilities provided for client sent DHCPv6 packets.


744188 : First successful auth iControl REST requests will now be logged in audit and secure log files

Component: TMOS

Symptoms:
Previously, when making a REST request from a client for the first time and it is successful, this action was not logged.

Just subsequent REST calls were logged or initial failed REST calls from a client were logged.

Conditions:
Making a successfully auth-ed initial REST request from a new client to BIG-IP.

Impact:
BIG-IP admins would not know when a new client first made a successful REST call to BIG-IP.

Workaround:
None.

Fix:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.

Here's an example of what shows in audit log:

-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user bart2 - RAW: httpd(pam_audit): user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".

Here's an example of what shows in secure log:

-- info httpd(pam_audit)[26561]: user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user usr2 - RAW: httpd(pam_audit): user=usr2(usr2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".

Subsequent REST calls will continue to be logged normally.

Behavior Change:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.

Subsequent REST calls will continue to be logged normally.


744117-5 : The HTTP URI is not always parsed correctly

Solution Article: K18263026

Component: Local Traffic Manager

Symptoms:
The HTTP URI exposed by the HTTP::uri iRule command, Traffic Policies, or used by ASM is incorrect.

Conditions:
-- HTTP profile is configured.
-- The URI is inspected.

Impact:
If the URI is used for security checks, then those checks might be bypassed.

Workaround:
None.

Fix:
The HTTP URI is parsed in a more robust manner.


744035-4 : APM Client Vulnerability: CVE-2018-15332

Solution Article: K12130880


743961-3 : Signature Overrides for Content Profiles do not work after signature update

Component: Application Security Manager

Symptoms:
JSON profile signature override does not include legacy signature after Automatic Signature Update (ASU).

Conditions:
Signature override on content profile ASU with major update to targeted sig.

Impact:
-- Unexpected block on a previously white-listed signature.
-- Confusing logging for why the signature was blocked (should indicate it was due to using an old signature version).

Workaround:
-- Create the signature override at higher context, e.g., the URL. Removing the URL context override again keeps it fixed.
-- Enforce new version of sig globally.

Fix:
Signature Overrides for Content Profiles now work after signature update.


743857 : Clientssl accepts non-SSL traffic when cipher-group is configured

Solution Article: K21942600

Component: Local Traffic Manager

Symptoms:
Clientssl accepts Non-SSL traffic even when "Non-SSL Connections" is disabled.

Conditions:
In clientssl profile, Cipher Group is configured and one of the "No SSL/TLS/DTLS" option is enabled.

Impact:
Connections to VIP with clientssl profile are not encrypted.
If SSL client authentication is enabled, plaintext request is successful meaning that client can get access to resources otherwise requiring a valid client certificate.

Workaround:
Use Cipher String instead of Cipher Group when configuring clientssl profile.

Fix:
Properly validate cipher suites in a cipher group before use.


743815-3 : vCMP guest observes connflow reset when a CMP state change occurs.

Component: TMOS

Symptoms:
There is a connflow reset when a CMP state change occurs on a vCMP guest. The system posts log messages similar to the following: CMP Forwarder expiration.

Conditions:
-- vCMP configured.
-- Associated virtual server has a FastL4 profile with loose init and loose close enabled.

Impact:
This might interrupt a long-lived flow and eventually cause an outage.

Workaround:
None.

Fix:
The system now drops the connflow instead of resetting it.


743810-1 : AWS: Disk resizing in m5/c5 instances fails silently.

Component: TMOS

Symptoms:
Resizing the disk in an m5/c5 instance in AWS has no impact on the disk size, and this operation fails silently.

Conditions:
BIG-IP system deployed in AWS with m5/c5 instance type that uses NVME disks instead of the usual native paravirt disks.

Impact:
Disk resizing fails; administrators cannot grow the instance disk in response to their requirements and instance utilization post-deployment.

Workaround:
There is no workaround.

Fix:
AWS: Disk resizing now works as expected.


743803-2 : IKEv2 potential double free of object when async request queueing fails

Component: TMOS

Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.

Conditions:
When an async IPsec crypto operation fails to queue.

Impact:
Restart of tmm. All tunnels lost must be re-established.

Workaround:
No workaround known at this time.


743790-3 : BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus

Component: TMOS

Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might drop off the PCI bus, resulting in the BIG-IP system not being able to pass traffic. However, no high availability (HA) failover condition is triggered, so the BIG-IP system stays active.

Conditions:
HSB drops off the PCI bus. This is caused in response to certain traffic patterns (FPGA issue) that are yet to be determined.

Impact:
No failover to standby unit after this error condition, causing site outage.

Workaround:
None.

Fix:
Now the active BIG-IP system fails over to the standby when HSB on the active unit drops off the PCI bus.


743437-1 : Portal Access: Issue with long 'data:' URL

Component: Access Policy Manager

Symptoms:
HTML page may contain a very long 'data:' URL. Portal Access cannot handle such URLs correctly.

Conditions:
HTML page with very long 'data:' similar to the following example:

    data:image/png;base64,...

Such URLs might be several megabytes long.

Impact:
The rewrite plugin cannot process HTML pages with very long URLs and restarts. The page is not sent to the end user client; web application may not work correctly.

Workaround:
There is no workaround at this time.

Fix:
Now Portal Access handles very long 'data:' URLs correctly.


743257-1 : Fix block size insecurity init and assign

Component: Local Traffic Manager

Symptoms:
After an HA failover the block size insecurity checks were creating conditions for an infinite loop. This causes tmm to be killed by sod daemon via SIGABRT.

Conditions:
Rare not reproducible.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.

Fix:
The init and assign of block size insecurity were modified and debug checks added. A possible loop condition in ssl renegotiation was removed.


743150-1 : Increase the limit of the maximum allowed timestamp for OAuth token processing for OAuth Client

Component: Access Policy Manager

Symptoms:
During OAuth token processing for OAuth Client, if the timestamp is set to a value greater than INT32_MAX (2147483647), the BIG-IP system posts an error message, but the error is not descriptive enough to assist in troubleshooting. The error message appears similar to the following:
 err apmd[14229]: 01490290:3: /Internet/Oauth_OpenAM_Preprod:Internet:46ea50d9:/Internet/server_act_oauth_client_ag: OAuth Client: failed for server '/Internet/server1' using 'authorization_code' grant type (client_id=oidc), error: stoi

Conditions:
-- OAuth token processing for OAuth Client.
-- Timestamp value greater than INT32_MAX.

Impact:
The APM end user is not granted access because the the policy does not complete successfully.

Workaround:
None.

Fix:
The maximum allowed timestamp is increased from INT32_MAX (2147483647) to 6249223209600, and now includes more descriptive error messages for better troubleshooting when the BIG-IP system receives invalid timestamps.


743082-1 : Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members

Component: TMOS

Symptoms:
Upgrading to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 might result a configuration that fails to load due to a stray colon-character that gets added to the configuration file.

Conditions:
-- Upgrade from pre-12.1.3 to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2.
-- GTM Pool Members.

Impact:
Configuration fails to load.

Workaround:
Remove stray colon-character from bigip_gtm.conf.

Fix:
Fixed an issue preventing configurations from loading into 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from a version before 12.1.3.


742829-3 : SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0

Component: Service Provider

Symptoms:
The BIG-IP system incorrectly handles SDP media ports. UAC sends SDP message body publishing capable of handling voice, text, and video. UAS responds, publishing voice, text and video not desired by setting video port to '0'. The BIG-IP system does not honor the fact that UAS does not want video, and translates video port '0' to an ephemeral port, causing the UAC to believe it must open a video channel. When the UAC sends a video connection request, the BIG-IP system sends the request to the wrong port, i.e., to the media port for text, which causes the connection to fail.

Conditions:
RTP media port defined in the SIP message is set to 0.

Impact:
Improper media channel creation.

Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.


742628-5 : Tmsh session initiation adds increased control plane pressure

Solution Article: K53843889

Component: TMOS

Symptoms:
Under certain circumstances, the Traffic Management Shell (tmsh) can consume more system memory than expected.

Conditions:
Multiple users or remote processes connecting to the BIG-IP administrative command-line interface.

Impact:
Increased control plane pressure. Various delays may occur in both command-line and GUI response. Extreme instances may cause one or more processes to terminate, with potential disruptive effect. Risk of impact from this issue is increased when a large number of automated tmsh sessions are created.

Workaround:
For users with administrative privilege (who are permitted to use the 'bash' shell), the login shell can be changed to avoid invoking tmsh when it may not be needed:

tmsh modify /auth user ADMINUSERNAME shell bash


742627-2 : SSL session mirroring may cause memory leakage if HA channel is down

Component: Local Traffic Manager

Symptoms:
If SSL session mirroring is enabled, but the HA channel is down, attempts to mirror may result in memory leakage.

Conditions:
- SSL session mirroring enabled
- HA channel is down

Impact:
Memory leakage over time resulting in eventual memory pressure leading to performance degradation and possible TMOS restart.

Workaround:
Ensuring that the HA peer is present and connected will avoid the leakage. Otherwise, no reasonable workaround exists short of disabling SSL session mirroring.

Fix:
SSL session mirroring no longer leaks memory when the HA channel is down.


742237-2 : CPU spikes appear wider than actual in graphs

Component: Local Traffic Manager

Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.

Conditions:
CPU usage has spikes.

Impact:
Graphs of CPU spikes appear to last longer than they actually last.

Workaround:
Perform the following procedure:

1. Run the following command to record the 5-second average rather than the 1-second average:

sed -i.bak 's/TMCOLNAME "ratio"/TMCOLNAME "five_sec_avg.ratio"/;s/TMCOLNAME "cpu_ratio_curr"/TMCOLNAME "cpu_ratio_5sec"/g' /config/statsd.conf

2. Restart statsd to load the new configuration:

bigstart restart statsd

Fix:
CPU samples for graphs are averaged over longer time to more closely represent actual time between samples.


742226-2 : TMSH platform_check utility does not follow best security practices

Solution Article: K11330536


742184-1 : TMM memory leak

Component: Local Traffic Manager

Symptoms:
-- High TMM memory utilization;
-- Aggressive sweeper activated;
-- the 'packet', 'xdata' and 'xhead' caches in the memory_usage_stat tmstat table have high 'allocated' and 'curr_allocs' numbers with a steadily increasing profile.

Conditions:
A fastL4 and a L7 profile (e.g. HTTP) are assigned to a virtual server.

Impact:
Degraded performance, possible TMM crash due to out-of-memory condition.

Workaround:
Do not add a L7 profile to a fastL4 virtual server.

Fix:
No memory leak in the TMM.


742078-2 : Incoming SYNs are dropped and the connection does not time out.

Component: Local Traffic Manager

Symptoms:
There is a hard-coded limit on the number of SYNs forwarded on a FastL4 connection. This might cause a problem when a connection is reused, for example, if a connection is not correctly closed.

Conditions:
-- SYN forwarding on FastL4 connections.
-- The number of SYNs on a single connection reaches the hard-coded limit.

Impact:
If the number of SYNs on a single connection reaches this limit, subsequent incoming SYNs are dropped and the connection might not time out.

Workaround:
There is no workaround.

Fix:
The following command enables the forwarding of an an unlimited number of SYNs:
tmsh modify sys db tm.dupsynenforce value disable


742037-3 : FPS live updates do not install when minor version is different

Component: Fraud Protection Services

Symptoms:
Install update file with a different minor version.
For example, install update file versioned 13.1.1 on BIG-IP version 13.1.0.

Conditions:
FPS is licensed and provisioned.

Impact:
FPS engine and signature cannot be updated.

Workaround:
N/A

Fix:
The minor version in update file is now ignored and only the major version is validated.


741993-1 : The BIG-IP system does not answer the request matching L7 policy that disabled DOSL7 when BADOS configured.

Component: Anomaly Detection Services

Symptoms:
The BIG-IP system does not answer the request matching the L7 policy that disabled DOSL7 when BADOS is configured. The connection hangs.

Conditions:
1. Create a DoS profile Behavioral & Stress-based (D)DoS Detection.
2. Create an L7 policy to disable DoS profile (even on all URLs).
3. Attach both to a virtual server.
4. Send a request to the virtual server.

Impact:
Connection hangs.

Workaround:
There is no workaround other than disabling the Behavioral & Stress-based (D)DoS Detection from the DoS profile.

Fix:
The system now correctly handles a disabled DOSL7 policy.


741951-2 : Multiple extensions in SIP NOTIFY request cause message to be dropped.

Component: Service Provider

Symptoms:
When SIP NOTIFY messages are sent with a request URI that contains multiple client extensions, the system does not forward the message as expected.

Conditions:
SIP NOTIFY messages sent with a request URI that contains multiple client extensions.

Impact:
NOTIFY message is not forwarded.

Workaround:
None.

Fix:
Improved SIP URI parser now correctly handles multiple extensions in a URI.


741919 : HTTP response may be dropped following a 100 continue message.

Component: Local Traffic Manager

Symptoms:
When a 100 response a quickly followed by another HTTP response (2xx/4xx), the second response might be dropped.

Conditions:
When a 100 response is quickly followed by another HTTP response (i.e., a 2xx/4xx response arrives within a few microseconds).

Impact:
The second response might be dropped, so the end user client might not receive all the HTTP responses coming from the server.

Note: This does not happen all the time, and depends on how the underlying data packets are formed and delivered to the HTTP filter.

Workaround:
You can use either of the following workarounds:
-- Use an iRule to disable the HTTP filter in the HTTP_REQUEST event.

-- Disable LRO by running the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable


741902-3 : sod does not validate message length vs. received packet length

Component: TMOS

Symptoms:
sod may crash or produce unexpected behavior.

Conditions:
If a malformed network failover packet is received by sod, it may cause an invalid memory access.

Impact:
sod may crash, causing a failover.

Workaround:
None.

Fix:
sod validates the received packet length and does not reference invalid memory.


741858-1 : TMM may crash while processing Portal Access requests

Solution Article: K52206731


741767-2 : ASM Resource :: CPU Utilization statistics are in wrong scale

Component: Application Visibility and Reporting

Symptoms:
Security :: Reporting : ASM Resources : CPU Utilization have the wrong scale for statistics.

Conditions:
Having the 'CPU Utilization' statistics under 'ASM Resources' available.

Impact:
Wrong scale of statistics.

Workaround:
To work around this issue:

1. Edit the following file: /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
2. Remove all division by 100 on 'formula' of each entity.
3. Save the change and restart monpd (bigstart restart monpd).

Fix:
Scale is now fixed and is not pre-divided by 100.


741761-1 : admd might fail the heartbeat, resulting in a core

Component: Anomaly Detection Services

Symptoms:
When the system is under heavy I/O stress, admd might fail the heartbeat (which is required by sod, the failover daemon), so sod kills the admd daemon, resulting in a core.

Conditions:
-- System is under heavy I/O stress.
-- admd fails the heartbeat.

Impact:
The system generates an admd core file. Traffic disrupted while admd restarts.

Workaround:
None.


741752-1 : [BADOS] state file is not saved when virtual server reuses a self IP of the device

Component: Anomaly Detection Services

Symptoms:
BADOS state file is not saved.

Conditions:
Virtual server reuses a self IP of the device.

Impact:
After admd restarts, learned information - baseline and good dataset can disappear.

Workaround:
None.

Fix:
This system now handles this situation without impact, so the state file is saved as expected.


741535-1 : Memory leak when using SAML or Form-based Client-initiated SSO

Component: Access Policy Manager

Symptoms:
With SAML or Form-based Client-initiated SSO configured, BIG-IP system memory usage increases with every HTTP request that is proxied to the backend. The type of memory that increases is tmjail. You can view memory usage using the following command: tmsh sys show memory.

At some point, the BIG-IP system enables connection evictions in order to reduce the memory pressure, which causes service disruptions. You might see the following warning log messages.

-- warning tmm[20537]: 011e0002:4: sweeper_segment_cb_any: Aggressive mode /Common/default-eviction-policy activated (0) (global memory).
-- warning tmm1[20537]: 01010290:4: TCP: Memory pressure activated.
-- err tmm1[20537]: 011e0003:3: Aggressive mode sweeper: /Common/default-eviction-policy (100000000000b) (global memory) 413 Connections killed.

Conditions:
SAML or Form-based Client-initiated SSO is used.

Impact:
Potential service disruption.

Workaround:
No workaround other than not using SAML or Form-based Client-initiated SSO.

Fix:
The memory leak associated with SAML or Form-based Client-initiated SSO no longer occurs.


741449-1 : alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts

Component: Fraud Protection Services

Symptoms:
JAVASCRIPT_THRESHOLD alert should contain 2 timestamps:
1. component-validation cookie timestamp (set on cookie creation)
2. current BIG-IP timestamp

currently, these timestamps are not available in the alert details

Conditions:
JAVASCRIPT_THRESHOLD alert is triggered

Impact:
it is impossible to analyze the alert

Workaround:
There is no workaround at this time.

Fix:
FPS should always include both timestamps when triggering the JAVASCRIPT_THRESHOLD alert


741423-2 : Secondary blade goes offline when provisioning ASM/FPS on already established config-sync

Component: TMOS

Symptoms:
When provisioning ASM for the first time on a device that is already linked in a high availability (HA) config-sync configuration, any other cluster device that is on the trust domain experiences mcpd restarting on all secondary blades due to a configuration error.

The system logs messages similar to the following in /var/log/ltm:
-- notice mcpd[12369]: 010718ed:5: DATASYNC: Done initializing datasync configuration for provisioned modules [ none ].
-- err mcpd[9791]: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.
-- err mcpd[9791]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.... failed validation with error 16908342.
-- notice mcpd[12369]: 0107092a:5: Secondary slot 2 disconnected.

Conditions:
-- Cluster devices are joined in the trust for high availability (HA) or config-sync.
-- Provisioning ASM or FPS on clusters which are already joined in a trust.
-- ASM and FPS have not been provisioned on any of the devices: this is the first ASM/FPS provisioning in the trust.

Impact:
Traffic on all secondary blades is interrupted while mcpd restarts. Then, traffic is resumed.

Workaround:
Before provisioning ASM/FPS (but after setting up a trust configuration):

1. On the device on which ASM/FPS is about to be provisioned, create the datasync-global-dg device group and add all of the available devices.

For example, if there are two devices in the Trust Domain: test1.lab.com and test2.lab.com, and you plan to provision ASM/FPS for the first time on test1.lab.com, first run the following command from test1.lab.com:

tmsh create cm device-group datasync-global-dg devices add { test1.lab.com test2.lab.com }

2. Do not sync the device group.
3. Then on test1.lab.com, you can provision ASM/FPS.

Fix:
Secondary blades no longer go offline when provisioning ASM/FPS on already established high availability (HA) or config-sync configurations.


740963-2 : VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart

Component: Local Traffic Manager

Symptoms:
VIP-on-VIP traffic might cause TCP retransmit bursts, which in certain situations can cause tmm to restart.

Conditions:
- Virtual server handling TCP traffic.
- iRule using the 'virtual' command.

Impact:
Temporary memory consumption and potential for tmm to restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TCP retransmit bursts are now handled gracefully.


740777-1 : Secondary blades mcp daemon restart when subroutine properties are configured

Component: Access Policy Manager

Symptoms:
Secondary blades' MCP daemons restart with the following error messages:
-- err mcpd[26818]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested Subroutine Properties (/Common/confirm_10 /Common/confirm_10) was not found.... failed validation with error 16908342.

Conditions:
When a subroutine is configured in the access policy.

Impact:
The secondary blade MCP daemon restarts. Cannot use subroutine in the access policy.

Workaround:
There is no workaround other than to not use subroutine in the access policy.

Fix:
You can now use subroutines in the access policy.


740719-2 : ASM CSP header parser does not honor unsafe-inline attribute within script-src directive

Component: Application Security Manager

Symptoms:
Browser reports Content-Security-Policy error when ASM modifies the 'Content-Security-Policy' (CSP) header.

Conditions:
1. ASM provisioned.
2. ASM policy attached to a virtual server.
3. CSRF or Ajax blocking page enabled within ASM policy
4. Backend server sends 'Content-Security-Policy' header with 'script-src' 'unsafe-inline' directive.

Impact:
Browser posts 'Content-Security-Policy' error and stops JavaScript execution.

Workaround:
Disable 'Content-Security-Policy' header parsing for ASM policies. To do so, follow these steps:

1. In /usr/share/ts/bin/add_del_internal, run the following command:
add csp_enabled 0

2. Restart ASM by running the following command:
bigstart restart asm

Fix:
ASM 'Content-Security-Policy' header parser no longer modifies the 'Content-Security-Policy' header when there is 'script-src' 'unsafe-inline' directive arriving from a backend server. This is correct behavior.


740589-3 : Mcpd crash with core after 'tmsh edit /sys syslog all-properties'

Component: TMOS

Symptoms:
Syslog-ng consumes more than 95% CPU starving other processes of CPU time. This leads to eventual mcpd crash with core.

Conditions:
Configuring nonexistent local IP addresses and remote log server.

Impact:
Abnormal CPU usage. Potential eventual mcpd crash with core.

Workaround:
To mitigate the issue, you can use either of the following:

-- Follow these two steps:
 1. Remove the remote log server from the configuration.
 2. Replace the nonexistent local IP addresses with self IP addresses.

-- Configure the remote destination host with a unique parameter in the configuration so that syslog does not get confused if there are multiple entries:
udp(192.0.2.1 port(512) localip(192.0.2.200) persist-name(r1));
udp(192.0.2.1 port(512) localip(192.0.2.201) persist-name(r2));
udp(192.0.2.100 port(512) localip(192.0.2.200) persist-name(r3));
udp(192.0.2.100 port(512) localip(192.0.2.201) persist-name(r4));


740490-1 : Configuration changes involving HTTP2 or SPDY may leak memory

Component: Local Traffic Manager

Symptoms:
If virtual servers which have HTTP2 or SPDY profiles are updated, then the TMM may leak memory.

Conditions:
-- A virtual server has a HTTP2 or SPDY profile.
-- Any configuration object attached to that virtual server changes.

Impact:
The TMM leaks memory, and may take longer to execute future configuration changes. If the configuration changes take too long, the TMM may be restarted by SOD.

Workaround:
None.

Fix:
The TMM no longer leaks memory when virtual servers that contain a HTTP2 or SPDY profile are reconfigured.


740413-3 : Sod not logging Failover Condition messages

Component: TMOS

Symptoms:
When a failsafe fault occurs, sod does not log a message indicating that the device is unable to become Active.

Conditions:
Failsafe fault.

Impact:
No 'Failover Condition'messages logged in /var/log/ltm.

Workaround:
None.


740345-1 : TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.

Component: TMOS

Symptoms:
TMM generates cores files on the device.

Conditions:
Issue is seen when connection mirroring, session mirroring and OCSP stapling is enabled.

Impact:
If a failover happens when a SSL handshake is in progress,
TMM restarts and a core file is generated on the standby device. Traffic disrupted while tmm restarts.

Workaround:
None.


740228-1 : TMM crash while sending a DHCP Lease Query to a DHCP server

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
- DHCP Lease Query is enabled on the BIG-IP system.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes while sending a DHCP Lease Query to a DHCP server.


740086 : AVR report ignore partitions for Admin users

Component: Application Visibility and Reporting

Symptoms:
The behavior of AVR's reporting feature changed after an upgrade.

Reports generated for specific partition include data from all partitions.

Conditions:
-- Users with Admin role.
-- AVR provisioned.
-- AVR profile configured and attached to a virtual server.
-- User with Admin role creates Scheduled Reports or uses GUI to view AVR reports.

Impact:
AVR GUI pages or Scheduled Reports defined for one partition include AVR data from other partitions.

Workaround:
One workaround is to have non-Admin users generate reports.

For non-Admin users, the partition is honored.

Fix:
AVR GUI pages or Scheduled Reports defined for one partition now show all users AVR data from only that partition.


739971-2 : Linux kernel vulnerability: CVE-2018-5391

Solution Article: K74374841


739970-2 : Linux kernel vulnerability: CVE-2018-5390

Solution Article: K95343321


739963-2 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
To restore the state of the member, remove it and add it back to the pool.


739947-1 : TMM may crash while processing APM traffic

Solution Article: K42465020


739945-2 : JavaScript challenge on POST with 307 breaks application

Component: Application Security Manager

Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.

Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.

Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.

Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.

Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.


739939-1 : Ping Access Agent Module leaks memory in TMM.

Component: Access Policy Manager

Symptoms:
Whenever a ping access request traverses through apm_ivs (internal virtual server) to the Ping Access Agent (e.g., Cache-Miss), a memory leak occurs.

Conditions:
Ping Access Agent request that is not served from local cache (e.g., in the Cache-Miss case).

Impact:
The slow memory leak might eventually cause TMM to restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Ping Access Agent Module no longer leaks memory in TMM.


739927-3 : Bigd crashes after a specific combination of logging operations

Component: Local Traffic Manager

Symptoms:
Bigd crashes. Bigd core will be generated.

Conditions:
1. Boot the system and set up any monitor.
2. Enable and disable bigd.debug:
-- tmsh modify sys db bigd.debug value enable
-- tmsh modify sys db bigd.debug value disable
3. Enable monitor logging.

Impact:
Bigd crashes.

Workaround:
None.

Fix:
Bigd no longer crashes under these conditions.


739900-1 : All Policies are created with 3 new Signature Sets After Creation of a Policy using Application Ready Templates

Component: Application Security Manager

Symptoms:
When a Security Policy is created using new versions of some Application Ready Templates, three new Signature Sets are created that are set to automatically be added to policies subsequently created.

Conditions:
A Security Policy is created using one of the following updated Application Ready Templates:
 * Drupal
 * Joomla
 * SAP Netweaver
 * Sharepoint
 * Wordpress

Impact:
Three new Signature Sets are created with the option 'Assign To Policy By Default' enabled. As a result, the system adds these Signature Sets to subsequently created policies. This may provide enforcement for unexpected or undesired Attack Signatures.

Workaround:
To prevent the newly created signature being added to subsequently created policies, disable 'Assign To Policy By Default'.

You can also remove the signatures from new policies after they have been created.

Fix:
The Application Ready Templates now create the new signatures with the option 'Assign To Policy By Default' disabled, so they are no longer automatically added to subsequently created policies.


739872-2 : The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover

Component: TMOS

Symptoms:
Running the 'load sys config verify' command for a configuration that would alter the high availability (HA) Group score for a Traffic Group can cause the HA group score to be updated.

Conditions:
Run 'load sys config verify' with configuration data that affects a Traffic Group's HA Group score.

Impact:
Unintended failover.

Workaround:
None.

Fix:
HA Group scores are no longer updated when running 'load sys config verify' commands.


739846-3 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection

Component: Global Traffic Manager (DNS)

Symptoms:
When the big3d runs out of memory for iQuery connections, a segmentation fault might occur.

Conditions:
-- Not enough memory to create additional iQuery connections.
-- Receive an new iQuery connection.

Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.

Workaround:
None.

Fix:
The big3d process no longer gets a segmentation fault when reaching the limits of the memory footprint while trying to establish iQuery connections.


739744-1 : Import of Policy using Pool with members is failing

Component: Access Policy Manager

Symptoms:
Import of Policy using Pool with members is failing with an error Pool member node (/Common/u.x.y.z%0) and existing node (/Common/u.x.y.z) cannot use the same IP Address (u.x.y.z)

Conditions:
Policy has pool attached to it with resource assign or chained objects

Impact:
Policy is not being imported on the same box

Workaround:
There is no workaround at this time.

Fix:
ng-import is now importing policy correctly.


739716-2 : APM Subroutine loops without finishing

Component: Access Policy Manager

Symptoms:
Some APM subroutines never finish. In authentication use cases, the end-users will continue to see logon pages, even after submitting correct credentials. In SWG confirm-and-continue use cases, the end-users will continue to see confirm boxes, even if they had already clicked "continue".

Conditions:
APM with a subroutine. Reproducibility will vary by platform and deployment.

Impact:
Subroutines never finish. End-users are not able to access resources.

Workaround:
TMM restart does resolve the issue.

Fix:
The memory corruption issue was resolved and the subroutines now correctly finish.


739674-1 : TMM might core in SWG scenario with per-request policy.

Component: Access Policy Manager

Symptoms:
TMM can core when Secure Web Gateway (SWG) is configured, and SSL is resumed through per-request policy.

Conditions:
-- SWG is configured.
-- SSL is resumed through per-request policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM does not core now when using SWG scenario with per-request policy.


739638-2 : BGP failed to connect with neighbor when pool route is used

Component: Local Traffic Manager

Symptoms:
BGP peering fails to be established.

Conditions:
- Dynamic routing enabled.
- BGP peer connect through a pool route or ECMP route.

Impact:
BGP dynamic route paths are not created.

Workaround:
Use a gateway route.

Fix:
BGP peering can be properly established through a pool route.


739618-1 : When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy

Component: Application Security Manager

Symptoms:
When using AWAF or MSP license, you cannot use the BIG-IP Configuration Utility to set rule to control ASM in an LTM policy.

Conditions:
- AWAF or MSP license

Impact:
Admin cannot use the BIG-IP Configuration Utility create LTM policy that controls ASM, and must use TMSH.

Workaround:
Use TMSH to create the rule instead of GUI:
For example:
create ltm policy Drafts/test99 controls add { asm } requires add { http } rules add { rule1 { actions add { 0 { asm enable policy dummy2 }} ordinal 1 }}

Fix:
Users can now create LTM rule in the BIG-IP Configuration Utility that controls ASM if have AWAF or MSP license.


739507 : Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check

Component: TMOS

Symptoms:
After FIPS 140-2 license is installed on BIG-IP FIPS-certified hardware devices, the system halts while booting upon performing the FIPS integrity check.

Console shows messages similar to:
  Starting System Logger Daemon...
  [ OK ] Started System Logger Daemon.
  [ 14.943495] System halted.

Conditions:
-- The BIG-IP device has a license that includes the FIPS 140-2 option (FIPS full-box license).
-- System element monitored by FIPS 140-2 integrity check has changed.
-- The device is rebooted.

Impact:
The device halts and cannot be used.

Workaround:
Workaround:
[1] Connect a terminal to the BIG-IP serial console port.
[2] From the console, enter the GRUB menu and boot into a partition that does not have a FIPS 140-2-enabled license, or into TMOS Maintenance.
[3] Mount config from the inactive partition (see K51222154: Mounting the filesystem of an inactive partition :: https://support.f5.com/csp/article/K51222154) that was halted, and examine the contents of /config/f5_public/fipserr, which shows the files that were changed, leading to failure of the FIPS 140-2 license-enabled partition.
[4] Restore those files to their original ones.
[5] Truncate the inactive partition's /config/f5_public/fipserr, e.g., by running:
   cat /dev/null > /mnt/test/f5_public/fipserr
[6] Reboot.

If the system still halts, repeat from Step [1] above, until this no longer happens.

Fix:
If your device is running a version where ID 739507 is fixed:

[1] Connect a terminal to the BIG-IP serial console port
[2] From the serial console, enter the GRUB menu.
[3] Before the countdown expires, use the Up Arrow and Down Arrow keys to stop the countdown, and select the appropriate boot image.
[4] Press the key 'E' to start the edit options. A new GRUB menu displays.
[5] Use the Up Arrow and Down Arrow keys to navigate to the line that starts with 'linux', or the first line that starts with 'module'.
[6] Add a space, followed by NO_FIPS_INTEGRITY=1 (do not press ENTER).
[7] Press the Ctrl-X sequence or the F10 key to restart the system using the modified options.

The machine boots into the partition containing FIPS 140-2-enabled license.

[8] Examine the content of file /config/f5_public/fipserr to ascertain the cause of the FIPS module startup error.
[9] Fix the problem reported in the aforementioned error file.
[10] Run the test tool /usr/libexec/sys-eicheck.py to ensure that no fatal error is reported, such as:

Integrity Check Result: [ FAIL ]

If fatal errors persist, do not reboot (otherwise the system foes into the halt state, and the steps starting from Step [1] will need to be repeated). Instead, fix the problematic files reported. Rerun the test tool until no error is seen.

Note: You can find information on the sys-eicheck (FIPS) utility in the AskF5 Non-Diagnostic Article K00029945: Using the sys-eicheck (FIPS) utility :: https://support.f5.com/csp/article/K00029945.

[11] Truncate the file /config/f5_public/fipserr:
    cat /dev/null > /config/f5_public/fipserr


739505 : Automatic ISO digital signature checking not required when FIPS license active

Component: TMOS

Symptoms:
Automatic ISO digital signature checking occurs but is not required when FIPS license active.

The system logs an error message upon an attempt to install or update the BIG-IP system:
 failed (Signature file not found - /shared/images/BIGIP-13.1.0.0.0.1868.iso.sig)

Conditions:
When the FIPS license is active, digital signature checking of the ISO is automatically performed. This requires that both the ISO and the digital signature (.sig) file are uploaded to the system.

Impact:
Installation does not complete if the .sig file is not present or not valid. Installation failure.

Workaround:
To validate the ISO on the BIG-IP system, follow the procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140.

Fix:
The restriction of requiring automatic signature checking of the ISO is removed. The procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140 to perform the checks on or off the BIG-IP system is still valid, but that checking is optional.


739446-2 : Resetting SSL-socket correctly for AVR connection

Component: Application Visibility and Reporting

Symptoms:
SSL socket is being corrupted.

Conditions:
The conditions under which this occurs have not been fully identified.

Impact:
AVR fails to make an SSL connection and report externally correctly.

Workaround:
None.

Fix:
Resetting the SSL-connection whenever required.


739379-2 : Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error

Component: Local Traffic Manager

Symptoms:
In situation where multiple SSL forward proxies are connected via virtual targeting, the SNI value extracted from ClientHello and saved in 1st layer of SSL forward proxy may get overwritten by the 2nd layer of SSL forward proxy. When this happens, certification verification will fail when 1st layer of SSL forward proxy attempts to validate certificate.

Conditions:
Two SSL forward proxies connected via virtual command in iRule.

Impact:
Client traffic gets random reset.

Workaround:
None.

Fix:
The search scope of storing parsed SNI is now local to each SSL forward proxy.


739349-1 : LRO segments might be erroneously VLAN-tagged.

Component: Local Traffic Manager

Symptoms:
Segments being processed for large receive offload (LRO) (the action the system performs to aggregate multiple incoming packets within a buffer before passing them up)
might be erroneously VLAN-tagged when LRO is enabled.

Conditions:
-- TCP LRO enabled.
-- Egress VLAN untagged.

Impact:
Egress traffic might sometimes be tagged.

Workaround:
Disable TCP LRO. To enable or disable LRO functionality, you can use the following command syntax:

tmsh modify sys db tm.tcplargereceiveoffload value <enable | disable>

Fix:
The system now ensures that fragment packet flags are correctly set.


739345 : Reporting invalid signature id after specific signature upgrade

Component: Application Security Manager

Symptoms:
An incorrect/invalid signature id is reported.

Conditions:
The signature was changed in an upgrade.

Impact:
Not able to confirm successful signature update.

Workaround:
When the signature id prefix is 6, replace it with 2 when looking for the actual signature.

Fix:
Fixed a reporting issue with signature ids after upgrade.


739285-1 : GUI partially missing when VCMP is provisioned

Component: TMOS

Symptoms:
GUI may be partially missing.

Conditions:
VCMP must be provisioned.

Impact:
GUI may be partially missing.

Workaround:
Use tmsh or deprovision VCMP.

Fix:
the GUI now works as expected when VCMP is provisioned.


739277 : TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode

Component: Anomaly Detection Services

Symptoms:
TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode

Conditions:
-- The virtual server is deleted during POST data.
-- BADOS configured in standard/aggressive mode.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can work around this issue using either of the following options if you plan to delete a virtual server:

-- First detach the DoS protection profile.
-- Remove BADOS configuration or change BADOS mitigation to Conservative.

Fix:
This release corrects an TMM crash that occurred when the virtual server was deleted during POST data and BADOS was in standard/aggressive mode.


739272-1 : Incorrect zombie counts in PBA stats with long PBA block-lifetimes

Component: Carrier-Grade NAT

Symptoms:
Due to a truncation error, a long Port Block Allocation (PBA) block lifetime can cause the PBA zombie stats to get incremented before the block lifetime expires and even though a zombie block has not been created.

Conditions:
Large Scale NAT (LSN) pool or Firewall NAT source-translation with a Port Block Allocation Block Lifetime greater than 65535.

Impact:
This bug affects only the 'Active Zombie Port Blocks', 'Total Zombie Port Blocks Created', and 'Total Zombie Port Blocks Deleted' counters. It does not convert active blocks to zombie blocks before the block lifetime expires.

Workaround:
There is no workaround.

Fix:
The 'Active Zombie Port Blocks', 'Total Zombie Port Blocks Created' counters are now incremented only when the PBA block lifetime expires.


739190 : Policies could be exported with not patched /Common partition

Component: Access Policy Manager

Symptoms:
Policies could be exported with not patched /Common partition and it's heading to profiles that are not being imported.

Conditions:
Policy has objects outside of partition of the policy.

Impact:
Policy cannot be imported on the same system it was exported from.

Workaround:
There is no workaround.

Fix:
Proper naming of partitions has been restored, import is back to working.


739126 : Multiple VE installations may have different sized volumes

Component: TMOS

Symptoms:
When installing a 2nd, 3rd, (or more) version of BIG-IP to a Virtual Edition (VE) instance, the sizes of the non-shared volumes may be smaller than the first. This can be an issue if, for example, /var is smaller and fills up due to UCS archives, data gathered during troubleshooting, etc.

Conditions:
Install an additional version of BIG-IP to an existing VE instance.

Impact:
Disk volumes may run out of space sooner than expected, leading to issues when that space is needed for other operations.

Workaround:
Provision additional disk space to expand the available storage.

Fix:
In this release, the installer handles this condition without issue.


739003-1 : TMM may crash when FastL4 is used on ePVA-capable BIG-IP platforms

Component: Local Traffic Manager

Symptoms:
TMM may crash when FastL4 is used on ePVA-capable BIG-IP platforms.

Conditions:
-- The virtual server has FastL4 profile assigned.
-- There is an iRule configured.
-- The iRule uses SERVER_CONNECTED event.
-- The pool member is route-able but does not exist.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when FastL4 is used on ePVA-capable BIG-IP platforms.


738985-2 : BIND vulnerability: CVE-2018-5740

Component: TMOS

Symptoms:
deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c.

Conditions:
"deny-answer-aliases" feature is explicitly enabled

Impact:
Crash of the BIND process and loss of service while the process is restarted

Workaround:
Only servers which have explicitly enabled the "deny-answer-aliases" feature are at risk and disabling the feature prevents exploitation.

Fix:
BIND patched to correct CVE-2018-5740


738945-2 : SSL persistence does not work when there are multiple handshakes present in a single record

Component: Local Traffic Manager

Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.

Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.

Impact:
SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded on to server but then connection will stall and eventually idle timeout.

Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.

After changing or disabling persistence, the transaction succeeds and no longer hangs.


738943-5 : imish command hangs when ospfd is enabled

Component: TMOS

Symptoms:
- dynamic routing enabled
- ospfd protocol enabled
- imish hangs

Conditions:
- running imish command

Impact:
ability to show dynamic routing state using imish

Workaround:
restart ospfd daemon


738887-3 : BIG-IP SNMPD vulnerability CVE-2019-6608

Component: TMOS

Symptoms:
https://support.f5.com/csp/article/K12139752

Conditions:
https://support.f5.com/csp/article/K12139752

Impact:
https://support.f5.com/csp/article/K12139752

Workaround:
https://support.f5.com/csp/article/K12139752

Fix:
https://support.f5.com/csp/article/K12139752


738881-2 : Qkview does not collect any data under certain conditions that cause a timeout

Component: TMOS

Symptoms:
Qkview enforces a timeout mechanism in various locations for its submodules. In certain conditions, when a timeout occurs, Qkview should still be able to collect what data it can before doing this check.

Conditions:
A particular timeout is encountered during a Qkview operation.

Impact:
Data that might have been collected is not, which might result in missing helpful diagnostic information.

Workaround:
Work around the issue by increasing the qkview timeout, for example:
  qkview -t 720

Fix:
Changed the timeout check to occur after important data collection.


738864-1 : javascript functions in href are learned from response as new URLs

Component: Application Security Manager

Symptoms:
New urls representing javascript functions are learned from response.

Conditions:
Learn from response is turned on and URLs learning set to 'Always'

Impact:
Wrong URLs are created and added to the policy (not really interfering with enforcement but adds redundant noise to the policy)

Workaround:
Either:
- Change URL learning from 'Always' to any of the other learning options (Compact \ Selective \ Never).
- Disable learn from response

Fix:
javacript functions are no longer learned from responses as new URLs.


738669-2 : Login validation may fail for a large request with early server response

Component: Fraud Protection Services

Symptoms:
in case of large request/response, if FPS needs to store ingress and ingress chunks in buffer for additional processing (ingress :: for parameter parsin