Applies To:
BIG-IP APM 13.1.4
BIG-IP Link Controller 13.1.4
BIG-IP Analytics 13.1.4
BIG-IP LTM 13.1.4
BIG-IP AFM 13.1.4
BIG-IP PEM 13.1.4
BIG-IP FPS 13.1.4
BIG-IP DNS 13.1.4
BIG-IP ASM 13.1.4
Updated Date: 08/04/2021
Version: 13.1.4.1
Build: 3.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Cumulative fixes from BIG-IP v13.1.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.6 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release
Known Issues in BIG-IP v13.1.x
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description
794561-4 | CVE-2020-5874 | K46901953 | TMM may crash while processing JWT/OpenID traffic. |
965485-1 | CVE-2019-5482 | K41523201 | CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL |
949889-1 | CVE-2019-3900 | K04107324 | CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() |
842829-5 | CVE-2018-16300, CVE-2018-14881, CVE-2018-14882, CVE-2018-16230, CVE-2018-16229, CVE-2018-16227, CVE-2019-15166, CVE-2018-16228, CVE-2018-16451, CVE-2018-16452, CVE-2018-10103, CVE-2018-10105, CVE-2018-14468 | K04367730 | Multiple tcpdump vulnerabilities
803933-4 | CVE-2018-20843 | K51011533 | Expat XML parser vulnerability CVE-2018-20843 |
797769-3 | CVE-2019-11599 | K51674118 | Linux vulnerability : CVE-2019-11599 |
968733-4 | CVE-2018-1120 | K42202505 | CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service |
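The vulnerability-fix tables on this page (this one and those in the cumulative sections below) are what a vulnerability-management team reconciles against its own tracker: which CVEs the release closes and which F5 solution article documents each. The following is an added example, not F5 code and not part of these release notes. It parses rows in the pipe-separated shape used on this page, tolerating CVE cells separated by spaces or by commas, several solution articles in one cell, several bug IDs that share one CVE, and a row that extraction split across two physical lines, and returns the deduplicated CVE set plus a CVE-to-article map. The sample rows are constructed copies of rows from this page; the function and variable names are my own.

```python
import re
from typing import NamedTuple

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
ARTICLE_RE = re.compile(r"\bK\d{5,}\b")
# A bug ID (digits, optional "-N" suffix) followed by a pipe opens a table row.
ROW_START_RE = re.compile(r"^\d{5,}(?:-\d+)?\s*\|")


class VulnFix(NamedTuple):
    bug_id: str
    cves: tuple
    articles: tuple
    description: str


# Constructed sample: rows copied in the shape used on this page, including one
# row ("912221-3") whose cells were split across two lines by extraction.
SAMPLE_ROWS = """\
ID Number | CVE | Solution Article(s) | Description |
794561-4 | CVE-2020-5874 | K46901953 | TMM may crash while processing JWT/OpenID traffic. |
842829-5 | CVE-2018-16300 CVE-2018-14881 CVE-2019-15166 | K04367730 | Multiple tcpdump vulnerabilities |
953677-4 | CVE-2021-22987, CVE-2021-22988 | K18132488 K70031188 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 |
912221-3 | CVE-2020-12662 CVE-2020-12663 |
K37661551 | CVE-2020-12662 & CVE-2020-12663 |
955145-4 | CVE-2021-22986 | K03009991 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 |
954381-4 | CVE-2021-22986 | K03009991 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 |
"""


def _join_split_rows(text):
    """Return one logical row per bug ID.

    The header line is dropped; a physical line that does not begin with a
    bug ID is appended to the row before it (the extraction-split case).
    """
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("ID Number"):
            continue
        if ROW_START_RE.match(line):
            rows.append(line)
        elif rows:
            rows[-1] += " " + line
    return rows


def parse_vuln_rows(text):
    """Parse 'ID | CVE | Solution Article(s) | Description' rows into VulnFix records."""
    fixes = []
    for row in _join_split_rows(text):
        # Drop a trailing pipe (present on most rows) so it does not create an empty cell.
        cells = [c.strip() for c in row.rstrip().rstrip("|").split("|")]
        if len(cells) < 4:
            raise ValueError(f"unexpected row shape: {row!r}")
        bug_id, cve_cell, article_cell = cells[0], cells[1], cells[2]
        description = " | ".join(cells[3:])
        fixes.append(VulnFix(
            bug_id=bug_id,
            cves=tuple(CVE_RE.findall(cve_cell)),          # only the CVE column, not the description
            articles=tuple(ARTICLE_RE.findall(article_cell)),
            description=description,
        ))
    return fixes


def _cve_key(cve):
    """Sort CVEs numerically by (year, sequence) rather than as plain strings."""
    _, year, num = cve.split("-")
    return (int(year), int(num))


def cves_fixed(fixes):
    """Deduplicated CVE list: several bug IDs may map to one CVE (e.g. CVE-2021-22986)."""
    return sorted({c for f in fixes for c in f.cves}, key=_cve_key)


def cve_to_articles(fixes):
    """Map each CVE to the sorted list of F5 solution articles that document it."""
    mapping = {}
    for f in fixes:
        for c in f.cves:
            mapping.setdefault(c, set()).update(f.articles)
    return {c: sorted(a) for c, a in mapping.items()}


if __name__ == "__main__":
    parsed = parse_vuln_rows(SAMPLE_ROWS)
    for cve in cves_fixed(parsed):
        print(cve, ",".join(cve_to_articles(parsed)[cve]))
```

Feed the script the rows of every Vulnerability Fixes table on this page (not just the first) to get the complete set of CVEs closed by 13.1.4.1; the row-joining step matters because at least one row on this page (912221-3) is split across two lines.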
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description
995629-1 | 2-Critical | | Loading UCS files may hang if ASM is provisioned★
967905-1 | 2-Critical | | Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash
935433-5 | 2-Critical | | iControl SOAP Hardening
1000973-1 | 2-Critical | | Unanticipated restart of TMM due to heartbeat failure
994801-5 | 3-Major | | SCP file transfer hardening
950017-4 | 3-Major | | TMM may crash while processing SCTP traffic
937365-5 | 3-Major | | LTM UI does not follow best practices
906377-5 | 3-Major | | iRulesLX hardening
756820-1 | 3-Major | | Non-UTF8 characters returned from /bin/createmanifest
713708 | 3-Major | | Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI
819053-4 | 4-Minor | | CVE-2019-13232 unzip: overlapping of files in ZIP container
1004417-2 | 4-Minor | | Provisioning error message during boot up★
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description
754143-2 | 2-Critical | K45456231 | TCP connection may hang after finished
942701-4 | 3-Major | | TMM may consume excessive resources while processing HTTP traffic
760050-4 | 3-Major | | "cwnd too low" warning message seen in logs
752530-3 | 3-Major | | TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.
752334-3 | 3-Major | | Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation
962433-2 | 4-Minor | | HTTP::retry for a HEAD request fails to create new connection
962177-4 | 4-Minor | | Results of POLICY::names and POLICY::rules commands may be incorrect
830833-3 | 4-Minor | | HTTP PSM blocking resets should have better log messages
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description
918597-1 | 2-Critical | | Under certain conditions, deleting a topology record can result in a crash.
973261-5 | 3-Major | | GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects
912001-1 | 3-Major | | TMM cores on secondary blades of the Chassis system.
863917-4 | 3-Major | | The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description
996381-5 | 2-Critical | | ASM attack signature may not match as expected
989009-5 | 2-Critical | | BD daemon may crash while processing WebSocket traffic
980125-5 | 2-Critical | | BD daemon may crash while processing WebSocket traffic
968421-5 | 2-Critical | | ASM attack signature does not match
943913-5 | 2-Critical | | ASM attack signature does not match
1017645-4 | 2-Critical | | False positive HTTP compliance violation
950917-3 | 3-Major | | Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034
928685-4 | 3-Major | | ASM Brute Force mitigation not triggered as expected
907337-5 | 3-Major | | BD crash on specific scenario
888289-4 | 3-Major | | Add option to skip percent characters during normalization
830341-4 | 3-Major | | False positives: Mismatched message key on ASM TS cookie
792341-4 | 3-Major | | Google Analytics shows incorrect stats.
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description
932485-1 | 3-Major | | Incorrect sum(hits_count) value in aggregate tables
913085-5 | 3-Major | | Avrd core when avrd process is stopped or restarted
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description
889497-1 | 2-Critical | | Deleting a log profile results in urldb and urldbmgrd CPU utilization increasing to over 90%
866109-4 | 3-Major | | JWK keys frequency does not support values shorter than 60 minutes
673748-2 | 3-Major | K19534801 | ng_export, ng_import might leave security.configpassword in invalid state
747234-4 | 4-Minor | | Macro policy does not find corresponding access-profile directly
685888-1 | 4-Minor | | OAuth client stores incorrectly escaped JSON values in session variables
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description
868781-3 | 2-Critical | | TMM crashes while processing MRF traffic
968349-4 | 3-Major | | TMM crashes with unspecified message
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description
907245-4 | 3-Major | | AFM UI Hardening
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description
948573-3 | 3-Major | | Wr_urldbd list of valid TLDs needs to be updated
Cumulative fixes from BIG-IP v13.1.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description
882633-5 | CVE-2021-23008 | K51213246 | Active Directory authentication does not follow current best practices |
754855-4 | CVE-2020-27714 | K60344652 | TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile |
932697-1 | CVE-2021-23000 | K34441555 | BIG-IP TMM vulnerability CVE-2021-23000 |
1003557-5 | CVE-2021-23015 | K74151369 | Not following best practices in Guided Configuration Bundle Install worker |
1002561-4 | CVE-2021-23007 | K37451543 | TMM vulnerability CVE-2021-23007 |
838909-6 | CVE-2020-5893 | K97733133 | BIG-IP APM Edge Client vulnerability CVE-2020-5893 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description
913829-2 | 3-Major | | i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence
794417-2 | 3-Major | | Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not★
719338-4 | 4-Minor | | Concurrent management SSH connections are unlimited
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description
915305-2 | 2-Critical | | Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded
888341-3 | 2-Critical | | HA Group failover may fail to complete Active/Standby state transition
886693-1 | 2-Critical | | System may become unresponsive after upgrading★
785017-4 | 2-Critical | | Secondary blades go offline after new primary is elected
743975-2 | 2-Critical | | TMM crash (SIGFPE) when starting on a vCMP guest
967745-4 | 3-Major | | Last resort pool error for the modify command for Wide IP
922297-4 | 3-Major | | TMM does not start when using more than 11 interfaces with more than 11 vCPUs
877109-5 | 3-Major | | Unspecified input can break intended functionality in iHealth proxy
838901-1 | 3-Major | | TMM receives invalid rx descriptor from HSB hardware
829821-4 | 3-Major | | Mcpd may miss its high availability (HA) heartbeat if a very large number of pool members are configured
829317-1 | 3-Major | | Memory leak in icrd_child due to concurrent REST usage
945109-5 | 4-Minor | | Freetype Parser Skip Token Vulnerability CVE-2015-9382
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description
938233-4 | 2-Critical | | An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization
922317-1 | 2-Critical | | Using the LSN::persistence_entry command in an iRule may cause crashes and/or stalled connections
920265 | 2-Critical | | TMM may crash if a virtual server undergoes a series of specific configuration changes involving the transparent-nexthop option.
876801-1 | 2-Critical | | Tmm crash: invalid route type
718189-2 | 2-Critical | | Unspecified IP traffic can cause low-memory conditions
926929-1 | 3-Major | | RFC Compliance Enforcement lacks configuration availability
889601-5 | 3-Major | | OCSP revocation not properly checked
888517-4 | 3-Major | | Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.★
858701-4 | 3-Major | | Running config and saved config have different route-advertisement values after upgrading from 11.x/12.x★
809597-1 | 3-Major | | Memory leak in icrd_child observed during REST usage
784565-4 | 3-Major | | VLAN groups are incompatible with fast-forwarded flows
763093-1 | 3-Major | | LRO packets are not taken into account for ifc_stats (VLAN stats)
773253-2 | 4-Minor | | The BIG-IP may send VLAN failsafe probes from a disabled blade
724746-1 | 4-Minor | | Incorrect RST message after 'reject' command
693901-4 | 4-Minor | | Active FTP data connection may change source port on client-side
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description
858973-4 | 3-Major | | DNS request matches less specific WideIP when adding new wildcard wideips
712335-1 | 4-Minor | | GTMD may intermittently crash under unusual conditions.
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description
980809-4 | 2-Critical | | ASM REST Signature Rule Keywords Tool Hardening
962341-3 | 2-Critical | | BD crash while processing JSON content
941621-4 | 3-Major | | Brute Force breaks server's Post-Redirect-Get flow
929001-5 | 3-Major | | ASM form handling improvements
846057-1 | 3-Major | | UCS backup archive may include unnecessary files
673272-5 | 3-Major | | Search by "Signature ID is" does not return results for some signature IDs
824093-1 | 4-Minor | | Parameters payload parser issue
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description
981385-5 | 3-Major | | AVRD does not send HTTP events to BIG-IQ DCD
949593-1 | 3-Major | | Unable to load config if AVR widgets were created under '[All]' partition★
933777-3 | 3-Major | | Context use and syntax changes clarification
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description
990333-3 | 1-Blocking | | APM may return unexpected content when processing HTTP requests
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description
628645 | 3-Major | | Classification signatures fail to update and there are no errors in the GUI★
Cumulative fixes from BIG-IP v13.1.3.6 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description
975233-4 | CVE-2021-22992 | K52510511 | Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 |
973333-2 | CVE-2021-22991 | K56715231 | TMM buffer-overflow vulnerability CVE-2021-22991 |
955145-4 | CVE-2021-22986 | K03009991 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 |
954381-4 | CVE-2021-22986 | K03009991 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 |
953677-4 | CVE-2021-22987, CVE-2021-22988 | K18132488 K70031188 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 |
950077-4 | CVE-2021-22987, CVE-2021-22988 | K18132488 K70031188 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 |
981169-4 | CVE-2021-22994 | K66851119 | F5 TMUI XSS vulnerability CVE-2021-22994 |
959121-1 | CVE-2021-23015 | K74151369 | Not following best practices in Guided Configuration Bundle Install worker |
953729-4 | CVE-2021-22989, CVE-2021-22990 | K56142644 K45056101 | Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 |
949933-3 | CVE-2021-22980 | K29282483 | BIG-IP APM CTU vulnerability CVE-2021-22980 |
941449-5 | CVE-2021-22993 | K55237223 | BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 |
931513-4 | CVE-2021-22977 | K14693346 | TMM vulnerability CVE-2021-22977 |
921337-1 | CVE-2021-22976 | K88230177 | BIG-IP ASM WebSocket vulnerability CVE-2021-22976 |
916821-5 | CVE-2021-22974 | K68652018 | iControl REST vulnerability CVE-2021-22974 |
834257-5 | CVE-2020-5931 | K25400442 | TMM may crash when processing HTTP traffic |
976925-4 | CVE-2021-23002 | K71891773 | BIG-IP APM VPN vulnerability CVE-2021-23002 |
939845-4 | CVE-2021-23004 | K31025212 | BIG-IP MPTCP vulnerability CVE-2021-23004 |
939841-4 | CVE-2021-23003 | K43470422 | BIG-IP MPTCP vulnerability CVE-2021-23003 |
937637-5 | CVE-2021-23002 | K71891773 | BIG-IP APM VPN vulnerability CVE-2021-23002 |
935401-5 | CVE-2021-23001 | K06440657 | BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001 |
832757-4 | CVE-2017-18551 | K48073202 | Linux kernel vulnerability CVE-2017-18551 |
743105-6 | CVE-2021-22998 | K31934524 | BIG-IP SNAT vulnerability CVE-2021-22998 |
693360-5 | CVE-2020-27721 | K52035247 | A virtual server status changes to yellow while still available |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description
742860 | 3-Major | | VE: Predictable NIC ordering based on PCI coordinates until ordering is saved.
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description
940021-1 | 2-Critical | | Syslog-ng hang may lead to unexpected reboot
769169-1 | 2-Critical | | BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring
737322-4 | 2-Critical | | tmm may crash at startup if the configuration load fails
703039-2 | 2-Critical | | Empty results on /tm/sys/config-diff/stats
948769-3 | 3-Major | | TMM panic with SCTP traffic
930741-4 | 3-Major | | Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot
927941-2 | 3-Major | | IPv6 static route BFD does not come up after OAMD restart
913433-4 | 3-Major | | On blade failure, some trunked egress traffic is dropped.
867181-4 | 3-Major | | ixlv: double tagging is not working
865241-4 | 3-Major | | Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"
843597-4 | 3-Major | | Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle
842189-3 | 3-Major | | Tunnels removed when going offline are not restored when going back online
829193-5 | 3-Major | | REST system unavailable due to disk corruption
820845-1 | 3-Major | | Self-IP does not respond to ARP / Neighbor Discovery when EtherIP tunnels are in use.
759596-3 | 3-Major | | Tcl errors in iRules 'table' command
754132-3 | 3-Major | | An NLRI with default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command
749007-3 | 3-Major | | South Sudan, Sint Maarten, and Curacao countries missing from GTM region list
744252-3 | 3-Major | | BGP route map community value: neither component can be set to 65535
933461-2 | 4-Minor | | BGP multi-path candidate selection does not work properly in all cases.
931837-3 | 4-Minor | | NTP has predictable timestamps
892677-3 | 4-Minor | | Loading config file with imish adds the newline character
800193 | 4-Minor | | Update OpenSSH to version 7 or later for disabling of DSA keys
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description
726518-4 | 2-Critical | | Tmsh show command terminated with CTRL-C can cause TMM to crash.
705768-5 | 2-Critical | | The dynconfd process may core and restart with multiple DNS name servers configured
949145-3 | 3-Major | | Improve TCP's response to partial ACKs during loss recovery
879413-4 | 3-Major | | Statsd fails to start if one or more of its *.info files becomes corrupted
860005-4 | 3-Major | | Ephemeral nodes/pool members may be created for wrong FQDN name
857845-5 | 3-Major | | TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule
851045-4 | 3-Major | | LTM database monitor may hang when monitored DB server goes down
814761-3 | 3-Major | | PostgreSQL monitor fails on second ping with count != 1
805017-3 | 3-Major | | DB monitor marks pool member down if no send/recv strings are configured
803233-4 | 3-Major | | Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
772545-1 | 3-Major | | Tmm core in SSLO environment
759056-1 | 3-Major | | stpd memory leak on secondary blades in a multi-blade system
747077-1 | 3-Major | | Potential crash in TMM when updating pool members
745682-2 | 3-Major | | Failed to parse X-Forwarded-For header in HTTP requests
722707-4 | 3-Major | | mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
720440-1 | 3-Major | | Radius monitor marks pool members down after 6 seconds
714642-1 | 3-Major | | Ephemeral pool-member state on the standby is down
705387 | 3-Major | | HTTP/2, ALPN and SSL
686062-1 | 3-Major | | The dynconfd daemon uses UDP ports inefficiently
608952-4 | 3-Major | | MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2
824365-1 | 4-Minor | | Need informative messages for HTTP iRule runtime validation errors
822025-4 | 4-Minor | | HTTP response not forwarded to client during an early response
808409-1 | 4-Minor | | Unable to specify if giaddr will be modified in DHCP relay chain
801705-2 | 4-Minor | | When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC
738032-2 | 4-Minor | | BIG-IP system reuses cached session-id after SSL properties of the monitor have been changed.
859717-4 | 5-Cosmetic | | ICMP-limit-related warning messages in /var/log/ltm
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description
918169-3 | 2-Critical | | The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.
921625-5 | 3-Major | | The certs extend function does not work for GTM/DNS sync group
921549-7 | 3-Major | | The gtmd process does not receive updates from local big3d.
852101-4 | 3-Major | | Monitor fails.
853585-5 | 4-Minor | | REST Wide IP object presents an inconsistent lastResortPool value
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description
940249-4 | 2-Critical | | Sensitive data is not masked after "Maximum Array/Object Elements" is reached
927617-4 | 2-Critical | | 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value
825413-1 | 2-Critical | | /var/lib/mysql can run out of disk space with ASM provisioned
940897-4 | 3-Major | | Violations are detected for the wrong parameter when "Maximum Array/Object Elements" is reached
918933-4 | 3-Major | K88162221 | The BIG-IP ASM system may not properly perform signature checks on cookies
904053-5 | 3-Major | | Unable to set ASM Main Cookie/Domain Cookie hashing to Never
742549-1 | 3-Major | | Cannot create non-ASCII entities in non-UTF ASM policy using REST
767941-2 | 4-Minor | | Gracefully handle policy builder errors
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description
743826-3 | 3-Major | | Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0)
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description
727031-1 | 1-Blocking | | TMM restart in B2250 vCMP systems, and ping/monitor failures in non-B2250 vCMP systems.
896709-1 | 2-Critical | | Add support for Restart Desktop for webtop in VMware VDI
976501-4 | 3-Major | | Failed to establish VPN connection
924929 | 3-Major | | Logging improvements for VDI plugin
914649-1 | 3-Major | | Support USB redirection through VVC (VMware virtual channel) with BlastX
760629-2 | 3-Major | | Remove Obsolete APM keys in BigDB
739570-2 | 3-Major | | Unable to install EPSEC package★
554228-7 | 3-Major | | OneConnect does not work when WEBSSO is enabled/configured.
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description
939529-4 | 3-Major | | Branch parameter not parsed properly when the topmost Via header is received with comma-separated values
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description
755854-1 | 3-Major | | TMM crash due to missing classification category
Cumulative fixes from BIG-IP v13.1.3.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description
943125-4 | CVE-2021-23010 | K18570111 | ASM bd may crash while processing WebSocket traffic |
935721-3 | CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | K82252291 | ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 |
933741-5 | CVE-2021-22979 | K63497634 | BIG-IP FPS XSS vulnerability CVE-2021-22979 |
933297 | CVE-2020-5949 | K20984059 | FTP virtual server passive data channels do not pass traffic |
932065-4 | CVE-2021-22978 | K87502622 | iControl REST vulnerability CVE-2021-22978 |
917509-1 | CVE-2020-27718 | K58102101 | BIG-IP ASM vulnerability CVE-2020-27718 |
912221-3 | CVE-2020-12662, CVE-2020-12663 | K37661551 | CVE-2020-12662 and CVE-2020-12663
911761-5 | CVE-2020-5948 | K42696541 | F5 TMUI XSS vulnerability CVE-2020-5948 |
908673-2 | CVE-2020-27717 | K43850230 | TMM may crash while processing DNS traffic |
891457-5 | CVE-2020-5939 | K75111593 | NIC driver may fail while transmitting data |
882189-4 | CVE-2020-5897 | K20346072 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5897 |
882185-4 | CVE-2020-5897 | K20346072 | BIG-IP Edge Client Windows ActiveX |
881317-3 | CVE-2020-5896 | K15478554 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 |
881293-4 | CVE-2020-5896 | K15478554 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 |
879745-5 | CVE-2020-5942 | K82530456 | TMM may crash while processing Diameter traffic |
879025-6 | CVE-2020-5913 | K72752002 | When processing TLS traffic, LTM may not enforce certificate chain restrictions |
846917-5 | CVE-2019-10744 | K47105354 | lodash Vulnerability: CVE-2019-10744 |
839453-2 | CVE-2019-10744 | K47105354 | lodash library vulnerability CVE-2019-10744 |
788057-1 | CVE-2020-5921 | K00103216 | MCPD may crash while processing syncookies |
946581 | CVE-2020-27713 | K37960100 | TMM vulnerability CVE-2020-27713 |
928037-4 | CVE-2020-27729 | K15310332 | APM Hardening |
917005-3 | CVE-2020-8619 | K19807532 | ISC BIND Vulnerability: CVE-2020-8619 |
912969-5 | CVE-2020-27727 | K50343630 | iAppsLX REST vulnerability CVE-2020-27727 |
909837-3 | CVE-2020-5950 | K05204103 | TMM may consume excessive resources when AFM is provisioned |
905125-4 | CVE-2020-27726 | K30343902 | Security hardening for APM Webtop |
904937-5 | CVE-2020-27725 | K25595031 | Excessive resource consumption in zxfrd |
898949-4 | CVE-2020-27724 | K04518313 | APM may consume excessive resources while processing VPN traffic |
889557-3 | CVE-2019-11358 | K20455158 | jQuery Vulnerability CVE-2019-11358 |
881445-4 | CVE-2020-5898 | K69154630 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 |
880361-4 | CVE-2021-22973 | K13323323 | iRules LX vulnerability CVE-2021-22973 |
856961-4 | CVE-2018-12207 | K17269881 | INTEL-SA-00201 MCE vulnerability CVE-2018-12207 |
848405-1 | CVE-2020-5933 | K26244025 | TMM may consume excessive resources while processing compressed HTTP traffic |
842717-3 | CVE-2020-5855 | K55102004 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 |
831777-2 | CVE-2020-27723 | K42933418 | Tmm crash in Ping access use case |
816413-4 | CVE-2019-1125 | K31085564 | CVE-2019-1125: Spectre SWAPGS Gadget |
811965-3 | CVE-2020-27722 | K73657294 | Some VDI use cases can cause excessive resource consumption |
778049-6 | CVE-2018-13405 | K00854051 | Linux Kernel Vulnerability: CVE-2018-13405 |
751036-3 | CVE-2020-27721 | K52035247 | Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone |
888493-5 | CVE-2020-5928 | K40843345 | ASM GUI Hardening |
852929-2 | CVE-2020-5920 | K25160703 | AFM WebUI Hardening |
818213-6 | CVE-2019-10639 | K32804955 | CVE-2019-10639: KASLR bypass using connectionless protocols |
818177-1 | CVE-2019-12295 | K06725231 | CVE-2019-12295 Wireshark Vulnerability |
773693-3 | CVE-2020-5892 | K15838353 | CVE-2020-5892: APM Client Vulnerability |
682352-2 | CVE-2017-3735 | K21462542 | OpenSSL vulnerability CVE-2017-3735 |
834533-4 | CVE-2019-15916 | K57418558 | Linux kernel vulnerability CVE-2019-15916 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description
890229-4 | 3-Major | | Source port preserve setting is not honored
738330-1 | 3-Major | | /mgmt/toc endpoint issue after configuring remote authentication
657912-3 | 3-Major | | PIM can be configured to use a floating self IP address
745465-3 | 4-Minor | | The tcpdump file does not provide the correct extension
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description
749738-2 | 1-Blocking | | After upgrade to 13.1.3.3 or 13.1.3.4, B2250 blades may fail to detect HSB and have restarting chmand★
910201-5 | 2-Critical | | OSPF - SPF/IA calculation scheduling might get stuck infinitely
896217-5 | 2-Critical | | BIG-IP GUI unresponsive
860517-4 | 2-Critical | | MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
829677-4 | 2-Critical | | .tmp files in /var/config/rest/ may cause /var directory exhaustion
812237-3 | 2-Critical | | i10000 series appliances with HDVC part number 505-0030 missing name in show sys hardware and on LCD
810593-4 | 2-Critical | K10963690 | Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★
796601-6 | 2-Critical | | Invalid parameter in errdefsd while processing hostname db_variable
770989-1 | 2-Critical | | Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x.★
769817 | 2-Critical | | BFD fails to propagate session state change during blade restart
769581 | 2-Critical | | Timeout when sending many large iControl REST requests
706521-5 | 2-Critical | K21404407 | The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password
649205-1 | 2-Critical | | Failure of mcpd during setup of HA communication
924493-5 | 3-Major | | VMware EULA has been updated
915825-5 | 3-Major | | Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
908021-3 | 3-Major | | Management and VLAN MAC addresses are identical
898705-2 | 3-Major | | IPv6 static BFD configuration is truncated or missing
888497-5 | 3-Major | | Cacheable HTTP Response
887089-5 | 3-Major | | Upgrade can fail when filenames contain spaces
871657-3 | 3-Major | | Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
867013-5 | 3-Major | | Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout
858197-4 | 3-Major | | Merged crash when memory exhausted
846441-4 | 3-Major | | Flow-control is reset to default for secondary blade's interface
846137-5 | 3-Major | | The icrd returns incorrect route names in some cases
814585-5 | 3-Major | | PPTP profile option not available when creating or modifying virtual servers in GUI
810821-4 | 3-Major | | Management interface flaps after rebooting the device
810381-1 | 3-Major | | The SNMP max message size check is being incorrectly applied.
808281 | 3-Major | | OVA/Azure template sets '/var' partition with not enough space
802685-4 | 3-Major | | Unable to configure performance HTTP virtual server via GUI
802281-4 | 3-Major | | Gossip shows active even when devices are missing
797829-3 | 3-Major | | The BIG-IP system may fail to deploy new or reconfigure existing iApps
795649-2 | 3-Major | | Loading UCS from one iSeries model to another causes FPGA to fail to load
788577 | 3-Major | | BFD sessions may be reset after CMP state change
783113 | 3-Major | | BGP sessions remain down upon new primary slot election
767737-3 | 3-Major | | Timing issues during startup may make an HA peer stay in the inoperative state
755197-1 | 3-Major | | UCS creation might fail during frequent config save transactions
754971-1 | 3-Major | | OSPF inter-process redistribution might break OSPF route redistribution of various types.
751021-3 | 3-Major | | One or more TMM instances may be left without dynamic routes.
750194-2 | 3-Major | | Moderate: net-snmp security update
746704-1 | 3-Major | | Syslog-ng Memory Leak
745261-1 | 3-Major | | The TMM process may crash in some tunnel cases
740589-3 | 3-Major | | Mcpd crash with core after 'tmsh edit /sys syslog all-properties'
737098-3 | 3-Major | | ASM Sync does not work when the configsync IP address is an IPv6 address
725985-1 | 3-Major | | REST API takes more than 20 seconds when 1000+ virtual servers with SNAT-Pool configured
720569-1 | 3-Major | | Disaggregation algorithm distributing traffic unequally across CPU cores on Virtual Edition
707320-2 | 3-Major | | Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs
705655-2 | 3-Major | | Virtual address not responding to ICMP when ICMP Echo set to Selective
699091-2 | 3-Major | | SELinux denies console access for remote users.
658716-1 | 3-Major | | Failure of mcpd when closing out CMI connection
658715-1 | 3-Major | | Mcpd crash
615934-3 | 3-Major | | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
605675-2 | 3-Major | | Sync requests can be generated faster than they can be handled
489572-3 | 3-Major | K60934489 | Sync fails if file object is created and deleted before sync to peer BIG-IP
902417-5 | 4-Minor | | Configuration error caused by Drafts folder in a deleted custom partition★
890277-1 | 4-Minor | | Full config sync to a device group operation takes a long time when there are a large number of partitions.
864757-1 | 4-Minor | | Traps that were disabled are enabled after configuration save
831293-2 | 4-Minor | | SNMP address-related GET requests slow to respond.
804309-3 | 4-Minor | | [api-status-warning] messages are generated on stderr and in /var/log/ltm when listing config with the all-properties argument
801637-1 | 4-Minor | | Cmp_dest on C2200 platform may give incorrect results
779857-4 | 4-Minor | | Misleading GUI error when installing a new version in another partition★
692165-1 | 4-Minor | | A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token
591732-3 | 4-Minor | | Local password policy not enforced when auth source is set to a remote type.
583084-10 | 4-Minor | K15101680 | iControl produces 404 error while creating records successfully
714176-4 | 5-Cosmetic | | UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
941089-4 | 2-Critical | | TMM core when using Multipath TCP |
851857-4 | 2-Critical | | HTTP 100 Continue handling does not work when it arrives in multiple packets |
687603-2 | 2-Critical | K36243347 | tmsh query for dns records may cause tmm to crash |
951033-1 | 3-Major | | Virtual server resets all the connections for rstcause 'VIP disabled (administrative)' |
915689-5 | 3-Major | | HTTP/2 dynamic header table may fail to identify indexed headers on the response side. |
915605-4 | 3-Major | K56251674 | Image install fails if iRulesLX is provisioned and /usr mounted read-write★ |
915281-6 | 3-Major | | Do not rearm TCP Keep Alive timer under certain conditions |
909757 | 3-Major | | HTTP CONNECT method with a delayed payload can cause a connection to be closed |
892385-3 | 3-Major | | HTTP does not process WebSocket payload when received with server HTTP response |
862597-3 | 3-Major | | Improve MPTCP's SYN/ACK retransmission handling |
828601-4 | 3-Major | | IPv6 Management route is preferred over IPv6 tmm route |
818853-5 | 3-Major | | Duplicate MAC entries in FDB |
810445-3 | 3-Major | | PEM: ftp-data not classified or reported |
807821-3 | 3-Major | | ICMP echo requests occasionally go unanswered |
790845-1 | 3-Major | | An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default |
786517-1 | 3-Major | | Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address |
783617-4 | 3-Major | | Virtual server resets connections when all pool members are marked disabled |
766169-3 | 3-Major | | Replacing all VLAN interfaces resets VLAN MTU to a default value |
758631-2 | 3-Major | | ec_point_formats extension might be included in the server hello even if not specified in the client hello |
758599-4 | 3-Major | | IPv6 Management route is preferred over IPv6 tmm route |
758437-4 | 3-Major | | SYN w/ data disrupts stat collection in Fast L4 |
758436-2 | 3-Major | | Optimistic ACKs degrade Fast L4 statistics |
758041-4 | 3-Major | | Pool Members may not be updated accurately when multiple identical database monitors configured |
745923-4 | 3-Major | | Connection flow collision can cause packets to be sent with source and/or destination port 0 |
745663-2 | 3-Major | | During traffic forwarding, nexthop data may be missed at large packet split |
724824-4 | 3-Major | | Ephemeral nodes on peer devices report as unknown and unchecked after full config sync |
710930-1 | 3-Major | | Enabling BigDB key bigd.tmm may cause SSL monitors to fail |
681814-1 | 3-Major | | Changes to a cipher group are not propagated to SSL profiles until the configuration is reloaded |
522241-2 | 3-Major | | Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete |
814037-1 | 4-Minor | | No virtual server name in Hardware Syncookie activation logs. |
781225-3 | 4-Minor | | HTTP profile Response Size stats incorrect for keep-alive connections |
726983-4 | 4-Minor | | Inserting multi-line HTTP header not handled correctly |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
960749-4 | 1-Blocking | | TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic |
960437-4 | 2-Critical | | The BIG-IP system may initially fail to resolve some DNS queries |
919553-4 | 2-Critical | | GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets. |
783125-4 | 2-Critical | | iRule drop command on DNS traffic without Datagram-LB may cause TMM crash |
781829-4 | 3-Major | | GTM TCP monitor does not check the RECV string if the server response string does not end with \n |
760471-4 | 3-Major | | GTM iQuery connections may be reset during SSL key renegotiation. |
758772-4 | 3-Major | | DNS Cache RRSET Evictions Stat not increasing |
757464-3 | 3-Major | | DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record |
708421-2 | 3-Major | K52142743 | DNS::question 'set' options are applied to packet, but not to already parsed dns_msg |
700118-1 | 3-Major | | rrset statistics unavailable |
529896-1 | 3-Major | | DNS Cache can use cached data from ADDITIONAL sections in answers after RRset cache cleared |
643455-1 | 4-Minor | | Update TTL for equally trusted records only |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
903453 | 2-Critical | | TMM crash following redirect when Proactive Bot Defense is used |
941853-3 | 3-Major | | Logging Profiles do not disassociate from virtual server when multiple changes are made |
900797-5 | 3-Major | | Brute Force Protection (BFP) hash table entry cleanup |
900793-3 | 3-Major | K32055534 | APM Brute Force Protection resources do not scale automatically |
900789-5 | 3-Major | | Alert before Brute Force Protection (BFP) hash is fully utilized |
848445-4 | 3-Major | K86285055 | Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★ |
833685-1 | 3-Major | | Idle async handlers can remain loaded for a long time doing nothing |
722337-3 | 3-Major | | Always show violations in request log when post request is large |
692279-1 | 3-Major | | Request logging is briefly suspended after policy re-assignment |
424588-1 | 3-Major | | iRule command [DOSL7::profile] returns empty value |
935293-1 | 4-Minor | | 'Detected Violation' Field for event logs not showing |
882769-5 | 4-Minor | | Request Log: wrong filter applied when searching by Response contains or Response does not contain |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
722392-2 | 2-Critical | | AVR: analytics statistics are displayed even if they are disabled |
908065-5 | 3-Major | | Logrotation for /var/log/avr blocked by files with .1 suffix |
902485-1 | 3-Major | | Incorrect pool member concurrent connection value |
838685-1 | 3-Major | | DoS report exists per-widget but not under individual virtual |
721408-4 | 3-Major | | Possible to create Analytics overview widgets in '[All]' partition |
866613-2 | 4-Minor | | Missing MaxMemory Attribute |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
833049-3 | 3-Major | | Category lookup tool in GUI may not match actual traffic categorization |
766017-2 | 4-Minor | | [APM][LocalDB] Local user database instance name length check inconsistencies★ |
679751-3 | 4-Minor | | Authorization header can cause a connection reset |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
815877-4 | 3-Major | | Information Elements with zero-length value are rejected by the GTP parser |
845461-1 | 5-Cosmetic | | MRF DIAMETER: additional details to log event to assist debugging |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
703165-5 | 3-Major | | Shared memory leakage |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
783289-3 | 2-Critical | | PEM actions not applied in VE bigTCP. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
943889 | 2-Critical | | Reopening the publisher after a failed publishing attempt |
876581-5 | 3-Major | | JavaScript engine file is empty if the original HTML page is cached for too long |
940401-4 | 5-Cosmetic | | Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
913441 | 2-Critical | | Tmm cores while doing Hitless Upgrade while there are active flows |
745733-1 | 3-Major | | TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup |
689614-1 | 3-Major | | If DNS is not configured and management proxy is set up correctly, Webroot database fails to download |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
767613-3 | 3-Major | | Restjavad can keep partially downloaded files open indefinitely |
Cumulative fixes from BIG-IP v13.1.3.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
900757-5 | CVE-2020-5902 | K52145254 | TMUI RCE vulnerability CVE-2020-5902 |
895525-5 | CVE-2020-5902 | K52145254 | TMUI RCE vulnerability CVE-2020-5902 |
909237-3 | CVE-2020-8617 | K05544642 | CVE-2020-8617: BIND Vulnerability |
909233-3 | CVE-2020-8616 | K97810133 | DNS Hardening |
905905-4 | CVE-2020-5904 | K31301245 | TMUI CSRF vulnerability CVE-2020-5904 |
895993-5 | CVE-2020-5902 | K52145254 | TMUI RCE vulnerability CVE-2020-5902 |
895981-5 | CVE-2020-5902 | K52145254 | TMUI RCE vulnerability CVE-2020-5902 |
895881-4 | CVE-2020-5903 | K43638305 | BIG-IP TMUI XSS vulnerability CVE-2020-5903 |
883717-4 | CVE-2020-5914 | K37466356 | BD crash on specific server cookie scenario |
852445-5 | CVE-2019-6477 | K15840535 | Big-IP : CVE-2019-6477 BIND Vulnerability |
841577-6 | CVE-2020-5922 | K20606443 | iControl REST hardening |
838677-5 | CVE-2019-10744 | K47105354 | lodash library vulnerability CVE-2019-10744 |
837773-4 | CVE-2020-5912 | K12936322 | Restjavad Storage and Configuration Hardening |
830401-5 | CVE-2020-5877 | K54200228 | TMM may crash while processing TCP traffic with iRules |
819197-6 | CVE-2019-13135 | K20336394 | BIGIP: CVE-2019-13135 ImageMagick vulnerability |
819189-5 | CVE-2019-13136 | K03512441 | BIGIP: CVE-2019-13136 ImageMagick vulnerability |
818709-4 | CVE-2020-5858 | K36814487 | TMSH does not follow current best practices |
778077-1 | CVE-2019-6680 | K53183580 | Virtual to virtual chain can cause TMM to crash |
767373-3 | CVE-2019-8331 | K24383845 | CVE-2019-8331: Bootstrap Vulnerability |
750292-4 | CVE-2019-6592 | K54167061 | TMM may crash when processing TLS traffic |
886085-1 | CVE-2020-5925 | K45421311 | BIG-IP TMM vulnerability CVE-2020-5925 |
872673-4 | CVE-2020-5918 | K26464312 | TMM can crash when processing SCTP traffic |
868349-5 | CVE-2020-5935 | K62830532 | TMM may crash while processing iRules with MQTT commands |
860477-6 | CVE-2020-5906 | K82518062 | SCP hardening |
859089-3 | CVE-2020-5907 | K00091341 | TMSH allows SFTP utility access |
858025-5 | CVE-2021-22984 | K33440533 | BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984 |
832885-5 | CVE-2020-5923 | K05975972 | Self-IP hardening |
829121-5 | CVE-2020-5886 | K65720640 | State mirroring default does not require TLS |
829117-5 | CVE-2020-5885 | K17663061 | State mirroring default does not require TLS |
811789-4 | CVE-2020-5915 | K57214921 | Device trust UI hardening |
789921-4 | CVE-2020-5881 | K03386032 | TMM may restart while processing VLAN traffic |
761112-5 | CVE-2019-6683 | K76328112 | TMM may consume excessive resources when processing FastL4 traffic |
756458-1 | CVE-2018-18559 | K28241423 | Linux kernel vulnerability: CVE-2018-18559 |
745103-4 | CVE-2018-7159 | K27228191 | NodeJS Vulnerability: CVE-2018-7159 |
715969-1 | CVE-2017-5703 | K19855851 | CVE-2017-5703: Unsafe Opcodes exposed in Intel SPI based products |
823893-4 | CVE-2020-5890 | K03318649 | Qkview may fail to completely sanitize LDAP bind credentials |
746091-3 | CVE-2019-19151 | K21711352 | TMSH Vulnerability: CVE-2019-19151 |
717276-5 | CVE-2020-5930 | K20622530 | TMM Route Metrics Hardening |
759536-4 | CVE-2019-8912 | K31739796 | Linux kernel vulnerability: CVE-2019-8912 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
819397-3 | 1-Blocking | K50375550 | TMM does not enforce RFC compliance when processing HTTP traffic |
858229-2 | 3-Major | K22493037 | XML with sensitive data gets to the ICAP server |
691499-1 | 3-Major | | GTP::ie primitives in iRule to be certified |
617929-4 | 3-Major | | Support non-default route domains |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
747099-1 | 1-Blocking | | AWS Cloud VE instance cannot connect to the metadata server to obtain licensing details. |
841333-3 | 2-Critical | | TMM may crash when tunnel used after returning from offline |
792285-3 | 2-Critical | | TMM crashes if the queuing message to all HSL pool members fails |
780817 | 2-Critical | | TMM can crash on certain vCMP hosts after modifications to VLANs and guests. |
767013-4 | 2-Critical | | Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch |
762205-1 | 2-Critical | | IKEv2 rekey fails to recognize VENDOR_ID payload when it appears |
882557-5 | 3-Major | | TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher) |
866925-1 | 3-Major | | The TMM pages used and available can be viewed in the F5 system stats MIB |
865225-2 | 3-Major | | 100G modules may not work properly in i15000 and i15800 platforms |
842125-2 | 3-Major | | Unable to reconnect outgoing SCTP connections that have previously aborted |
812981-2 | 3-Major | | MCPD: memory leak on standby BIG-IP device |
807005-3 | 3-Major | | Save-on-auto-sync is not working as expected with large configuration objects |
804477-2 | 3-Major | | Add HSB register logging when parts of the device become unresponsive |
800185-2 | 3-Major | | Saving a large encrypted UCS archive may fail and might trigger failover |
762073-1 | 3-Major | | Continuous TMM restarts when HSB drops off the PCI bus |
760439-2 | 3-Major | | After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status |
753860-1 | 3-Major | | Virtual server config changes causing incorrect route injection. |
749153-1 | 3-Major | | Cannot create LTM policy from GUI using iControl |
742628-5 | 3-Major | | A tmsh session initiation adds increased control plane pressure |
739872-2 | 3-Major | | The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover |
738943-5 | 3-Major | | imish command hangs when ospfd is enabled |
738881-2 | 3-Major | | Qkview does not collect any data under certain conditions that cause a timeout |
734846-3 | 3-Major | | Redirection to logon summary page does not occur after session timeout |
701529-1 | 3-Major | | Configuration may not load or not accept vlan or tunnel names as "default" or "all" |
688399-4 | 3-Major | | HSB failure results in continuous TMM restarts |
648621-5 | 3-Major | | SCTP: Multihome connections may not expire |
641450-5 | 3-Major | K30053855 | A transaction that deletes and recreates a virtual may result in an invalid configuration |
625901-2 | 3-Major | | SNAT pools allow members in different partitions to be assigned, but this causes a load failure |
748940-1 | 4-Minor | | iControl REST cert creation not working for non-Common folder |
743815-3 | 4-Minor | | vCMP guest observes connflow reset when a CMP state change occurs. |
726317-4 | 4-Minor | | Improved debugging output for mcpd |
722230-5 | 4-Minor | | Cannot delete FQDN template node if another FQDN node resolves to same IP address |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
816273-4 | 1-Blocking | | L7 Policies may execute CONTAINS operands incorrectly. |
715032-5 | 1-Blocking | K73302459 | iRulesLX Hardening |
853329 | 2-Critical | | HTTP explicit proxy can crash TMM when used with classification profile |
841469-3 | 2-Critical | | Application traffic may fail after an internal interface failure on a VIPRION system. |
831325-3 | 2-Critical | K10701310 | HTTP PSM detects more issues with Transfer-Encoding headers |
826601-3 | 2-Critical | | Prevent receive window shrinkage for looped flows that use a SYN cookie |
813561-1 | 2-Critical | | MCPD crashes when assigning an iRule that uses a proc |
812525-5 | 2-Critical | K27551003 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it |
757578-4 | 2-Critical | | RAM cache is not compatible with verify-accept |
696908-1 | 2-Critical | | Updating iRule causes TMM to crash |
690291-1 | 2-Critical | | tmm crash |
858301-4 | 3-Major | K27551003 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it |
858297-4 | 3-Major | K27551003 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it |
858289-4 | 3-Major | K27551003 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it |
858285-4 | 3-Major | K27551003 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it |
796993-3 | 3-Major | | Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs |
788753-1 | 3-Major | | GATEWAY_ICMP monitor marks node down with wrong error code |
778517-2 | 3-Major | K91052217 | Large number of in-TMM monitors results in delayed processing |
776229-4 | 3-Major | | iRule 'pool' command no longer accepts pool members with ports that have a value of zero |
761185-4 | 3-Major | K50375550 | Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic |
760679 | 3-Major | | Memory corruption when using C3D on certain platforms |
759480-2 | 3-Major | | HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash |
758872-2 | 3-Major | | TMM memory leak |
756494-1 | 3-Major | | For in-tmm monitoring: multiple instances of the same agent are running on the Standby device |
753805-1 | 3-Major | | BIG-IP system failed to advertise virtual address even after the virtual address was in Available state. |
716167-1 | 3-Major | | The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp |
686059-2 | 3-Major | | FDB entries for existing VLANs may be flushed when creating a new VLAN. |
751586-5 | 4-Minor | | Http2 virtual does not honour translate-address disabled |
747585-2 | 4-Minor | | TCP Analytics supports ANY protocol number |
594064-5 | 4-Minor | K57004151 | tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows. |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
807177-1 | 2-Critical | | HTTPS monitoring is not caching SSL sessions correctly |
802961-1 | 3-Major | | The 'any-available' prober selection is not as random as in earlier versions |
778365-1 | 3-Major | | dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service |
774481-3 | 3-Major | | DNS Virtual Server creation problem with Dependency List |
756470-3 | 3-Major | | Additional logging added to detect when monitoring operations in the configuration exceed capabilities. |
746348-1 | 3-Major | | On rare occasions, gtmd fails to process probe responses originating from the same system. |
704198-3 | 3-Major | K29403988 | Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance |
744280-1 | 4-Minor | | Enabling or disabling a Distributed Application results in a small memory leak |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
803813-3 | 2-Critical | | TMM may experience high latency when processing WebSocket traffic |
754109-3 | 2-Critical | | ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive |
854177-2 | 3-Major | | ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality |
850673-4 | 3-Major | | BD sends bad ACKs to the bd_agent for configuration |
846493 | 3-Major | | ASM CAPTCHA is not working the first time when a request contains sensitive parameters |
783505 | 3-Major | | ASU is very slow on device with hundreds of policies due to table checksums |
697269-1 | 3-Major | | Request logging is briefly suspended after policy creation |
689987-3 | 3-Major | | Requests are not logged on new virtual servers after UCS load while ASM is running |
681010-2 | 3-Major | K33572148 | 'Referer' is not masked when 'Query String' contains sensitive parameter |
673522-1 | 3-Major | | RST when using Bot Defense profile and surfing to a long URL on related domain |
629628-1 | 3-Major | | Request Events Missing Due to Policy Builder Restart |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
838709-2 | 2-Critical | | Enabling DoS stats also enables page-load-time |
828937-4 | 2-Critical | K45725467 | Some systems can experience periodic high IO wait due to AVR data aggregation |
870957-2 | 3-Major | | "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage |
863161-5 | 3-Major | | Scheduled reports are sent via TLS even if configured as non encrypted |
833113-1 | 3-Major | | Avrd core when sending large messages via https |
830073-5 | 3-Major | | AVRD may core when restarting due to data collection device connection timeout |
700035-5 | 3-Major | | /var/log/avr/monpd.disk.provision is not rotated |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
885241 | 2-Critical | | TMM leaks memory when the 'ACCESS::session remove' iRule command is called in an event other than an ACCESS event. |
871761-2 | 2-Critical | | Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS |
747192-2 | 2-Critical | | Small memory leak while creating Access Policy items |
660913-4 | 2-Critical | | For ActiveSync client type, browscap info provided is incorrect.★ |
850277-5 | 3-Major | | Memory leak when using OAuth |
803825 | 3-Major | | WebSSO does not support large NTLM target info length |
744407-5 | 3-Major | | While the client has been closed, iRule function should not try to check on a closed session |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
833213-5 | 3-Major | | Conditional requests are served incorrectly with AAM policy in webacceleration profile |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
814097-4 | 2-Critical | | Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event. |
811105-3 | 2-Critical | | MRF SIP-ALG drops SIP 183 and 200 OK messages |
766405-3 | 2-Critical | | MRF SIP ALG with SNAT: Fix for potential crash on next-active device |
745397-3 | 2-Critical | | Virtual server configured with FIX profile can leak memory. |
882273-1 | 3-Major | | MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage growth |
866021-4 | 3-Major | | Diameter Mirror connection lost on the standby due to "process ingress error" |
842625-1 | 3-Major | | SIP message routing remembers a 'no connection' failure state forever |
824149-1 | 3-Major | | SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured |
815529-4 | 3-Major | | MRF outbound messages are dropped in per-peer mode |
811033-3 | 3-Major | | MRF: Bidirectional persistence does not work in reverse direction if different transport protocols are used |
804313-4 | 3-Major | | MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded. |
803809-1 | 3-Major | | SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled. |
782353-8 | 3-Major | | SIP MRF via header shows TCP Transport when TLS is enabled |
754658-1 | 3-Major | | Improved matching of response messages uses end-to-end ID |
754617-1 | 3-Major | | iRule 'DIAMETER::avp read' command does not work with 'source' option |
746731-3 | 3-Major | | BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set |
744275-3 | 3-Major | | BIG-IP system sends Product-Name AVP in CER with Mandatory bit set |
727288-3 | 3-Major | | Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC |
696348-2 | 3-Major | | "GTP::ie insert" and "GTP::ie append" do not work without "-message" option |
676709-3 | 3-Major | K37604585 | Diameter virtual server has different behavior of connection-prime when persistence is on/off |
836357-1 | 4-Minor | | SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 |
793013 | 4-Minor | | MRF DIAMETER: Implement sweeper for pending request messages queue |
788513-4 | 4-Minor | | Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log |
786981-1 | 4-Minor | | Pending GTP iRule operation may be aborted when connection is expired |
753790 | 4-Minor | | Allow 'DIAMETER::persist reset' command in EGRESS events |
711641-1 | 4-Minor | | MRF DIAMETER: Add log events to log when stale messages are removed from pending request queue |
793005-4 | 5-Cosmetic | | 'Current Sessions' statistic of MRF/Diameter pool may be incorrect |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
852289-6 | 3-Major | K23278332 | DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector |
751116-3 | 3-Major | | DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
839597-2 | 3-Major | | Restjavad fails to start if provision.extramb has a large value |
Cumulative fixes from BIG-IP v13.1.3.3 that are included in this release
Functional Change Fixes
None
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
803645-1 | 3-Major | | GTMD daemon crashes |
Cumulative fixes from BIG-IP v13.1.3.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
818429-2 | CVE-2020-5857 | K70275209 | TMM may crash while processing HTTP traffic |
808301-1 | CVE-2019-6678 | K04897373 | TMM may crash while processing IP traffic |
805837-4 | CVE-2019-6657 | K22441651 | REST does not follow current design best practices |
795437-2 | CVE-2019-6677 | K06747393 | Improve handling of TCP traffic for iRules |
795197-3 | CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 | K26618426 | Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 |
781377-1 | CVE-2019-6681 | K93417064 | tmrouted may crash while processing Multicast Forwarding Cache messages |
780601-4 | CVE-2020-5873 | K03585731 | SCP file transfer hardening |
769589-4 | CVE-2019-6974 | K11186236 | CVE-2019-6974: Linux Kernel Vulnerability |
762453 | CVE-2020-5872 | K63558580 | Hardware cryptography acceleration may fail |
757357 | CVE-2019-6676 | K92002212 | TMM may crash while processing traffic |
636400-1 | CVE-2019-6665 | K26462555 | CPB (BIG-IP->BIGIQ log node) Hardening |
810537-3 | CVE-2020-5883 | K12234501 | TMM may consume excessive resources while processing iRules |
809165-4 | CVE-2020-5854 | K50046200 | TMM may crash while processing connector traffic |
808525-4 | CVE-2019-6686 | K55812535 | TMM may crash while processing Diameter traffic |
795797-4 | CVE-2019-6658 | K21121741 | AFM WebUI Hardening |
788773-4 | CVE-2019-9515 | K50233772 | HTTP/2 Vulnerability: CVE-2019-9515 |
788769-4 | CVE-2019-9514 | K01988340 | HTTP/2 Vulnerability: CVE-2019-9514 |
782529-4 | CVE-2019-6685 | K30215839 | iRules does not follow current design best practices |
781449-4 | CVE-2019-6672 | K14703097 | Increase efficiency of sPVA DoS protection on wildcard virtual servers |
777737-2 | CVE-2019-6671 | K39225055 | TMM may consume excessive resources when processing IP traffic |
773673-4 | CVE-2019-9512 | K98053339 | HTTP/2 Vulnerability: CVE-2019-9512 |
768981-4 | CVE-2019-6670 | K05765031 | VCMP Hypervisor Hardening |
761144-6 | CVE-2019-6684 | K95117754 | Broadcast frames may be dropped |
761014-4 | CVE-2019-6669 | K11447758 | TMM may crash while processing local traffic |
758018-3 | CVE-2019-6661 | K61705126 | APD/APMD may consume excessive resources |
725551-4 | CVE-2019-6682 | K40452417 | ASM may consume excessive resources |
636453-9 | CVE-2016-10009 | K31440025 | OpenSSH vulnerability CVE-2016-10009 |
789893-4 | CVE-2019-6679 | K54336216 | SCP file transfer hardening |
779177-4 | CVE-2019-19150 | K37890841 | Apmd logs "client-session-id" when access-policy debug log level is enabled |
749324-2 | CVE-2012-6708 | K62532311 | jQuery Vulnerability: CVE-2012-6708 |
738236-2 | CVE-2019-6688 | K25607522 | UCS does not follow current best practices |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
724556-2 | 2-Critical | | icrd_child spawns more than maximum allowed times (zombie processes) |
769193-1 | 3-Major | | Added support for faster congestion window increase in slow-start for stretch ACKs |
759135-5 | 3-Major | | AVR report limits are locked at 1000 transactions |
788269-1 | 4-Minor | | Adding toggle to disable AVR widgets on device-groups |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
725950 | 1-Blocking | | Regcomp() leaks memory if passed an invalid regex. |
831549 | 2-Critical | | Marketing name does not display properly for BIG-IP i10010 (C127) |
765533-4 | 2-Critical | K58243048 | Sensitive information logged when DEBUG logging enabled |
749388 | 2-Critical | | 'table delete' iRule command can cause TMM to crash |
747203-4 | 2-Critical | | Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding |
686996-1 | 2-Critical | | TMM core under heavy load with PEM |
809205-3 | 3-Major | | CVE-2019-3855: libssh2 Vulnerability |
794501-4 | 3-Major | | Duplicate if_indexes and OIDs between interfaces and tunnels |
793121-1 | 3-Major | | Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication |
788557 | 3-Major | | BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior |
788301-3 | 3-Major | K58243048 | SNMPv3 Hardening |
777261-2 | 3-Major | | When SNMP cannot locate a file it logs messages repeatedly |
764873-4 | 3-Major | | An accelerated flow transmits packets to a dated, down pool member. |
761993-4 | 3-Major | | The nsm process may crash if it detects a nexthop mismatch |
759735-1 | 3-Major | | OSPF ASE route calculation for new external-LSA delayed |
758781-1 | 3-Major | | iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates |
758527-4 | 3-Major | K39604784 | BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode |
758119-4 | 3-Major | K58243048 | qkview may contain sensitive information |
747592-2 | 3-Major | | PHP vulnerability CVE-2018-17082 |
745825-3 | 3-Major | | The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading |
741902-3 | 3-Major | | sod does not validate message length vs. received packet length |
740413-3 | 3-Major | | Sod not logging Failover Condition messages |
738445-2 | 3-Major | | IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup |
724109-4 | 3-Major | | Manual config-sync fails after pool with FQDN pool members is deleted |
700712-1 | 3-Major | | MariaDB binary logging takes up disk space |
687115-2 | 3-Major | | SNMP performance can be impacted by a long list of allowed-addresses |
683135-2 | 3-Major | | Hardware syncookies number for virtual server stats is unrealistically high |
680917-1 | 3-Major | | Invalid monitor rule instance identifier |
815425 | 4-Minor | | RAID status is shown <undefined> after upgrade from 12.1.3.5 to 13.1.x★ |
755018-4 | 4-Minor | | Egress traffic processing may be stopped on one or more VE trunk interfaces |
484683-3 | 4-Minor | | Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
800305-4 | 2-Critical | | VDI::cmp_redirect generates flow with random client port
787825-3 | 2-Critical | K58243048 | Database monitors debug logs have plaintext password printed in the log file
739927-3 | 2-Critical | | Bigd crashes after a specific combination of logging operations
693491-1 | 2-Critical | | ASM with Web Acceleration Profile can rarely cause TMM to core
813673-1 | 3-Major | | The HTTP Explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT
788325-4 | 3-Major | K39794285 | Header continuation rule is applied to request/response line
781753-1 | 3-Major | | WebSocket traffic is transmitted with unknown opcodes
773421-2 | 3-Major | | Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
770477-3 | 3-Major | | SSL aborted when client_hello includes both renegotiation info extension and SCSV
761030-1 | 3-Major | | tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route
758992-1 | 3-Major | | The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address
757827-3 | 3-Major | | Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution
755727-3 | 3-Major | | Ephemeral pool members not created after DNS flap and address record changes
749294-2 | 3-Major | | TMM cores when query session index is out of boundary
747907-1 | 3-Major | | Persistence records leak while the HA mirror connection is down
743257-1 | 3-Major | | Fix block size insecurity init and assign
742237-2 | 3-Major | | CPU spikes appear wider than actual in graphs
739638-2 | 3-Major | | BGP failed to connect with neighbor when pool route is used
726734-1 | 3-Major | | DAGv2 port lookup stringent may fail
726176-4 | 3-Major | | Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
716952-2 | 3-Major | | With TCP Nagle enabled, the SSL filter holds the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process completes.
704450-3 | 3-Major | | bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
693582-1 | 3-Major | | Monitor node log not rotated for certain monitor types
689361-1 | 3-Major | | Configsync can change the status of a monitored pool member
687887-1 | 3-Major | | Unexpected result from multiple changes to a monitor-related object in a single transaction
676990-2 | 3-Major | | No way to enable SNAT of host traffic
676557-1 | 3-Major | | Binary data marshalled to TCL may be converted to UTF8
636842-3 | 3-Major | K51472519 | A FastL4 virtual server may drop a FIN packet when mirroring is enabled
601189-3 | 3-Major | | The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
769309-3 | 4-Minor | | DB monitor reconnects to server on every probe when count = 0
760683-2 | 4-Minor | | RST from non-floating self-ip may use floating self-ip source mac-address
754003-1 | 4-Minor | K73202036 | Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate
747628-3 | 4-Minor | | BIG-IP sends spurious ICMP PMTU message to server
744210-1 | 4-Minor | | DHCPv6 does not have the ability to override the hop limit from the client.
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
772233-1 | 3-Major | | IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.
761032-4 | 3-Major | K36328238 | TMSH displays TSIG keys
699512-1 | 3-Major | | UDP packet may be dropped when queued in parallel with another packet
672491-5 | 3-Major | K10990182 | net resolver uses internal IP as source if matching wildcard forwarding virtual server
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
813945-1 | 2-Critical | | PB core dump while processing many entities
775105-1 | 2-Critical | | False positive on bot defense logs
812341-1 | 3-Major | | Patch or Delete commands take a long time to complete when modifying an ASM signature set.
800453-1 | 3-Major | K72252057 | False positive virus violations
783513-1 | 3-Major | | ASU is very slow on device with hundreds of policies due to logging profile handling
739618-1 | 3-Major | | When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy
727107-2 | 3-Major | | Request Logs are not stored locally due to shmem pipe blockage
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
756102-3 | 2-Critical | | TMM can crash with core on ABORT signal due to non-responsive AVR code
797785-3 | 3-Major | | AVR reports no ASM-Anomalies data.
792265-1 | 3-Major | | Traffic logs do not include the BIG-IQ tags
781581-4 | 3-Major | | Monpd uses excessive memory on requests for network_log data
703196-5 | 3-Major | | Reports for AVR are missing data
696191-1 | 3-Major | | AVR-related disk partitions can get full during upgrade★
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
811145-4 | 2-Critical | | VMware View resources with SAML SSO are not working
784989-4 | 2-Critical | | TMM may crash with panic message: Assertion 'cookie name exists' failed
777173-4 | 2-Critical | | Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error
725505-2 | 2-Critical | | SNAT settings in network resource are not applied after FastL4 profile is updated
618641-1 | 2-Critical | | In rare cases VDI plugin might leak memory or crash while processing client connections
815753-4 | 3-Major | | TMM leaks memory when explicit SWG is configured with Kerberos authentication
799149 | 3-Major | | Authentication fails with empty password
798261-4 | 3-Major | | APMD fails to create session variables if spanning is enabled on SWG transparent virtual server
788417-3 | 3-Major | | Remote Desktop client on macOS may show resource auth token on credentials prompt
787477-1 | 3-Major | | Export fails from partitions with '-' as second character
768025-1 | 3-Major | | SAML requests/responses fail with "failed to find certificate"
766577-4 | 3-Major | | APMD fails to send response to client and it already closed connection.
725040-3 | 3-Major | | Auto-update fails for F5 Helper Applications on Linux
723278-1 | 3-Major | | Radius Accounting-Request (STOP) always includes AVP Framed-IP-Address=0.16.0.0 when Network Access resource configured with IPv4 & IPv6
697590-4 | 3-Major | | APM iRule ACCESS::session remove fails outside of Access events
653210-1 | 3-Major | | Rare resets during the login process
643935-2 | 3-Major | | Rewriting may cause an infinite loop while processing some objects
719589-3 | 4-Minor | | GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic
684414-2 | 4-Minor | | Retrieving too many groups causes out-of-memory errors in TMUI and VPE
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
813657 | 3-Major | | MRF SIP ALG with SNAT incorrectly detects ingress queue full
811745-4 | 3-Major | | Failover between clustered DIAMETER devices can cause mirror connections to be disconnected
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
787901 | 2-Critical | | While deleting a DoS profile, tmm might core in sPVA
778869-1 | 2-Critical | K72423000 | ACLs and other AFM features (e.g., IPI) may not function as designed
747922-2 | 2-Critical | | With AFM enabled, during bootup, there is a small possibility of a tmm crash
761345-1 | 3-Major | | Additional config-sync may be required after blob compilation on an HA setup in manual config-sync mode
738284-4 | 3-Major | | Creating or deleting rule list results in warning message: Schema object encode failed
679722-1 | 3-Major | | Configuration sync failure involving self IP references
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
753014-1 | 3-Major | | PEM iRule action with RULE_INIT event fails to attach to PEM policy
747065-3 | 3-Major | | PEM iRule burst of session ADDs leads to missing sessions
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
804185-3 | 3-Major | | Some WebSafe request signatures may not work as expected
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
803477-1 | 3-Major | | BaDoS State file load failure when signature protection is off
767045 | 4-Minor | | TMM cores while applying policy
711708-1 | 4-Minor | | Default disabled DoS profile cannot be attached to virtual server because of BADOS '2 virtual servers limitation'
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
674795-2 | 4-Minor | | tmsh help/man page incorrectly states that the urldb feedlist polling interval is in seconds, when it should be hours.
Cumulative fixes from BIG-IP v13.1.3.1 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
688627-1 | 3-Major | | OPT-0043 40G optical transceiver cannot be unbundled into 4x10G
Cumulative fixes from BIG-IP v13.1.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
809377-4 | CVE-2019-6649 | K05123525 | AFM ConfigSync Hardening |
771873-3 | CVE-2019-6642 | K40378764 | TMSH Hardening |
767653-2 | CVE-2019-6660 | K23860356 | Malformed HTTP request can result in endless loop in an iRule script |
758065-2 | CVE-2019-6667 | K82781208 | TMM may consume excessive resources while processing FIX traffic |
757023-4 | CVE-2018-5743 | K74009656 | BIND vulnerability CVE-2018-5743 |
756538-1 | CVE-2019-6645 | K15759349 | Failure to open data channel for active FTP connections mirrored across a high availability (HA) pair.
754103-2 | CVE-2019-6644 | K75532331 | iRulesLX NodeJS daemon does not follow best security practices |
739971-2 | CVE-2018-5391 | K74374841 | Linux kernel vulnerability: CVE-2018-5391 |
726393-4 | CVE-2019-6643 | K36228121 | DHCPRELAY6 can lead to a tmm crash |
715923-1 | CVE-2018-15317 | K43625118 | When processing TLS traffic TMM may terminate connections unexpectedly |
757455-1 | CVE-2019-6647 | K87920510 | Excessive resource consumption when processing REST requests |
773649-4 | CVE-2019-6656 | K23876153 | APM Client Logging |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
749704-3 | 4-Minor | | GTPv2 Serving-Network field with mixed MNC digits
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
774445-3 | 1-Blocking | K74921042 | BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2
769809-2 | 2-Critical | | The vCMP guests 'INOPERATIVE' after upgrade
760408-1 | 2-Critical | K23438711 | System Integrity Status: Invalid after BIOS update★
757722-1 | 2-Critical | | Unknown notify message types unsupported in IKEv2
756402-1 | 2-Critical | | Re-transmitted IPsec packets can have garbled contents
756071-1 | 2-Critical | | MCPD crash
753650 | 2-Critical | | The BIG-IP system reports frequent kernel page allocation failures.
748205-1 | 2-Critical | | SSD bay identification incorrect for RAID drive replacement★
734539-3 | 2-Critical | | The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads
708968-2 | 2-Critical | | OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
671741-3 | 2-Critical | | LCD on iSeries devices can lock at red 'loading' screen.
648270-3 | 2-Critical | | mcpd can crash if viewing a fast-growing log file through the GUI
756153-2 | 3-Major | | Add diskmonitor support for MySQL /var/lib/mysql
749785-1 | 3-Major | | nsm can become unresponsive when processing recursive routes
746266-1 | 3-Major | | A vCMP guest VLAN MAC mismatch across blades.
735565-1 | 3-Major | | BGP neighbor peer-group config element not persisting
723553-1 | 3-Major | | BIG-IP installations on RAID systems (old style) may not boot★
720610 | 3-Major | | Updatecheck logs bogus 'Update Server unavailable' on every run
716166-4 | 3-Major | | Dynamic routing not added when conflicting self IPs exist
709544-2 | 3-Major | | VCMP guests in HA configuration become Active/Active during upgrade★
705037-2 | 3-Major | K32332000 | System may exhibit duplicate if_index, which in some cases leads to nsm daemon restart
702310-1 | 3-Major | | The ':l' and ':h' options are not available on the tmm interface in tcpdump
693388-2 | 3-Major | | Log additional HSB registers when device becomes unresponsive
667618-1 | 3-Major | | Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
620954-5 | 3-Major | | Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
721526-2 | 4-Minor | | tcpdump fails to write verbose packet data to file
691171-1 | 4-Minor | | static and dynamically learned blackhole route from ZebOS cannot be deleted
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
759968 | 1-Blocking | | Distinct vCMP guests are able to cluster with each other.
757441-2 | 2-Critical | | Specific sequence of packets causes Fast Open to be effectively disabled
757391-3 | 2-Critical | | Datagroup iRule command class can lead to memory corruption
756450-2 | 2-Critical | | Traffic using route entry that's more specific than existing blackhole route can cause core
755585-3 | 2-Critical | | mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction
746710-2 | 2-Critical | | Use of HTTP::cookie after HTTP::disable causes TMM core
742184-1 | 2-Critical | | TMM memory leak
740228-1 | 2-Critical | | TMM crash while sending a DHCP Lease Query to a DHCP server
724214-3 | 2-Critical | | TMM core when using Multipath TCP
667779-1 | 2-Critical | | iRule commands may cause the TMM to crash in very rare situations.
794493 | 3-Major | | Creating Client SSL profile via tmsh or iControl REST and specifying 'cert' and 'key' incorrectly leaves inherit-certkeychain as true
790205-2 | 3-Major | | Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core
760771-3 | 3-Major | | FastL4-steered traffic might cause SSL resume handshake delay
760550-3 | 3-Major | | Retransmitted TCP packet has FIN bit set
757442-1 | 3-Major | | A missed SYN cookie check causes crash at the standby TMM in HA mirroring system
754349 | 3-Major | | FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4
753594-3 | 3-Major | | In-TMM monitors may have duplicate instances or stop monitoring
753514-1 | 3-Major | | Large configurations containing LTM Policies load slowly
749414-2 | 3-Major | | Invalid monitor rule instance identifier error
746922-4 | 3-Major | | When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
726001-1 | 3-Major | | Rapid datagroup updates can cause type corruption
720219 | 3-Major | K13109068 | HSL::log command can fail to pick new pool member if last picked member is 'checking'
719304-2 | 3-Major | | Inconsistent node ICMP monitor operation for IPv6 nodes
712919-1 | 3-Major | K54802336 | Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server.
705112-2 | 3-Major | | DHCP server flows are not re-established after expiration
675367-2 | 3-Major | K95393925 | The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication
604811-2 | 3-Major | | Under certain conditions TMM may crash while processing OneConnect traffic
273104-1 | 3-Major | | Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
759721-4 | 3-Major | K03332436 | DNS GUI does not follow best practices
754901-3 | 3-Major | | Frequent zone update notifications may cause TMM to restart
750213-2 | 3-Major | K25351434 | DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
726412-2 | 4-Minor | | Virtual server drop down missing objects on pool creation
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
781637-4 | 3-Major | | ASM brute force counts unnecessary failed logins for NTLM
781605-1 | 3-Major | | Fix RFC issue with the multipart parser
781069-4 | 3-Major | | Bot Defense challenge blocks requests with long Referer headers
773553-4 | 3-Major | | ASM JSON parser false positive.
769981-3 | 3-Major | | bd crashes in a specific scenario
764373-1 | 3-Major | | 'Modified domain cookie' violation with multiple enforced domain cookies with different paths
763001-2 | 3-Major | K70312000 | Web-socket enforcement might lead to a false negative
761941-3 | 3-Major | | ASM does not remove CSRT token query parameter before forwarding a request to the backend server
761231-4 | 3-Major | K79240502 | Bot Defense Search Engines getting blocked after configuring DNS correctly
739900-1 | 3-Major | | All Policies are created with 3 new Signature Sets After Creation of a Policy using Application Ready Templates
713051 | 3-Major | | PB generates a suggestion to add a disallowed filetype with empty name.
686763-1 | 3-Major | | asm_start is consuming too much memory
686500-1 | 3-Major | | Adding user defined signature on device with many policies is very slow
675673-1 | 3-Major | | Policy history files should be limited by settings in a configuration file.
768761-4 | 4-Minor | | Improved accept action description for suggestions to disable signature/enable metacharacter in policy
761553-4 | 4-Minor | | Text for analyzed requests improved for suggestions that were created as a result of the absence of violations in traffic
761549-4 | 4-Minor | | Traffic Learning: Accept and Stage action is shown only when the entity is not in staging
750689-1 | 4-Minor | | Request Log: Accept Request button available when not needed
749184-4 | 4-Minor | | Added description of subviolation for the suggestions that enabled/disabled them
747560-3 | 4-Minor | | ASM REST: Unable to download Whitehat vulnerabilities
695878-4 | 4-Minor | | Signature enforcement issue on specific requests
613728-2 | 4-Minor | | Import/Activate Security policy with 'Replace policy associated with virtual server' option fails
769061-4 | 5-Cosmetic | | Improved details for learning suggestions to enable violation/sub-violation
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
753485-2 | 2-Critical | K50285521 | AVR global settings are being overridden by high availability (HA) peers
771025-2 | 3-Major | | AVR sends domain names as an aggregate
688544-1 | 3-Major | | SWG reports on BIG-IQ show same series as 'Allowed' and 'Blocked' at the same time
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
760130-1 | 2-Critical | | [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK
753370-1 | 2-Critical | | RADIUS auth might not be working as configured when there is a change in the RADIUS auth config name.
745600-3 | 2-Critical | | Tmm crash and core using iRule
741535-1 | 2-Critical | | Memory leak when using SAML or Form-based Client-initiated SSO
723402-2 | 2-Critical | | Apmd crashes running command: tmsh restart sys service all
686282-2 | 2-Critical | | APMD intermittently crashes when processing access policies
783817-4 | 3-Major | | UI becomes unresponsive when accessing Access active session information
775621-4 | 3-Major | | urldb memory grows past the expected ~3.5GB
765621-1 | 3-Major | | POST request being rejected when using OAuth Resource Server mode
760974-1 | 3-Major | | TMM SIGABRT while evaluating access policy
759638-1 | 3-Major | | APM current active and established session counts out of sync after failover
754542-4 | 3-Major | | TMM may crash when using RADIUS Accounting agent
750823-3 | 3-Major | | Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
750631-1 | 3-Major | | There may be a latency between session termination and deletion of its associated IP address mapping
750170-1 | 3-Major | | SP Connector config changes can sometimes cause a BIG-IP tmm core during handling of a SAML SLO request
749161-1 | 3-Major | | Problem syncing a policy that contains non-ASCII characters
747725-2 | 3-Major | | Kerberos Auth agent may override settings that were manually made to krb5.conf
744532-2 | 3-Major | | Websso fails to decrypt secured session variables
600985-3 | 3-Major | | Network access tunnel data stalls
770621-1 | 4-Minor | | [Portal Access] HTTP 308 redirect does not get rewritten
737603-1 | 4-Minor | | Apmd leaks memory when executing per-session policy via iRule
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
759077-4 | 3-Major | | MRF SIP filter queue sizes not configurable
748253-3 | 3-Major | | Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
745628-3 | 3-Major | | MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
745514-3 | 3-Major | | MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
745404-2 | 3-Major | | MRF SIP ALG does not reparse SDP payload if replaced
701680-2 | 3-Major | | MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds
747909-3 | 4-Minor | | GTPv2 MEI and Serving-Network fields decoded incorrectly
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
763121-1 | 2-Critical | | Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.
757359-3 | 2-Critical | | pccd crashes when deleting a nested Address List
752363 | 2-Critical | | Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled
777733-1 | 3-Major | | DoS profile default values cause config load failure on upgrade
771173-1 | 3-Major | | FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★
757306-2 | 3-Major | | SNMP MIBs for AFM NAT do not yet exist
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
726665-2 | 2-Critical | | tmm core dump due to SEGFAULT
760438-1 | 3-Major | | PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions
759192-1 | 3-Major | | TMM core during display of PEM session under some specific conditions
756311-1 | 3-Major | | High CPU during erroneous deletion
753163-2 | 3-Major | | PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
775013-4 | 3-Major | | TIME EXCEEDED alert has insufficient data for analysis
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
752803-2 | 2-Critical | | CLASSIFICATION_DETECTED running reject can lead to a tmm core
Cumulative fixes from BIG-IP v13.1.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
807477-9 | CVE-2019-6650 | K04280042 | ConfigSync Hardening |
797885-4 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
796469-2 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
810557-9 | CVE-2019-6649 | K05123525 | ASM ConfigSync Hardening |
799617-4 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
799589-4 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
794389-9 | CVE-2019-6651 | K89509323 | iControl REST endpoint response inconsistency |
794413-9 | CVE-2019-6471 | K10092301 | BIND vulnerability CVE-2019-6471 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
744937-9 | 3-Major | K00724442 | BIG-IP DNS and GTM DNSSEC security exposure |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
760622-2 | 3-Major | | Allow Device Certificate renewal from BIG-IP Configuration Utility
760363-2 | 3-Major | | Update Alias Address field with default placeholder text
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
807445 | 3-Major | | Replaced ISC_TRUE and ISC_FALSE with true and false
Cumulative fixes from BIG-IP v13.1.1.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
757025-3 | CVE-2018-5744 | K00040234 | BIND Update |
756774-4 | CVE-2019-6612 | K24401914 | Aborted DNS queries to a cache may cause a TMM crash |
754944-3 | CVE-2019-6626 | K00432398 | AVR reporting UI does not follow best practices |
754345-3 | CVE-2019-6625 | K79902360 | WebUI does not follow best security practices |
753975 | CVE-2019-6666 | K92411323 | TMM may crash while processing HTTP traffic with webacceleration profile |
753776-1 | CVE-2019-6624 | K07127032 | TMM may consume excessive resources when processing UDP traffic |
749879-4 | CVE-2019-6611 | K47527163 | Possible interruption while processing VPN traffic |
748502-3 | CVE-2019-6623 | K72335002 | TMM may crash when processing iSession traffic |
737731-2 | CVE-2019-6622 | K44885536 | iControl REST input sanitization |
737574-2 | CVE-2019-6621 | K20541896 | iControl REST input sanitization★ |
737565-2 | CVE-2019-6620 | K20445457 | iControl REST input sanitization |
726327-2 | CVE-2018-12120 | K37111863 | NodeJS debugger accepts connections from any host |
791369-4 | CVE-2019-6662 | K01049383 | The REST framework may reflect client data in error logs |
757027-3 | CVE-2019-6465 | K01713115 | BIND Update |
757026-3 | CVE-2018-5745 | K25244852 | BIND Update |
753796-2 | CVE-2019-6640 | K40443301 | SNMP does not follow best security practices |
750460-3 | CVE-2019-6639 | K61002104 | Subscriber management configuration GUI |
750187-3 | CVE-2019-6637 | K29149494 | ASM REST may consume excessive resources |
745713-1 | CVE-2019-6619 | K94563344 | TMM may crash when processing HTTP/2 traffic |
745387-3 | CVE-2019-6618 | K07702240 | Resource-admin user roles can no longer get bash access |
745371-2 | CVE-2019-6636 | K68151373 | AFM GUI does not follow best security practices |
745257-3 | CVE-2018-14634 | K20934447 | Linux kernel vulnerability: CVE-2018-14634 |
745165-3 | CVE-2019-6617 | K38941195 | Users without Advanced Shell Access are not allowed SFTP access |
742226-2 | CVE-2019-6635 | K11330536 | TMSH platform_check utility does not follow best security practices |
710857-2 | CVE-2019-6634 | K64855220 | iControl requests may cause excessive resource usage |
703835-2 | CVE-2019-6616 | K82814400 | When using SCP into BIG-IP systems, you must specify the target filename |
702472-3 | CVE-2019-6615 | K87659521 | Appliance Mode Security Hardening |
702469-3 | CVE-2019-6633 | K73522927 | Appliance mode hardening in scp |
698376-3 | CVE-2019-6614 | K46524395 | Non-admin users have limited bash commands and can only write to certain directories |
673842-4 | CVE-2019-6632 | K01413496 | VCMP does not follow best security practices |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
752835-3 | 2-Critical | K46971044 | Mitigate mcpd out of memory error with auto-sync enabled.
750586-1 | 2-Critical | | HSL may incorrectly handle pending TCP connections with elongated handshake time.
707013 | 2-Critical | | vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest
699515-1 | 2-Critical | | nsm cores during update of nexthop for ECMP recursive route
621260-4 | 2-Critical | | mcpd core on iControl REST reference to non-existing pool
760222-5 | 3-Major | | SCP fails unexpectedly when FIPS mode is enabled
757414 | 3-Major | | GUI Network Map slow page load with large configuration
756088-1 | 3-Major | | The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address
754567 | 3-Major | | Child clientSSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file
751011-1 | 3-Major | | ihealth.sh script and qkview locking mechanism not working
750447-1 | 3-Major | | GUI VLAN list page loading slowly with 50 records per screen
750318-1 | 3-Major | | HTTPS monitor does not appear to be using cert from server-ssl profile
748187-2 | 3-Major | | 'Transaction Not Found' Error on PATCH after Transaction has been Created
740345-1 | 3-Major | | TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.
725791-4 | 3-Major | K44895409 | Potential HW/HSB issue detected
723794-3 | 3-Major | | PTI (Meltdown) mitigation should be disabled on AMD-based platforms
722380-2 | 3-Major | | The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
721805 | 3-Major | | Traffic Policy edit to datagroup errors on adding ASM disable action
720819-2 | 3-Major | | Certain platforms may take longer than expected to detect and recover from HSB lock-ups
720269-2 | 3-Major | | TACACS audit logging may append garbage characters to the end of log strings
714626-2 | 3-Major | | When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.
701898-1 | 3-Major | | Certain virtual address route-advertisement settings break upgrades from 13.0.0 hotfix rollups
698619-2 | 3-Major | | Disable port bridging on HSB ports for non-vCMP systems
681009-1 | 3-Major | | Large configurations can cause memory exhaustion during live-install★
581921-3 | 3-Major | K22327083 | Required files under /etc/ssh are not moved during a UCS restore
697766-1 | 4-Minor | | Cisco IOS XR ISIS routers may report 'Authentication TLV not found'
687368-1 | 4-Minor | | The Configuration utility may calculate and display an incorrect HA Group Score
686111-1 | 4-Minor | K89363245 | Searching and Resetting Audit Logs not working as expected
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
753912 | 2-Critical | K44385170 | UDP flows may not be swept |
752930-1 | 2-Critical | | Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state |
745533-4 | 2-Critical | | NodeJS Vulnerability: CVE-2016-5325 |
680564-1 | 2-Critical | | "MCP Message:" seen on boot up with Best License |
756270-2 | 3-Major | | SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle |
750843-1 | 3-Major | | HTTP data re-ordering when receiving data while iRule parked |
750200-1 | 3-Major | | DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode |
749689-1 | 3-Major | | HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart |
747968-2 | 3-Major | | DNS64 stats not increasing when requests go through DNS cache resolver |
747617-1 | 3-Major | | TMM core when processing invalid timer |
742078-2 | 3-Major | | Incoming SYNs are dropped and the connection does not time out. |
738523-2 | 3-Major | | SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages |
727292-1 | 3-Major | | SSL in proxy shutdown case does not deliver server TCP FIN |
712664-2 | 3-Major | | IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address |
710564 | 3-Major | | DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0 |
709952-1 | 3-Major | | Disallow DHCP relay traffic to traverse between route domains |
699979-2 | 3-Major | | Support for Safenet Client Software v7.x |
698437-1 | 3-Major | | Internal capacity increase |
688553-3 | 3-Major | | SASP GWM monitor may not mark member UP as expected |
599567-3 | 3-Major | | APM assumes SNAT automap, does not use SNAT pool |
746077-1 | 4-Minor | | If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified |
664618-1 | 4-Minor | | Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block' |
658382-2 | 5-Cosmetic | | Large numbers of ERR_UNKNOWN appearing in the logs |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
735832-1 | 2-Critical | | RAM Cache traffic fails on B2150 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
756094-3 | 2-Critical | | DNS express in restart loop, 'Error writing scratch database' in ltm log |
749508-3 | 3-Major | | LDNS and DNSSEC: Various OOM conditions need to be handled properly |
749222-3 | 3-Major | | dname compression offset overflow causes bad compression pointer |
748902-7 | 3-Major | | Incorrect handling of memory allocations while processing DNSSEC queries |
746877-3 | 3-Major | | Omitted check for success of memory allocation for DNSSEC resource record |
737332-3 | 3-Major | | It is possible for DNSX to serve partial zone information for a short period of time |
748177-3 | 4-Minor | | Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
759360 | 2-Critical | | Apply Policy fails due to policy corruption from previously enforced signature |
758961 | 2-Critical | K58243048 | During brute force attack, the attempted passwords may be logged |
723790-1 | 2-Critical | | Idle asm_config_server handlers consume a lot of memory |
760878-2 | 3-Major | | Incorrect enforcement of explicit global parameters |
755005-3 | 3-Major | | Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations |
754365-3 | 3-Major | | Updated flags for countries that changed their flags since 2010 |
751710-2 | 3-Major | | False positive cookie hijacking violation |
749109-1 | 3-Major | | CSRF situation on BIG-IP ASM GUI |
746146-2 | 3-Major | | AVRD can crash with core when disconnecting/reconnecting on HTTPS connection |
739945-2 | 3-Major | | JavaScript challenge on POST with 307 breaks application |
738647-2 | 3-Major | | Add the login detection criteria of 'status code is not X' |
721399-2 | 3-Major | | Signature Set cannot be modified to Accuracy = 'All' after another value |
717525-1 | 3-Major | | Behavior for classification in manual learning mode |
691945-1 | 3-Major | | Security Policy Configuration Changes When Disabling Learning |
761921-3 | 4-Minor | | avrd high CPU utilization due to perpetual connection attempts |
758336-1 | 4-Minor | | Incorrect recommendation in Online Help of Proactive Bot Defense |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
763349-1 | 2-Critical | | AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out |
756205-3 | 2-Critical | | TMSTAT offbox statistics are not continuous |
764665-1 | 3-Major | | AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change |
763005-2 | 3-Major | | Aggregated Domain Names in DNS statistics are shown as a random domain name |
760356-4 | 3-Major | | Users with Application Security Administrator role cannot delete Scheduled Reports |
753446-1 | 3-Major | | avrd process crash during shutdown if connected to BIG-IQ |
738614-2 | 3-Major | | 'Internal error' appears on Goodput GUI page |
738197-2 | 3-Major | | IP address from XFF header is not taken into account when there are trailing spaces after IP address |
737863-1 | 3-Major | | Advanced Filters for Captured Transactions not working on Multi-Blade Platforms |
718655 | 3-Major | | DNS profile measurement unit name is incorrect. |
700322-2 | 3-Major | | Upgrade may fail on a multi blade system when there are scheduled reports in configuration★ |
754330-1 | 4-Minor | | Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
752592-2 | 2-Critical | | VMware Horizon PCoIP clients may fail to connect shortly after logout |
704587-2 | 2-Critical | | Authentication with UTF-8 chars in password or handling of IP addresses fail due to byte-array processing in iRules |
660826-3 | 2-Critical | | BIG-IQ Deployment fails with customization-templates |
758764-4 | 3-Major | | APMD Core when CRLDP Auth fails to download revoked certificate |
757992-1 | 3-Major | | RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup |
757781-1 | 3-Major | | Portal Access: cookie exchange may be broken sometimes |
755507-3 | 3-Major | | [App Tunnel] 'URI sanitization' error |
755475-3 | 3-Major | | Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync |
749057-3 | 3-Major | | VMware Horizon idle timeout is ignored when connecting via APM |
738430-1 | 3-Major | | APM is not able to do compliance check on iOS devices running F5 Access VPN client |
734291-2 | 3-Major | | Logon page modification fails to sync to standby |
696835-1 | 3-Major | | Secondary Authentication or SSO fail after changing AD or LDAP password |
695985-2 | 3-Major | | Access HUD filter has URL length limit (4096 bytes) |
656784-1 | 3-Major | K98510679 | Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
704555-2 | 2-Critical | | Core occurs if DIAMETER::persist reset is called if no persistence key is set. |
752822-3 | 3-Major | | SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type |
751179-3 | 3-Major | | MRF: Race condition may create too many outgoing connections to a peer |
749603-3 | 3-Major | | MRF SIP ALG: Potential to end wrong call when BYE received |
748043-3 | 3-Major | | MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP |
747187-3 | 3-Major | | SIP falsely detects media flow collision when SDP is in both 183 and 200 response |
744949-3 | 3-Major | | MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
751869 | 2-Critical | | Possible tmm crash when using manual mode mitigation in DoS Profile |
757279 | 3-Major | | LDAP authenticated Firewall Manager role cannot edit firewall policies |
753893-1 | 3-Major | | Inconsistent validation for firewall address-list's nested address-list causes load failure |
748081-2 | 3-Major | | Memory leak in Behavioral DoS module |
710262-1 | 3-Major | | Firewall is not updated when adding new rules |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
739272-1 | 3-Major | | Incorrect zombie counts in PBA stats with long PBA block-lifetimes |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
752782-3 | 3-Major | | 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe' |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
760961 | 2-Critical | | TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts |
757088-3 | 2-Critical | | TMM clock advances and cluster failover happens during webroot db nightly updates |
752047-2 | 2-Critical | | iRule running reject in CLASSIFICATION_DETECTED event can cause core |
761273-1 | 3-Major | | wr_urldbd creates sparse log files by writing from the previous position after logrotate. |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
761300 | 3-Major | K61105950 | Errors in REST token requests may log sensitive data |
Cumulative fixes from BIG-IP v13.1.1.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
744035-4 | CVE-2018-15332 | K12130880 | APM Client Vulnerability: CVE-2018-15332 |
739970-2 | CVE-2018-5390 | K95343321 | Linux kernel vulnerability: CVE-2018-5390 |
738119-2 | CVE-2019-6589 | K23566124 | SIP routing UI does not follow best practices |
745358-3 | CVE-2019-6607 | K14812883 | ASM GUI does not follow best practices |
737910-2 | CVE-2019-6609 | K18535734 | Security hardening on the following platforms |
737442-2 | CVE-2019-6591 | K32840424 | Error in APM Hosted Content when set to public access |
658557-3 | CVE-2019-6606 | K35209601 | The snmpd daemon may leak memory when processing requests. |
530775-3 | CVE-2019-6600 | K23734425 | Login page may generate unexpected HTML output |
701785-2 | CVE-2017-18017 | K18352029 | Linux kernel vulnerability: CVE-2017-18017 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
744685-1 | 2-Critical | | BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension |
744188 | 2-Critical | | First successful auth iControl REST requests will now be logged in audit and secure log files |
748851-1 | 3-Major | | Bot Detection injection includes tags which may cause faulty display of the application |
725878-2 | 3-Major | | AVR does not collect all of APM TMStats |
700827-4 | 3-Major | | B2250 blades may lose efficiency when source ports form an arithmetic sequence. |
667257-4 | 3-Major | | CPU Usage Reaches 100% With High FastL4 Traffic |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
682837-2 | 1-Blocking | | Compression watchdog period too brief. |
744331 | 2-Critical | | OpenSSH hardening |
743790-3 | 2-Critical | | BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus |
741423-2 | 2-Critical | | Secondary blade goes offline when provisioning ASM/FPS on already established config-sync |
738887-3 | 2-Critical | | BIG-IP SNMPD vulnerability CVE-2019-6608 |
726487-2 | 2-Critical | | MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change. |
723298-2 | 2-Critical | | BIND upgrade to version 9.11.4 |
713380 | 2-Critical | K23331143 | Multiple B4450 blades in the same chassis run into inconsistent DAG state |
712738-1 | 2-Critical | | fpdd may core dump when the system is going down |
710277-1 | 2-Critical | | IKEv2 further child_sa validity checks |
697424-1 | 2-Critical | | iControl-REST crashes on /example for firewall address-lists |
688148-3 | 2-Critical | | IKEv1 racoon daemon SEGV during phase-two SA list iteration |
680556-1 | 2-Critical | | Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted |
677937-3 | 2-Critical | K41517253 | APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets |
668041-2 | 2-Critical | K27535157 | Config load fails when an iRule comment ends with backslash in a config where there is also a policy.★ |
751009-1 | 3-Major | | Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out |
748206 | 3-Major | | Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position |
745809 | 3-Major | | The /var partition may become 100% full, requiring manual intervention to clear space |
743803-2 | 3-Major | | IKEv2 potential double free of object when async request queueing fails |
737536-1 | 3-Major | | Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others. |
737437-2 | 3-Major | | IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages |
737397-3 | 3-Major | | User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP |
724143-1 | 3-Major | | IKEv2 connflow expiration upon ike-peer change |
723579-4 | 3-Major | | OSPF routes missing |
722691 | 3-Major | | Available datagroup list does not contain datagroups with the correct type. |
721016 | 3-Major | | vcmpd fails updating VLAN information on vcmp guest |
720110-2 | 3-Major | | 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session. |
718817-2 | 3-Major | | Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail. |
718405-1 | 3-Major | | RSA signature PAYLOAD_AUTH mismatch with certificates |
718397-1 | 3-Major | | IKEv2: racoon2 appends spurious trailing null byte to ID payloads |
710666-1 | 3-Major | | VE with interface(s) marked down may report high cpu usage |
706104-3 | 3-Major | | Dynamically advertised route may flap |
705442-1 | 3-Major | | GUI Network Map objects search on Virtual Server IP Address and Port does not work |
698947-2 | 3-Major | | BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled. |
693884-1 | 3-Major | | ospfd core on secondary blade during network instability |
693106-1 | 3-Major | | IKEv1 newest established phase-one SAs should be found first in a search |
686926-2 | 3-Major | | IPsec: responder N(cookie) in SA_INIT response handled incorrectly |
686124-1 | 3-Major | K83576240 | IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs |
680838-2 | 3-Major | | IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator |
678925-1 | 3-Major | | Using a multicast VXLAN tunnel without a proper route may cause a TMM crash. |
678380-2 | 3-Major | K26023811 | Deleting an IKEv1 peer in current use could SEGV on race conditions. |
676897-3 | 3-Major | K25082113 | IPsec keeps failing to reconnect |
676092-3 | 3-Major | | IPsec keeps failing to reconnect |
674145-1 | 3-Major | | chmand error log message missing data |
670197-1 | 3-Major | | IPsec: ASSERT 'BIG-IP_conn tag' failed |
652502-2 | 3-Major | | snmpd returns 'No Such Object available' for ltm OIDs |
639619-5 | 3-Major | | UCS may fail to load due to Master key decryption failure on EEPROM-less systems★ |
598085-1 | 3-Major | | Expected telemetry is not transmitted by sFlow on the standby-mode unit. |
491560-2 | 3-Major | | Using proxy for IP intelligence updates |
738985-2 | 4-Minor | | BIND vulnerability: CVE-2018-5740 |
689491 | 4-Minor | | cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled |
689211-3 | 4-Minor | | IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 } |
680856-2 | 4-Minor | | IPsec config via REST scripts may require post-definition touch of both policy and traffic selector |
713491-2 | 5-Cosmetic | | IKEv1 logging shows SPI of deleted SA with opposite endianness |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
744269-2 | 2-Critical | | dynconfd restarts if FQDN template node deleted while IP address change in progress |
744117-5 | 2-Critical | K18263026 | The HTTP URI is not always parsed correctly |
743857 | 2-Critical | K21942600 | Clientssl accepts non-SSL traffic when cipher-group is configured |
742627-2 | 2-Critical | | SSL session mirroring may cause memory leakage if HA channel is down |
741919 | 2-Critical | | HTTP response may be dropped following a 100 continue message. |
740963-2 | 2-Critical | | VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart |
740490-1 | 2-Critical | | Configuration changes involving HTTP2 or SPDY may leak memory |
739003-1 | 2-Critical | | TMM may crash when FastL4 is used on ePVA-capable BIG-IP platforms |
738945-2 | 2-Critical | | SSL persistence does not work when there are multiple handshakes present in a single record |
738046-2 | 2-Critical | | SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby |
737758-2 | 2-Critical | | MPTCP Passthrough and VIP-on-VIP can lead to TMM core |
734276-2 | 2-Critical | | TMM may leak memory when SSL certificates with VDI or EAM are in use |
727206 | 2-Critical | | Memory corruption when using SSL Forward Proxy on certain platforms |
720136-1 | 2-Critical | | Upgrade may fail on mcpd when external netHSM is used |
718210-2 | 2-Critical | | Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused |
716714-1 | 2-Critical | | OCSP should be configured to avoid TMM crash. |
702792-1 | 2-Critical | K82327396 | Upgrade creates Server SSL profiles with invalid cipher strings★ |
685254-2 | 2-Critical | K14013100 | RAM Cache Exceeding Watchdog Timeout in Header Field Search |
513310-5 | 2-Critical | | TMM might core when a profile is changed. |
849861 | 3-Major | | TMM may crash with FastL4 and HTTP profile using fallback host and iRule command |
752078 | 3-Major | | Header Field Value String Corruption |
739963-2 | 3-Major | | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup |
739379-2 | 3-Major | | Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error |
739349-1 | 3-Major | | LRO segments might be erroneously VLAN-tagged. |
738521-1 | 3-Major | | i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag. |
726319-2 | 3-Major | | 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses |
724564-1 | 3-Major | | A FastL4 connection can fail with loose-init and hash persistence enabled |
724327-1 | 3-Major | | Changes to a cipher rule do not immediately have an effect |
721621-1 | 3-Major | | Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node |
720799-2 | 3-Major | | Virtual Server/VIP flaps with FQDN pool members when all IP addresses change |
717896-2 | 3-Major | | Monitor instances deleted in peer unit after sync |
717100-3 | 3-Major | | FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member |
716716-2 | 3-Major | | Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core |
714559-2 | 3-Major | | Removal of HTTP hash persistence cookie when a pool member goes down. |
713690-3 | 3-Major | | IPv6 cache route metrics are locked |
711981-5 | 3-Major | | BIG-IP system accepts larger-than-egress MTU, PMTU update |
710028-2 | 3-Major | | LTM SQL monitors may stop monitoring if multiple monitors querying same database |
708068-2 | 3-Major | | Tcl commands like "HTTP::path -normalize" do not return normalized path. |
707691-4 | 3-Major | | BIG-IP handles some pathmtu messages incorrectly |
706102-2 | 3-Major | | SMTP monitor does not handle all multi-line banner use cases |
701678-2 | 3-Major | | Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded |
685519-1 | 3-Major | | Mirrored connections ignore the handshake timeout |
683697-1 | 3-Major | K00647240 | SASP monitor may use the same UID for multiple HA device group members |
674591-3 | 3-Major | K37975308 | Packets with payload smaller than MSS are being marked to be TSOed |
504522-1 | 3-Major | | Trailing space present after 'tmsh ltm pool members monitor' attribute value |
719247-2 | 4-Minor | K10845686 | HTTP::path and HTTP::query iRule functions cannot be set to a blank string |
618884-6 | 4-Minor | | Behavior when using VLAN-Group and STP |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
739846-3 | 2-Critical | | Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection |
749774-3 | 3-Major | | EDNS0 client subnet behavior inconsistent when DNS Caching is enabled |
749675-3 | 3-Major | | DNS cache resolver may return a malformed truncated response with multiple OPT records |
744707-4 | 3-Major | | Crash related to DNSSEC key rollover |
726255-2 | 3-Major | | dns_path lingering in memory with last_access 0 causing high memory usage |
723288-2 | 3-Major | | DNS cache replication between TMMs does not always work for net dns-resolver |
710246-2 | 3-Major | | DNS-Express was not sending out NOTIFY messages on VE |
702457-2 | 3-Major | | DNS Cache connections remain open indefinitely |
717113-2 | 4-Minor | | It is possible to add the same GSLB Pool monitor multiple times |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
750922-3 | 2-Critical | | BD crash when content profile used for login page has no parse parameters set |
726537-1 | 2-Critical | | Rare TMM crash when Single Page Application is enabled on DoSL7 |
576123-4 | 2-Critical | K23221623 | ASM policies are created as inactive policies on the peer device |
750356-3 | 3-Major | | Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted |
747777-1 | 3-Major | | Extractions are learned in manual learning mode |
747550-1 | 3-Major | | Error 'This Logout URL already exists!' when updating logout page via GUI |
745802-3 | 3-Major | | Brute Force CAPTCHA response page truncates last digit in the support id |
744347-2 | 3-Major | | Protocol Security logging profiles cause slow ASM upgrade and apply policy |
743961-3 | 3-Major | | Signature Overrides for Content Profiles do not work after signature update |
738864-1 | 3-Major | | javascript functions in href are learned from response as new URLs |
738211-3 | 3-Major | | pabnagd core when centralized learning is turned on |
734228-1 | 3-Major | | False-positive illegal-length violation can appear |
726377-1 | 3-Major | | False-positive cookie hijacking violation |
721752-2 | 3-Major | | Null char returned in REST for Suggestion with more than MAX_INT occurrences |
705925-1 | 3-Major | | Websocket Message Type not displayed in Request Log |
701792-2 | 3-Major | | JS Injection into cached HTML response causes TCP RST on the fictive URLs |
696333-1 | 3-Major | | Threat campaign filter does not return campaign if filter contains quotation marks |
690215-2 | 3-Major | | Missing requests in request log |
676416-4 | 3-Major | | BD restart when switching FTP profiles |
676223-4 | 3-Major | | Internal parameter in order not to sign allowed cookies |
663535-2 | 3-Major | | Sending ASM cookies with "secure" attribute even without client-ssl profile |
605649-2 | 3-Major | K28782793 | The cbrd daemon runs at 100% CPU utilization |
748999-1 | 4-Minor | | invalid inactivity timeout suggestion for cookies |
747905-1 | 4-Minor | | 'Illegal Query String Length' violation displays wrong length |
745531-1 | 4-Minor | | Puffin Browser gets blocked by Bot Defense |
739345 | 4-Minor | | Reporting invalid signature id after specific signature upgrade |
685743-5 | 4-Minor | | After changing internal parameter 'request_buffer_size', violations in large requests might not be reported |
665470-3 | 4-Minor | | Failed to load sample requests on the Traffic Learning page when the VIOL_MALICIOUS_IP violation is raised |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
746941 | 2-Critical | | Memory leak in avrd when BIG-IQ fails to receive stats information |
739446-2 | 2-Critical | | Resetting SSL-socket correctly for AVR connection |
737813-1 | 2-Critical | | BIG-IP is unable to send statistics to BIG-IQ DCD node using IPv6 address |
749464 | 3-Major | | Race condition while BIG-IQ updates common file |
749461 | 3-Major | | Race condition while modifying analytics global-settings |
746823 | 3-Major | | AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members |
745027 | 3-Major | | AVR is doing extra activity of DNS data collection even when it should not |
744595-1 | 3-Major | | DoS-related reports might not contain some of the activity that took place |
744589-1 | 3-Major | | Missing data for Firewall Events Statistics |
741767-2 | 3-Major | | ASM Resource :: CPU Utilization statistics are in wrong scale |
740086 | 3-Major | | AVR report ignores partitions for Admin users |
716782-2 | 3-Major | | AVR should add new field to the events it sends: Microtimestamp |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
753368 | 1-Blocking | | Unable to import access policy with pool |
747621-2 | 2-Critical | | Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used |
744556-1 | 2-Critical | K01226413 | Upgrade PingAccess SDK used by BIG-IP APM to v1.1.3 |
714716-2 | 2-Critical | K10248311 | Apmd logs password for acp messages when in debug mode |
754346-1 | 3-Major | | Access policy was not found while creating configuration snapshot. |
750496-1 | 3-Major | | TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP |
746771-1 | 3-Major | | APMD recreates config snapshots for all access profiles every minute |
746768-1 | 3-Major | | APMD leaks memory if access policy contains variable/resource assign policy items |
745654-2 | 3-Major | | Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server |
745574-3 | 3-Major | | URL is not removed from custom category when deleted |
743437-1 | 3-Major | | Portal Access: Issue with long 'data:' URL |
743150-1 | 3-Major | | Increase the limit of the maximum allowed timestamp for OAuth token processing for OAuth Client |
739744-1 | 3-Major | | Import of Policy using Pool with members is failing |
719079-1 | 3-Major | | Portal Access: same-origin AJAX request may fail under some conditions. |
718136-2 | 3-Major | | 32-bit F5 VPN and Endpoint Inspector apps are discontinued on Linux |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
742829-3 | 3-Major | | SIP ALG: Do not translate and create media channels if the RTP port defined in the SIP message is 0 |
741951-2 | 3-Major | | Multiple extensions in SIP NOTIFY request cause message to be dropped. |
699431-3 | 3-Major | | Possible memory leak in MRF under low memory |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
747104-3 | 1-Blocking | K52868493 | LibSSH: CVE-2018-10933 |
753028-1 | 3-Major | | AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule |
747926 | 3-Major | | Rare TMM restart due to NULL pointer access during AFM ACL logging |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
744516-1 | 2-Critical | | TMM panics after a large number of LSN remote picks |
744959-1 | 3-Major | | SNMP OID for sysLsnPoolStatTotal not incremented in stats |
727212-1 | 3-Major | | Subscriber-id query using full length IPv6 address fails. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
748976 | 3-Major | | DataSafe Logging Settings page is missing when DataSafe license is active |
742037-3 | 3-Major | | FPS live updates do not install when minor version is different |
741449-1 | 4-Minor | | alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts |
726039 | 5-Cosmetic | | Information is not updated after installing FPS live update via GUI |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
748813-1 | 2-Critical | | tmm cores under stress test on virtual server with DoS profile with admd enabled |
748121-1 | 2-Critical | | admd livelock under CPU starvation |
741761-1 | 2-Critical | | admd might fail the heartbeat, resulting in a core |
704236-1 | 2-Critical | | TMM crash when attaching FastL4 profile |
702936-1 | 2-Critical | | TMM SIGSEGV under specific conditions. |
653573-4 | 2-Critical | | ADMd not cleaning up child rsync processes |
741993-1 | 3-Major | | The BIG-IP system does not answer the request matching an L7 policy that disables DoSL7 when BADOS is configured. |
741752-1 | 3-Major | | [BADOS] state file is not saved when virtual server reuses a self IP of the device |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
724847 | 3-Major | K95010813 | DNS traffic does not get classified for AFM port misuse case |
Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
745783-3 | 3-Major | | Anti-fraud: remote logging of login attempts |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
684370-1 | 3-Major | | APM now supports VMware Workspace ONE integration with VIDM as ID Provider |
683741-1 | 3-Major | | APM now supports VMware Workspace ONE integration with vIDM as ID Provider |
635509-1 | 3-Major | | APM does not support VMware's Blast UDP |
Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
739947-1 | CVE-2019-6610 | K42465020 | TMM may crash while processing APM traffic |
737443-5 | CVE-2018-5546 | K54431371 | BIG-IP APM client for Linux and macOS vulnerability CVE-2018-5546 |
737441-5 | CVE-2018-5546 | K54431371 | Disallow hard links to svpn log files |
726089-2 | CVE-2018-15312 | K44462254 | Modifications to AVR metrics page |
725815-1 | CVE-2018-15320 | K72442354 | vlangroup usage may cause excessive resource consumption |
724339-1 | CVE-2018-15314 | K04524282 | Unexpected TMUI output in AFM |
724335-1 | CVE-2018-15313 | K21042153 | Unexpected TMUI output in AFM |
722677-4 | CVE-2019-6604 | K26455071 | BIG-IP HSB vulnerability CVE-2019-6604 |
722387-3 | CVE-2019-6596 | K97241515 | TMM may crash when processing APM DTLS traffic |
722091-3 | CVE-2018-15319 | K64208870 | TMM may crash while processing HTTP traffic |
717888 | CVE-2018-15323 | K26583415 | TMM may leak memory when a virtual server uses the MQTT profile. |
717742-5 | CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 | K44923228 | Oracle Java SE vulnerability CVE-2018-2783 |
707990-2 | CVE-2018-15315 | K41704442 | Unexpected TMUI output in SSL Certificate Instance page |
704184-6 | CVE-2018-5529 | K52171282 | APM Mac client creates files with owner-only read/write permissions |
701253-5 | CVE-2018-15318 | K16248201 | TMM core when using MPTCP |
693810-6 | CVE-2018-5529 | K52171282 | CVE-2018-5529: APM Linux Client Vulnerability |
741858-1 | CVE-2018-15324 | K52206731 | TMM may crash while processing Portal Access requests |
734822-3 | CVE-2018-15325 | K77313277 | TMSH improvements |
725801-4 | CVE-2017-7889 | K80440915 | CVE-2017-7889: Kernel Vulnerability |
725635-2 | CVE-2018-3665 | K21344224 | CVE-2018-3665: Intel Lazy FPU Vulnerability |
724680-4 | CVE-2018-0732 | K21665601 | OpenSSL Vulnerability: CVE-2018-0732 |
721924-2 | CVE-2018-17539 | K17264695 | BIG-IP ARM BGP vulnerability CVE-2018-17539 |
719554-2 | CVE-2018-8897 | K17403481 | Linux Kernel Vulnerability: CVE-2018-8897 |
716900-2 | CVE-2019-6594 | K91026261 | TMM core when using MPTCP |
710705-2 | CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 | K34035645 | Multiple Wireshark vulnerabilities |
705799-2 | CVE-2018-15325 | K77313277 | TMSH improvements |
699453-4 | CVE-2018-15327 | K20222812 | Web UI does not follow current best coding practices |
699452-4 | CVE-2019-6597 | K29280193 | Web UI does not follow current best coding practices |
712876-2 | CVE-2017-8824 | K15526101 | CVE-2017-8824: Kernel Vulnerability |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
734527-1 | 3-Major | BGP 'capability graceful-restart' for peer-group not properly advertised when configured | |
715750-2 | 3-Major | K41515225 | The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream in an SSL connection. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
693611-3 | 1-Blocking | K76313256 | IKEv2 ike-peer might crash on stats object during peer modification update |
743810-1 | 2-Critical | AWS: Disk resizing in m5/c5 instances fails silently. | |
743082-1 | 2-Critical | Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members★ | |
739507 | 2-Critical | Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check | |
739505 | 2-Critical | Automatic ISO digital signature checking not required when FIPS license active★ | |
739285-1 | 2-Critical | GUI partially missing when VCMP is provisioned | |
725696-1 | 2-Critical | A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted | |
723722-2 | 2-Critical | MCPD crashes if several thousand files are created between config syncs. | |
721350-2 | 2-Critical | The size of the icrd_child process is steadily growing | |
717785-1 | 2-Critical | Interface-cos shows no egress stats for CoS configurations | |
716391-2 | 2-Critical | K76031538 | High priority for MySQL on 2 core vCMP may lead to control plane process starvation |
711683-2 | 2-Critical | bcm56xxd crash with empty trunk in QinQ VLAN | |
707003-3 | 2-Critical | Unexpected syntax error in TMSH AVR | |
706423-1 | 2-Critical | tmm may restart if an IKEv2 child SA expires during an async encryption or decryption | |
703669-2 | 2-Critical | Eventd restarts on NULL pointer access | |
703045-1 | 2-Critical | If using TMSH commands with deprecated attributes in iApp, the upgrade will fail. | |
700386-2 | 2-Critical | mcpd may dump core on startup | |
693996-5 | 2-Critical | K42285625 | MCPD sync errors and restart after multiple modifications to file object in chassis |
692158-1 | 2-Critical | iCall and CLI script memory leak when saving configuration | |
691589-4 | 2-Critical | When using LDAP client auth, tamd may become stuck | |
690819-1 | 2-Critical | Using an iRule module after a 'session lookup' may result in crash | |
689437-1 | 2-Critical | K49554067 | icrd_child cores due to infinite recursion caused by incorrect group name handling |
689002-3 | 2-Critical | Stack overflow when JSON is deeply nested | |
658410-2 | 2-Critical | icrd_child generates a core when calling PUT on ltm/data-group/internal/ | |
652877-5 | 2-Critical | Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades | |
638091-6 | 2-Critical | Config sync after changing named pool members can cause mcpd on secondary blades to restart | |
739126 | 3-Major | Multiple VE installations may have different sized volumes | |
733585-3 | 3-Major | Merged can use 100% of CPU if all stats snapshot files are in the future | |
727467-1 | 3-Major | Some iSeries appliances can experience traffic disruption when the high availability (HA) peer is upgraded from 12.1.3 and earlier to 13.1.0 or later. | |
726409-4 | 3-Major | Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 | |
722682-2 | 3-Major | Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load★ | |
721740-2 | 3-Major | CPU stats are not correctly recorded when snapshot files have timestamps in the future | |
720713-2 | 3-Major | TMM traffic to/from an i5800/i7800/i10800 device in vCMP host mode may fail | |
720461-2 | 3-Major | qkview prompts for password on chassis | |
718525-1 | 3-Major | PostgreSQL errors seen on startup after removing the mcpd binary database and rebooting | |
714974-2 | 3-Major | Platform-migrate of UCS containing QinQ fails on VE★ | |
714903-2 | 3-Major | Errors in chmand | |
714654-2 | 3-Major | Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM | |
713813-2 | 3-Major | Node monitor instances not showing up in GUI | |
712102-2 | 3-Major | K11430165 | Customizing or changing the HTTP profile's IPv6 field hides the field or the row |
710232-2 | 3-Major | platform-migrate fails when LACP trunks are in use | |
709444-2 | 3-Major | "NTP not configured on device" warning seen when NTP symmetric key authentication is configured | |
709192-1 | 3-Major | GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart | |
707740-4 | 3-Major | Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination | |
707509-1 | 3-Major | Initial vCMP guest creations can fail if certain hotfixes are used | |
707391-2 | 3-Major | BGP may keep announcing routes after disabling route health injection | |
706804-1 | 3-Major | SNMP trap destination configuration of network option is missing "default" keyword | |
706354-2 | 3-Major | OPT-0045 optic unable to link | |
706169-3 | 3-Major | tmsh memory leak | |
705456-1 | 3-Major | Enabling HTTP-to-HTTPS redirection in a vCMP guest can prevent some Host-Guest Management features from working | |
704755-1 | 3-Major | EUD_M package could not be installed on 800 platforms | |
704512-1 | 3-Major | Automated upload of qkview to iHealth can time out resulting in error | |
704336-1 | 3-Major | Updating 3rd party device cert not copied correctly to trusted certificate store | |
702227-3 | 3-Major | Memory leak in TMSH load sys config | |
700757-1 | 3-Major | vcmpd may crash when it is exiting | |
700576-1 | 3-Major | GUI - Server SSL Profile shows irrelevant options when "Server Certificate" is set to "Ignore" | |
700426 | 3-Major | K58033284 | Switching partitions while viewing objects in GUI can result in empty list |
700250-3 | 3-Major | K59327012 | qkviews for secondary blade appear to be corrupt |
698875-1 | 3-Major | Qkview Security Hardening | |
698084-3 | 3-Major | K03776801 | IPsec log messages in /var/log/ltm missing module ID to reach bigiq logs |
696731-3 | 3-Major | K94062594 | The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled |
693578-2 | 3-Major | switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0 | |
692189-1 | 3-Major | errdefsd fails to generate a core file on request. | |
692179-1 | 3-Major | Potential high memory usage from errdefsd. | |
691609-1 | 3-Major | 1NIC: Configuration error: Clearing IP on interface mgmt failed - Cannot assign requested address★ | |
690890-1 | 3-Major | Running sod manually can cause issues/failover | |
689375-1 | 3-Major | K01512833 | Unable to configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled |
688406-1 | 3-Major | K14513346 | HA-Group Score showing 0 |
687905-2 | 3-Major | K72040312 | OneConnect profile causes CMP redirected connections on the HA standby |
687534-1 | 3-Major | If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page | |
684391-3 | 3-Major | Existing IPsec tunnels reload. tmipsecd creates a core file. | |
684218-1 | 3-Major | vADC 'live-install' Downgrade from v13.1.0 is not possible | |
681782-6 | 3-Major | Unicast IP address can be configured in a failover multicast configuration | |
679347-2 | 3-Major | K44117473 | ECP does not work for PFS in IKEv2 child SAs |
678488-1 | 3-Major | K59332320 | BGP default-originate not announced to peers if several are peering over different VLANs |
677485-1 | 3-Major | Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error | |
671712-2 | 3-Major | The values returned for the ltmUserStatProfileStat table are incorrect. | |
670528-4 | 3-Major | K20251354 | Warnings during vCMP host upgrade. |
651413-4 | 3-Major | K34042229 | tmsh list ltm node does not return an error when node does not exist |
642923-6 | 3-Major | MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system | |
617643-2 | 3-Major | iControl.ForceSessions enabled results in GUI error on certain pages | |
551925-4 | 3-Major | Misdirected UDP traffic with hardware acceleration | |
464650-6 | 3-Major | Failure of mcpd with invalid authentication context. | |
727297-3 | 4-Minor | GUI TACACS+ remote server list should accept hostname | |
725612-1 | 4-Minor | syslog-ng does not send any messages to the remote servers after reconfiguration | |
719770-2 | 4-Minor | tmctl -H, -V, and -l options without values crash tmctl | |
714749-2 | 4-Minor | cURL Vulnerability: CVE-2018-1000120 | |
713947-1 | 4-Minor | stpd repeatedly logs "hal sendMessage failed" | |
713932-1 | 4-Minor | Commands are replicated to PostgreSQL even when not in use. | |
707631-2 | 4-Minor | The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI | |
707267 | 4-Minor | REST Framework HTTP header limit size increased to 8 KB | |
701826 | 4-Minor | qkview upload to ihealth fails or unable to untar qkview file | |
691491-5 | 4-Minor | K13841403 | 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces |
685582-7 | 4-Minor | Incorrect output of b64 unit key hash by command f5mku -f | |
683029-1 | 4-Minor | Sync of virtual address and self IP traffic groups only happens in one direction | |
679135-2 | 4-Minor | IKEv1 and IKEv2 cannot share common local address in tunnels | |
678388-1 | 4-Minor | K00050055 | IKEv1 racoon daemon is not restarted when killed multiple times |
550526-2 | 4-Minor | K84370515 | Some time zones prevent configuring trust with a peer device using the GUI. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
722594-2 | 1-Blocking | TCP flow may not work as expected if double tagging is used | |
737445-2 | 2-Critical | Use of TCP Verified Accept can disable server-side flow control | |
727044-2 | 2-Critical | TMM may crash while processing compressed data | |
726239-4 | 2-Critical | Interruption of traffic handling when the sod daemon restarts TMM | |
725545-1 | 2-Critical | Ephemeral listener might not be set up correctly | |
724906-1 | 2-Critical | sasp_gwm monitor leaks memory over time | |
724868-1 | 2-Critical | dynconfd memory usage increases over time | |
724213-1 | 2-Critical | K74431483 | Modified ssl_profile monitor param not synced correctly |
722893-1 | 2-Critical | K30764018 | TMM can restart without a stack trace or core file after becoming disconnected from MCPD. |
716213-1 | 2-Critical | BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic | |
713612-1 | 2-Critical | tmm might restart if the HTTP passthrough on pipeline option is used | |
710221-2 | 2-Critical | K67352313 | Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled |
673664-1 | 2-Critical | TMM crashes when sys db Crypto.HwAcceleration is disabled.★ | |
635191-2 | 2-Critical | Under rare circumstances TMM may crash | |
727222-1 | 3-Major | 206 Partial Content responses from ramcache have malformed Content-Range header | |
723300-2 | 3-Major | TMM may crash when tracing iRules containing nameless listeners on internal virtual servers | |
722363-2 | 3-Major | Client fails to connect to server when using PVA offload at Established | |
721261-1 | 3-Major | v12.x Policy rule names containing slashes are not migrated properly | |
720293-3 | 3-Major | HTTP2 IPv4 to IPv6 fails | |
719600-2 | 3-Major | TCP::collect iRule with L7 policy present may result in connection reset | |
717346-2 | 3-Major | K13040347 | [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total |
715883 | 3-Major | TMM crash due to invalid cookie attribute | |
715785-2 | 3-Major | Incorrect encryption error for monitors during sync or upgrade | |
715756-2 | 3-Major | Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only | |
715467-2 | 3-Major | Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY | |
714384-3 | 3-Major | DHCP traffic may not be forwarded when BWC is configured | |
707951-2 | 3-Major | Stalled mirrored flows on HA next-active when OneConnect is used. | |
704764-3 | 3-Major | SASP monitor marks members down with non-default route domains | |
703580-1 | 3-Major | TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host. | |
703266-2 | 3-Major | Potential MCP memory leak in LTM policy compile code | |
702450-1 | 3-Major | The validation error message generated by deleting certain object types referenced by a policy action is incorrect | |
701690-1 | 3-Major | K53819652 | Fragmented ICMP forwarded with incorrect icmp checksum |
700696-1 | 3-Major | SSID does not cache fragmented Client Certificates correctly via iRule | |
699273-1 | 3-Major | TMM Core During FTP Monitor Use | |
695925-1 | 3-Major | TMM crash when showing connections for a CMP-disabled virtual server | |
691785-1 | 3-Major | The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes | |
691224-3 | 3-Major | K59327001 | Fragmented SSL Client Hello messages do not get properly reassembled when SSL persistence is enabled |
690778-1 | 3-Major | K53531153 | Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule |
688629-1 | 3-Major | K52334096 | Deleting data-group in use by iRule does not trigger validation error |
685110-1 | 3-Major | K05430133 | With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members. |
681757-3 | 3-Major | K32521651 | Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member' |
681673-4 | 3-Major | tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results | |
679613-1 | 3-Major | K23531420 | i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1' |
672312-3 | 3-Major | IP ToS may not be forwarded to serverside with syncookie activated | |
602708-4 | 3-Major | K84837413 | Traffic may not passthrough CoS by default |
716922-2 | 4-Minor | Reduction in PUSH flags when Nagle Enabled | |
712637-2 | 4-Minor | Host header persistence not implemented | |
700433-1 | 4-Minor | K10870739 | Memory leak when attaching an LTM policy to a virtual server |
697988-3 | 4-Minor | K34554754 | During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100% |
693966-1 | 4-Minor | TCP sndpack not reset along with other tcp profile stats | |
688557-1 | 4-Minor | K50462482 | Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull' |
495242-4 | 4-Minor | mcpd log messages: Failed to unpublish LOIPC object |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
718885-3 | 2-Critical | K25348242 | Under certain conditions, monitor probes may not be sent at the configured interval |
723792-2 | 3-Major | GTM regex handling of some escape characters renders it invalid | |
719644-2 | 3-Major | If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★ |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
737500-2 | 2-Critical | Apply Policy and Upgrade time degradation when there are previous enforced rules | |
726090-1 | 2-Critical | No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense | |
724414-2 | 2-Critical | ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled | |
724032-1 | 2-Critical | Searching Request Log for value containing backslash does not return expected result | |
721741-3 | 2-Critical | BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative | |
704143-1 | 2-Critical | BD memory leak | |
701856-1 | 2-Critical | Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart | |
740719-2 | 3-Major | ASM CSP header parser does not honor unsafe-inline attribute within script-src directive |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
737867-1 | 3-Major | Scheduled reports are being incorrectly displayed in different partitions |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
739716-2 | 1-Blocking | APM Subroutine loops without finishing | |
740777-1 | 2-Critical | Secondary blades mcp daemon restart when subroutine properties are configured | |
739674-1 | 2-Critical | TMM might core in SWG scenario with per-request policy. | |
722013 | 2-Critical | MCPD restarts on all secondary blades post config-sync involving APM customization group | |
713820-1 | 2-Critical | Pass in IP address to urldb categorization engine | |
739939-1 | 3-Major | Ping Access Agent Module leaks memory in TMM. | |
739190 | 3-Major | Policies could be exported with not patched /Common partition | |
738582-1 | 3-Major | Ping Access Agent Module leaks memory in TMM. | |
738397-1 | 3-Major | SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails. | |
737355-1 | 3-Major | HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files | |
737064-2 | 3-Major | ACCESS::session iRule commands may not work in serverside events | |
726895 | 3-Major | K02205915 | VPE cannot modify subroutine settings |
726616-1 | 3-Major | TMM crashes when a session is terminated | |
726592-1 | 3-Major | Invalid log-setting config messaging between daemons could send apmd, apm_websso, and localdbmgr into an infinite loop | |
725867-2 | 3-Major | ADFS proxy does not fetch configuration for non-floating virtual servers | |
725412-1 | 3-Major | APM does not follow current best practices for HTTP headers | |
724571-1 | 3-Major | Importing access profile takes a long time | |
722969-2 | 3-Major | Access Policy import with 'reuse' enabled instead rewrites shared objects | |
722423-1 | 3-Major | Analytics agent always resets when Category Lookup is of type custom only | |
720757-1 | 3-Major | Without proper licenses Category Lookup always fails with license error in Allow Ending | |
713655-2 | 3-Major | RouteDomainSelectionAgent might fail under heavy control plane traffic/activities | |
711427-2 | 3-Major | Edge Browser does not launch F5 VPN App | |
710884-1 | 3-Major | Portal Access might omit some valid cookies when rewriting HTTP request. | |
701800-2 | 3-Major | K29064506 | SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x |
701056-1 | 3-Major | User is not able to reset their Active Directory password | |
698984-1 | 3-Major | Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned | |
696669-1 | 3-Major | Users cannot change or reset RSA PIN | |
696544-1 | 3-Major | APM end users cannot change/reset password when auth agents are included in per-request policy | |
671323-1 | 3-Major | Reset PIN Fail if Token input field is not 'password' field | |
734595-2 | 4-Minor | sp-connector is not being deleted together with profile | |
721375-1 | 4-Minor | Export then import of config with RSA server in it might fail |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
706642-2 | 2-Critical | wamd may leak memory during configuration changes and cluster events |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
709383-2 | 3-Major | DIAMETER::persist reset non-functional | |
706750-1 | 3-Major | Changing CGNAT SIP ALG profile log settings while handling traffic may cause tmm crash. | |
691048-1 | 3-Major | K34553736 | Support DIAMETER Experimental-Result AVP response |
688942-5 | 3-Major | ICAP: Chunk parser performs poorly with very large chunk |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
724532-2 | 2-Critical | SIG SEGV during IP intelligence category match in TMM | |
720045-1 | 2-Critical | IP fragmented UDP DNS request and response packets dropped as DNS Malformed | |
710755-1 | 2-Critical | TMM crash when route information becomes stale and the system accesses stale information. | |
698333-1 | 2-Critical | K43392052 | TMM core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families) |
694849-1 | 2-Critical | TMM crash when packet sampling is turned on for DNS BDOS signatures. | |
672514-1 | 2-Critical | Local Traffic/Virtual Server/Security page crashed | |
630137-2 | 2-Critical | Dynamic Signatures feature can fill up /config partition impacting system stability | |
726154-2 | 3-Major | TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies | |
704528-2 | 3-Major | tmm may run out of memory during IP shunning | |
704369-2 | 3-Major | TMM on BIG-IP restarts if a DoS profile is attached to a virtual server with sip-routing enabled | |
696201-1 | 3-Major | Anomaly threshold floor calculation (for bins with very low learnt threshold) during signature generation | |
686376-2 | 3-Major | Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon | |
707054-1 | 4-Minor | SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162 | |
699454-4 | 4-Minor | Web UI does not follow current best coding practices |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
726647-3 | 3-Major | PEM content insertion in a compressed response may truncate some data | |
721704-1 | 3-Major | UDP flows are not deleted after subscriber deletion | |
709670-2 | 3-Major | iRule triggered from RADIUS occasionally fails to create subscribers. |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
721570-1 | 1-Blocking | K20285019 | TMM core when trying to log an unknown subscriber |
734446-2 | 2-Critical | TMM crash after changing LSN pool mode from PBA to NAPT | |
688246-1 | 2-Critical | An invalid mode in the LSN::persistence command causes TMM crash | |
708830-2 | 3-Major | Inbound or hairpin connections may get stuck consuming memory. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
738669-2 | 3-Major | Login validation may fail for a large request with early server response | |
737368-1 | 3-Major | Fingerprint cookie large value may result in tmm core. |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
739277 | 2-Critical | TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode | |
720585-1 | 3-Major | Signatures generated by Behavioral DOS algorithm can create false-positive signatures | |
689540-1 | 3-Major | The same DOS attack generates new signatures even if there are signatures generated during previous attacks. |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
726303-1 | 3-Major | Unlock 10 million custom db entry limit |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
726872-2 | 3-Major | iApp LX directory disappears after upgrade or restoring from UCS★ |
Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release
Functional Change Fixes
None
Cumulative fixes from BIG-IP v13.1.1 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
693359-1 | 1-Blocking | AWS M5 and C5 instance families are supported |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
721364 | 1-Blocking | BIG-IP per-application VE BYOL license does not support three wildcard virtual servers | |
716469 | 1-Blocking | OpenSSL 1.0.1l fails with 512 bit DSA keys | |
697615-1 | 1-Blocking | K65013424 | Neurond may restart indefinitely after boot, with neurond_i2c_config message |
675921-2 | 1-Blocking | Creating a 5th vCMP 'ssl-mode dedicated' guest results in an error, but the guest is running | |
723130-1 | 2-Critical | K13996 | Invalid-certificate warning displayed when deploying BIG-IP VE OVA file |
700086-1 | 2-Critical | AWS C5/M5 Instances do not support BIG-IP VE | |
696732-3 | 2-Critical | K54431534 | tmm may crash in a compression provider |
721985 | 3-Major | PAYG License remains inactive as dossier verification fails. | |
721512 | 3-Major | Config tool fails to configure management-ip when default routes exist for both IPv4 and IPv6. | |
721342 | 3-Major | No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments. | |
720961-1 | 3-Major | Upgrading in Intelligence Community AWS environment may fail | |
720756-1 | 3-Major | SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS | |
720651-2 | 3-Major | Running guest changed to Provisioned never stops | |
720104-1 | 3-Major | BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware' | |
719396-1 | 3-Major | K34339214 | DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot. |
717832 | 3-Major | Remove unneeded files from UCS backup directories | |
714303-1 | 3-Major | K25057050 | X520 virtual functions do not support MAC masquerading |
712266-1 | 3-Major | Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware | |
697616-2 | 3-Major | Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests | |
680086 | 3-Major | BMC firmware fails md5sum check | |
673996-2 | 3-Major | Unable to set 'media-fixed' on management port on BIG-IP i15000 platforms | |
680388-1 | 4-Minor | f5optics should not show function name in non-debug log messages | |
653759-1 | 4-Minor | Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update★ | |
720391-2 | 5-Cosmetic | BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
737550 | 2-Critical | State Mirroring between BIG-IP 13.0.x and 13.1.x systems may cause TMM core on standby system during upgrade★ | |
701538-2 | 2-Critical | SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured | |
720460-1 | 3-Major | Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly | |
694778-1 | 3-Major | Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size | |
686631-2 | 3-Major | Deselect a compression provider at the end of a job and reselect a provider for a new job | |
679494-1 | 3-Major | Change the default compression strategy to speed | |
495443-9 | 3-Major | K16621 | ECDH negotiation failures logged as critical errors. |
679496-2 | 4-Minor | Add 'comp_req' to the output of 'tmctl compress' |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
717909 | 2-Critical | tmm can abort on sPVA flush if the HSB flush does not succeed | |
701637 | 2-Critical | Crash in bcm56xxd during TMM failover | |
644822 | 2-Critical | K19245372 | FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned |
702738-1 | 3-Major | K32181540 | TMM might crash when activating a new blob while changing firewall rules |
698182 | 3-Major | Upgrading from 13.1.1 to newer release might cause config to not be copied over★ | |
697516 | 3-Major | Upgrading using a ucs or scf file does not autogenerate uuids when current config has the uuid-default-autogenerate flag enabled |
Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
716992-2 | CVE-2018-5539 | K75432956 | The ASM bd process may crash |
710244-3 | CVE-2018-5536 | K27391542 | Memory Leak of access policy execution objects |
710140-1 | CVE-2018-5527 | K20134942 | TMM may consume excessive resources when processing SSL Intercept traffic |
709688-3 | CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 | K08306700 | dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 |
695072-2 | CVE-2016-8399, CVE-2017-1000111, CVE-2017-1000112, CVE-2017-11176, CVE-2017-14106, CVE-2017-7184, CVE-2017-7541, CVE-2017-7542, CVE-2017-7558 | K23030550 | CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558 |
693744-4 | CVE-2018-5531 | K64721111 | CVE-2018-5531: vCMP vulnerability |
651741-2 | CVE-2017-5970 | K60104355 | CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop |
717900-2 | CVE-2018-5528 | K27044729 | TMM crash while processing APM data |
710827-2 | CVE-2019-6598 | K44603900 | TMUI dashboard daemon stability issue |
710148-2 | CVE-2017-1000111 CVE-2017-1000112 |
K60250153 | CVE-2017-1000111 & CVE-2017-1000112 |
709256-2 | CVE-2017-9074 CVE-2017-7542 |
K61223103 | CVE-2017-9074: Local Linux Kernel Vulnerability |
705476-2 | CVE-2018-15322 | K28003839 | Appliance Mode does not follow design best practices |
698813-2 | CVE-2018-5538 | K45435121 | When processing DNSX transfers ZoneRunner does not enforce best practices |
688625-5 | CVE-2017-11628 | K75543432 | PHP Vulnerability CVE-2017-11628 |
662850-6 | CVE-2015-2716 | K50459349 | Expat XML library vulnerability CVE-2015-2716 |
714879-3 | CVE-2018-15326 | K34652116 | APM CRLDP Auth passes all certs |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
685020-3 | 3-Major | | Enhancement to SessionDB provides timeout |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
708956-1 | 1-Blocking | K51206433 | During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform' |
719597 | 2-Critical | | HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0 |
715820-1 | 2-Critical | | vCMP in HA configuration with VIPRION chassis might cause unstable data plane |
712401-1 | 2-Critical | | Enhanced administrator lock/unlock for Common Criteria compliance |
676203-3 | 2-Critical | | Inter-blade mpi connection fails, does not recover, and eventually all memory is consumed. |
665362-2 | 2-Critical | | MCPD might crash if the AOM restarts |
581851-6 | 2-Critical | K16234725 | mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands |
711249-1 | 3-Major | | NAS-IP-Address added to RADIUS packet unexpectedly |
710976-1 | 3-Major | | Network Map might take a long time to load |
708484-2 | 3-Major | | Network Map might take a long time to load |
707445-3 | 3-Major | K47025244 | Nitrox 3 compression hangs/unable to recover |
705818-1 | 3-Major | | GUI Network Map: for a policy with a forward rule to a pool, the pool does not show up |
704804-1 | 3-Major | | The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address |
704733-1 | 3-Major | | NAS-IP-Address is sent with the bytes in reverse order |
704247-2 | 3-Major | | BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted |
701249-1 | 3-Major | | RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1 |
700895-1 | 3-Major | K34944451 | GUI Network Map objects in subfolders are not being shown |
696260-1 | 3-Major | K53103420 | GUI Network Map as Start Screen presents database error |
694696-5 | 3-Major | | On multiblade VIPRION, creating a new traffic-group causes the device to go Offline |
694547-2 | 3-Major | K74203532 | TMSH save sys config creates unneeded generate_config processes. |
689730-3 | 3-Major | | Software installations from v13.1.0 might fail★ |
687658 | 3-Major | | Monitor operations in a transaction will cause it to stay unchecked |
686906-2 | 3-Major | | Fragmented IPv6 packets not handled correctly on Virtual Edition |
674455-5 | 3-Major | | Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS |
678254-1 | 4-Minor | | Error logged when restarting Tomcat |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
721571-1 | 2-Critical | | State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade★ |
718071-1 | 2-Critical | | HTTP2 with ASM policy not passing traffic |
715747 | 2-Critical | | TMM may restart when running traffic through custom SSLO deployments. |
709828-2 | 2-Critical | | fasthttp can crash with Large Receive Offload enabled |
707244-3 | 2-Critical | | iRule command clientside and serverside may crash tmm |
707207-1 | 2-Critical | | iRuleLx returning undefined value may cause TMM restart |
700597-1 | 2-Critical | | Local Traffic Policy on HTTP/2 virtual server no longer matches |
700056-1 | 2-Critical | | MCPD process may lock up and restart when applying Local Traffic Policy to virtual server |
690756-1 | 2-Critical | | APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated |
571651-4 | 2-Critical | | Reset Nitrox3 crypto accelerator queue if it becomes stuck. |
713951-5 | 3-Major | | tmm core files produced by nitrox_diag may be missing data |
713934-2 | 3-Major | | Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result in a malformed TC response |
712819-2 | 3-Major | | 'HTTP::hsts preload' iRule command cannot be used |
712475-3 | 3-Major | K56479945 | DNS zones without servers will prevent DNS Express reading zone data |
712437-3 | 3-Major | K20355559 | Records containing hyphens (-) will prevent child zone from loading correctly |
711281-5 | 3-Major | | nitrox_diag may run out of space on /shared |
710996-2 | 3-Major | | VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP |
709133-2 | 3-Major | | When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur |
709132-1 | 3-Major | | When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a buffer overflow can occur |
707961-2 | 3-Major | K50013510 | Unable to add policy to virtual server; error = Failed to compile the combined policies |
707109-1 | 3-Major | | Memory leak when using C3D |
704381-5 | 3-Major | | SSL/TLS handshake failures and terminations are logged at too low a level |
702151-1 | 3-Major | | HTTP/2 can garble large headers |
700889-3 | 3-Major | K07330445 | Software syncookies without TCP TS improperly include TCP options that are not encoded |
700061-4 | 3-Major | | Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file |
699598-2 | 3-Major | | HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR |
696755 | 3-Major | | HTTP/2 may truncate a response body when served from cache |
693308-1 | 3-Major | | SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain |
689089-1 | 3-Major | | VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot |
688744-1 | 3-Major | K11793920 | LTM Policy does not correctly handle multiple datagroups |
686890-1 | 3-Major | | X509_EXTENSION memory blocks leak when C3D forges the certificate. |
682944-1 | 3-Major | | key-id missing for installed netHSM key for standby BIG-IP system in high availability (HA) setup |
682283-2 | 3-Major | | Malformed HTTP/2 request with invalid Content-Length value is served against RFC |
678872-3 | 3-Major | | Inconsistent behavior for virtual-address and selfip on the same ip-address |
673399-3 | 3-Major | | HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server. |
653201-2 | 3-Major | | Update the default CA certificate bundle file to the latest version and remove expiring certificates from it |
713533-2 | 4-Minor | | list self-ip with queries does not work |
708249-2 | 4-Minor | | nitrox_diag utility generates QKView files with 5 MB maximum file size limit |
692095-1 | 4-Minor | K65311501 | bigd logs monitor status unknown for FQDN Node/Pool Member |
678801-4 | 4-Minor | | WS::enabled returned empty string |
677958-4 | 4-Minor | | WS::frame prepend and WS::frame append do not insert string in the right place. |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
698992-1 | 3-Major | | Performance degraded |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
713066-1 | 2-Critical | K10620131 | Connection failure during DNS lookup to disabled nameserver can crash TMM |
707310-2 | 2-Critical | | DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs) |
721895 | 3-Major | | Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery) |
715448-2 | 3-Major | | Providing LB::status with a GTM Pool name in a variable caused validation issues |
710032-1 | 3-Major | | 'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system. |
706128-2 | 3-Major | | DNSSEC Signed Zone Transfers Can Leak Memory |
703545-1 | 3-Major | | DNS::return iRule "loop" checking disabled |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
718152 | 2-Critical | K14591455 | ASM GUI request log does not load on cluster |
716788-2 | 2-Critical | | TMM may crash while response modifications are being performed within DoSL7 filter |
713390-1 | 2-Critical | | ASM Signature Update cannot be performed on hourly billing cloud instance |
685230-3 | 2-Critical | | memory leak on a specific server scenario |
606983-2 | 2-Critical | | ASM errors during policy import |
719459-2 | 3-Major | | Incorrect 'add' suggestions are created for already existing response URLs when 'differentiate HTTP and HTTPS' is disabled |
719005-1 | 3-Major | | Login request may arrive corrupted to the backend server after CAPTCHA or CSID mitigation |
717756-2 | 3-Major | | High CPU usage from asm_config_server |
716940-2 | 3-Major | | Traffic Learning screen graphs show data for the last day only |
715128-1 | 3-Major | | Simple mode Signature edit does not escape semicolon |
713282-1 | 3-Major | | Remote logger violation_details field does not appear when virtual server has more than one remote logger |
712362-3 | 3-Major | | ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase |
711405-1 | 3-Major | K14770331 | ASM GUI Fails to Display Policy List After Upgrade |
710327-1 | 3-Major | | Remote logger message is truncated at NULL character. |
707147-1 | 3-Major | | High CPU consumed by asm_config_server_rpc_handler_async.pl |
706845-2 | 3-Major | | False positive illegal multipart violation |
706665-2 | 3-Major | | ASM policy is modified after pabnagd restart |
704643-1 | 3-Major | | Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule |
702008-1 | 3-Major | | ASM REST: Missing DB Cleanup for some tables |
700143-2 | 3-Major | | ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages |
691897-3 | 3-Major | | Names of the modified cookies do not appear in the event log |
687759-1 | 3-Major | | bd crash |
686765-2 | 3-Major | | Database cleaning failure may allow MySQL space to fill the disk entirely |
674256-2 | 3-Major | K60745057 | False positive cookie hijacking violation |
675232-6 | 4-Minor | | Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
710315-1 | 2-Critical | | AVR-profile might cause issues when loading a configuration or when using config sync |
698226-1 | 2-Critical | | Filters under Security :: Reports :: DoS :: URL Latencies work incorrectly |
696642-1 | 2-Critical | | monpd core is sometimes created when the system is under heavy load. |
721474-1 | 3-Major | | AVR does not send all SSLO statistics to offbox machine. |
715110 | 3-Major | | AVR should report 'resolutions' in module GtmWideip |
712118 | 3-Major | | AVR should report on all 'global tags' in external logs |
706361 | 3-Major | | IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0★ |
696212-1 | 3-Major | | monpd does not return data for multi-dimension query |
648242-2 | 3-Major | K73521040 | Administrator users unable to access all partitions via TMSH for AVR reports |
649161-2 | 4-Minor | K42340304 | AVR caching mechanism not working properly |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
720214-1 | 2-Critical | | NTLM Authentication might fail if Strict Update in iApp is modified |
720189-1 | 2-Critical | | VDI settings in APM Webtop have the incorrect URL for Citrix Receiver client download |
719149-2 | 2-Critical | | VDI plugin might hang while processing native RDP connections |
716747-2 | 2-Critical | | TMM may crash while processing APM or SWG traffic |
715250-1 | 2-Critical | | TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED |
713156-1 | 2-Critical | | AGC cannot do redeploy in Exchange and ADFS use cases |
710116-1 | 2-Critical | | VPN clients experience packet loss/disconnection |
694078-1 | 2-Critical | | In rare cases, TMM may crash with high APM traffic |
720695-1 | 3-Major | | Export then import of APM access Profile/Policy with advanced customization is failing |
719192 | 3-Major | | In VPE Agent VMware View Policy shows no properties |
715207-3 | 3-Major | | coapi errors while modifying per-request policy in VPE |
714961-1 | 3-Major | | antserver creates large temporary file in /tmp directory |
714700-2 | 3-Major | | SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy |
713111-1 | 3-Major | | When ASM and APM are configured on the same virtual server, ASM might report some errors in its logging. |
710305-1 | 3-Major | | When ASM and APM are configured on the same virtual server, ASM could throw some errors in its logging. |
709274-1 | 3-Major | | RADIUS Accounting requests egress on different Self IP addresses than they did pre-v13.1.0 |
699267-2 | 3-Major | | LDAP Query may fail to resolve nested groups |
658278-1 | 3-Major | | Network Access configuration with Layered-VS does not work with Edge Client |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
703515-3 | 2-Critical | K44933323 | MRF SIP LB - Message corruption when using custom persistence key |
692310-2 | 3-Major | K69250459 | ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
677473-3 | 2-Critical | | MCPD core is generated on multiple add/remove of Mgmt-Rules |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
711570-3 | 3-Major | | PEM iRule subscriber policy name query using subscriber ID, may not return applied policies |
663874-2 | 3-Major | K77173309 | Off-box HSL logging does not work with PEM in SPAN mode. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
719186-2 | 3-Major | | Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts |
716318-2 | 3-Major | | Engine/Signatures automatic update check may fail to find/download the latest update |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
714334-1 | 2-Critical | | admd stops responding and generates a core while under stress. |
718772-2 | 3-Major | | The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists) |
718685-1 | 3-Major | | The measured number of pending requests is two times higher than the actual one |
701288-1 | 3-Major | | Server health significantly increases during DoSL7 TPS prevention |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
693694-1 | 3-Major | | tmsh::load within an iApp template results in unpredictable behavior |
Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
716392-1 | 1-Blocking | | Support for 24 vCMP guests on a single 4450 blade |
712429 | 1-Blocking | | Serverside packets excluded from DoS stats |
704552 | 3-Major | | Support for ONAP site licensing |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
707100 | 2-Critical | | Potentially fail to create user in AzureStack |
706688 | 2-Critical | | Automatically add additional certificates to BIG-IP system in C2S and IC environments |
709936 | 3-Major | | Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration. |
707585-1 | 3-Major | | Use native driver for 82599 NICs instead of UNIC |
703869 | 3-Major | | Waagent updated to 2.2.21 |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
713273 | 2-Critical | | BIG-IP sys db variable avr.stats.internal.maxentitiespertable resets back to default value on services restart |
715153-1 | 3-Major | | AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
716746 | 3-Major | | Possible tmm restart when disabling single endpoint vector while attack is ongoing |
712710 | 3-Major | | TMM may halt and restart when threshold mode is set to stress-based mitigation |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
699103-1 | 3-Major | | tmm continuously restarts after provisioning AFM |
Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
709972-6 | CVE-2017-12613 | K52319810 | CVE-2017-12613: APR Vulnerability |
707186-1 | CVE-2018-5514 | K45320419 | TMM may crash while processing HTTP/2 traffic |
702232-1 | CVE-2018-5517 | K25573437 | TMM may crash while processing FastL4 TCP traffic |
693312-1 | CVE-2018-5518 | K03165684 | vCMPd may crash when processing bridged network traffic |
688516-1 | CVE-2018-5518 | K03165684 | vCMPd may crash when processing bridged network traffic |
686305-1 | CVE-2018-5534 | K64552448 | TMM may crash while processing SSL forward proxy traffic |
589233-2 | CVE-2018-5518 | K03165684 | vCMPd may crash when processing bridged network traffic |
714369 | CVE-2018-5526 | K62201098 | ADM may fail when processing HTTP traffic |
714350 | CVE-2018-5526 | K62201098 | BADOS mitigation may fail |
710314-1 | CVE-2018-5537 | K94105051 | TMM may crash while processing HTML traffic |
706176-1 | CVE-2018-5512 | K51754851 | TMM crash can occur when using LRO |
706086-3 | CVE-2018-5515 | K62750376 | PAM RADIUS authentication subsystem hardening |
703940-2 | CVE-2018-5530 | K45611803 | Malformed HTTP/2 frame consumes excessive system resources |
699346-3 | CVE-2018-5524 | K53931245 | NetHSM capacity reduces when handling errors |
688011-7 | CVE-2018-5520 | K02043709 | Dig utility does not apply best practices |
688009-7 | CVE-2018-5519 | K46121888 | Appliance Mode TMSH hardening |
677088-2 | CVE-2018-15321 | K01067037 | BIG-IP tmsh vulnerability CVE-2018-15321 |
708653-1 | CVE-2018-15311 | K07550539 | TMM may crash while processing TCP traffic |
632875-5 | CVE-2018-5516 | K37442533 | Non-Administrator TMSH users no longer allowed to run dig |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
708389 | 3-Major | | BADOS monitoring with Grafana requires admin privilege |
680850-2 | 3-Major | K48342409 | Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
694897-2 | 1-Blocking | | Unsupported Copper SFP can trigger a crash on i4x00 platforms. |
708054-1 | 2-Critical | | Web Acceleration: TMM may crash on very large HTML files with conditional comments |
706305-1 | 2-Critical | | bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled |
706087 | 2-Critical | | Entry for SSL key replaced by config-sync causes tmsh load config to fail |
703761-2 | 2-Critical | | Disable DSA keys for public-key and host-based authentication in Common Criteria mode |
696113-3 | 2-Critical | | Extra IPsec reference added per crypto operation overflows connflow refcount |
692683-1 | 2-Critical | | Core with /usr/bin/tmm.debug at qa_device_mgr_uninit |
690793-1 | 2-Critical | K25263287 | TMM may crash and dump core due to improper connflow tracking |
689577-3 | 2-Critical | K45800333 | ospf6d may crash when processing specific LSAs |
688911-1 | 2-Critical | K94296004 | LTM Policy GUI incorrectly shows conditions with datagroups |
563661-1 | 2-Critical | | Datastor may crash |
704282-2 | 3-Major | | TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy |
703298-2 | 3-Major | | Licensing and phonehome_upload are not using the sync'd key/certificate |
701626-2 | 3-Major | K16465222 | GUI resets custom Certificate Key Chain in child client SSL profile |
698429-1 | 3-Major | | Misleading log error message: Store Read invalid store addr 0x3800, len 10 |
693964-1 | 3-Major | | Qkview utility may generate invalid XML in files contained in Qkview |
691497-2 | 3-Major | | tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions |
691210-1 | 3-Major | | Traffic stops on tmm restart when guest VLAN tagging is used for BIG-IP VE. |
687353-1 | 3-Major | K35595105 | Qkview truncates tmstat snapshot files |
631316-2 | 3-Major | K62532020 | Unable to load config with client-SSL profile error★ |
514703-3 | 4-Minor | | gtm listener cannot be listed across partitions |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
709334-1 | 2-Critical | | Memory leak when SSL Forward proxy is used and ssl re-negotiates |
708114-1 | 2-Critical | K33319853 | TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed |
707447-1 | 2-Critical | | Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles. |
707246-1 | 2-Critical | | TMM would crash if SSL Client profile could not load cert-key-chain successfully |
706631-2 | 2-Critical | | A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured. |
705611-2 | 2-Critical | | The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used |
704666-1 | 2-Critical | | memory corruption can occur when using certain certificates |
704435-1 | 2-Critical | | Client connection may hang when NTLM and OneConnect profiles used together |
703914-2 | 2-Critical | | TMM SIGSEGV crash in poolmbr_conn_dec. |
703191-2 | 2-Critical | | HTTP2 requests may contain invalid headers when sent to servers |
701244-1 | 2-Critical | K81742541 | An incorrect data manipulation in cipher encrypt and decrypt could cause TMM crash with SIGABRT |
701202-3 | 2-Critical | K35023432 | SSL memory corruption |
700393-3 | 2-Critical | K53464344 | Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash |
697259-2 | 2-Critical | K14023450 | Different versioned vCMP guests on the same chassis may crash. |
694656-1 | 2-Critical | K05186205 | Routing changes may cause TMM to restart |
686228-1 | 2-Critical | K23243525 | TMM may crash in some circumstances with VLAN failsafe |
680074-2 | 2-Critical | | TMM crashes when serverssl cannot provide certificate to backend server. |
667770-1 | 2-Critical | K12472293 | SIGSEGV to tmm when performing multiple, repeated SSL profile updates, or during UCS restore |
648320-5 | 2-Critical | K38159538 | Downloading via APM tunnels could experience performance downgrade. |
705794-2 | 3-Major | | Under certain circumstances a stale HTTP/2 stream might cause a tmm crash |
701147-2 | 3-Major | K36563645 | ProxySSL does not work properly with Extended Master Secret and OCSP |
700057-4 | 3-Major | | LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved |
693910-4 | 3-Major | | Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series) |
693244-2 | 3-Major | | BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned |
690042-1 | 3-Major | K43412307 | Potential Tcl leak during iRule suspend operation |
689561-1 | 3-Major | | HTTPS request hangs when multiple virtual HTTPS servers share the same IP address |
686972-4 | 3-Major | | The change of APM log settings will reset the SSL session cache. |
685615-4 | 3-Major | K24447043 | Incorrect source mac for TCP Reset with vlangroup for host traffic |
677525-2 | 3-Major | | Translucent VLAN group may use unexpected source MAC address |
663821-1 | 3-Major | K41344010 | SNAT Stats may not include port FTP traffic |
653976-4 | 3-Major | K00610259 | SSL handshake fails if server certificate contains multiple CommonNames |
594751-1 | 3-Major | K90535529 | LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
710424-2 | 2-Critical | | Possible SIGSEGV in GTMD when GTM persistence is enabled. |
678861-1 | 2-Critical | | DNS:: namespace commands in procs cause upgrade failure when changing from a Link Controller license to another license★ |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
710870 | 2-Critical | | Temporary browser challenge failure after installing an older ASU |
711011-2 | 3-Major | | 'API Security' security policy template changes |
683241-1 | 3-Major | K70517410 | Improve CSRF token handling |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
710947-1 | 2-Critical | | AVR does not send errdef for entity DosIpLogReporting. |
710110-1 | 2-Critical | | AVR does not publish DNS statistics to external log when usr-offbox is enabled. |
711929-1 | 3-Major | | AVR should not send statistic on hidden rows for module InterfaceTraffic and module InterfaceHealth |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
679221-2 | 1-Blocking | | APMD may generate a core file or appear locked up after APM configuration changed |
708005-1 | 2-Critical | K12423316 | Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources |
703208-1 | 2-Critical | | PingAccessAgent causes TMM core |
702278-2 | 2-Critical | | Potential XSS security exposure on APM logon page. |
700522-1 | 2-Critical | | APMD may unexpectedly restart when worker threads are stuck |
700090-2 | 2-Critical | | tmm crash during execution of a per-request policy when modified during execution. |
699686-1 | 2-Critical | | localdbmgr can occasionally crash during shutdown |
697452-1 | 2-Critical | | Websso crashes because of bad argument in logging |
712924-1 | 3-Major | | In VPE, the SecurID servers list is not displayed in the SecurID authentication dialogue |
703793-3 | 3-Major | | tmm restarts when using 'ACCESS::perflow get' in certain events |
703171-1 | 3-Major | | High CPU usage for apmd, localdbmgr and oauth processes |
702487-3 | 3-Major | | AD/LDAP admins with spaces in names are not supported |
684937-3 | 3-Major | K26451305 | [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users |
683113-3 | 3-Major | K22904904 | [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users |
681415-3 | 3-Major | | Copying of profile with advanced customization or images might fail |
678427-1 | 3-Major | K03138339 | Safari 11 displays F5 EPI and F5 VPN launch confirmation dialogs twice |
675775-4 | 3-Major | | TMM crashes inside dynamic ACL building session db callback |
671597-3 | 3-Major | | Import, export, copy and delete take too long on a policy with 1000 entries |
673717-3 | 4-Minor | | VPE loading times can be very long |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
701889-1 | 2-Critical | | Setting log.ivs.level or log-config filter level to informational causes crash |
679114-4 | 3-Major | | Persistence record expires early if an error is returned for a BYE command |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
708888-1 | 2-Critical | K79814103 | Some DNS truncated responses may not be processed by BIG-IP |
667353 | 2-Critical | | Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
702705-2 | 2-Critical | | Core observed during lease query testing when RADIUS Authentication is configured in DHCP profile |
699531-1 | 2-Critical | | Potential TMM crash due to incorrect number of attributes in a PEM iRule command |
696294-1 | 2-Critical | | TMM core may be seen when using Application reporting with flow filter in PEM |
711093-1 | 3-Major | | PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled |
709610-3 | 3-Major | | Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM |
697718-1 | 3-Major | | Increase PEM HSL reporting buffer size to 4K. |
677494-1 | 3-Major | | Flow filter with Periodic content insertion action could leak insert content record |
677148-1 | 3-Major | | Periodic content insertion creates duplicate records if same policy is added to Global high and subscriber specific |
676346-2 | 3-Major | | PEM displays incorrect policy action counters when the gate status is disabled. |
648802-1 | 3-Major | | Required custom AVPs are not included in an RAA when reporting an error. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
710701-1 | 3-Major | | "Application Layer Encryption" option is not saved in DataSafe GUI |
709319-2 | 3-Major | | Post-login client-side alerts are missing username in bigIQ |
706835 | 3-Major | | When cloning a profile, URL parameters are not shown |
706771-1 | 3-Major | | FPS ajax-mapping property may be set even when it should be blocked |
706651-1 | 3-Major | | Cloning URL does not clone "Description" field |
706276-1 | 4-Minor | | Unnecessary pop-up appears |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
708305-2 | 3-Major | | Discover task may get stuck in CHECK_IS_ACTIVE step |
705593-5 | 4-Minor | | CVE-2015-7940: Bouncy Castle Java Vulnerability |
Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
633441-1 | 3-Major | | Datasync Background Tasks running even without features requiring it |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
708189 | 4-Minor | | OAuth Discovery Auto Pilot is implemented |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
708840 | 3-Major | | 13.0.0-to-13.1.0 upgrade operation on VIPRION 2250 blades might fail if global whitelist is configured |
Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
705161-1 | CVE-2018-5505 | K23520761 | BIG-IP ASM and BIG-IP AFM/BIG-IP Analytics vulnerability CVE-2018-5505 |
703517 | CVE-2018-5505 | K23520761 | BIG-IP ASM and BIG-IP AFM/BIG-IP Analytics vulnerability CVE-2018-5505 |
700556-1 | CVE-2018-5504 | K11718033 | TMM may crash when processing WebSockets data |
699012-1 | CVE-2018-5502 | K43121447 | TMM may crash when processing SSL/TLS data |
698080-3 | CVE-2018-5503 | K54562183 | TMM may consume excessive resources when processing with PEM |
695901-1 | CVE-2018-5513 | K46940010 | TMM may crash when processing ProxySSL data |
691504-1 | CVE-2018-5503 | K54562183 | PEM content insertion in a compressed response may cause a crash. |
704580-1 | CVE-2018-5549 | K05018525 | apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP |
701447-1 | CVE-2017-5754 | K91229003 | CVE-2017-5754 (Meltdown) |
701445-1 | CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176 | K91229003 | CVE-2017-5753 (Spectre Variant 1) |
701359-4 | CVE-2017-3145 | K08613310 | BIND vulnerability CVE-2017-3145 |
699455-4 | CVE-2018-5523 | K50254952 | SAML export does not follow best practices |
699451-3 | CVE-2018-5511 | K30500703 | OAuth reports do not follow best practices |
676457-5 | CVE-2017-6153 | K52167636 | TMM may consume excessive resource when processing compressed data |
640766-2 | CVE-2016-10088 CVE-2016-9576 | K05513373 | Linux kernel vulnerability: CVE-2016-10088 CVE-2016-9576 |
636986-1 | CVE-2021-22982 | K72708443 | big3d agent vulnerability CVE-2021-22982 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
686389-1 | 3-Major | APM does not honor per-farm HTML5 client disabling at the View Connection Server | |
678524-1 | 3-Major | Join FF02::2 multicast group when router-advertisement is configured | |
693007-1 | 4-Minor | Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
707226 | 1-Blocking | DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations | |
700315-2 | 1-Blocking | K26130444 | Ctrl+C does not terminate TShark |
667148-3 | 1-Blocking | K02500042 | Config load or upgrade can fail when loading GTM objects from a non-/Common partition |
706998-3 | 2-Critical | Memory leak when OCSP is configured in clientSSL profile for C3D, or in serverSSL profile for server authentication | |
692890-3 | 2-Critical | Adding support for BIG-IP 800 in 13.1.x | |
685458-7 | 2-Critical | K44738140 | merged fails merging a table when a table row has incomplete keys defined. |
665354-1 | 2-Critical | K31190471 | Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log |
703848-1 | 3-Major | Possible memory leak when reusing statistics rows in tables | |
702520-2 | 3-Major | K53330514 | Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address. |
694740-3 | 3-Major | BIG-IP reboot during a TMM core results in an incomplete core dump | |
692753-1 | 3-Major | shutting down trap not sent when shutdown -r or shutdown -h issued from shell | |
689691-2 | 3-Major | iStats line length greater than 4032 bytes results in corrupted statistics or merge errors | |
686029-2 | 3-Major | A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces | |
669462-2 | 3-Major | Error adding /Common/WideIPs as members to GTM Pool in non-Common partition | |
589083-6 | 3-Major | TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors. | |
699281-1 | 4-Minor | Version format of hypervisor bundle matches Version format of ISO | |
685475-1 | 4-Minor | K93145012 | Unexpected error when applying hotfix |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
706534-1 | 1-Blocking | L7 connection mirroring may not be fully mirrored on the standby BIG-IP | |
698424-1 | 1-Blocking | K11906514 | Traffic over a QinQ VLAN (double tagged) will not pass |
700862-1 | 2-Critical | K15130240 | tmm SIGFPE 'valid node' |
699298-2 | 2-Critical | TMM cored due to SIGSEGV on 13.0.0 Hotfix HF3 (3.0.1679). | |
698461-1 | 2-Critical | Tmm may crash in fastl4 TCP | |
692970-2 | 2-Critical | Using UDP port 67 for purposes other than DHCP might cause TMM to crash | |
691095-1 | 2-Critical | CA bundle manager loses certificates in the CA bundle if the serial number is longer than 4 bytes | |
687635-1 | 2-Critical | K58002142 | Tmm becomes unresponsive and might restart |
687205-2 | 2-Critical | Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart | |
681175-3 | 2-Critical | K32153360 | TMM may crash during routing updates |
674576-3 | 2-Critical | Outage may occur with VIP-VIP configurations | |
452283-5 | 2-Critical | An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows | |
440620-1 | 2-Critical | New connections may be reset when a client reuses the same port as it used for a recently closed connection | |
704073-1 | 3-Major | K24233427 | Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm |
702439 | 3-Major | K04964898 | Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset |
698916-1 | 3-Major | TMM crash with HTTP/2 under specific condition | |
698379-2 | 3-Major | K61238215 | HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR( |
698000-3 | 3-Major | K04473510 | Connections may stop passing traffic after a route update |
695707-5 | 3-Major | BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection | |
691806-1 | 3-Major | K61815412 | RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state |
689449-1 | 3-Major | Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured | |
688571-2 | 3-Major | K40332712 | An untrusted certificate might be accepted by server-ssl even when 'untrusted-cert-response-control drop' is configured in the server-ssl profile. |
688570-5 | 3-Major | BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes | |
686307-3 | 3-Major | K10665315 | Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later |
686065-2 | 3-Major | RESOLV::lookup iRule command can trigger crash with slow resolver | |
682104-3 | 3-Major | HTTP PSM leaks memory when looking up evasion descriptions | |
680264-2 | 3-Major | HTTP2 headers frame decoding may fail when the frame is delivered in multiple xfrags | |
677666-2 | 3-Major | /var/tmstat/blades/scripts segment grows in size. | |
664528-2 | 3-Major | K53282793 | SSL record can be larger than maximum fragment size (16384 bytes) |
251162-1 | 3-Major | K11564 | The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name |
685467-1 | 4-Minor | K12933087 | Certain header manipulations in HTTP profile may result in losing connection. |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
699135-1 | 2-Critical | tmm cores with SIGSEGV in dns_rebuild_response while using the host command for a non-A/AAAA wide IP | |
692941-1 | 2-Critical | GTMD and TMM SIGSEGV when changing wide IP pool in GTMD | |
691287-1 | 2-Critical | tmm crashes on iRule with GTM pool command | |
682335-1 | 2-Critical | TMM can establish multiple connections to the same gtmd | |
580537-3 | 2-Critical | The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data | |
562921-5 | 2-Critical | Cipher 3DES and iQuery encrypting traffic between BIG-IP systems | |
705503-3 | 3-Major | Context leaked from iRule DNS lookup | |
703702 | 3-Major | Fixed iControl REST not listing GTM Listeners | |
700527-3 | 3-Major | cmp-hash change can cause repeated iRule DNS-lookup hang | |
699339-3 | 3-Major | K24634702 | Geolocation upgrade files fail to replicate to secondary blades |
696808-1 | 3-Major | Disabling a single pool member removes all GTM persistence records | |
691498-3 | 3-Major | Connection failure during iRule DNS lookup can crash TMM | |
690166-1 | 3-Major | ZoneRunner creates a new stub zone when creating an SRV WIP with more subdomains | |
687128-1 | 3-Major | gtm::host iRule validation for ipv4 and ipv6 addresses | |
680069-1 | 3-Major | K81834254 | zxfrd core during transfer while network failure and DNS server removed from DNS zone config★ |
679149-1 | 3-Major | TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0] | |
667469-3 | 3-Major | K35324588 | Higher than expected CPU usage when using DNS Cache |
636997-1 | 4-Minor | big3d may crash | |
636994-1 | 4-Minor | big3d may crash | |
636992-1 | 4-Minor | big3d may crash | |
636982-1 | 4-Minor | big3d may crash |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
705774-1 | 3-Major | Add a set of disallowed file types to RDP template | |
703833-1 | 3-Major | Some bot detected features might not work as expected on Single Page Applications | |
702946-3 | 3-Major | Added option to reset staging period for signatures | |
701841-2 | 3-Major | Unnecessary file recovery_db/conf.tar.gz consumes /var disk space | |
701327-2 | 3-Major | failed configuration deletion may cause unwanted bd exit | |
700812-1 | 3-Major | asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview | |
700726-2 | 3-Major | Search engine list was updated, and the case of multiple entries was fixed | |
698919-3 | 3-Major | Antivirus false positive detection on long XML uploads | |
697756-1 | 3-Major | Policy with CSRF URL parameter cannot be imported as binary policy file | |
697303-1 | 3-Major | BD crash | |
696265-5 | 3-Major | K60985582 | BD crash |
696073-2 | 3-Major | BD core on a specific scenario | |
695563-1 | 3-Major | Improve speed of ASM initialization on first startup | |
694922-5 | 3-Major | ASM Auto-Sync Device Group Does Not Sync | |
693780-1 | 3-Major | Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices | |
693663-1 | 3-Major | Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode | |
691477-2 | 3-Major | ASM standby unit showing future date and high version count for ASM Device Group | |
679384-3 | 3-Major | K85153939 | The policy builder is not getting updates about the newly added signatures. |
678293-2 | 3-Major | K25066531 | Uncleaned policy history files cause /var disk exhaustion |
665992-2 | 3-Major | K40510140 | Live Update via Proxy No Longer Works |
608988-1 | 3-Major | Error when deleting multiple ASM Policies |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
703233 | 3-Major | Some filters don't work in Security->Reporting->URL Latencies page |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
707676-1 | 2-Critical | Memory leak in Machine Certificate Check agent of the apmd process | |
700724-2 | 2-Critical | Client connection with a large number of HTTP requests may cause tmm to restart | |
692557-1 | 2-Critical | When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted. | |
690116-1 | 2-Critical | websso daemon might crash when logging set to debug | |
689591-2 | 2-Critical | When pingaccess SDK processes certain POST requests from the client, the TMM may restart | |
677368-2 | 2-Critical | Websso crash due to uninitialized member in websso context object while processing a log message | |
631286-3 | 2-Critical | TMM Memory leak caused by APM URI cache entries | |
703429-2 | 3-Major | Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services | |
702263-1 | 3-Major | An access profile with a large number of SAML Resources (greater than 200) causes APM error ERR_TOOBIG while loading. | |
702222-1 | 3-Major | RADIUS and SecurID Auth fails with empty password | |
701740-1 | 3-Major | apmd leaks memory when updating Access V2 policy | |
701737-1 | 3-Major | apmd may leak memory on destroying Kerberos cache | |
701736-1 | 3-Major | Memory leak in Machine Certificate Check agent of the apmd process | |
701639-1 | 3-Major | Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by BIG-IP as SP. | |
697636-3 | 3-Major | ACCESS is not replacing headers while replacing POST body | |
695953-1 | 3-Major | Custom URL Filter object is missing after load sys config TMSH command | |
694624-1 | 3-Major | SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor | |
693844-1 | 3-Major | K58335157 | APMD may restart continuously and cannot come up |
692307-3 | 3-Major | User with 'operator' role may not be able to view some session variables | |
687937-1 | 3-Major | RDP URIs generated by APM Webtop are not properly encoded | |
685862-1 | 3-Major | BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message | |
684583-1 | 3-Major | Builtin Okta Scopes Request object uses client-id and client-secret | |
684325-1 | 3-Major | APMD Memory leak when applying a specific access profile | |
683389-3 | 3-Major | Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file | |
683297-2 | 3-Major | Portal Access may use incorrect back-end for resources referenced by CSS | |
682500-2 | 3-Major | VDI Profile and Storefront Portal Access resource do not work together | |
678851-3 | 3-Major | Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase() | |
675866-4 | 3-Major | WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO | |
671627-3 | 3-Major | K06424790 | HTTP responses without a body may contain a chunked body with an empty payload when processed by Portal Access. |
632646-1 | 3-Major | APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server. | |
629334-1 | 3-Major | Portal Access: JavaScript expressions in parentheses may be rewritten incorrectly | |
612792-1 | 3-Major | Support RDP redirection for connections launched from APM Webtop on iOS | |
612118-2 | 3-Major | Nexthop explicit proxy is not used for the very first connection to communicate with the backend. | |
536831-1 | 3-Major | APM PAM module does not handle local-only users list correctly |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
698338-1 | 2-Critical | Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection | |
689343-2 | 2-Critical | Diameter persistence entries with the bi-directional flag are created with a 10-second timeout | |
685708-4 | 2-Critical | Routing via iRule to a host without providing a transport from a transport-config created connection cores | |
700571-4 | 3-Major | SIP MR profile sets an incorrect branch parameter for CANCEL to INVITE | |
696049-1 | 3-Major | High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running | |
674747-4 | 3-Major | K30837366 | sipdb cannot delete custom bidirectional persistence entries. |
656901-3 | 3-Major | MRF adds two iRule commands: 'existing_connection_only' and 'outgoing_connection_instance_seed' |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
704207-1 | 2-Critical | DNS query name is not showing up in DNS AVR reporting | |
692328-1 | 2-Critical | Tmm core due to incorrect memory allocation | |
703959 | 3-Major | Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI | |
631418-1 | 3-Major | Packets dropped by HW grey list may not be counted toward AVR. |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
696383-1 | 2-Critical | PEM Diameter incomplete flow crashes when swept | |
694717-1 | 2-Critical | Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup. | |
616008-1 | 2-Critical | K23164003 | TMM core may be seen when using an HSL format script for HSL reporting in PEM |
696789-1 | 3-Major | PEM Diameter incomplete flow crashes when Tcl is resumed | |
695968-1 | 3-Major | Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues. | |
694319-1 | 3-Major | CCA without a request type AVP cannot be tracked in PEM. | |
694318-1 | 3-Major | PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP. | |
684333-1 | 3-Major | PEM session created by Gx may get deleted across multiple HA switchovers with CLI command | |
678820-1 | 3-Major | Potential memory leak if PEM Diameter sessions are not created successfully. | |
642068-4 | 3-Major | PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens | |
624231-4 | 3-Major | No flow control when using content-insertion with compression | |
680729-1 | 4-Minor | K64307999 | DHCP Trace log incorrectly marked as an Error log. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
697363-1 | 2-Critical | FPS should forward all XFF header values | |
705559-1 | 3-Major | FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request | |
662311-1 | 3-Major | CS alerts should contain actual client IP address in XFF header |
Protocol Inspection Fixes
ID Number | Severity | Solution Article(s) | Description |
671716-1 | 3-Major | UCS version check was too strict for IPS hitless upgrade |
Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
702419 | 3-Major | Protocol Inspection needs add-on license to work |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
660239-6 | 4-Minor | When accessing the dashboard, invalid HTTP headers may be present |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
677919-4 | 3-Major | Enhanced Data Manipulation AJAX Support |
Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
681955-1 | CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 | K23565223 | Apache CVE-2017-9788 |
673595-9 | CVE-2017-3167 CVE-2017-3169 | K34125394 | Apache CVE-2017-3167 |
694274-1 | CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 | K23565223 | [RHSA-2017:3195-01] Important: httpd security update - EL6.7 |
672124-6 | CVE-2018-5541 | K12403422 | Excessive resource usage when BD is processing requests |
679861 | CVE-2019-6655 | K31152411 | Weak Access Restrictions on the AVR Reporting Interface |
673607-9 | CVE-2017-3169 | K83043359 | Apache CVE-2017-3169 |
672667-6 | CVE-2017-7679 | K75429050 | CVE-2017-7679: Apache vulnerability |
641101-7 | CVE-2016-8743 | K00373024 | httpd security and bug fix update CVE-2016-8743 |
684033-3 | CVE-2017-9798 | K70084351 | CVE-2017-9798 : Apache Vulnerability (OptionsBleed) |
661939-2 | CVE-2017-2647 | K32115847 | Linux kernel vulnerability CVE-2017-2647 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
685056 | 3-Major | VE OVAs are not a supported platform for running VMware guest OS customization | |
670103-1 | 3-Major | No way to query logins to BIG-IP in TMUI | |
681385-2 | 4-Minor | Forward proxy forged cert lifespan can now be configured in hours rather than only in days. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
700247 | 2-Critical | K60053504 | APM Client Software may be missing after doing fresh install of BIG-IP VE |
693979 | 3-Major | Autoscale is not functional because of a change in the file permissions of /shared/vadc/aws/iid-document | |
683131-1 | 3-Major | Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present★ | |
682213-1 | 3-Major | K31623549 | TLS v1.2 support in IP reputation daemon |
669585-1 | 3-Major | The tmsh sys log filter is unable to display information in uncompressed log files. | |
668826-1 | 3-Major | File named /root/.ssh/bigip.a.k.bak is present but should not be | |
668276-1 | 3-Major | BIG-IP does not display failed login attempts since last login in GUI | |
668273-1 | 3-Major | K12541531 | Logout button not available in Configuration Utility when using Client Cert LDAP |
471237-4 | 3-Major | K12155235 | BIG-IP VE instances do not work with an encrypted disk in AWS. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
699624-1 | 2-Critical | Config with custom 'SIP' or 'Firepass' monitor fails to load after upgrade★ | |
463097-5 | 3-Major | Clock advanced messages with a large amount of data maintained in DNS Express zones |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
672504-2 | 2-Critical | K52325625 | Deleting zones from large databases can take excessive amounts of time. |
667542-6 | 2-Critical | DNS Express does not correctly process multi-message DNS IXFR updates. | |
645615-6 | 2-Critical | K70543226 | zxfrd may fail and restart after multiple failovers between blades in a chassis. |
655233-2 | 3-Major | K93338593 | DNS Express using wrong TTL for SOA RRSIG record in NoData response |
648766-2 | 3-Major | K57853542 | DNS Express responses missing SOA record in NoData responses if CNAMEs present |
646615-2 | 4-Minor | Improved default storage size for DNS Express database |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
699720-1 | 2-Critical | ASM crash when configuring remote logger for WebSocket traffic with response-logging:all | |
691670-5 | 2-Critical | Rare BD crash in a specific scenario | |
686108-1 | 2-Critical | User gets blocking page instead of captcha during brute force attack | |
684312-1 | 2-Critical | K54140729 | During Apply Policy action, bd agent crashes, causing the machine to go Offline |
698940-1 | 3-Major | Add new security policy template for API driven systems - "API Security" | |
690883-1 | 3-Major | BIG-IQ: Changing learning mode for elements does not always take effect | |
686517-2 | 3-Major | Changes to a parent policy that has no active children are not synced to the secondary chassis slots. | |
686470-1 | 3-Major | Enabling AJAX Response Page or Single Page Application support causes part of the web page to fail to load. | |
686452-1 | 3-Major | File Content Detection Formats are not exported in Policy XML | |
685964-1 | 3-Major | cs_qualified_urls bigdb does not cause configured URLs to be qualified. | |
685771-1 | 3-Major | Policies cannot be created with SAP, OWA, or SharePoint templates | |
685207-1 | 3-Major | DoS client side challenge does not encode the Referer header. | |
685164-1 | 3-Major | K34646484 | In partitions with default route domain != 0 request log is not showing requests |
683508-1 | 3-Major | K00152663 | WebSockets: umu memory leak of binary frames when remote logger is configured |
680353-1 | 3-Major | Brute force source-based mitigation is not working as expected | |
674494-4 | 3-Major | K77993010 | BD memory leak on specific configuration and specific traffic |
668184-2 | 3-Major | Huge values are shown in the AVR statistics for ASM violations | |
694073-3 | 4-Minor | All signature update details are shown in 'View update history from previous BIG-IP versions' popup | |
685193-1 | 4-Minor | If Inheritance is None in the Parent Policy and there is at least one child policy, the number of Comments shown in Inheritance Settings is equal to the number of child policies |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
697421 | 3-Major | Monpd core when trying to restart | |
688813-2 | 3-Major | K23345645 | Some ASM tables can massively grow in size. |
686510-1 | 3-Major | If tmm was restarted during an attack, the attack might appear ongoing in GUI | |
683474 | 3-Major | The case-sensitive problem during comparison of 2 Virtual Servers | |
679088-1 | 3-Major | AVR reporting and analytics does not display statistics for many source regions |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
684852-1 | 2-Critical | Obfuscator not producing deterministic output | |
692123 | 3-Major | GET parameter is grayed out if MobileSafe is not licensed |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
700320 | 2-Critical | tmm core under stress when BADOS configured and attack signatures enabled | |
691462-1 | 3-Major | Bad actors detection might not work when signature mitigation blocks bad traffic | |
687987 | 3-Major | Presentation of signatures in human-readable format | |
687986 | 3-Major | High CPU consumption during signature generation; number of signatures per virtual server is not limited | |
687984 | 3-Major | Attacks with randomization of HTTP header parameters generate too many signatures |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
698396-1 | 2-Critical | Config load failed after upgrade from 12.1.2 to 13.x or 14.x★ |
Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
686190-1 | 2-Critical | LRO performance impact with BWC and FastL4 virtual server | |
667173-1 | 2-Critical | 13.1.0 cannot join a device group with 13.1.0.1 | |
683114-2 | 3-Major | Need support for 4th element version in Update Check |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
685628-1 | 1-Blocking | Performance regression on B4450 blade★ | |
673832-1 | 1-Blocking | Performance impact for certain platforms after upgrading to 13.1.0. | |
696525-1 | 2-Critical | B2250 blades experience degraded performance. |
Cumulative fix details for BIG-IP v13.1.4.1 that are included in this release
996381-5 : ASM attack signature may not match as expected
Component: Application Security Manager
Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.
Conditions:
- Attack signature 200000128 enabled.
Impact:
Processed traffic may not match all expected attack signatures.
Workaround:
N/A
Fix:
Attack signature 200000128 now matches as expected.
995629-1 : Loading UCS files may hang if ASM is provisioned★
Component: TMOS
Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.
Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.
Impact:
UCS load might fail.
Workaround:
If you encounter this, run 'load sys config default' and de-provision ASM. The UCS file should then load successfully.
994801-5 : SCP file transfer hardening
Component: TMOS
Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Conditions:
Administrative user with SCP access.
Impact:
Users with SCP access but without shell access can run arbitrary commands.
Workaround:
None
Fix:
The SCP file transfer system now follows current best practices.
990333-3 : APM may return unexpected content when processing HTTP requests
Component: Access Policy Manager
Symptoms:
APM may return unexpected content when processing HTTP requests.
Conditions:
An APM access profile is configured on the virtual server.
Impact:
Unexpected content is returned to clients.
Workaround:
when CLIENT_ACCEPTED {
    # Allow iRule events to fire for requests that APM handles internally.
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    # For the customization image path, strip plain and percent-encoded dot segments
    # from the URI and redirect the client to the cleaned path.
    if {[HTTP::uri] starts_with "/public/images/customization/" && ([HTTP::path] contains ".." || [HTTP::path] contains "%2")} {
        set removeDots [string map [list ".." "" ".%2e" "" ".%2E" "" "%2e." "" "%2E." "" "%2e%2e" "" "%2E%2e" "" "%2e%2E" ""] [HTTP::uri]]
        HTTP::redirect http://[HTTP::host]$removeDots
        # log local0. "Redirect to [HTTP::host]$removeDots"
    }
}
Fix:
APM now processes HTTP requests as expected.
989009-5 : BD daemon may crash while processing WebSocket traffic
Component: Application Security Manager
Symptoms:
Under certain conditions, the BD daemon may crash while processing WebSocket traffic.
Conditions:
- ASM enabled
- WebSocket profile enabled
Impact:
BD daemon crash leading to a failover event
Workaround:
N/A
Fix:
The BD daemon now processes WebSocket traffic as expected.
981385-5 : AVRD does not send HTTP events to BIG-IQ DCD
Component: Application Visibility and Reporting
Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).
Conditions:
This happens under normal operation.
Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.
Workaround:
None.
981169-4 : F5 TMUI XSS vulnerability CVE-2021-22994
Solution Article: K66851119
980809-4 : ASM REST Signature Rule Keywords Tool Hardening
Component: Application Security Manager
Symptoms:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.
Conditions:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.
Impact:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.
Workaround:
N/A.
Fix:
The ASM REST Signature Rule Keywords Tool now follows current best practices.
980125-5 : BD Daemon may crash while processing WebSocket traffic
Component: Application Security Manager
Symptoms:
Under certain conditions, the WAF daemon may crash while processing WebSocket traffic.
Conditions:
- ASM enabled
- WebSocket profile enabled
Impact:
WAF crash resulting in a failover event.
Workaround:
N/A
Fix:
WAF now processes WebSocket traffic as expected.
976925-4 : BIG-IP APM VPN vulnerability CVE-2021-23002
Solution Article: K71891773
976501-4 : Failed to establish VPN connection
Component: Access Policy Manager
Symptoms:
VPN client exits with the message "Failed to establish VPN connection".
Conditions:
-- Connect to Network Access using a web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop.
-- Internet Explorer browser.
Impact:
Client will be unable to launch the VPN tunnel from the browser.
Workaround:
Clear cache in the browser and retry.
Disable caching in the browser.
975233-4 : Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992
Solution Article: K52510511
973333-2 : TMM buffer-overflow vulnerability CVE-2021-22991
Solution Article: K56715231
973261-5 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects
Component: Global Traffic Manager (DNS)
Symptoms:
big3d does not try to open TCP connections if an HTTPS monitor contains a cert/key.
/var/log/gtm shows:
err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.
Conditions:
GTM HTTPS monitor with non-default cert/key.
Impact:
Unable to use the HTTPS monitor.
968733-4 : CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
Solution Article: K42202505
968421-5 : ASM attack signature doesn't match
Component: Application Security Manager
Symptoms:
A specific attack signature doesn't match as expected.
Conditions:
Undisclosed conditions.
Impact:
Attack signature does not match as expected, and the request is not logged.
Workaround:
N/A
Fix:
Attack signature now matches as expected.
968349-4 : TMM crashes with unspecified message
Component: Service Provider
Symptoms:
TMM crashes with an unspecified message.
Conditions:
Requires a specific iRule for GTP processing.
Impact:
TMM crashes with core and restarts. Traffic disrupted while TMM restarts.
Workaround:
None.
Fix:
TMM now handles the unspecified message properly.
967905-1 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash
Component: TMOS
Symptoms:
Tmm crashes.
Conditions:
-- A static bandwidth controller (bwc) is in use.
-- A virtual-to-virtual chain is configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use a static bwc on a virtual chain.
Fix:
Fixed a tmm crash.
967745-4 : Last resort pool error for the modify command for Wide IP
Component: TMOS
Symptoms:
System reports error for the modify command for Wide IP.
01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.
Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.
Impact:
The object is not modified, and the system reports an error.
Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.
Append the command with last-resort-pool a <pool_name>, for example:
modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test
Fix:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.
965485-1 : CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL
Solution Article: K41523201
962433-2 : HTTP::retry for a HEAD request fails to create new connection
Component: Local Traffic Manager
Symptoms:
In the case of a HEAD request, BIG-IP fails to set up a new connection to the server with the HTTP::retry iRule command.
Conditions:
1.) Basic HTTP profile is configured on BIG-IP
2.) BIG-IP sends the HEAD request to the server and gets an error response
3.) iRule with HTTP::retry is configured
4.) The system is using the default (non-debug) TMM version
Impact:
BIG-IP might send the retry HEAD request after the connection is closed; more specifically, after the server has sent a FIN, the retry is leaked onto the network.
962341-3 : BD crash while processing JSON content
Component: Application Security Manager
Symptoms:
Under certain conditions, BD may crash while processing JSON content
Conditions:
- ASM enabled
- JSON content profile enabled
Impact:
Traffic disrupted while BD restarts.
Workaround:
N/A
962177-4 : Results of POLICY::names and POLICY::rules commands may be incorrect
Component: Local Traffic Manager
Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules return incorrect results.
Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to the virtual server and runs on multiple transactions over the same connection.
Impact:
Traffic processing may not provide expected results.
Fix:
POLICY::names and POLICY::rules now provide atomic results per transaction over the same connection.
960749-4 : TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes, dumps a core file, and restarts.
Conditions:
-- The configuration includes one or more 'DNS Cache' or 'Network DNS Resolver' objects.
-- The DNS Cache or Network DNS Resolver objects receive traffic.
Impact:
Traffic disrupted while tmm restarts. A redundant unit will fail over.
Fix:
TMM no longer crashes when 'DNS Cache' or 'Network DNS Resolver' objects handle traffic.
960437-4 : The BIG-IP system may initially fail to resolve some DNS queries
Component: Global Traffic Manager (DNS)
Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.
Subsequent queries for the same domain name, however, work as expected.
Only some domain names are affected.
Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.
- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).
- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.
Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure is returned to the client.
In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.
For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.
Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.
1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6'.
4. Select Update.
You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system and want the system to also use IPv6 to connect to Internet name servers.
Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.
959121-1 : Not following best practices in Guided Configuration Bundle Install worker
Solution Article: K74151369
955145-4 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
Solution Article: K03009991
954381-4 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
Solution Article: K03009991
953729-4 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990
953677-4 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
951033-1 : Virtual server resets all the connections for rstcause 'VIP disabled (administrative)'
Component: Local Traffic Manager
Symptoms:
Virtual server resets all the connections for rstcause 'VIP disabled (administrative)', after all the conditions are met.
Once it happens, the virtual server starts resetting all the incoming connections for rstcause 'VIP disabled (administrative)'. This continues even after the connection limit is deactivated.
Conditions:
-- There is at least one pool member that is DISABLED.
-- Other pool members have a connection limit configured.
-- A configuration change occurs while the connection limit is activated, and the change lowers the connection limit value, for example, the value is changed from 10 to 5.
Impact:
A virtual server continues resetting new connections.
Workaround:
Use Forced offline instead of disabled to prevent this issue.
Fix:
The BIG-IP system no longer continually resets new connections when the connection limit is lowered while it is being enforced.
950917-3 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034
Component: Application Security Manager
Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:
01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )
Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.
Impact:
Apply policy fails.
Workaround:
You can use any of the following workarounds:
-- Install an older signature update -SignatureFile_20200917_175034
-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.
-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------
950077-4 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
950017-4 : TMM may crash while processing SCTP traffic
Component: TMOS
Symptoms:
Under certain conditions, TMM may crash while processing SCTP traffic. After this crash, the logs show the message: "flow not in use".
Conditions:
- SCTP profile enabled
Impact:
TMM crashes, leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes SCTP traffic as expected.
949933-3 : BIG-IP APM CTU vulnerability CVE-2021-22980
Solution Article: K29282483
949889-1 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()
Solution Article: K04107324
949593-1 : Unable to load config if AVR widgets were created under '[All]' partition★
Component: Application Visibility and Reporting
Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.
Conditions:
This occurs if one or more AVR widgets in the configuration were created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.
Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.
Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':
# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config
This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.
Fix:
It is now possible to successfully upgrade from or load a configuration containing one or more AVR widgets created under the read-only '[All]' pseudo-partition or under other non-existent partitions. With this fix, all such partitions are changed to "Common" during upgrade.
949145-3 : Improve TCP's response to partial ACKs during loss recovery
Component: Local Traffic Manager
Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.
Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.
Impact:
The bursty retransmissions may lead to more data being lost, because a large amount of data is injected into the network at once.
Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.
Fix:
Partial ACK handling during loss recovery is improved.
948769-3 : TMM panic with SCTP traffic
Component: TMOS
Symptoms:
TMM panics and generates a core file. The panic message is "balanced nodes".
Conditions:
SCTP enabled virtual server
Impact:
Traffic interrupted while TMM restarts
Workaround:
Ensure that you have a route to the server's alternate address (such as a default route, since the remote server might not be under your direct control), or, on versions earlier than 13.0, make sure that auto-lasthop is enabled for the virtual server (via the global, VLAN, or virtual server setting).
Fix:
TMM now handles SCTP traffic properly
948573-3 : Wr_urldbd list of valid TLDs needs to be updated
Component: Traffic Classification Engine
Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.
Conditions:
New TLD is being queried
Impact:
URL queries with the new TLDs cannot be blocked with a custom feed list.
The Custom, Webroot, and Cloud lookups return the Unknown category.
Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.
946581 : TMM vulnerability CVE-2020-27713
Solution Article: K37960100
945109-5 : Freetype Parser Skip Token Vulnerability CVE-2015-9382
Component: TMOS
Symptoms:
FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation.
Conditions:
An attacker may leverage this vulnerability with a crafted input file, resulting in a limited (low) confidentiality impact.
Impact:
In ps_parser_skip_PS_token(), lack of proper validation may allow the reading cursor that holds the current position to move beyond the end of the text content. This causes an out-of-bounds read in the skip_comment() function, and unexpected data may be exposed as a result of the over-read.
Workaround:
N/A
Fix:
Updated FreeType to patch CVE-2015-9382.
943913-5 : ASM attack signature does not match
Component: Application Security Manager
Symptoms:
When processing certain traffic, ASM attack signatures may not match as intended.
Conditions:
- ASM enabled
- Undisclosed attack signature variation
Impact:
ASM attack signature does not match or trigger further processing.
Workaround:
N/A
Fix:
ASM now processes traffic as expected.
943889 : Reopening the publisher after a failed publishing attempt
Component: Fraud Protection Services
Symptoms:
TMM crashes repeatedly on SIGSEGV.
Conditions:
This can occur after an HSL disconnect and reconnect.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now publishes data to the HSL publisher successfully on a second attempt (after a reconnect).
943125-4 : ASM bd may crash while processing WebSocket traffic
Solution Article: K18570111
942701-4 : TMM may consume excessive resources while processing HTTP traffic
Component: Local Traffic Manager
Symptoms:
When processing HTTP traffic, TMM may consume excessive resources.
When BIG-IP handles HTTP traffic, it can compress the payload. Under certain conditions TMM may use its memory inefficiently, resulting in out-of-memory (OOM) situations.
Conditions:
- Virtual server with http and httpcompression profiles.
- Undisclosed conditions at backend server.
Impact:
TMM exhausts its memory and may deny legitimate traffic or delay processing traffic.
Workaround:
Remove httpcompression profile from a virtual's configuration.
Fix:
TMM now processes HTTP traffic as expected.
941853-3 : Logging Profiles do not disassociate from virtual server when multiple changes are made
Component: Application Security Manager
Symptoms:
When multiple Logging Profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.
Conditions:
Multiple Logging Profile changes are made in a single update.
Impact:
The previous Logging Profiles are not disassociated from the virtual server.
Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.
941621-4 : Brute Force breaks server's Post-Redirect-Get flow
Component: Application Security Manager
Symptoms:
Brute Force breaks server's Post-Redirect-Get flow
Conditions:
ASM policy is attached to the virtual server.
Brute force protection is enabled.
CSI challenge or Captcha are in use.
Server implements Post-Redirect-Get flow.
Impact:
Brute Force breaks server's Post-Redirect-Get flow
Workaround:
None
Fix:
The Post-Redirect-Get (PRG) mechanism is now supported in brute force mitigations.
941449-5 : BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993
Solution Article: K55237223
941089-4 : TMM core when using Multipath TCP
Component: Local Traffic Manager
Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
940897-4 : Violations are detected for the incorrect parameter when "Maximum Array/Object Elements" is reached
Component: Application Security Manager
Symptoms:
False positive violations are detected for the incorrect parameter when "Maximum Array/Object Elements" is reached and "Parse Parameter" is enabled.
Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.
Impact:
False positives are detected, such as an "Illegal meta character in value" violation and an attack signature match in the incorrect context.
Workaround:
N/A
Fix:
No false positives are detected.
940401-4 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'
Component: Fraud Protection Services
Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.
Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.
Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.
Workaround:
None.
Fix:
Section now reads 'Rooting Detection'.
940249-4 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached
Component: Application Security Manager
Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then all sensitive data after the last allowed element is not masked.
Conditions:
Define a JSON profile, set "JSON data does not comply with format settings" to blocking, and set "Maximum Array/Object Elements" to the desired value.
Impact:
Data after the last allowed element is not masked.
Fix:
Now the values are masked.
940021-1 : Syslog-ng hang may lead to unexpected reboot
Component: TMOS
Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to unexpected reboot.
The BIG-IP system may unexpectedly reboot after a host watchdog timeout when syslog-ng hangs.
Logs via syslog-ng are no longer written, though logging that does not go through syslog-ng continues unaffected.
This happens at the time of the last 'Syslog connection broken' message in /var/log/messages before the reboot.
That message appears without a preceding 'Syslog connection established' message with the same timestamp.
At this time syslog-ng typically spins, using near 100% CPU (the equivalent of one core, not all CPU capacity on the system).
Typically the rest of the system appears fine; there is usually adequate CPU and memory.
Hours or days later, graphs show a gap of usually tens of minutes to hours before an unexpected reboot.
Post-reboot logs (in /var/log/sel for iSeries, or the ltm log otherwise) show that this was a host watchdog reboot.
After the reboot the system runs correctly, though if the syslog-ng remote server was invalid this remains the case.
Conditions:
Invalid syslog-ng server configuration, or a broken connection from the BIG-IP system toward the configured syslog-ng remote server.
A server is configured as a remote syslog destination on the BIG-IP system, but it or an intervening system responds to the stream of log messages by breaking the connection, e.g., by sending ICMP port unreachable to the BIG-IP system.
syslog-ng logs the connection attempt and the broken connection, usually in the same second, and does so every 60 seconds when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
The final log entry shows a broken connection only, usually one minute after the last established/broken pair:
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Impact:
Very rarely, syslog-ng hangs in a non-functional state. Sometimes this may lead to an unexpected reboot of the BIG-IP system, with loss of logs before the restart and traffic disrupted while the BIG-IP system restarts.
Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable.
Fix:
Fixed an issue in which a syslog-ng hang occasionally caused a system restart.
939845-4 : BIG-IP MPTCP vulnerability CVE-2021-23004
Solution Article: K31025212
939841-4 : BIG-IP MPTCP vulnerability CVE-2021-23003
Solution Article: K43470422
939529-4 : Branch parameter not parsed properly when topmost via header received with comma separated values
Component: Service Provider
Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a Via header into SIP request messages. This Via header is removed from the returned response message. The Via header contains encrypted routing information used to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch parameter. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.
Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.
Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be the same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction when the CANCEL is received, and the client sends a 481 error:
SIP/2.0 481 Call/Transaction Does Not Exist.
Workaround:
Use iRules to remove the topmost Via header and add a new Via header that uses the same branch for INVITE and CANCEL when sending messages to SIP clients.
Fix:
The BIG-IP system now ensures that the branch field inserted in the Via header is the same for INVITE and CANCEL messages.
938233-4 : An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization
Component: Local Traffic Manager
Symptoms:
BIG-IP exhibits a gradual, linear increase in memory accumulation (high xfrag accumulation), leading to high CPU utilization.
Impact:
This may start to affect the BIG-IP system's capacity to serve other incoming requests as CPU utilization approaches its maximum.
Fix:
BIG-IP no longer exhibits the high memory (xfrag) accumulation that leads to high CPU utilization.
937637-5 : BIG-IP APM VPN vulnerability CVE-2021-23002
Solution Article: K71891773
937365-5 : LTM UI does not follow best practices
Component: TMOS
Symptoms:
The SCTP component of LTM WebUI does not follow current best practices.
Conditions:
- Authenticated LTM WebUI user
Impact:
LTM WebUI does not follow current best practices.
Workaround:
None
Fix:
TMUI now follows best practices.
935721-3 : ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624
Solution Article: K82252291
935433-5 : iControl SOAP Hardening
Component: TMOS
Symptoms:
Under certain conditions, iControl SOAP does not follow current best practices.
Conditions:
- Undisclosed conditions.
Impact:
iControl SOAP does not follow current best practices.
Workaround:
N/A
Fix:
iControl SOAP now follows current best practices.
935401-5 : BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001
Solution Article: K06440657
935293-1 : 'Detected Violation' Field for event logs not showing
Component: Application Security Manager
Symptoms:
The violation is missing, or its details are not populated, in the event log page when a POST request with a large number of parameters is sent to the BIG-IP system.
Conditions:
-- A large POST request with many parameters is sent to the BIG-IP system.
-- 'Learn New Parameters' is enabled.
Impact:
You cannot see the violation details.
Workaround:
Disabling parameter learning helps.
Note: This happens only with a large number of parameters. Otherwise it works as expected.
Fix:
The event log now reserves space for violations.
933777-3 : Context use and syntax changes clarification
Component: Application Visibility and Reporting
Symptoms:
There are 2 issues:
1) tmsh analytics commands related to server-side connections changed in 14.x
2) "max-tps" is non-cumulative and cannot be used in this context
Conditions:
Using tmsh analytics commands in BIG-IP v14.x and higher
Impact:
1) tmsh commands (related to server-side connections) must be written differently in 14.x and later
2) The "max-tps" measure is not applicable in the 'client-ip' context
Workaround:
There are 2 issues:
1) The tmsh display name changed from total-server-side-conns to server-side-conns, etc. (14.x and later)
2) Change the "max-tps" attribute "commutative" from false to true and change the merge formula from SUM to MAX
Fix:
Change the "max-tps" attribute "commutative" from false to true and change the merge formula from SUM to MAX
933741-5 : BIG-IP FPS XSS vulnerability CVE-2021-22979
Solution Article: K63497634
933461-2 : BGP multi-path candidate selection does not work properly in all cases.
Component: TMOS
Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.
Conditions:
An inbound route-map exists that modifies a route's path selection attribute.
Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.
Workaround:
None.
933297 : FTP virtual server passive data channels do not pass traffic
Solution Article: K20984059
932697-1 : BIG-IP TMM vulnerability CVE-2021-23000
Solution Article: K34441555
932485-1 : Incorrect sum(hits_count) value in aggregate tables
Component: Application Visibility and Reporting
Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.
Conditions:
-- Insert a very large amount of data (approximately 4.5 billion or more) into one of the AVR tables.
-- Review the value of the sum(hits_count) column.
Impact:
The system reports incorrect values in AVR tables when dealing with large numbers.
Workaround:
None.
932065-4 : iControl REST vulnerability CVE-2021-22978
Solution Article: K87502622
931837-3 : NTP has predictable timestamps
Component: TMOS
Symptoms:
No known symptoms.
Conditions:
ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 is vulnerable.
There are two main prerequisites for this to be exploited:
1. The BIG-IP system acts as an NTP server.
2. The sources for the BIG-IP system's time are unreliable/unauthenticated upstream NTP servers.
Impact:
A high-performance ntpd instance that gets its time from unauthenticated IPv4 time sources may be vulnerable to an off-path attacker who can query time from the victim's ntpd instance. An attacker who can send a large number of packets with the spoofed IPv4 address of the upstream server can use this flaw to modify the victim's clock by a limited amount or cause ntpd to exit.
Workaround:
Red Hat suggested the following mitigations:
1. Have enough trustworthy sources of time.
2. If you are serving time to a possibly hostile network, have your system get its time from other than unauthenticated IPv4 over the hostile network.
3. Use NTP packet authentication where appropriate.
4. Pay attention to error messages logged by ntpd.
5. Monitor your ntpd instances. If the pstats command of ntpq shows the value for "bogus origin" is increasing then that association is likely under attack.
6. If you must get unauthenticated time over IPv4 on a hostile network, use restrict ... noserve to prevent this attack (note that this is a heavy-handed protection), which blocks time service to the specified network.
931513-4 : TMM vulnerability CVE-2021-22977
Solution Article: K14693346
930741-4 : Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot
Component: TMOS
Symptoms:
If there is a truncated BIG-IP software image in /shared/images, a kernel lockup and reboot could occur.
One way to end up with a truncated image in /shared/images is by using iControl/SOAP to upload the image. Using SOAP, the image is uploaded in chunks, so until the last chunk is uploaded, the image is incomplete (truncated).
Conditions:
-- Truncated BIG-IP image in /shared/images
-- Using SOAP to upload the image.
Impact:
Traffic disruption caused by the reboot.
Workaround:
If you are using SOAP to upload BIG-IP software images, upload them to /shared first and then move them to /shared/images.
929001-5 : ASM form handling improvements
Component: Application Security Manager
Symptoms:
Under certain conditions, the ASM form handler may not enforce as expected.
Conditions:
- Brute force protection is configured
Impact:
Enforcement not triggered as expected.
Workaround:
N/A
Fix:
ASM now processes forms as expected.
928685-4 : ASM Brute Force mitigation not triggered as expected
Component: Application Security Manager
Symptoms:
Under certain conditions the Brute Force mitigation will not be triggered.
Conditions:
- ASM enabled
- Brute Force mitigation enabled
Impact:
Brute Force mitigation is not triggered as expected.
Workaround:
The following iRule looks for a problem with the Authorization header and raises a custom violation when this happens (the custom violation bad_auth_header_custom_violation must be defined in the policy; HTTP::username throws an error when the header cannot be parsed, which the catch detects):
when ASM_REQUEST_DONE {
    if { [catch { HTTP::username }] } {
        log local0. "ERROR: bad username"
        ASM::raise bad_auth_header_custom_violation
    }
}
Fix:
Brute Force mitigation is now triggered as expected.
928037-4 : APM Hardening
Solution Article: K15310332
927941-2 : IPv6 static route BFD does not come up after OAMD restart
Component: TMOS
Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in the output of the command:
imish -e "show bfd session"
Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.
Impact:
BFD session is not shown in 'show bfd session'.
Workaround:
Restart tmrouted:
bigstart restart tmrouted
Fix:
IPv6 static route BFD session now comes up after restarting the oamd process.
927617-4 : 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value
Component: Application Security Manager
Symptoms:
A valid request that should be passed to the backend server is blocked.
Conditions:
-- A cookie name is defined in Security :: Application Security :: Headers :: Cookies List :: New Cookie, with Base64 Decoding enabled.
-- The Cookie header contains a valid cookie value that is base64-encoded.
Impact:
A request is blocked that should not be.
Workaround:
Disable 'Base64 Decoding' for the desired cookie.
Fix:
Requests with valid base64-encoded cookies are now correctly passed by the enforcer.
926929-1 : RFC Compliance Enforcement lacks configuration availability
Component: Local Traffic Manager
Symptoms:
Earlier versions contained fixes that enforce several RFC compliance items for HTTP request and response processing by BIG-IP systems. Enforcement of some of these items is unavoidable, but it might cause issues for certain applications.
Conditions:
The configuration has a virtual server with an HTTP profile.
Impact:
Some applications that require certain constructions after a header name may not function.
Workaround:
None.
Fix:
A configuration item is introduced to manage the RFC compliance option when enforcement is turned on:
the HTTP profile option enforcement.allow-ws-header-name. In prior releases this was controlled by the Tmm.HTTP.RFC.AllowWSHeaderName DB key (necessarily a global flag, rather than a per-profile control).
924929 : Logging improvements for VDI plugin
Component: Access Policy Manager
Symptoms:
If the Virtual Desktop Interface (VDI) plugin aborts, the names of the events are not logged in the APM log file.
Conditions:
- Virtual Desktop Interface (VDI) configured
- The plugin encounters a problem and aborts
Impact:
Event names are not displayed in the APM log.
Workaround:
None.
Fix:
Event names, along with the exceptions, are now written to the APM log file.
924493-5 : VMware EULA has been updated
Component: TMOS
Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.
Conditions:
The EULA is presented to the user when deploying an OVF template.
Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).
Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.
Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.
Fix:
The EULA presented in VMware was out of date and has been updated.
922317-1 : Using the LSN::persistence_entry command in an iRule may cause crashes and/or stalled connections
Component: Local Traffic Manager
Symptoms:
-- Stalled serverside connections visible in connection table.
-- No traffic going out towards pool member.
-- Sometimes tmm crashes may occur.
Conditions:
The LSN::persistence_entry Tcl command is used inside of an iRule triggered by a serverside event, e.g., SERVER_CONNECTED.
Impact:
-- Traffic not reaching pool members.
-- System disruption while tmm restarts in case of crash.
Workaround:
Do not use the LSN::persistence_entry command in iRules triggered by serverside events.
Fix:
Traffic now reaches pool members, no stalled connections occur, and crashes are eliminated.
922297-4 : TMM does not start when using more than 11 interfaces with more than 11 vCPUs
Component: TMOS
Symptoms:
TMM may not start when using more than 11 network interfaces with more than 11 vCPUs configured.
You see the following log entries in /var/log/tmm:
-- notice ixlv(1.1)[0:5.0]: Waiting for tmm10 to reach state 1...
In the TMM log for that TMM, you can see that it is waiting for tmm0, e.g.:
-- notice ixlv(1.10)[0:6.0]: Waiting for tmm0 to reach state 2...
Conditions:
-- BIG-IP Virtual Edition (VE).
-- More than 11 interfaces configured.
-- More than 11 vCPUs configured.
Impact:
TMM does not start.
Workaround:
Configure fewer network interfaces or vCPUs.
Fix:
Fixed a TMM startup deadlock that occurs when there are more than 10 interfaces and TMMs/vCPUs.
921625-5 : The certs extend function does not work for GTM/DNS sync group
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged an SSL cert.
As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives 'unknown ca' SSL error, if its peer GTM/DNS has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.
The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.
You might see messages similar to the following:
-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....
Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device.
-- Configuration is as follows:
1. GTMDNS1 and GTMDNS2 are in a same GTM/DNS sync group.
2. GTMDNS1 has a self-authorized CA cert.
3. You add a BIG-IP server that is reachable but with which GTMDNS1 has not exchanged SSL certs.
Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.
Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.
921549-7 : The gtmd process does not receive updates from local big3d.
Component: Global Traffic Manager (DNS)
Symptoms:
An oversized server.crt file prevents gtmd on the other devices in the same sync group from receiving updates from the local big3d.
Conditions:
One GTM/DNS device in the syncgroup has an oversized server.crt file (approximately 4000 or larger) and sends a client cert direct message to peer GTM/DNS devices.
Impact:
The gtmd process marks resources down unexpectedly and does not receive persist updates.
Workaround:
1. For each GTM/DNS device, use bigip_add to add all BIG-IP servers configured in bigip_gtm.conf file.
2. Restart each GTM/DNS that is affected.
921337-1 : BIG-IP ASM WebSocket vulnerability CVE-2021-22976
Solution Article: K88230177
920265 : TMM may crash if a virtual server undergoes a series of specific configuration changes involving the transparent-nexthop option.
Component: Local Traffic Manager
Symptoms:
TMM crashes and produces a core dump.
Conditions:
This issue occurs when:
- You initially enable the transparent-nexthop setting on a virtual server.
- You then disable the option.
- You then disable auto-lasthop for the virtual server.
- The virtual server receives traffic.
Impact:
Traffic is impacted while TMM restarts.
Workaround:
There is no workaround that prevents this issue. However, if you know that you have already made the configuration changes that trigger it and TMM has not crashed yet, you can delete the virtual server and recreate it with the intended final configuration to prevent the crash.
Fix:
TMM no longer crashes after modifying a virtual server as described under Conditions.
919553-4 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.
Component: Global Traffic Manager (DNS)
Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.
Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).
Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.
Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.
Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.
918933-4 : The BIG-IP ASM system may not properly perform signature checks on cookies
Solution Article: K88162221
Component: Application Security Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Impact:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Fix:
For more information, please see:
https://support.f5.com/csp/article/K88162221
918597-1 : Under certain conditions, deleting a topology record can result in a crash.
Component: Global Traffic Manager (DNS)
Symptoms:
During a topology load balancing decision, TMM can crash.
Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.
Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Topology record changes are now done in a way that prevents the possibility of TMM crashing when making load balancing decisions in which the record is used.
918169-3 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.
Component: Global Traffic Manager (DNS)
Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in a HTTP response, causing the monitored service to be incorrectly marked down.
Conditions:
This issue occurs when all of the following conditions are true:
-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).
-- The server's HTTP response does not terminate with a newline.
Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.
Workaround:
This issue can be worked around by performing any one of the following actions:
-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.
-- Ensure the server's HTTP response ends with a newline.
Fix:
The GTM/DNS HTTPS monitor no longer fails when the SSL peer performs an unclean shutdown.
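Both this entry and 919553-4 above describe the same class of receive-string failure: the monitor tests a response in pieces (per TCP segment, or per newline-terminated line) instead of against the accumulated bytes, so a match that straddles a segment boundary or sits in an unterminated last line before EOF is missed. As an added example (not the BIG-IP monitor code), the following Python models the two failure shapes beside an accumulating matcher that handles both; the server response segments are constructed.

```python
# Constructed server response delivered as three TCP segments: the receive
# string "status=OK" straddles the last two and the body has no trailing newline.
SEGMENTS = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n",
    b"st",
    b"atus=OK",
]
RECV = b"status=OK"


def per_segment_match(segments, recv):
    """Failure shape of 919553-4: test each TCP segment on its own, so a
    receive string split across segments is never found."""
    return any(recv in seg for seg in segments)


def line_match(segments, recv, clean_close):
    """Failure shape of 918169-3: match only newline-terminated lines and
    flush the unterminated tail only on a clean close (TLS close_notify).
    A TCP close without close_notify (clean_close=False) drops the tail."""
    buf = b""
    for seg in segments:
        buf += seg
        while b"\n" in buf:
            line, _, buf = buf.partition(b"\n")
            if recv in line:
                return True
    return clean_close and recv in buf


def accumulated_match(segments, recv, max_buffer=65536):
    """Accumulate across segments and test after every one, so the final
    segment is tested however the connection ends. Memory is bounded: only
    the last len(recv)-1 bytes can still complete a match after truncation."""
    buf = b""
    for seg in segments:
        buf += seg
        if recv in buf:
            return True
        if len(buf) > max_buffer:
            buf = buf[-(len(recv) - 1):] if len(recv) > 1 else b""
    return False


if __name__ == "__main__":
    print("per segment:", per_segment_match(SEGMENTS, RECV))
    print("per line, unclean close:", line_match(SEGMENTS, RECV, clean_close=False))
    print("accumulated:", accumulated_match(SEGMENTS, RECV))
```

The bounded buffer matters for a health monitor: the server is partly untrusted input, and an unbounded accumulate-until-match loop lets one slow or oversized response tie up monitor memory.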
917509-1 : BIG-IP ASM vulnerability CVE-2020-27718
Solution Article: K58102101
917005-3 : ISC BIND Vulnerability: CVE-2020-8619
Solution Article: K19807532
916821-5 : iControl REST vulnerability CVE-2021-22974
Solution Article: K68652018
915825-5 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
Component: TMOS
Symptoms:
A configuration error occurs during upgrade because the Drafts folder associated with a custom partition remains in the configuration file after the partition is deleted:
Configuration error: Can't associate folder (/User/Drafts) folder does not exist.
Conditions:
This occurs in the following scenario:
1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.
Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.
Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.
915689-5 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.
Component: Local Traffic Manager
Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if the header is already stored in the table. Instead of subsequent responses using the existing dynamic header table index, these headers may be continually seen as being incrementally indexed.
Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.
Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.
Workaround:
None.
Fix:
HTTP/2 response headers now properly use the dynamic header table index when possible.
915605-4 : Image install fails if iRulesLX is provisioned and /usr mounted read-write★
Solution Article: K56251674
Component: Local Traffic Manager
Symptoms:
If iRulesLX is provisioned, the /usr mount points are mounted read-write. This causes the installation of an image to fail.
tmsh show software status will report the status for the target volume as one of the following:
-- Could not access configuration source.
-- Unable to get hosting system product info.
Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.
Impact:
Unable to upgrade or more generally install an image on a new or existing volume.
Workaround:
Re-mount /usr as read-only:
mount -o remount,ro /usr
915305-2 : Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded
Component: TMOS
Symptoms:
Dynamic routing changes do not cause point-to-point tunnel flows to refresh their connection entries causing tunneled traffic to be dropped/discarded.
Conditions:
The path to a remote tunnel endpoint is provided by dynamic routing.
Impact:
Tunneled traffic might be dropped/discarded by the BIG-IP system.
Workaround:
Use static routing to provide a path to remote tunnel endpoint.
915281-6 : Do not rearm TCP Keep Alive timer under certain conditions
Component: Local Traffic Manager
Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.
Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.
Impact:
Continuous rearming results in consuming CPU resources unnecessarily.
Workaround:
None.
Fix:
Rearming of TCP Keep Alive timer is improved.
914649-1 : Support USB redirection through VVC (VMware virtual channel) with BlastX
Component: Access Policy Manager
Symptoms:
USB is unavailable after opening VMware View Desktop.
Conditions:
1. Secure Tunnel disabled on VCS
2. Launch view virtual desktop via native view client from an APM webtop or from the View client
Impact:
USB is unavailable after opening VMware View Desktop
Workaround:
None.
Fix:
USB is now available after opening VMware View Desktop
913829-2 : i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence
Component: TMOS
Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic
Conditions:
Source ports used to connect to i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades form an arithmetic sequence.
For example, some client devices always use even source port numbers for the ephemeral connections they initiate. A sorted list of those ports reads 2, 4, 6, 8 ... 32002, 32004: the client is 'striding' over the odd ports, so the port stride is 2.
Impact:
Traffic imbalance may result in tmm threads on different CPU cores having imbalanced workloads. While this can sometimes impact on performance, an overloaded tmm thread can usually redistribute load to less loaded threads in a way that does not impact performance. However the loads on the CPU cores will appear imbalanced still.
Workaround:
Where possible, configure devices to draw from the largest possible pool of source ports when connecting via a BIG-IP system.
Behavior Change:
This release introduces a new variable to mitigate this issue:
dagv2.pu.table.size.multiplier.
You must set the variable to 2 or 3 on the host, then restart tmm on all host blades and then on all guests to mitigate the issue.
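The DAG hash itself is not described on this page, so the following added Python example (not F5 code) does two more modest things: it detects a source-port stride in a sample of observed ports (the gcd of the gaps between distinct ports, which is how you would confirm this condition from a capture), and it shows with a deliberately simple toy dispatch function why a stride that shares a factor with the TMM count leaves some TMMs idle. The client address, port ranges and toy hash are constructed for the example and do not model the real disaggregator or the effect of the multiplier.

```python
import math
import random
from collections import Counter


def port_stride(ports):
    """Detect an arithmetic-sequence pattern in observed source ports: the gcd
    of the gaps between consecutive distinct ports. 1 means no pattern, 2 means
    the client uses only every other port, and so on. 0 if fewer than 2 ports."""
    seen = sorted(set(ports))
    if len(seen) < 2:
        return 0
    return math.gcd(*(b - a for a, b in zip(seen, seen[1:])))


def toy_dispatch(src_ip, src_port, n_tmm):
    """Toy stand-in for the disaggregator: fold client address and port into a
    TMM index. It passes the low-order port bits straight through, which is
    enough to show why a port stride sharing a factor with n_tmm starves TMMs."""
    return ((src_ip & 0xFFFF) + src_port) % n_tmm


def tmm_load(flows, n_tmm):
    """Connections per TMM for a list of (src_ip, src_port) flows."""
    load = Counter({i: 0 for i in range(n_tmm)})
    load.update(toy_dispatch(ip, port, n_tmm) for ip, port in flows)
    return load


def imbalance(load):
    """Peak load divided by mean load: 1.0 is perfectly balanced, 2.0 means the
    busiest TMM carries twice its share (for example, half the TMMs are idle)."""
    mean = sum(load.values()) / len(load)
    return max(load.values()) / mean


# Constructed client populations behind a single NAT address.
CLIENT_IP = 0x0A000005
STRIDE2_FLOWS = [(CLIENT_IP, p) for p in range(1024, 65536, 2)]
_rng = random.Random(1)
RANDOM_FLOWS = [(CLIENT_IP, _rng.randrange(1024, 65536)) for _ in range(len(STRIDE2_FLOWS))]

if __name__ == "__main__":
    for name, flows in (("stride 2", STRIDE2_FLOWS), ("random", RANDOM_FLOWS)):
        load = tmm_load(flows, 8)
        stride = port_stride(p for _, p in flows)
        print(f"{name}: stride={stride} imbalance={imbalance(load):.2f} {dict(load)}")
```

Run against the source ports seen from one client population (for example, extracted from a capture), port_stride returning anything other than 1 is the condition this entry describes; the imbalance figure is what 'tmsh show sys tmm-traffic' lets you observe on the real system.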
913441 : Tmm cores while doing Hitless Upgrade while there are active flows
Component: Traffic Classification Engine
Symptoms:
Tmm cores.
Conditions:
New flows are added to an existing classification library while a Hitless Upgrade is in progress.
Impact:
Tmm core while doing app detection for new flows. Traffic disrupted while tmm restarts.
Workaround:
Restrict addition of new flows if a Hitless Upgrade is in progress.
Fix:
New flows are no longer added to any classification engine library while the Hitless Upgrade process is in progress.
913433-4 : On blade failure, some trunked egress traffic is dropped.
Component: TMOS
Symptoms:
When a blade fails, other blades may try to forward traffic using trunked interfaces on the down blade.
Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- A blade is pulled or powered off.
Impact:
Some traffic is dropped until the failed blade is detected by clusterd (10 seconds by default).
Workaround:
None.
913085-5 : Avrd core when avrd process is stopped or restarted
Component: Application Visibility and Reporting
Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.
Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.
Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.
Workaround:
None.
Fix:
Avrd no longer cores when avrd process is stopped or restarted.
912969-5 : iAppsLX REST vulnerability CVE-2020-27727
Solution Article: K50343630
912221-3 : CVE-2020-12662 & CVE-2020-12663
Solution Article: K37661551
912001-1 : TMM cores on secondary blades of the Chassis system.
Component: Global Traffic Manager (DNS)
Symptoms:
When using DNS Cache on chassis systems with a forward zone pointing at a self IP for communication with local BIND, the following assert triggers:
tmm_panic (... "../net/loop.c:572: %sIDX set on listener%s") at ../lib/stdio.c:1307
Conditions:
-- Chassis system is used.
-- Secondary TMMs core dump.
-- Primary works as expected.
Impact:
TMMs on secondary blades core dump. Traffic disrupted while tmm restarts.
Workaround:
1) Create another virtual server with a DNS profile configured to use the local BIND server.
2) Set the forward zones to point to that virtual server instead of the self IP as name servers.
911761-5 : F5 TMUI XSS vulnerability CVE-2020-5948
Solution Article: K42696541
910201-5 : OSPF - SPF/IA calculation scheduling might get stuck infinitely
Component: TMOS
Symptoms:
After SPF/IA calculation gets suspended, it might enter a state where it never fires again.
Conditions:
SPF/IA calculation gets suspended.
This occurs for various reasons, and BIG-IP end users have no influence over whether it occurs.
Impact:
OSPF routes are visible in the OSPF database, but not installed in the routing table.
Workaround:
Restart the routing daemons:
# bigstart restart tmrouted
Running this command allows you to recover from this situation, but does not prevent the event from reoccurring.
If due to a topology, SPF/IA calculation suspension occurs again after a restart, this workaround essentially has no effect.
909837-3 : TMM may consume excessive resources when AFM is provisioned
Solution Article: K05204103
909757 : HTTP CONNECT method with a delayed payload can cause a connection to be closed
Component: Local Traffic Manager
Symptoms:
If the HTTP CONNECT method is utilized and payload arrives in a later TCP segment, the HTTP connection will be closed.
Conditions:
-- HTTP profile.
-- HTTP CONNECT request with delayed payload.
Impact:
The HTTP connection is incorrectly closed.
Workaround:
None.
Fix:
Traffic containing the HTTP CONNECT method and a delayed payload no longer has its connection closed.
909237-3 : CVE-2020-8617: BIND Vulnerability
Solution Article: K05544642
909233-3 : DNS Hardening
Solution Article: K97810133
908673-2 : TMM may crash while processing DNS traffic
Solution Article: K43850230
908065-5 : Logrotation for /var/log/avr blocked by files with .1 suffix
Component: Application Visibility and Reporting
Symptoms:
AVR logrotate reports errors in /var/log/avr:
error: error creating output file /var/log/avr/avrd.log.1: File exists
/var/log/avr/avrd.log will remain unchanged
/var/log/avr/avrd.log.1 will remain unchanged
Conditions:
Files ending with .1 exist in the log directory.
Impact:
Logrotate does not work. This might fill the disk with logs over time.
Workaround:
Remove or rename all of the .1 log files.
Fix:
Fixed an issue with logrotate failing when files ending with .1 exist in the log directory.
908021-3 : Management and VLAN MAC addresses are identical
Component: TMOS
Symptoms:
The 'tmsh show sys mac-address' command indicates the management interface is using the same MAC address as a VLAN.
Conditions:
This can occur on chassis based systems and on VCMP guests. The MAC address pool does not reserve specific MAC addresses for the management interfaces and so pool entries may be reused for VLANs.
Impact:
The management MAC address is the same as the VLAN MAC address, resulting in issues relating to the inability to differentiate traffic to the management port or to traffic ports.
Workaround:
None.
Fix:
The issue has been fixed for hardware platforms. That is, MAC addresses in the MAC address pool have been reserved for the management port. Due to the small MAC pool size for a few platforms (see K14513: MAC address assignment for interfaces, trunks, and VLANs :: https://support.f5.com/csp/article/K14513#vlans), entries cannot be reserved for VCMP guest management interfaces.
907337-5 : BD crash on specific scenario
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
A specific scenario that results in memory corruption.
Impact:
Failover, traffic disturbance. Traffic disrupted while BD restarts.
Workaround:
None.
Fix:
This BD crash no longer occurs.
907245-4 : AFM UI Hardening
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, the AFM WebUI does not follow current best practices.
Conditions:
- AFM provisioned
- Authenticated AFM WebUI user
Impact:
AFM WebUI does not follow current best practices.
Workaround:
N/A
Fix:
AFM WebUI now follows current best practices
906377-5 : iRulesLX hardening
Component: TMOS
Symptoms:
Under certain conditions, iRulesLX does not follow current best practices.
Conditions:
- Authenticated administrative user
Impact:
iRulesLX does not follow current best practices.
Workaround:
N/A
Fix:
iRulesLX now follows current best practices.
905905-4 : TMUI CSRF vulnerability CVE-2020-5904
Solution Article: K31301245
905125-4 : Security hardening for APM Webtop
Solution Article: K30343902
904937-5 : Excessive resource consumption in zxfrd
Solution Article: K25595031
904053-5 : Unable to set ASM Main Cookie/Domain Cookie hashing to Never
Component: Application Security Manager
Symptoms:
Disabling ASM Main Cookie/Domain Cookie hashing in a Policy's Learning and Blocking Setting with 'Never (wildcard only)' does not stop the ASM Main Cookie from continuing to hash server-provided cookies.
Conditions:
-- ASM enabled.
-- Learning mode enabled for Policy.
-- Learn New Cookies set to 'Never (wildcard only)' instead of default 'Selective'.
Impact:
A sufficient number of ASM Main Cookies and/or a sufficiently large number of cookies for each ASM Main cookie to hash can result in the HTTP header becoming prohibitively large, causing traffic to be refused by the server.
Workaround:
Disabling Learning mode for the Policy disables cookie hashing.
Note: This affects all learning, not just Cookie hashing.
Fix:
Cookie hashing can now be disabled at the policy level in the Cookie subsection of an ASM Policy's Learning and Blocking Settings by setting Learn New Cookies to "Never (wildcard only)".
903453 : TMM crash following redirect when Proactive Bot Defense is used
Component: Application Security Manager
Symptoms:
TMM may rarely crash when Proactive Bot Defense is enabled.
Conditions:
TMM may rarely crash under specific configurations when Proactive Bot Defense is used.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None.
902485-1 : Incorrect pool member concurrent connection value
Component: Application Visibility and Reporting
Symptoms:
In AVR pool-traffic report, 'server-concurrent-conns' reports a larger value than 'server-max-concurrent-conns'.
Conditions:
This is encountered when viewing the pool-traffic report.
Impact:
Incorrect stats reported in the pool-traffic report table
Workaround:
In /etc/avr/monpd/monp_tmstat_pool_traffic_measures.cfg, change the formula of server_concurrent_connections:
From this:
formula=round(sum(server_concurrent_conns),2)
Change it to this:
formula=round(sum(server_concurrent_conns)/count(distinct time_stamp),2)
Fix:
Changed the calculation formula of 'server-concurrent-conns' so it reports the correct statistics.
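The formula change above is the standard gauge-versus-counter mistake: concurrent connections are a gauge, so adding every sample in the reporting window inflates the figure with the number of collection intervals, which is why the reported value could exceed the recorded maximum. As an added example (not AVR's code), the following Python reproduces both formulas over constructed pool-traffic rows, one row per pool member per time_stamp.

```python
from collections import defaultdict

# Constructed pool-traffic samples: (time_stamp, pool_member, server_concurrent_conns),
# one row per member per collection interval.
SAMPLES = [
    (1000, "10.0.0.1:80", 40), (1000, "10.0.0.2:80", 35),
    (1010, "10.0.0.1:80", 42), (1010, "10.0.0.2:80", 38),
    (1020, "10.0.0.1:80", 30), (1020, "10.0.0.2:80", 41),
]


def per_timestamp_totals(rows):
    """Summing a gauge across pool members within one interval is correct;
    summing it across intervals is not."""
    totals = defaultdict(int)
    for ts, _, conns in rows:
        totals[ts] += conns
    return totals


def concurrent_conns_old(rows):
    """round(sum(server_concurrent_conns),2): adds the gauge over every interval
    in the window, so the result grows with the number of samples."""
    return round(sum(conns for _, _, conns in rows), 2)


def concurrent_conns_fixed(rows):
    """round(sum(server_concurrent_conns)/count(distinct time_stamp),2): the mean
    of the per-interval totals, which can never exceed the peak."""
    stamps = {ts for ts, _, _ in rows}
    return round(sum(conns for _, _, conns in rows) / len(stamps), 2)


def max_concurrent_conns(rows):
    """server-max-concurrent-conns: the peak per-interval total."""
    return max(per_timestamp_totals(rows).values())


if __name__ == "__main__":
    print("old:", concurrent_conns_old(SAMPLES), "fixed:", concurrent_conns_fixed(SAMPLES),
          "max:", max_concurrent_conns(SAMPLES))
```

Dividing by count(distinct time_stamp) rather than by the row count is what keeps the average correct when the number of pool members varies between intervals.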
902417-5 : Configuration error caused by Drafts folder in a deleted custom partition★
Component: TMOS
Symptoms:
An error occurs during config load because the Drafts folder associated with a custom partition still exists after the partition is deleted:
01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.
Conditions:
Create draft policy under custom partition
Impact:
Impacts the software upgrade.
Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.
900797-5 : Brute Force Protection (BFP) hash table entry cleanup
Component: Application Security Manager
Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is full and a new entry must be added, the least recently used (LRU) entry is removed.
As a result, mitigated entries can keep being removed from the hash table by new entries.
Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum combined size of all hash tables, which is divided among the virtual servers that have traffic and BFP enabled.
In the latter case, with too many virtual servers the hash table may reach its maximum capacity.
Impact:
Mitigated entries that keep getting removed from the hash table by new entries, may result in attacks not getting mitigated.
Workaround:
N/A
Fix:
Mitigated entries are kept in the hash table.
900793-3 : APM Brute Force Protection resources do not scale automatically
Solution Article: K32055534
Component: Application Security Manager
Symptoms:
Under certain conditions, resources for Brute Force Protection must be manually scaled by administrators to provide full protection.
Conditions:
-- Many virtual servers (hundreds) that have web application protection with brute force protection enabled.
-- Numerous failed login requests coming to all virtual servers all the time.
Impact:
Administrators must manually change the hash size upon need instead of relying on the automatic configuration.
Workaround:
Set the internal parameter external_entity_hash_size to 0 to allow automatic recalculation of the correct value.
Fix:
Brute Force Protection resources are now scaled automatically based on available system resources.
900789-5 : Alert before Brute Force Protection (BFP) hash are fully utilized
Component: Application Security Manager
Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP addresses and usernames. There is a separate hash table for each virtual server. When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed without logging a warning.
Conditions:
This can be encountered when Brute Force Protection is enabled and the hash table reaches its maximum capacity.
Impact:
No alert is sent when entries are evicted.
Workaround:
None.
Fix:
Alert/Warning is now announced in ASM logs, describing the status of the hash table.
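The three BFP entries above (900797-5, 900793-3 and 900789-5) describe one data structure: a bounded per-virtual-server table of failed-login counters with LRU eviction, where eviction could silently discard an entry that had already crossed the mitigation threshold. As an added example (not F5's implementation), the following Python model shows the pre-fix behaviour beside the fixed one (mitigated entries are not evicted ahead of unmitigated ones) and the capacity warning; it omits prevention-duration expiry, and the capacity, threshold and client addresses are constructed.

```python
import logging
from collections import OrderedDict

log = logging.getLogger("bfp-model")


class FailedLoginTable:
    """Bounded table of failed-login counters for one virtual server, keyed by
    client IP or username, with LRU eviction. Illustrative model only."""

    def __init__(self, capacity, threshold, warn_fraction=0.9):
        self.capacity = capacity          # entries; cf. external_entity_hash_size
        self.threshold = threshold        # failures before the key is mitigated
        self.warn_fraction = warn_fraction
        self._entries = OrderedDict()     # key -> [failures, mitigated]; oldest first
        self.evicted_mitigated = 0        # mitigated keys lost to eviction
        self.warnings = 0                 # capacity warnings emitted

    def record_failure(self, key, pin_mitigated=True):
        """Count one failed login for key; return True if key is now mitigated.
        pin_mitigated=False reproduces the pre-fix behaviour in which the LRU
        entry is evicted even if it is mitigated; True keeps mitigated entries."""
        if key in self._entries:
            self._entries.move_to_end(key)
        else:
            if len(self._entries) >= self.capacity:
                self._evict(pin_mitigated)
            self._entries[key] = [0, False]
            if len(self._entries) >= self.warn_fraction * self.capacity:
                self.warnings += 1
                log.warning("BFP table %d/%d entries in use", len(self._entries), self.capacity)
        entry = self._entries[key]
        entry[0] += 1
        if entry[0] >= self.threshold:
            entry[1] = True
        return entry[1]

    def is_mitigated(self, key):
        entry = self._entries.get(key)
        return bool(entry and entry[1])

    def _evict(self, pin_mitigated):
        victim = None
        for key, (_, mitigated) in self._entries.items():   # oldest first
            if not (pin_mitigated and mitigated):
                victim = key
                break
        if victim is None:
            # Every entry is mitigated: the table is undersized for the attack.
            # Fall back to plain LRU and account for the lost mitigation.
            victim = next(iter(self._entries))
            log.warning("BFP table full of mitigated entries; evicting %s", victim)
        _, mitigated = self._entries.pop(victim)
        if mitigated:
            self.evicted_mitigated += 1


def simulate(pin_mitigated, capacity=4, threshold=3):
    """One attacker trips mitigation, then many fresh addresses fail once each
    (the churn that pushes the attacker out of an LRU table). Returns
    (attacker still mitigated, mitigated entries evicted, warnings emitted)."""
    table = FailedLoginTable(capacity, threshold)
    attacker = "10.0.0.1"
    for _ in range(threshold):
        table.record_failure(attacker, pin_mitigated)
    for i in range(10):
        table.record_failure("192.0.2.%d" % i, pin_mitigated)
    return table.is_mitigated(attacker), table.evicted_mitigated, table.warnings


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("pre-fix:", simulate(pin_mitigated=False))
    print("fixed:  ", simulate(pin_mitigated=True))
```

The evicted_mitigated counter and the capacity warning are the two signals worth exporting from a structure like this: the first tells you protection was actually lost, the second tells you before it happens that the table (external_entity_hash_size in the entries above) is too small for the traffic.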
900757-5 : TMUI RCE vulnerability CVE-2020-5902
Solution Article: K52145254
898949-4 : APM may consume excessive resources while processing VPN traffic
Solution Article: K04518313
898705-2 : IPv6 static BFD configuration is truncated or missing
Component: TMOS
Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.
-- IPv6 static BFD configuration entries go missing during a daemon restart.
Conditions:
IPv6 static BFD configuration.
Impact:
The IPv6 static BFD configuration does not persist during reloads.
-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.
Workaround:
None.
896709-1 : Add support for Restart Desktop for webtop in VMware VDI
Component: Access Policy Manager
Symptoms:
VMware has a restart desktop option to reboot the Horizon Agents, but APM does not support this feature on the webtop.
Conditions:
You wish to use the VMware Restart desktop feature for the Horizon Agents that are managed by the vCenter Server.
Impact:
Cannot restart the desktop (Horizon Agent) from the webtop by clicking the restart icon.
Workaround:
None.
Fix:
APM now supports restart desktop option on webtop for VMware VDI.
896217-5 : BIG-IP GUI unresponsive
Component: TMOS
Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.
Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.
Impact:
GUI becomes unresponsive.
Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat
895993-5 : TMUI RCE vulnerability CVE-2020-5902
Solution Article: K52145254
895981-5 : TMUI RCE vulnerability CVE-2020-5902
Solution Article: K52145254
895881-4 : BIG-IP TMUI XSS vulnerability CVE-2020-5903
Solution Article: K43638305
895525-5 : TMUI RCE vulnerability CVE-2020-5902
Solution Article: K52145254
892677-3 : Loading config file with imish adds the newline character
Component: TMOS
Symptoms:
While loading configuration from a file with IMISH ('imish -f <f_name>'), the newline character is copied at the end of each line, which causes problems with commands containing regular expressions.
In particular, this affects the bigip_imish_config Ansible module.
Conditions:
Loading a config with 'imish -f <f_name>' commands.
Note: This command is used with the bigip_imish_config Ansible module.
Impact:
Regex expressions are not created properly.
Workaround:
You can use either of the following workarounds:
-- Delete and re-add the offending commands using the imish interactive shell.
-- Restart tmrouted:
bigstart restart tmrouted
892385-3 : HTTP does not process WebSocket payload when received with server HTTP response
Component: Local Traffic Manager
Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.
Conditions:
-- Virtual server contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload is received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.
Impact:
-- WebSocket connection hangs.
Workaround:
None.
Fix:
HTTP processes WebSocket payload without delay when payload is received with server HTTP response.
891457-5 : NIC driver may fail while transmitting data
Solution Article: K75111593
890277-1 : Full config sync to a device group operation takes a long time when there are a large number of partitions.
Component: TMOS
Symptoms:
When a full config sync is done to a device group with large number of partitions:
-- The config sync operation takes a long time to complete.
-- There is a spike in CPU usage on the device where config push is initiated.
-- The mcpd daemon is unresponsive to other daemons, such as tmsh and the GUI, because it is busy pushing the config sync.
-- iQuery connections are terminated due to high CPU utilization.
Conditions:
Full config sync on device with large number of partitions.
Impact:
The operation takes a long time to complete: minutes on BIG-IP Virtual Edition (VE) configurations, varying by platform and the size of the configuration. For example, config sync on a medium BIG-IP VE setup running v15.1.0.1 with 512 partitions takes ~3 minutes.
Impedes management of device as well as terminates iQuery connections to GTM/DNS devices.
Workaround:
Enable Manual Incremental Sync.
890229-4 : Source port preserve setting is not honored
Component: Local Traffic Manager
Symptoms:
The source port is always changed in source-port preserve mode even if the original source port with the other parameters would hash to the same TMM.
Conditions:
This issue occurs when both of the following conditions are met:
-- The virtual server is configured with source-port preserve (the default).
-- The system uses one of the following hash configurations that include IP addresses:
- Using RSS DAG as a default hash on BIG-IP Virtual Edition (VE) (Z100) or on 2000- and 4000-series devices.
- Configuring a VLAN's 'CMP Hash' setting to a non-default value.
- Using a special variable such as non-default udp.hash or tcp.hash.
Impact:
Applications relying on a specific, fixed source port might not work as expected.
Workaround:
Set source-port to preserve-strict.
Fix:
The source-port preserve setting now makes a best effort to preserve the source port.
Behavior Change:
Beginning with v16.0.0, the TM.PortFind.Src_Preserve BigDB variable introduced in v15.1.0 is no longer supported.
The source-port preserve setting now makes a best effort to preserve the source port.
889601-5 : OCSP revocation not properly checked
Component: Local Traffic Manager
Symptoms:
The revocation status of untrusted intermediate CA certificates is not checked when an OCSP object is configured.
Conditions:
OCSP object revocation checking is configured in client and server SSL profiles.
Impact:
The SSL handshake continues even if a certificate is revoked.
Fix:
OCSP revocation checking now works properly.
889557-3 : jQuery Vulnerability CVE-2019-11358
Solution Article: K20455158
889497-1 : Deleting a log profile results in urldb and urldbmgrd CPU utilization increase to over 90% usage
Component: Access Policy Manager
Symptoms:
The urldb and urldbmgrd process CPU utilization increases to over 90%.
Conditions:
-- SWG provisioned.
-- Creating an APM Event log profile and then deleting it.
Impact:
High CPU utilization by urldb and urldbmgrd.
Workaround:
Do not delete an APM Event log profile.
If an APM Event log profile has already been deleted, restart urldb and urldbmgrd to return CPU usage to normal.
888517-4 : Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.★
Component: Local Traffic Manager
Symptoms:
Tmm is running at 100% CPU even under light network load. The 'tmctl tmm/ndal_tx_stats' command shows a high number of packet drops and a large number of queue-full events.
Conditions:
-- BIG-IP Virtual Edition.
-- There are underlying network performance issues causing the transmit queue to be full (e.g., a non-SR-IOV virtual machine environment).
-- Upgrading from BIG-IP v12.x to BIG-IP v14.x.
Impact:
NDAL's busy polling runs the tmm CPU usage to 100%.
Workaround:
Correct the underlying networking/virtualization issue.
Fix:
NDAL needs to provide visible information, for example, a log entry, when busy polling over a period of time.
888497-5 : Cacheable HTTP Response
Component: TMOS
Symptoms:
JSESSIONID, BIGIPAUTHCOOKIE, BIGIPAUTH can be seen in the browser's debugging page.
Conditions:
-- Accessing the BIG-IP system using the GUI.
-- Viewing the browser's stored cache information.
Impact:
HTTPS session information (session cookies) is visible in the browser's local cache.
Note: The BIG-IP system does not display and/or return sensitive data in the TMUI. Content that is marked appropriately as sensitive is never returned, so it is never cached. Data that is cached for TMUI in the client browser session is not considered secret.
Workaround:
Disable caching in browsers.
888493-5 : ASM GUI Hardening
Solution Article: K40843345
888341-3 : HA Group failover may fail to complete Active/Standby state transition
Component: TMOS
Symptoms:
After a long uptime interval (i.e., the sod process has been running uninterrupted for a long time), HA Group failover may not complete despite an HA Group score change occurring. As a result, a BIG-IP unit with a lower HA Group score may remain as the Active device.
Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime, e.g.:
-- 1 floating traffic group: ~2485 days.
-- 2 floating traffic groups: ~1242 days.
-- 4 floating traffic groups: ~621 days.
-- 8 floating traffic groups: ~310 days.
-- 9 floating traffic groups: ~276 days.
Note: You can confirm sod process uptime in tmsh:
# tmsh show /sys service sod
Conditions:
HA Group failover configured.
Note: No other failover configuration is affected except for HA Group failover, specifically, these are not affected:
o VLAN failsafe failover.
o Gateway failsafe failover.
o Failover triggered by loss of network failover heartbeat packets.
o Failover caused by system failsafe (i.e., the tmm process was terminated on the Active unit).
Impact:
HA Group Active/Standby state transition may not complete despite HA Group score change.
Workaround:
There is no workaround.
The only option is to reboot all BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.
888289-4 : Add option to skip percent characters during normalization
Component: Application Security Manager
Symptoms:
An attack signature is not detected.
Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.
Impact:
An attack goes undetected.
Workaround:
Turn on the bad unescape violation or the metacharacter violation.
Fix:
Added an internal parameter, normalization_remove_percents. Its default is 0 (zero), meaning that the previous behavior is maintained. When enabled, the normalization of the data before running the signature removes the percent characters (as it does to high ASCII and space characters).
887089-5 : Upgrade can fail when filenames contain spaces
Component: TMOS
Symptoms:
Filenames with spaces in the /config directory can cause an upgrade/UCS load to fail because the im upgrade script that backs up the config splits the lines of a file spec on whitespace. The number of spaces in the filename is therefore significant: it determines how the script separates the line into its fields, which include the path to the file, an md5sum, and some file properties (notably size). If the path contains whitespace, the upgrade/UCS load process reads a field and encounters a value other than what it expects, so the upgrade/UCS load fails.
The file's content is also significant because that determines the md5sum value.
Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:
Not enough free disk space to install!
Conditions:
Filenames with spaces in /config directory.
Impact:
Upgrade or loading of UCS fails.
Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.
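As an added illustration (not F5's im script) of the field-shifting failure described above, this Python model parses a constructed file-spec line both the naive way (split on every run of whitespace) and a safe way (split from the right, since only the path can contain spaces). The record layout, paths, md5sums and sizes are assumptions for the example, not the real script's format.

```python
"""Added example, not F5's im script: why splitting a file-spec line on
whitespace breaks when the path contains spaces, and a parser that does not.
The record layout below is an assumption for illustration, not the real one:
    <path> <md5sum> <owner> <group> <mode> <size>   (size is the sixth field)
The sample records are constructed."""
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample: the second path contains two spaces.
SPEC = [
    "/config/bigip.conf d41d8cd98f00b204e9800998ecf8427e root root 0644 20480",
    "/config/ssl/my cert backup.crt 9e107d9d372bb6826bd81d3542a419d6 root root 0600 1234",
]


def parse_naive(line):
    """Field extraction as the affected script does it: every run of
    whitespace is a separator, so each space in the path shifts the
    md5sum and size fields right by one."""
    f = line.split()
    return {"path": f[0], "md5": f[1], "size": f[5]}


def parse_safe(line):
    """Only the path can contain spaces and it comes first, so split from the
    right exactly five times; the path is whatever is left. Validate the
    fields the installer relies on instead of trusting their positions."""
    parts = line.rstrip("\n").rsplit(None, 5)
    if len(parts) != 6:
        raise ValueError(f"malformed record: {line!r}")
    path, md5, owner, group, mode, size = parts
    if not MD5_RE.match(md5):
        raise ValueError(f"bad md5sum {md5!r} for {path!r}")
    if not size.isdigit():
        raise ValueError(f"bad size {size!r} for {path!r}")
    return {"path": path, "md5": md5, "owner": owner, "group": group,
            "mode": mode, "size": int(size)}


def space_needed(lines, parser):
    """Total bytes the installer would reserve. Returns (True, total), or
    (False, reason) when a record cannot be parsed, which is the point at
    which the upgrade/UCS load in the bug report fails."""
    total = 0
    for line in lines:
        try:
            total += int(parser(line)["size"])
        except (ValueError, IndexError) as exc:
            return False, f"{exc} in {line!r}"
    return True, total


if __name__ == "__main__":
    for name, parser in (("naive", parse_naive), ("safe", parse_safe)):
        print(f"{name:5s}: {space_needed(SPEC, parser)}")
```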
886693-1 : System may become unresponsive after upgrading★
Component: TMOS
Symptoms:
After upgrading, the system encounters numerous issues:
-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; only a small amount of memory is assigned to the 'host' category.
Conditions:
-- The configuration works in the previous release, but does not work properly in the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.
Exact conditions that trigger this issue are unknown. In the environment in which it occurs, a datagroup is deleted, but an iRule still references it, see: https://cdn.f5.com/product/bugtracker/ID688629.html
Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.
Workaround:
Reboot to an unaffected, pre-upgrade volume.
-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.
-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.
Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.
For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452
Fix:
The system should now remain responsive if the configuration fails to load during an upgrade on the following platforms:
-- BIG-IP 2000s / 2200s
-- BIG-IP 4000s / 4200v
-- BIG-IP i850 / i2600 / i2800
-- BIG-IP Virtual Edition (VE)
886085-1 : BIG-IP TMM vulnerability CVE-2020-5925
Solution Article: K45421311
885241 : TMM leaks memory when the 'ACCESS::session remove' iRule command is called in an event other than an ACCESS event.
Component: Access Policy Manager
Symptoms:
TMM leaks memory and eventually crashes when it cannot allocate any more memory.
Conditions:
The 'ACCESS::session remove' iRule command is called in an event other than an ACCESS event (for example, the CLIENTSSL_HANDSHAKE event).
The only affected versions are 13.1.3.2 and 13.1.3.3.
Impact:
The leak initially causes traffic disruption, as TMM reaps flows prematurely in an effort to free up memory. Eventually, TMM crashes, as it is unable to allocate any more memory. When this happens, redundant systems fail over. Traffic disrupted while tmm restarts.
Workaround:
Do not use the 'ACCESS::session remove' iRule command under any event that isn't an ACCESS event.
To restore TMM to a fully functional state after making all necessary configuration changes, or to temporarily work around this issue, you can restart TMM with the following command:
bigstart restart tmm
883717-4 : BD crash on specific server cookie scenario
Solution Article: K37466356
882769-5 : Request Log: wrong filter applied when searching by Response contains or Response does not contain
Component: Application Security Manager
Symptoms:
When searching by "Response contains" or "Response does not contain", an incorrect filter is applied and displayed.
Conditions:
This occurs in the GUI when selecting the "Response contains" or "Response does not contain" filter.
Impact:
You are unable to search by response in the GUI.
Workaround:
There is no way to search by response in the GUI, but you can search using the REST API.
Fix:
The correct filter is applied and displayed for the "Response contains" and "Response does not contain" filters.
882633-5 : Active Directory authentication does not follow current best practices
Solution Article: K51213246
882557-5 : TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)
Component: TMOS
Symptoms:
If the underlying virtio platform specifies RX and/or TX queue sizes that are 4096 or larger, the BIG-IP system cannot allocate enough contiguous memory space to accommodate this. Errors similar to these are seen in the tmm log files:
ndal Error: Failed to allocate 2232336 (2228224 + 4096 + 16) bytes
virtio[0:7.0]: Error: Failed to allocate descriptor chain
virtio[0:7.0]: Error: Failed allocate indirect rx buffers
Conditions:
-- Using a BIG-IP Virtual Edition (VE) with virtio drivers.
-- The underlying platform specifies RX and/or TX queue sizes of 4096 or larger.
Impact:
TMM continually restarts.
Workaround:
Use the sock driver instead of virtio.
In your BIG-IP VE VM, run the lspci command to determine which virtio driver is present:
# lspci -nn | grep -i eth | grep -i virtio
00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:04.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:0b.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
Configure a socket driver:
echo "device driver vendor_dev 1af4:1000 sock" > /config/tmm_init.tcl
Reboot the instance.
882273-1 : MRF Diameter: memory leak during server-down reconnect attempts leads to tmm crash and growing memory usage
Component: Service Provider
Symptoms:
A memory leak can cause tmm to crash and memory usage to grow.
Conditions:
-- The Diameter transmission setting is enabled and its action is 'retrans'.
-- auto-init is enabled.
-- The server is down.
Impact:
Memory corruption leads to a tmm crash in the long run, and the memory leak causes memory usage to grow linearly. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
When the server is down, the BIG-IP keeps creating new connections to it; the memory leak in that path has been fixed.
882189-4 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5897
Solution Article: K20346072
882185-4 : BIG-IP Edge Client Windows ActiveX
Solution Article: K20346072
881445-4 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5898
Solution Article: K69154630
881317-3 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896
Solution Article: K15478554
881293-4 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896
Solution Article: K15478554
880361-4 : iRules LX vulnerability CVE-2021-22973
Solution Article: K13323323
879745-5 : TMM may crash while processing Diameter traffic
Solution Article: K82530456
879413-4 : Statsd fails to start if one or more of its *.info files becomes corrupted
Component: Local Traffic Manager
Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd fails to load it and ends up restarting continuously. You see the following messages in /var/log/ltm:
-- err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'.
-- err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.
Conditions:
Corrupted *.info file in /var/rrd.
Impact:
Stats are no longer accurate.
Workaround:
It might take multiple attempts to repair the *.info files. You might have to run the following command several times for different .info files, where <filename> is the actual name of the file (e.g., 'throughput.info'); the loop deletes the file while it is not ASCII text (statsd recreates it on restart) and stops once a readable copy is present:
found=0; while [ $found != 1 ]; do filetype=$(file <filename> | cut -d " " -f2); if [[ $filetype != "ASCII" ]]; then rm -f <filename>; else grep CRC <filename>; found=1; fi; done
Fix:
The system now detects corrupt *.info files and deletes and recreates them.
879025-6 : When processing TLS traffic, LTM may not enforce certificate chain restrictions
Solution Article: K72752002
877109-5 : Unspecified input can break intended functionality in iHealth proxy
Component: TMOS
Symptoms:
Unspecified input can break intended functionality in the iHealth proxy.
Impact:
iHealth proxy functionality does not work as intended.
Workaround:
None.
Fix:
The iHealth proxy now functions as expected.
876801-1 : Tmm crash: invalid route type
Component: Local Traffic Manager
Symptoms:
Tmm crashes. /var/log/tmm contains the log entries:
tmm1: notice panic: invalid route type
tmm1: notice ** SIGFPE **
Conditions:
The issue is intermittent.
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries in the parent route domain good enough to be selected as the egress point for a routing object (for instance, a pool member) that belongs to the child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. A new routing entry for child route domain is added.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
There is no way to work around the problem, but there is a safe way to add and delete routes without putting the BIG-IP into a state where it could encounter this issue.
Safe way to add/delete a route:
1) Add routes to child route domains first, then to parent route domain.
2) Delete routes from parent route domain first, then from child route domain.
Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table, and this no longer causes a TMM crash.
876581-5 : JavaScript engine file is empty if the original HTML page is cached for too long
Component: Fraud Protection Services
Symptoms:
JavaScript engine file is empty.
Conditions:
Original HTML page with FPS injected content is cached for too long due to some caching headers (e.g., ETag), so the JavaScript engine link becomes invalid.
Impact:
No FPS protection for that HTML page.
Workaround:
You can use either workaround:
-- Use an iRule to disable caching for protected HTML pages.
-- Set the caching time for protected HTML pages to the same value as the datasync tables regeneration timer of the active datasync profile (the default value is 2 days).
Fix:
FPS now also removes ETag headers from protected HTML pages.
872673-4 : TMM can crash when processing SCTP traffic
Solution Article: K26464312
871761-2 : Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS
Component: Access Policy Manager
Symptoms:
The APM virtual server's user-facing pages (e.g., the 'Logon page') cannot be rendered by browsers.
Conditions:
This issue is encountered when an XML profile is configured for the APM virtual server.
Impact:
APM end users are unable to get a logon page.
Workaround:
Disable the XML profile for the APM virtual server.
Fix:
There is no unexpected traffic interruption from the APM virtual server when the XML profile is configured for the virtual server.
871657-3 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
Component: TMOS
Symptoms:
Mcpd restarts and produces a core file.
Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.
Impact:
Mcpd crash and restart results in high availability (HA) failover.
Workaround:
Use a lowercase 'a' or 's' as the flag value.
Fix:
Mcpd no longer crashes under these conditions. The flag value is always stored in lowercase regardless of the case used as input in the REST call or tmsh command, etc.
870957-2 : "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage
Component: Application Visibility and Reporting
Symptoms:
TMM CPU utilization is shown at around 100 percent under Security ›› Reporting : ASM Resources : CPU Utilization.
Conditions:
No special conditions; this occurs whenever you view the TMM CPU stats in 'Security ›› Reporting : ASM Resources : CPU Utilization'. The values are always in the wrong scale: when the TMM has ~1% CPU usage, it is presented as 100% CPU usage.
Impact:
The wrong scale is presented, which might cause the machine's state to be interpreted wrongly.
Workaround:
1. Back up the /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.
2. Run the following:
$ sed -i 's|tmm_avg_cpu_util)/(count(distinct time_stamp)|tmm_avg_cpu_util)/(count(distinct time_stamp)*100|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
3. Compare the backup file to /etc/avr/monpd/monp_asm_cpu_info_measures.cfg:
Make sure that exactly two lines are modified, and that the modification multiplies the denominator by 100 (i.e., actually divides the TMM value by 100).
4. To make those changes take effect, run the following command:
$ bigstart restart monpd
Fix:
The TMM value is now divided by 100 to fit the correct scale.
868781-3 : TMM crashes while processing MRF traffic
Component: Service Provider
Symptoms:
A TMM panic occurs when processing MPI messages that overflowed due to an incorrectly calculated master key length:
../dev/mpi/mpi_mem.c:1129: Assertion "tail not past head" failed.
Conditions:
-- Message Routing Framework (MRF) traffic of type Diameter and SIP.
-- Auto-initialization enabled on the peer; the crash can also happen without auto-initialization enabled, just at a less predictable rate.
Impact:
Tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM crash no longer occurs under these conditions.
868349-5 : TMM may crash while processing iRules with MQTT commands
Solution Article: K62830532
867181-4 : ixlv: double tagging is not working
Component: TMOS
Symptoms:
If a VLAN tag is configured on the Virtual Function in the host, and the BIG-IP guest is configured to use a tagged VLAN, packets that egress the host on this VLAN contain only the VLAN tag configured on the host (i.e. the BIG-IP's VLAN tag is lost).
Conditions:
- Using a BIG-IP VE.
- A VLAN tag is configured on both the host VF and on the BIG-IP.
Impact:
The BIG-IP's VLAN tag is lost.
Fix:
Both VLAN tags are now present in packets.
867013-5 : Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout
Component: TMOS
Symptoms:
You are unable to associate new ASM policies to LTM policies, due to REST timeout.
Conditions:
This can be encountered when there are a large number of policies configured in ASM.
Impact:
Unable to associate new ASM policies to LTM policies, due to REST timeout.
Workaround:
None.
Fix:
Modified REST query to get only fullPath to display the list of policies, so the timeout no longer occurs.
866925-1 : The TMM pages used and available can be viewed in the F5 system stats MIB
Component: TMOS
Symptoms:
The memory pages available and in use are tracked with system statistics. Previously, those statistics were available only with the tmctl command in the shell.
Conditions:
When system resource decisions are being made, the information about memory usage is important.
Impact:
It is not feasible to query each BIG-IP device separately.
Workaround:
None.
Fix:
You can query these statistics with SNMP through the F5-BIGIP-SYSTEM-MIB::sysTmmPagesStat table.
866613-2 : Missing MaxMemory Attribute
Component: Application Visibility and Reporting
Symptoms:
The MaxMemory Attribute is not reported in the System Monitor statistics report.
Conditions:
This is encountered when viewing the System Monitor report.
Impact:
No 'MaxMemory' value label appears in System Monitor statistics. Instead, there are duplicate AvgMemory fields, for example:
...(AvgMemory='3818',AvgMemory='3818').
Workaround:
Use the AvgMemory value that is the higher of the two to represent MaxMemory.
Note: Sometimes, the AvgMemory and MaxMemory values are the same. In that case, use the second value.
Fix:
The MaxMemory attribute is now reported in System Monitor statistics.
866109-4 : JWK keys frequency does not support fewer than 60 minutes
Component: Access Policy Manager
Symptoms:
When configuring the OAuth provider and trying to set the task frequency to fewer than 60 minutes, the BIG-IP reports an error:
01b70003:3: Discovery interval (10) for OAuth provider must be greater than (60) minutes.
Conditions:
This occurs when configuring the frequency interval of an OAuth provider to a value lower than 60 minutes.
Impact:
You are unable to create a provider with a frequency interval of fewer than 60 minutes.
Workaround:
Use a value of 60 minutes or higher.
Fix:
The auto-discovery frequency now supports values lower than 60 minutes.
866021-4 : Diameter Mirror connection lost on the standby due to "process ingress error"
Component: Service Provider
Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.
Conditions:
This can happen when there is a large amount of mirror traffic; this includes the traffic processed by the active unit that requires mirroring and the high availability (HA) context synchronization, such as persistence information, message state, etc.
Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.
Fix:
Diameter mirror connections are no longer lost due to "process ingress error" when there is high mirror traffic.
865241-4 : Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"
Component: TMOS
Symptoms:
When BGP tries to print the address of the default route's peer but there is no matching IPv4 or IPv6 address, the lookup returns NULL, and attempting to print it results in a crash.
Conditions:
-- Running the show command: sh bgp ipv6 ::/0.
-- There is no matching IPv4 or IPv6 address for the peer.
The conditions that cause this to occur are unknown.
Impact:
Bgpd crashes. Routing may be affected while bgpd restarts.
Workaround:
None.
865225-2 : 100G modules may not work properly in i15000 and i15800 platforms
Component: TMOS
Symptoms:
The tuning values programmed in the switch are not correct for 100G OPT-0039 and OPT-0031 SFP modules.
Conditions:
-- Using OPT-0039 or OPT-0031 modules.
-- Running on i15000 and i15800 platforms.
Note: Use 'tmsh list net interface vendor-partnum' to identify the optic modules installed.
Impact:
You might see traffic drop.
Note: Potential issues related to incorrect tuning values come from F5-internal sources and have not been reported in production configurations.
Workaround:
None.
864757-1 : Traps that were disabled are enabled after configuration save
Component: TMOS
Symptoms:
The ifLinkUpDownTrapEnable setting is not saved to config files nor UCS. If you have disabled 'link up/down' traps for an interface, save the config, and then load the config files or UCS, all interfaces will have traps enabled, even the ones that were explicitly disabled.
Conditions:
-- Disable 'link up/down' traps for an interface.
-- Save the configuration or UCS.
-- Reload the configuration or load the UCS.
Impact:
All interfaces have traps enabled, even the ones that were explicitly disabled.
Workaround:
None.
863917-4 : The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.
Component: Global Traffic Manager (DNS)
Symptoms:
Messages similar to the following may be seen in the DNS (GTM) logs:
The list processing time (32 seconds) exceeded the interval value. There may be too many monitor instances configured with a 30 second interval.
This message was introduced in 15.0.0 as an aid to help identify overloaded DNS (GTM) systems, but it triggers too easily and can be logged when the device is not overloaded.
Conditions:
-- DNS (GTM) servers are present.
-- Virtual servers are configured on those DNS (GTM) servers.
-- A monitor is applied to the DNS (GTM) server.
Impact:
Messages are logged that imply the system is overloaded when it is not.
Workaround:
Create a log filter to suppress the messages:
sys log-config filter gtm-warn {
level warn
message-id 011ae116
source gtmd
}
863161-5 : Scheduled reports are sent via TLS even if configured as non encrypted
Component: Application Visibility and Reporting
Symptoms:
The scheduled report email is sent from the BIG-IP using TLS even if it is configured not to use encryption. When the mail server's TLS is outdated, this may lead to failure of mail delivery.
Conditions:
Scheduled reports are enabled and configured to use a mail server that advertises TLS capability.
Impact:
The minor impact is unexpected behaviour. In rare cases it may cause the scheduled reports to malfunction.
Fix:
The automatic TLS connection was introduced by an update of the phpmailer module. The fix disables this automatic behaviour so that encryption is used according to the BIG-IP configuration.
862597-3 : Improve MPTCP's SYN/ACK retransmission handling
Component: Local Traffic Manager
Symptoms:
- An MPTCP-enabled TCP connection is in the SYN_RECEIVED state.
- TMM cores.
Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable MPTCP option in the TCP profile.
Fix:
MPTCP's SYN/ACK retransmission handling is improved.
860517-4 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
Component: TMOS
Symptoms:
MCPD can crash with an out-of-memory condition when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.
As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms).
Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.
Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.
Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.
Fix:
The memory efficiency of MCPD has been improved. This allows very large BIG-IP configurations to be used successfully.
860477-6 : SCP hardening
Solution Article: K82518062
860005-4 : Ephemeral nodes/pool members may be created for wrong FQDN name
Component: Local Traffic Manager
Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.
Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.
The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.
Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.
Workaround:
It may be possible to mitigate this issue by one or more of the following actions:
-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.
-- Reducing the number of FQDN template nodes (FQDN names to be resolved).
-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.
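As an added illustration (not F5's code) of the mis-association described above, this Python model keys pending queries by TXID alone versus by TXID plus question name and delivers one answer into a constructed TXID collision; the birthday-bound helper estimates how likely such a collision is for a given number of simultaneously outstanding queries. FQDNs, addresses and the TXID are constructed.

```python
"""Added example, not F5 code: why a duplicate DNS transaction ID (TXID) can
attach one FQDN's addresses to a different FQDN's pending query, and why also
matching the question name prevents it. Names, addresses and TXIDs are
constructed."""
from dataclasses import dataclass, field


@dataclass
class PendingQuery:
    txid: int
    qname: str
    resolved: list = field(default_factory=list)   # addresses once answered


@dataclass
class DnsResponse:
    txid: int
    qname: str        # question section echoed back by the name server
    addresses: list


def match_by_txid(pending, resp):
    """Association as described in the bug: the first pending query that
    carries the response's TXID is taken, whatever name it asked for."""
    for q in pending:
        if q.txid == resp.txid:
            return q
    return None


def match_by_txid_and_qname(pending, resp):
    """Stricter association: the echoed question name must also match
    (DNS names are case-insensitive)."""
    for q in pending:
        if q.txid == resp.txid and q.qname.lower() == resp.qname.lower():
            return q
    return None


def deliver(pending, resp, matcher):
    """Attach the response's addresses to whichever query the matcher picks
    and retire that query. Returns the query, or None if nothing matched."""
    q = matcher(pending, resp)
    if q is not None:
        q.resolved = list(resp.addresses)
        pending.remove(q)
    return q


def ephemeral_members(query, port):
    """Pool members an FQDN template node would create from the answer."""
    return [f"{query.qname}:{addr}:{port}" for addr in query.resolved]


def simulate(matcher):
    # Constructed scenario: two FQDN nodes have queries outstanding at the same
    # name server and, by chance, both used TXID 0x1234. app-b asked first and
    # is still waiting (slow server); the server answers app-a first.
    pending = [PendingQuery(0x1234, "app-b.example.test"),
               PendingQuery(0x1234, "app-a.example.test")]
    resp = DnsResponse(0x1234, "app-a.example.test", ["192.0.2.10", "192.0.2.11"])
    q = deliver(pending, resp, matcher)
    return q.qname, ephemeral_members(q, 80)


def collision_probability(outstanding):
    """Birthday bound: chance that at least two of `outstanding` simultaneously
    pending queries share a TXID drawn uniformly from the 16-bit space.
    Outstanding queries grow with query rate x server response delay, which
    is why the three factors listed in the bug raise the risk."""
    space = 1 << 16
    no_collision = 1.0
    for i in range(outstanding):
        no_collision *= (space - i) / space
    return 1.0 - no_collision


if __name__ == "__main__":
    print("TXID only    :", simulate(match_by_txid))
    print("TXID + qname :", simulate(match_by_txid_and_qname))
    for n in (2, 50, 300):
        print(f"{n:4d} outstanding queries -> P(duplicate TXID) = "
              f"{collision_probability(n):.4f}")
```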
859717-4 : ICMP-limit-related warning messages in /var/log/ltm
Component: Local Traffic Manager
Symptoms:
'ICMP error limit reached' warning messages in /var/log/ltm:
warning tmm3[23425]: 01200015:4: Warning, ICMP error limit reached.
Conditions:
Viewing /var/log/ltm.
Impact:
Potentially numerous error messages, depending on the traffic and the BIG-IP configuration. No clear indication of how to remedy the situation.
Workaround:
None.
Fix:
The system better tracks what kind of traffic triggers the 'ICMP error limit reached' logs so the issue can be mitigated.
859089-3 : TMSH allows SFTP utility access
Solution Article: K00091341
858973-4 : DNS request matches less specific WideIP when adding new wildcard wideips
Component: Global Traffic Manager (DNS)
Symptoms:
After adding a new wildcard wideip, DNS requests start matching the wildcard even if a more specific wildcard wideip should match.
Conditions:
New less specific Wildcard WideIPs are created.
Impact:
DNS request matches less specific WideIP.
Workaround:
# tmsh load sys config gtm-only
or
restart tmm
858701-4 : Running config and saved config have different route-advertisement values after upgrading from 11.x/12.x★
Component: Local Traffic Manager
Symptoms:
When you upgrade an 11.x/12.x device with route advertisement enabled, you might discover a difference between the running configuration and the saved configuration post upgrade, which might result in route advertisement becoming disabled.
-- In the running configuration, the virtual-addresses route advertisement setting 'enabled' changes to 'selective'.
-- In bigip.conf, the virtual-addresses route advertisement setting is still set to 'enabled'.
-- After config load or after re-licensing, the virtual-addresses route advertisement reverts to disabled.
Conditions:
-- Upgrading an 11.x/12.x device with route advertisement enabled.
-- After saving the config, both the running-config and bigip.conf have the same value: i.e., 'selective'.
-- Loading the configuration (tmsh load sys config) results in route advertisement becoming disabled.
Impact:
The route-advertisement setting is 'enabled' in the config file, but 'selective' in the running configuration. This has the following impact:
If you save the configuration and then reload it, the route advertisement is changed to 'selective' in the config file and 'disabled' in the running config.
Workaround:
You can identify whether systems running v13.0.0 or higher are at risk of encountering this issue by checking a legacy internal setting, ROUTE_ADVERTISEMENT:
Procedure to identify virtual-addresses that are affected, i.e., that carry an incorrect setting in the legacy ROUTE_ADVERTISEMENT artifact:
Virtual-addresses may be affected by this issue on v13.0.0 and higher if ROUTE_ADVERTISEMENT=true in mcpd.
You can check this value with the guishell command:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
Example:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
-----------------------------------------------------------
| NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
-----------------------------------------------------------
| /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
| /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
| /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
| /Common/10.32.101.47 | true | 0 | <<< MEDIUM RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
| /Common/10.32.101.49 | true | 1 | <<< HIGH RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled
Any virtual address that shows ROUTE_ADVERTISEMENT=true is at risk. If true but route-advertisement is not in use, there is no risk until route-advertisement is configured later.
------------------------------------------------------------------------------------------
Procedure to remove the legacy ROUTE_ADVERTISEMENT artifact from the config on systems found to be affected:
1. Review Standby system (if available) and ensure Route Advertisement in running configuration is configured and functioning as desired with "tmsh list ltm virtual-address route-advertisement". If not, manually correct Route Advertisement to desired configuration and confirm functionality.
2. Fail over Active system to Standby status:
tmsh run sys failover standby
3. Review former Active (now Standby) system and ensure Route Advertisement in running configuration is configured and functioning as desired. If not, manually correct Route Advertisement to desired configuration.
4. Save the config to disk:
tmsh save sys config
5. Load the config from disk. This may temporarily cause route-advertisement to revert to disabled on at-risk virtual-addresses:
tmsh load sys config
6. Load the config a 2nd time. This removes the legacy artifact, re-enables route-advertisement as per the configuration, and leaves the system in a not-at-risk state:
tmsh load sys config
7. Verify it worked:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
Example of a fixed config:
guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
-----------------------------------------------------------
| NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
-----------------------------------------------------------
| /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
| /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
| /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
| /Common/10.32.101.47 | false | 0 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
| /Common/10.32.101.49 | false | 1 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled
------------------------------------------------------------------------------------------
If you encounter this issue and route-advertisement becomes disabled before cleaning the legacy ROUTE_ADVERTISEMENT artifact from the config, reload the configuration again using the following command to set the running config and saved config to 'selective':
tmsh load sys config
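The guishell check above has to be read row by row; as an added example (not F5 code), the following script parses a captured copy of that table and applies the same risk mapping the annotated output uses, so the result can be checked before and after the two 'tmsh load sys config' passes. The sample output is constructed, and treating RA_OPTION 2 with the artifact present as high risk is an assumption, since the note only shows options 0 and 1.

```python
"""Added example (not F5 code): triage 'guishell' output for the legacy
ROUTE_ADVERTISEMENT artifact described in ID 858701-4.

Risk mapping follows the annotated example in the release note:
  ROUTE_ADVERTISEMENT=false             -> no risk
  ROUTE_ADVERTISEMENT=true, RA_OPTION=0 -> medium risk (artifact present, RA not in use)
  ROUTE_ADVERTISEMENT=true, RA_OPTION=1 -> high risk (artifact present, RA enabled)
Assumption: RA_OPTION 2 (selective) with the artifact present is treated as high
risk as well, because route-advertisement is in use; the note shows only 0 and 1.
"""
from typing import Dict, List

# Constructed sample of:
#   guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
# (the '<<<' annotations in the release note are commentary, not real output)
SAMPLE_GUISHELL_OUTPUT = """\
-----------------------------------------------------------
| NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
-----------------------------------------------------------
| /Common/10.32.101.41 | false | 0 |
| /Common/10.32.101.42 | false | 2 |
| /Common/10.32.101.43 | false | 1 |
| /Common/10.32.101.47 | true | 0 |
| /Common/10.32.101.49 | true | 1 |
"""

# RA_OPTION values as named in the release note's annotations
RA_OPTION_NAMES = {"0": "disabled", "1": "enabled", "2": "selective"}


def parse_guishell_table(text: str) -> List[Dict[str, str]]:
    """Parse the pipe-delimited guishell table into one dict per row.

    Separator lines ('-----') are skipped; the first '|' line is the header.
    """
    header: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if not header:
            header = cells
            continue
        if len(cells) != len(header):
            raise ValueError("malformed row: %r" % raw)
        rows.append(dict(zip(header, cells)))
    return rows


def classify_risk(row: Dict[str, str]) -> str:
    """Return 'none', 'medium' or 'high' for one virtual-address row."""
    artifact_present = row["ROUTE_ADVERTISEMENT"].lower() == "true"
    if not artifact_present:
        return "none"
    # Artifact present: risk depends on whether route-advertisement is in use.
    return "medium" if row["RA_OPTION"] == "0" else "high"


def triage(text: str) -> Dict[str, str]:
    """Map each virtual-address NAME to its risk level."""
    return {row["NAME"]: classify_risk(row) for row in parse_guishell_table(text)}


def at_risk_names(text: str) -> List[str]:
    """Names that still carry the legacy artifact. After the two
    'tmsh load sys config' passes from the release note this should be empty."""
    return [name for name, risk in triage(text).items() if risk != "none"]


if __name__ == "__main__":
    for row in parse_guishell_table(SAMPLE_GUISHELL_OUTPUT):
        print("%-24s route-advertisement=%-9s risk=%s" % (
            row["NAME"], RA_OPTION_NAMES.get(row["RA_OPTION"], "?"),
            classify_risk(row)))
```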
858301-4 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Solution Article: K27551003
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
858297-4 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Solution Article: K27551003
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
858289-4 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Solution Article: K27551003
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
858285-4 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Solution Article: K27551003
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
858229-2 : XML with sensitive data gets to the ICAP server
Solution Article: K22493037
Component: Application Security Manager
Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.
Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.
Impact:
Sensitive data will reach the ICAP server.
Workaround:
No immediate workaround other than policy-related changes.
Fix:
An internal parameter, send_xml_sensitive_entities_to_icap, was added. Its default is 1, as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.
Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.
When this is changed to 0 (using this command):
/usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.
858197-4 : Merged crash when memory exhausted
Component: TMOS
Symptoms:
Merged crashes when system memory is exhausted
Conditions:
System memory is at 0% available.
Impact:
Merged crashes, stopping stats updates
Workaround:
Reduce the configuration on the system
Fix:
Remove function call to drop row from table on error path where row was not successfully added.
858025-5 : BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984
Solution Article: K33440533
857845-5 : TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule
Component: Local Traffic Manager
Symptoms:
Whenever the server or client side data have not been drained, 'server drained' or 'client drained' appear in /var/log/tmm as errors.
Conditions:
-- Using iRule configuration with LB::detach or LB::connect.
-- Server- or client-side data has not been drained before those statements are triggered.
Impact:
TMM crashes and can cause an outage on standalone system or failover in a DSC. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes and the 'server not drained' or 'client not drained' message is logged instead. If tmm.oops is set to 'log', the OOPS message is reported in /var/log/tmm.
856961-4 : INTEL-SA-00201 MCE vulnerability CVE-2018-12207
Solution Article: K17269881
854177-2 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
Component: Application Security Manager
Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.
Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.
Impact:
Latency is introduced to ASM handling.
Workaround:
Set the fast-changing nodes to static updates every hour.
Fix:
ASM now correctly ignores pool member updates that do not affect remote logging.
853585-5 : REST Wide IP object presents an inconsistent lastResortPool value
Component: Global Traffic Manager (DNS)
Symptoms:
The output of a REST call to tm/gtm/wideip/<wideip_kind> returns objects that contain inconsistent values for the property 'lastResortPool'. For instance, for the kind 'aaaa', the output might be:
...
"lastResortPool": "aaaa \"\""
...
Conditions:
The BIG-IP admin has modified a Wide IP object via tmsh and used the following command structure:
tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind>
Impact:
The lastResortPool value in the REST response might be confusing for an external orchestrator that consumes the BIG-IP configuration via iControl REST, for instance BIG-IQ, which might not work as expected with these values.
Workaround:
Change the Wide IP object via the GUI and set the Last Resort Pool to None, then save the changes.
Fix:
The tmsh interpreter now enforces the structure 'tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind> <pool_name>'.
853329 : HTTP explicit proxy can crash TMM when used with classification profile
Component: Local Traffic Manager
Symptoms:
The BIG-IP system may serve HTTP traffic as a forward proxy and use DNS resolver objects to provide a server to connect to for request processing. When a classification profile is attached to the virtual server, this may result in a TMM crash for some HTTP requests.
Conditions:
-- PEM is provisioned.
-- HTTP explicit proxy is configured on a virtual server.
-- A classification profile attached to the virtual server.
Impact:
TMM crashes, causing failover. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release prevents a condition causing this TMM crash.
852929-2 : AFM WebUI Hardening
Solution Article: K25160703
852445-5 : Big-IP : CVE-2019-6477 BIND Vulnerability
Solution Article: K15840535
852289-6 : DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector
Solution Article: K23278332
Component: Advanced Firewall Manager
Symptoms:
DNS over TCP packet is not rate-limited accurately by DoS device sweep and flood vector.
Conditions:
-- Setting the correct DNS pkt type in the DoS device sweep or flood vector.
-- Sending DNS over TCP.
Impact:
A DNS-over-TCP DDoS attack is not mitigated correctly.
Workaround:
Use the DNS DoS vector to mitigate the attack.
Fix:
The attack mitigation by sweep and flood vector is accurate.
852101-4 : Monitor fails.
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d fails external monitor SIP_monitor because GTM SIP Monitors need to be running as privileged.
Conditions:
TLS SIP monitor on pool member requiring client auth.
Impact:
Big3d fails external monitor SIP_monitor.
Workaround:
The only workaround is to allow world reading of key files in the filestore, however, this is not ideal as it exposes potentially sensitive data.
851857-4 : HTTP 100 Continue handling does not work when it arrives in multiple packets
Component: Local Traffic Manager
Symptoms:
If a 100 Continue response from a server arrives in multiple packets, HTTP parsing may not work as expected. The later server response payload may not be sent to the client.
Conditions:
The server responds with a 100 Continue response which has been broken into more than one packet.
Impact:
The response is not delivered to the client. Browsers may retry the request.
Workaround:
None.
Fix:
100 Continue responses are parsed correctly by the HTTP parser if they are broken into multiple packets.
851045-4 : LTM database monitor may hang when monitored DB server goes down
Component: Local Traffic Manager
Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such as by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon) which causes an interruption in monitoring of other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.
Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).
Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads is processed to completion, and normal DB monitoring resumes.
Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.
850673-4 : BD sends bad ACKs to the bd_agent for configuration
Component: Application Security Manager
Symptoms:
-- The bd_agent stops sending the configuration in the middle of startup or a configuration change.
-- The policy may be incomplete in the bd causing incorrect enforcement actions.
Conditions:
This is a rarely occurring issue, and the exact conditions that trigger it are unknown.
Impact:
-- The bd_agent hangs or restarts, which may cause a complete ASM restart (and failover).
-- A partial policy may exist in bd causing improper enforcement.
Workaround:
-- Unassign and reassign the policy.
-- If unassign/reassign does not help, export and then reimport the policy.
Fix:
Fixed inconsistency scenario between bd and bd_agent.
850277-5 : Memory leak when using OAuth
Component: Access Policy Manager
Symptoms:
Tmm memory usage keeps going up when passing multiple HTTP requests through a kept-alive TCP connection carrying an OAuth token as bearer in the Authorization header.
Conditions:
-- Multiple HTTP requests through a kept-alive TCP connection.
-- Requests carry an OAuth token as bearer in the Authorization header.
Impact:
Memory leak occurs in which tmm memory usage increases.
Workaround:
None.
849861 : TMM may crash with FastL4 and HTTP profile using fallback host and iRule command
Component: Local Traffic Manager
Symptoms:
TMM may crash when FastL4 is used with an HTTP profile and an iRule command. Even if TMM does not crash, the incorrect iRule may prevent the connection from working.
Conditions:
-- A virtual server configured to use FastL4 with an HTTP profile with a fallback host.
-- The virtual server has an iRule that performs a pool pick after the connection is established.
Note: Using the pool command after the server-side connection is established is not a valid operation.
Impact:
TMM typically crashes; however, whether or not TMM crashes, the invalid use of the pool command results in connection failure.
Workaround:
Remove the invalid iRule configuration.
Fix:
This issue no longer occurs.
848445-4 : Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★
Solution Article: K86285055
Component: Application Security Manager
Symptoms:
Global/URL/Flow Parameters with flag is_sensitive true are not masked in referrer and their value may be exposed in logs.
Conditions:
Global/URL/Flow Parameters with flag is_sensitive true are defined in the policy. In logs, the value of such parameter will be masked in QS, but will be exposed in the referrer.
Impact:
The parameter will not be masked in 'Referer' value header in logs, although it is masked in 'QS' string.
Workaround:
Define the parameters as global sensitive parameters.
Fix:
After the fix, such parameters are treated like global sensitive parameters and are also masked in the Referer header.
848405-1 : TMM may consume excessive resources while processing compressed HTTP traffic
Solution Article: K26244025
846917-5 : lodash Vulnerability: CVE-2019-10744
Solution Article: K47105354
846493 : ASM CAPTCHA is not working the first time when a request contains sensitive parameters
Component: Application Security Manager
Symptoms:
ASM end users are required to type CAPTCHA letters twice to get the login request to be forwarded to the server. In addition, the original login request is not sent to the server, which results in failed logins.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Brute force enabled in the ASM policy.
-- Brute force issues CAPTCHA mitigation.
Impact:
False-positive bad logins.
Workaround:
Remove sensitive parameters from the ASM policy.
Impact of workaround: This results in sensitive parameters being revealed in the ASM event logs.
Fix:
CAPTCHA mechanism now works correctly along with sensitive parameters.
846441-4 : Flow-control is reset to default for secondary blade's interface
Component: TMOS
Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface are reset to default.
Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.
Impact:
The flow-control setting is reset to default (tx-rx).
Workaround:
Reload the configuration on the primary blade.
846137-5 : The icrd returns incorrect route names in some cases
Component: TMOS
Symptoms:
The icrd returns incorrect route names when a '.' (dot, or period) is present in the subPath, as it treats the subPath as an IP address and the leaf name as a subnet and considers the name as a whole. The subPath field is also missing from the response route object. This happens only for curl requests.
Conditions:
-- The subPath contains a '.' in it.
-- A curl request is made.
Impact:
The returned route information does not match the actual route.
Workaround:
None.
Fix:
The system now verifies whether the leaf name is a numeric value, so this issue no longer occurs.
846057-1 : UCS backup archive may include unnecessary files
Component: Application Security Manager
Symptoms:
UCS backup archive file size is much larger than UCS files in previous releases.
Conditions:
-- UCS backup process finishes with failure and does not clean temporary files.
-- A second UCS backup is attempted.
Impact:
Those files are included in the UCS archive, which results in an unusually large UCS backup file.
Workaround:
Before running the UCS backup process, remove directories:
/var/tmp/ts_db.save_dir_*.cstmp/
845461-1 : MRF DIAMETER: additional details to log event to assist debugging
Component: Service Provider
Symptoms:
There are not enough details in log events when stale pending requests are removed.
Conditions:
An answer message is not received before the configured timeout has been reached.
Impact:
The set of arguments in the log message does not have enough information to debug why the message was not responded to.
Workaround:
None.
Fix:
New details have been added to help debug why the message was not responded to.
843597-4 : Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle
Component: TMOS
Symptoms:
The vmxnet3 driver cannot handle MTUs larger than 9000 bytes. This issue can present itself in a few different ways, depending on the underlying platform. One example would be the BIG-IP failing to initialize vmxnet interfaces with messages similar to the following logged in /var/log/tmm:
notice vmxnet3[1b:00.0]: MTU: 9198
notice vmxnet3[1b:00.0]: Error: Activation command failed: 1
If the BIG-IP does successfully initialize its vmxnet interfaces, there can be unpredictable behavior (possibly with the hypervisor).
Conditions:
-- Using a BIG-IP Virtual Edition (VE) with the vmxnet3 driver.
-- If the BIG-IP is able to initialize the vmxnet interfaces: Passing packets larger than 9000 bytes.
Impact:
The BIG-IP system may not be able to initialize the vmxnet3 interfaces on startup. If it is able to do so, then packets may be dropped, or the hypervisor may crash on some platforms that do not handle this condition gracefully.
Workaround:
Modify the tmm_init.tcl file, adding the following line:
ndal mtu 9000 15ad:07b0
Fix:
The software now ensures that the default setting for the vmxnet3 driver MTU is 9000, which prevents the issue from occurring.
842829-5 : Multiple tcpdump vulnerabilities
Solution Article: K04367730
842717-3 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5855
Solution Article: K55102004
842625-1 : SIP message routing remembers a 'no connection' failure state forever
Component: Service Provider
Symptoms:
When SIP message routing fails to route to a pool member (triggering an MR_FAILED, MR::message status of 'no connection'), the BIG-IP system caches the failed state and continues to return it even after the pool member becomes reachable again.
Conditions:
When the BIG-IP system fails to route messages to the peer (server) due to unavailability of a route or any other issue.
Impact:
The BIG-IP system is never able to establish a connection to the peer.
Workaround:
None.
Fix:
SIP message routing now recovers from a 'no connection' failure state.
842189-3 : Tunnels removed when going offline are not restored when going back online
Component: TMOS
Symptoms:
When a BIG-IP instance goes offline, any functioning tunnel is removed from the active configuration. Upon restoration to online operation, the tunnel is not automatically restored.
Conditions:
-- Configuration includes tunnels.
-- BIG-IP instance goes offline and then comes back online.
Impact:
Failure of tunnel packet traffic.
Workaround:
Manually recreate the tunnel after the BIG-IP instance has been brought back online.
Fix:
Tunnels removed when going offline are now restored when going back online.
842125-2 : Unable to reconnect outgoing SCTP connections that have previously aborted
Component: TMOS
Symptoms:
When an outgoing SCTP connection is created using an ephemeral port, the connection may appear to be open after an SCTP connection halt. This prevents new connections to the same endpoint, as the connection appears to already exist.
Conditions:
-- A virtual server configured with an SCTP profile.
-- An outgoing SCTP connection after an existing connection to the same endpoint has halted.
Impact:
New connections cannot be created, resulting in dropped messages.
Workaround:
None.
Fix:
SCTP connections can now be halted and recreated to the same endpoint.
841577-6 : iControl REST hardening
Solution Article: K20606443
841469-3 : Application traffic may fail after an internal interface failure on a VIPRION system.
Component: Local Traffic Manager
Symptoms:
Blades in a VIPRION system connect with one another over a data backplane and a management backplane.
For more information on the manner in which blades interconnect over the data backplane, please refer to K13306: Overview of the manner in which the VIPRION chassis and blades interconnect :: https://support.f5.com/csp/article/K13306.
Should an internal interface fail and thus block communication over the data backplane between two distinct blades, an unusual situation arises where different blades compute different CMP states.
For example, if on a 4-slot chassis, blades 2 and 3 become disconnected with one another, the following is TMM's computation of which slots are on-line:
slot1: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
slot2: slots 1, 2, and 4 on-line (cmp state 0xb / 11)
slot3: slots 1, 3, and 4 on-line (cmp state 0xd / 13)
slot4: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
As different slots are effectively operating under different assumptions of the state of the cluster, application traffic does not flow as expected. Some connections time out or are reset.
You can run the following command to inspect the CMP state of each slot:
clsh 'tmctl -d blade -s cmp_state tmm/cmp'
All slots should report the same state, for instance:
# clsh 'tmctl -d blade -s cmp_state tmm/cmp'
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
15
=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
15
=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
15
=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
15
When this issue occurs, logs similar to the following example can be expected in the /var/log/ltm file:
-- info bcm56xxd[4276]: 012c0015:6: Link: 2/5.3 is DOWN
-- info bcm56xxd[4296]: 012c0015:6: Link: 3/5.1 is DOWN
-- info bcm56xxd[4296]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4339]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4214]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
And a CMP transition will be visible in the /var/log/tmm file similar to the following example:
-- notice CDP: PG 2 timed out
-- notice CDP: New pending state 0f -> 0b
-- notice Immediately transitioning dissaggregator to state 0xb
-- notice cmp state: 0xb
For more information on troubleshooting VIPRION backplane hardware issues, please refer to K14764: Troubleshooting possible hardware issues on the VIPRION backplane :: https://support.f5.com/csp/article/K14764.
Conditions:
This issue arises after a very specific type of hardware failure. The condition is very unlikely to occur and is impossible to predict in advance.
Impact:
Application traffic is impacted and fails sporadically due to a mismatch in CMP states between the blades. Failures are likely to manifest as timeouts or resets from the BIG-IP system.
Workaround:
F5 recommends the following to minimize the impact of this potential issue:
1) For all highly available configurations (e.g., A/S, A/A, A/A/S, etc.).
The BIG-IP system has functionality, in all software versions, to enact a fast failover when the conditions described occur.
To ensure this functionality will trigger, the following configuration requirements must be met:
a) The mirroring strategy must be set to 'between'.
b) A mirroring channel to the next-active unit must be up.
c) The min-up-members option must be set to the number of blades in the chassis (e.g., 4 if there are 4 blades in the chassis).
Note: It is not required to actually configure connection mirroring on any virtual server; simply choosing the aforementioned strategy and ensuring a channel is up to the next-active unit will suffice. However, note that some configurations will benefit by also configuring connection mirroring on some virtual servers, as that can greatly reduce the number of affected connections during a failover.
2) For 'regular' standalone units.
If a VIPRION system is truly standalone (no kind of redundancy whatsoever), there is no applicable failsafe action, as you will want to keep that chassis online even if some traffic is impaired. Ensure suitable monitoring of the system is in place (e.g., remote syslog servers, SNMP traps, etc.), so that a BIG-IP Administrator can react quickly in the unlikely event this issue does occur.
3) For a standalone chassis which belongs to a pool on an upstream load-balancer.
If the virtual servers of a standalone VIPRION system are pool members on an upstream load-balancer, it makes sense for the virtual servers to report unavailable (e.g., by resetting all new connection attempts) so that the upstream load-balancer can select different pool members.
An Engineering Hotfix can be provided which introduces an enhancement for this particular use-case. A new DB key is made available under the Engineering Hotfix: tmm.cdp.requirematchingstates, which takes values 'enable' and 'disable'.
The default is 'disable', which makes the VIPRION system behave as in versions without the enhancement. When set to 'enable', the VIPRION system attempts to detect this failure and, if it does, resets all new connections. This should trigger some monitor failures on the upstream load-balancer and allow it to select different pool members.
Please note you should only request the Engineering Hotfix and enable this DB key when this specific use-case applies: a standalone VIPRION system which belongs to a pool on an upstream load-balancer.
When the new feature is enabled, the following log messages in the /var/log/ltm file indicate when this begins and stops triggering:
-- crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.
-- crit tmm[13262]: 01010367:2: CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.
Fix:
The system now includes the enhancement for the 'standalone chassis which belongs to a pool' use-case, as discussed under the Workaround section.
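The clsh check in the Symptoms section has to be compared by eye across slots; as an added example (not F5 code), the following script parses a captured copy of that output, decodes each cmp_state into the slots it considers on-line using the bit mapping implied by the release note's own figures (slot N is bit N-1, so 0xb is slots 1, 2, 4), and reports which blades can no longer see each other. The sample output is constructed to reproduce the blade 2/3 split described above.

```python
"""Added example (not F5 code): detect the split-backplane condition from
ID 841469-3 by comparing the cmp_state each VIPRION slot reports.

Bit mapping is taken from the release note's own figures: slot N is bit N-1,
so 0xb (1011) means slots 1, 2 and 4 are on-line and 0xd (1101) means 1, 3 and 4.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of:  clsh 'tmctl -d blade -s cmp_state tmm/cmp'
# reproducing the scenario where blades 2 and 3 lose sight of each other.
SAMPLE_CLSH_OUTPUT = """\
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
11
=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
13
=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
15
=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
15
"""

_SLOT_HEADER = re.compile(r"^=== slot (\d+) addr \S+ color \S+ ===$")


def parse_cmp_states(text: str) -> Dict[int, int]:
    """Return {slot: cmp_state} from clsh output; cmp_state is the first
    all-digit line after each '=== slot N ...' header."""
    states: Dict[int, int] = {}
    current: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SLOT_HEADER.match(line)
        if m:
            current = int(m.group(1))
            continue
        if current is not None and line.isdigit():
            states[current] = int(line)
            current = None
    return states


def online_slots(cmp_state: int) -> List[int]:
    """Decode a cmp_state bitmask into the list of slots it considers on-line."""
    return [bit + 1 for bit in range(cmp_state.bit_length())
            if (cmp_state >> bit) & 1]


def broken_links(states: Dict[int, int]) -> List[Tuple[int, int]]:
    """Directed pairs (a, b) where slot a's view omits slot b although b is
    reporting. An empty list means every blade agrees on the cluster state."""
    missing = []
    for a, state in states.items():
        seen = set(online_slots(state))
        for b in states:
            if b not in seen:
                missing.append((a, b))
    return sorted(missing)


def cmp_states_consistent(states: Dict[int, int]) -> bool:
    """True when all slots report the identical cmp_state (the healthy case)."""
    return len(set(states.values())) <= 1


def report(text: str) -> str:
    """Human-readable summary in the same form the release note uses."""
    states = parse_cmp_states(text)
    lines = ["slot%d: slots %s on-line (cmp state 0x%x / %d)" % (
        s, ", ".join(str(x) for x in online_slots(st)), st, st)
        for s, st in sorted(states.items())]
    if cmp_states_consistent(states):
        lines.append("OK: all slots agree")
    else:
        lines.append("CMP state discrepancy between blades: " + ", ".join(
            "slot%d cannot see slot%d" % ab for ab in broken_links(states)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CLSH_OUTPUT))
```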
841333-3 : TMM may crash when tunnel used after returning from offline
Component: TMOS
Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.
Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
839597-2 : Restjavad fails to start if provision.extramb has a large value
Component: Device Management
Symptoms:
Rolling restarts of restjavad occur every few seconds and the following messages are seen in the daemon log:
daemon.log: emerg logger: Re-starting restjavad
The system reports a similar message at the command line.
No obvious cause is logged in rest logs.
Conditions:
-- System DB variable provision.extramb has an unusually high value*:
+ above ~2700-2800 MB for v12.1.0 and earlier.
+ above ~2900-3000 MB for v13.0.0 and later.
-- On v13.0.0 and later, sys db variable restjavad.useextramb needs to have the value 'true'
*A range of values is shown. When the value is above the approximate range specified, constant restarts are extremely likely; values within tens of MB below that point may cause less frequent restarts.
To check the values of these system DB variables, use:
tmsh list sys db provision.extramb
tmsh list sys db restjavad.useextramb
Impact:
This impacts the ability to use the REST API to manage the system.
Workaround:
If sys db restjavad.useextramb must have the value 'true', keep sys db provision.extramb well below the values listed (e.g., 2000 MB works without issue).
To set that at command line:
tmsh modify sys db provision.extramb value 2000
If continual restarts of restjavad are causing difficulties managing the unit on the command line:
1. Stop restjavad (you can copy this string and paste it into the command line on the BIG-IP system):
tmsh stop sys service restjavad
2. Reduce the large value of provision.extramb if necessary.
3. Restart the restjavad service:
tmsh start sys service restjavad
Fix:
Restjavad memory is now capped at a sensible maximum.
If provision.extramb is set to a value higher than 2500 MB it will be considered to be 2500 MB for the purposes of restjavad, and the system logs a message similar to the following in /var/log/ltm, where XXXX is the value of provision.extramb:
notice restjavad: JVM heap limit exceeded. Using maximum supported value of 2500 instead of provision.extramb XXXX.
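The thresholds above are easy to mis-apply because they depend on both the software version and restjavad.useextramb. The following POSIX shell functions are an added example, not F5 code: a pre-check that takes the two DB values and the version and reports whether a restjavad restart loop is likely, and a small parser for the 'tmsh list sys db' output shown in this note. The limits are the lower edges of the approximate ranges quoted above; the cap of 2500 MB on fixed builds is not modelled here.

```sh
# check_extramb <provision.extramb in MB> <restjavad.useextramb true|false> <BIG-IP version>
# Returns 0 when restjavad is expected to stay up, 1 when a restart loop is likely.
check_extramb() {
    extramb=$1; useextramb=$2; version=$3
    major=${version%%.*}
    if [ "$major" -ge 13 ]; then
        # on v13.0.0 and later the JVM only honours provision.extramb when
        # restjavad.useextramb is true, so any value is safe otherwise
        [ "$useextramb" = "true" ] || return 0
        limit=2900   # low edge of the ~2900-3000 MB range quoted for v13.0.0 and later
    else
        limit=2700   # low edge of the ~2700-2800 MB range quoted for v12.1.0 and earlier
    fi
    if [ "$extramb" -gt "$limit" ]; then
        echo "provision.extramb=$extramb MB exceeds ~$limit MB for v$version: restjavad restart loop likely" >&2
        return 1
    fi
    return 0
}

# db_value: extract the value from 'tmsh list sys db <key>' output read on stdin, e.g.
#   sys db provision.extramb {
#       value "3200"
#   }
db_value() {
    sed -n 's/^[[:space:]]*value "\([^"]*\)".*$/\1/p'
}

# Usage on a live BIG-IP (not run here; pass the version by hand):
#   check_extramb "$(tmsh list sys db provision.extramb | db_value)" \
#                 "$(tmsh list sys db restjavad.useextramb | db_value)" 13.1.4
```

If the check fails, lower provision.extramb as described in the Workaround section before restjavad's restart loop makes the REST API unusable.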
839453-2 : lodash library vulnerability CVE-2019-10744
Solution Article: K47105354
838909-6 : BIG-IP APM Edge Client vulnerability CVE-2020-5893
Solution Article: K97733133
838901-1 : TMM receives invalid rx descriptor from HSB hardware
Component: TMOS
Symptoms:
The HSB hardware returns an invalid receive (rx) descriptor to TMM. This results in a TMM core and can be seen as a SIGSEGV in the TMM logs. This also might result in continuous restarts of TMM, resulting in subsequent SIGSEGVs reported in the TMM logs until the unit is manually recovered.
Conditions:
The exact conditions under which this occurs are unknown.
Impact:
Traffic disrupted while tmm restarts. This may result in continuous TMM restarts until the BIG-IP system is rebooted.
Workaround:
None.
838709-2 : Enabling DoS stats also enables page-load-time
Component: Application Visibility and Reporting
Symptoms:
If collect-all-dos-statistic is enabled, AVR 'promises' to the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-length header.
Conditions:
Security :: reporting : settings : collect-all-dos-statistic is enabled.
Impact:
In addition to collecting DoS statistics, JavaScript injection also occurs.
Workaround:
Can use iRules to control which pages should get the JavaScript injection.
For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.
Fix:
Changed the condition that inserts the JavaScript injection when 'collect all dos stats' is enabled.
838685-1 : DoS report exist in per-widget but not under individual virtual
Component: Application Visibility and Reporting
Symptoms:
'Undefined entity dosl7_vip was used' error message is reported on widgets whenever a 'Virtual Server' filter is selected on the 'Security :: Reporting : DoS : Custom Page' GUI page.
Conditions:
-- Navigate to Security :: Reporting : DoS : Custom Page in the GUI.
-- Filter widgets results with specific 'Virtual Server'.
Impact:
GUI widgets report errors and cannot show stats.
Workaround:
This GUI fix requires modifying a single PHP file in one location, which you can do directly on your BIG-IP system with a few bash commands:
1. Backup the file '/var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php':
$ cp /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/
2. Change permissions to allow modifying it:
$ chmod +w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
3. Change the file to include the fix:
$ sed -i 's/dosl7_vip/vip/g' /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
$ sed -i "s/ANALYTICS_MOD_DNS_DOS => 'vip'/ANALYTICS_MOD_DNS_DOS => 'dns_vip'/g" /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
4. Verify that the fix is as expected:
$ vimdiff /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/dos_custom_overview_commons.php
(** You should see two lines modified:
1. ANALYTICS_MOD_DOSL7 => 'dosl7_vip' to ANALYTICS_MOD_DOSL7 => 'vip'.
2. ANALYTICS_MOD_DNS_DOS => 'vip' to ANALYTICS_MOD_DNS_DOS => 'dns_vip')
5. Revert permissions of the file:
$ chmod -w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
6. Log out and log back into the GUI, so that the new version of the file loads.
Fix:
GUI configuration for the 'Virtual Server' filter is fixed with the correct dimension name.
838677-5 : lodash library vulnerability CVE-2019-10744
Solution Article: K47105354
837773-4 : Restjavad Storage and Configuration Hardening
Solution Article: K12936322
836357-1 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
Component: Service Provider
Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.
Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- A message is sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by 'node <ip> <port>' and 'snat <ip> <port>' iRules command.
-- The destination flow is in the FIN-wait2 stage.
Impact:
This causes the BIG-IP system to abort the flow that originates the message.
Workaround:
None.
Fix:
SIP MBLB no longer incorrectly initiates a new flow from a virtual IP to the client when the existing flow is in the FIN-wait2 stage.
834533-4 : Linux kernel vulnerability CVE-2019-15916
Solution Article: K57418558
834257-5 : TMM may crash when processing HTTP traffic
Solution Article: K25400442
833685-1 : Idle async handlers can remain loaded for a long time doing nothing
Component: Application Security Manager
Symptoms:
Idle async handlers can remain loaded for a long time doing nothing because they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.
Conditions:
This issue might result from several sets of conditions. Here is one:
Exporting a large XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.
Impact:
Depletion of memory by lingering idle async handlers may deprive other processes of sufficient memory, triggering out-of-memory conditions and process failures.
Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart asm_config_server periodically using cron, as idle handlers are soon created again.
Fix:
Idle async handlers now exit after 5 minutes of not receiving any new calls.
833213-5 : Conditional requests are served incorrectly with AAM policy in webacceleration profile
Component: WebAccelerator
Symptoms:
HTTP 1.1 allows a conditional request with header If-Modified-Since or If-Unmodified-Since to determine whether a resource changed since a specified date and time. If AAM is provisioned and its policy is assigned to a virtual server, it may incorrectly respond with 304 Not Modified, even after the resource was updated.
Conditions:
-- AAM is provisioned and webacceleration policy is attached to a virtual server.
-- Client sends a conditional request with If-Modified-Since or If-Unmodified-Since header.
-- The BIG-IP system responds from AAM cache.
Impact:
Client does not receive an updated resource.
Workaround:
Use a webacceleration profile without an AAM policy for resources that require conditional checks, so that they fall back to RAM Cache.
Fix:
The BIG-IP system now respects If-Modified-Since or If-Unmodified-Since header and provides an appropriate response for the requested resource when compared to the date supplied in either header.
833113-1 : Avrd core when sending large messages via https
Component: Application Visibility and Reporting
Symptoms:
Sending large messages (>4 KB) via HTTPS may cause avrd to core.
Conditions:
This typically happens when the BIG-IP system is managed by BIG-IQ and the configuration is large and complex, or traffic capturing is enabled.
Impact:
Messages to BIG-IQ are lost. In severe cases, analytics functionality may be unavailable due to continuous avrd cores.
Workaround:
None.
Fix:
Fixed an avrd crash
833049-3 : Category lookup tool in GUI may not match actual traffic categorization
Component: Access Policy Manager
Symptoms:
Category Lookup agent has changed to include the IP in the categorization query. The BIG-IP TMUI does not do the same (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup).
Conditions:
-- SWG or URLDB provisioned.
-- Run traffic with category lookup in the PRP and note the category produced.
-- Run the same URL through the GUI lookup tool or the command line tool.
Impact:
Some websites may be categorized differently depending on whether the IP address is passed in.
Workaround:
None.
832885-5 : Self-IP hardening
Solution Article: K05975972
832757-4 : Linux kernel vulnerability CVE-2017-18551
Solution Article: K48073202
831777-2 : Tmm crash in Ping access use case
Solution Article: K42933418
831549 : Marketing name does not display properly for BIG-IP i10010 (C127)
Component: TMOS
Symptoms:
The /var/log/ltm log includes error messages about the marketing name:
Invalid marketing name.
Conditions:
-- Running BIG-IP software version 13.1.3.1.
-- Using BIG-IP i10010 (C127) platform.
Impact:
This causes errors in the logs, and affects the tmsh and LCD displays. The LCD displays C127 for the Platform Name instead of the actual platform name. The TMSH command, tmsh show sys hw, displays C127 for the Platform Name instead of the actual platform name.
Workaround:
None.
Fix:
This is fixed in version 13.1.3.2.
831325-3 : HTTP PSM detects more issues with Transfer-Encoding headers
Solution Article: K10701310
Component: Local Traffic Manager
Symptoms:
HTTP PSM may not detect some invalid Transfer-Encoding headers.
Conditions:
HTTP PSM is used to detect HTTP RFC violations. A request with an invalid Transfer-Encoding header is sent.
Impact:
Traffic is not alarmed/blocked as expected.
Workaround:
None.
Fix:
HTTP PSM detects new cases of invalid Transfer-Encoding headers.
831293-2 : SNMP address-related GET requests slow to respond.
Component: TMOS
Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.
Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.
Impact:
Slow performance.
Workaround:
None.
830833-3 : HTTP PSM blocking resets should have better log messages
Component: Local Traffic Manager
Symptoms:
When reset-cause logging is turned on, or when RST packet logging is used, the reset reason used when rejecting bad HTTP PSM traffic is not descriptive.
Conditions:
This occurs under either of these conditions:
-- HTTP PSM is used, and a request is blocked.
-- Reset cause or RST packet logging is enabled.
Impact:
The reset reason given is not descriptive, making troubleshooting difficult.
Workaround:
None.
Fix:
The reset reason used when rejecting HTTP PSM traffic is more descriptive.
830401-5 : TMM may crash while processing TCP traffic with iRules
Solution Article: K54200228
830341-4 : False positives Mismatched message key on ASM TS cookie
Component: Application Security Manager
Symptoms:
ASM system triggers false positives for ASM Cookie Hijacking violation with reason "Mismatched message key"
Conditions:
-- An HTTP request containing an old frame cookie with a different message key from the main ts cookie is rejected
-- The cookie is left intact
Impact:
All subsequent requests are rejected on ASM Cookie Hijacking violation
Workaround:
1. Disable the 'Learn Host Names' flag on all policies. If the policy builder is in manual mode, change it back to Auto mode, disable 'Learn Host Names', then change it to manual mode again.
OR
2. Delete the mismatched cookie. This stops the violations if the request comes from a legitimate endpoint.
Fix:
ASM system does not trigger false positives
830073-5 : AVRD may core when restarting due to data collection device connection timeout
Component: Application Visibility and Reporting
Symptoms:
Avrd crashes, one or more core avrd files exist in /var/core
Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel
-- Avrd is restarted.
Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes
Workaround:
None.
Fix:
The AVRD HTTPS module now stops any connection attempts when shutdown sequence is in progress, so this issue no longer occurs.
829821-4 : Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured
Component: TMOS
Symptoms:
If a very large number of pool members are configured (tens of thousands), mcpd may miss its high availability (HA) heartbeat and be killed by sod.
Conditions:
-- A large number of pool members.
-- Pool member validation occurs (such as when loading a configuration or doing a configsync operation).
Impact:
Mcpd is killed by sod. This causes a failover (when the BIG-IP is in a DSC) or outage (if standalone).
Workaround:
None.
829677-4 : .tmp files in /var/config/rest/ may cause /var directory exhaustion
Component: TMOS
Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.
Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.
Conditions:
Traffic is processed while the DoS Dashboard is open.
This happens because a VIPRION worker process becomes unavailable after a REST timeout.
Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.
Workaround:
Manually run the following commands, in sequence:
bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad
Fix:
Increased the REST socket timeout and shellexecutor timeout values to 6 minutes to fix the VIPRION worker timeout.
The fix also includes automatic removal of unused tmp files.
829317-1 : Memory leak in icrd_child due to concurrent REST usage
Component: TMOS
Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.
Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing device via REST.
Impact:
Memory slowly leaks in icrd_child.
Workaround:
None.
Fix:
Fixed a memory leak in icrd_child.
829193-5 : REST system unavailable due to disk corruption
Component: TMOS
Symptoms:
-- The iControl REST commands respond with the following:
[INFO] Text: u'{"code":200,"message":"REST system unavailable due to disk corruption! See /var/log/restjavad.*.log for errors.","restOperationId":1472895,"kind":":resterrorresponse"}'
-- The GUI indicates that iAppLX sub-system is unresponsive.
-- On the BIG-IP device, /var/config/rest/storage/LOST-STORAGE.txt exists.
Conditions:
The conditions that trigger this are unknown. It might be due to a previous catastrophic event such as power loss or out-of-memory errors.
Manually creating the file /var/config/rest/storage/LOST-STORAGE.txt can also trigger this error.
Impact:
The iControl REST system is unavailable.
Workaround:
Run the following commands at the BIG-IP command prompt:
bigstart stop restjavad restnoded
rm -rf /var/config/rest/storage
rm -rf /var/config/rest/index
bigstart start restjavad restnoded
rm -f /var/config/rest/downloads/*.rpm
rm -f /var/config/rest/iapps/RPMS/*.rpm
tmsh restart sys service tomcat
Then, reinstall any iAppLX packages that were installed.
829121-5 : State mirroring default does not require TLS
Solution Article: K65720640
829117-5 : State mirroring default does not require TLS
Solution Article: K17663061
828937-4 : Some systems can experience periodic high IO wait due to AVR data aggregation
Solution Article: K45725467
Component: Application Visibility and Reporting
Symptoms:
Systems with a large amount of statistics data collected in the local database (i.e., systems not working with BIG-IQ) can have high IO wait CPU usage, peaking at 10-minute, 1-hour, and 24-hour intervals. This is caused by the data aggregation process that runs on the local database. Note that a large memory footprint, particularly for avrd, might be a symptom of this.
Conditions:
-- The BIG-IP system is collecting statistics locally (i.e., not sending data to BIG-IQ or another external device).
-- There is a large amount of statistics data.
-- May occur even if AVR is not explicitly provisioned.
Impact:
High IO can impact various processes on BIG-IP systems. Some of them can experience timeouts and might restart.
Workaround:
The most effective workaround is to lower the amount of data collected by setting the 'avr.stats.internal.maxentitiespertable' DB variable to a lower value. The recommended values are 20000 (on larger, more powerful systems with more than 16 cores) or 2148 (on smaller systems).
Note: After you lower the database value, continue to monitor the BIG-IP system for long I/O wait times and high CPU usage. If symptoms persist and the system continues to experience resource issues, you may need to reset the BIG-IP AVR statistics. For information about resetting BIG-IP AVR statistics, refer to K14956: Resetting BIG-IP AVR statistics :: https://support.f5.com/csp/article/K14956.
Fix:
The default value of the avr.stats.internal.maxentitiespertable DB variable is now 2148 on systems with 16 or fewer CPU cores.
828601-4 : IPv6 Management route is preferred over IPv6 tmm route
Component: Local Traffic Manager
Symptoms:
The IPv6 management route has a lower metric than the static IPv6 TMM route. As a result, traffic that matches the default route goes to the management interface.
Conditions:
-- Create an IPv6 management route, which is going to be a default gateway.
-- Receive another default gateway from a configured peer using any dynamic routing protocol (BGP, OSPF, etc.).
Impact:
The incorrect routing table sends the traffic that matches the default route to the management interface.
Workaround:
None.
Fix:
IPv6 routes now prioritize TMM interfaces.
826601-3 : Prevent receive window shrinkage for looped flows that use a SYN cookie
Component: Local Traffic Manager
Symptoms:
TMM cores.
Conditions:
-- VIP to VIP (looped flow) configuration.
-- SYN cookie is used.
-- Initial receive window is greater than 3.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
-- Set the initial receive window value of the VIP to 3.
Fix:
Receive window shrinkage is prevented for looped flows using SYN cookies.
825413-1 : /var/lib/mysql can run out of disk space with ASM provisioned
Component: Application Security Manager
Symptoms:
PRX.BRUTE_FORCE_* db tables do not have a row_limit, so they can grow to consume all available disk space in /var/lib/mysql.
Conditions:
ASM provisioned
Impact:
/var/lib/mysql can run out of disk space
Workaround:
1. Truncate the two large tables. This clears all rows in those tables and should free disk space.
Note that existing brute force username and IP reporting data will be lost.
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_USERNAMES"
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_IPS"
2. Add a row_limit for the two tables to avoid the same issue in the future.
Add the following lines at the bottom of /etc/ts/tools/clean_db.yaml (the nested keys are indented under the table name):
PRX.BRUTE_FORCE_MITIGATED_USERNAMES:
  row_limit: 100000
  order_by: brute_force_mitigated_username_id
PRX.BRUTE_FORCE_MITIGATED_IPS:
  row_limit: 100000
  order_by: brute_force_mitigated_ip_id
Restart the clean_db process (restarting it has no impact):
# pkill -f clean_db
Wait 30 seconds and make sure the process came back:
# ps aux | grep clean_db
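The clean_db.yaml edit in step 2 is a plain append, so running the workaround twice, or from a configuration-management script, would leave duplicate stanzas. The following shell functions are an added example, not part of the F5 note: they append a row_limit stanza only when no top-level key for that table exists yet, and count how many times a key appears so the result can be verified. They are exercised here against a temporary file rather than /etc/ts/tools/clean_db.yaml, and the two-space indentation of the nested keys is assumed.

```sh
# ensure_row_limit <yaml-file> <table> <row_limit> <order_by-column>
# Appends a clean_db.yaml-style stanza for <table> unless a top-level key for
# that table already exists. Returns 0 when the stanza is present afterwards,
# 1 if the file does not exist.
ensure_row_limit() {
    file=$1; table=$2; limit=$3; order_by=$4
    [ -f "$file" ] || return 1
    # escape the dots in names like PRX.BRUTE_FORCE_MITIGATED_IPS so grep matches literally
    pattern="^$(printf '%s' "$table" | sed 's/\./\\./g'):"
    if grep -q "$pattern" "$file"; then
        return 0        # already configured; leave the file untouched
    fi
    printf '%s:\n  row_limit: %s\n  order_by: %s\n' "$table" "$limit" "$order_by" >> "$file"
}

# count_stanzas <yaml-file> <table>: number of top-level keys for <table> (expect 1)
count_stanzas() {
    pattern="^$(printf '%s' "$2" | sed 's/\./\\./g'):"
    grep -c "$pattern" "$1" || true
}

# Usage on a BIG-IP (not run here):
#   ensure_row_limit /etc/ts/tools/clean_db.yaml PRX.BRUTE_FORCE_MITIGATED_USERNAMES 100000 brute_force_mitigated_username_id
#   ensure_row_limit /etc/ts/tools/clean_db.yaml PRX.BRUTE_FORCE_MITIGATED_IPS 100000 brute_force_mitigated_ip_id
#   pkill -f clean_db        # then confirm it came back: ps aux | grep clean_db
```

The table truncation in step 1 still has to be done by hand with the mysql commands above, since it needs the decrypted database password from /var/db/mysqlpw.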
824365-1 : Need informative messages for HTTP iRule runtime validation errors
Component: Local Traffic Manager
Symptoms:
For HTTP iRule runtime validation errors, an ERR_NOT_SUPPORTED error message is appended (with rule name and event) to /var/log/ltm, but the message is not informative about the cause of the validation error:
err tmm1[20445]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri".
The system should post a more informative message, in this case:
err tmm[10662]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - can't call after responding - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri"
Conditions:
-- HTTP filter and HTTP iRules are used by a virtual server.
-- An HTTP iRule runtime validation error happens. For example, HTTP::uri is called after HTTP::respond () which is not supported.
Impact:
With no informative error messages, it is difficult to identify the validation error.
Workaround:
There is no workaround at this time.
Fix:
Informative messages are provided for HTTP iRule runtime validation errors.
824149-1 : SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured
Component: Service Provider
Symptoms:
In SIP ALG virtual with source-nat-policy assigned, if traffic processed by the virtual server does not match source-nat-policy, or if it matches source-nat-policy that does not have source-translation configured, tmm cores and restarts.
Conditions:
-- SIP ALG virtual server with an assigned source-nat-policy.
-- Traffic does not match the source-nat-policy, or traffic matches a source-nat-policy that has no source-translation configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure SIP ALG virtual so that the condition never happens. For example, apply a source attribute to the virtual server that filters out traffic that will not match the source-nat-policy. Never use a source-nat-policy that has no source-translation.
824093-1 : Parameters payload parser issue
Component: Application Security Manager
Symptoms:
Incorrect parameter parsing occurs under some conditions. For example, in a signature violation, the 'Actual Parameter Name' value appears as 'attachment; filename'.
Conditions:
-- ASM in use.
-- Request contains multipart headers.
Impact:
Incorrect policy enforcement.
Workaround:
None.
Fix:
This release fixes an issue related to multipart requests.
823893-4 : Qkview may fail to completely sanitize LDAP bind credentials
Solution Article: K03318649
822025-4 : HTTP response not forwarded to client during an early response
Component: Local Traffic Manager
Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.
Conditions:
-- A slow client.
-- An early server response with the HTTP::respond iRule.
Impact:
A client does not receive the redirect from the HTTP::respond iRule.
Workaround:
None.
Fix:
The client now receives the redirect from the HTTP::respond iRule.
820845-1 : Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.
Component: TMOS
Symptoms:
BIG-IP systems might not respond to ARP / Neighbor Discovery requests received via EtherIP tunnels on a multi-blade system.
Conditions:
Decapsulated ARP / Neighbor Discovery requests for an address owned by the BIG-IP system are processed by a secondary blade.
Impact:
Some endpoints may not be able to resolve addresses (ARP / Neighbor Discovery) via the EtherIP tunnel.
Workaround:
Create static ARP entries on affected endpoints.
819397-3 : TMM does not enforce RFC compliance when processing HTTP traffic
Solution Article: K50375550
Component: Local Traffic Manager
Symptoms:
TMM does not require RFC compliance when processing HTTP traffic. This does not impact the performance or security of BIG-IP systems, but may impact connected systems if they expect only compliant traffic to be forwarded.
Conditions:
-- HTTP virtual server
-- Non-compliant HTTP request from client
Impact:
Pool members may be exposed to non-compliant HTTP requests.
Workaround:
None.
Fix:
The HTTP filter now optionally performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.
Behavior Change:
A new BigDB variable has been added.
The new 'Tmm.HTTP.RFC.Enforcement' option may be enabled or disabled. It is disabled by default.
If enabled, the HTTP filter performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.
The checks performed are a subset of those described within the HTTP PSM module. If a blocking page is required, or more detailed control over which checks are performed, configure HTTP PSM or ASM on the virtual server.
If either HTTP PSM or ASM are configured on a virtual server, the state of the 'Tmm.HTTP.RFC.Enforcement' BigDB variable is ignored on that virtual server.
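Neither this entry nor ID 831325 above lists the concrete checks that 'Tmm.HTTP.RFC.Enforcement' or HTTP PSM perform. As an added, illustrative example that is not F5 code, the following shell function applies a small subset of the RFC 7230 framing rules that matter most for request smuggling (request-line shape, token-only field names, exactly one Host on HTTP/1.1, a numeric and non-conflicting Content-Length, chunked as the final Transfer-Encoding, and never both Content-Length and Transfer-Encoding) to a request head read on stdin. Which of these BIG-IP enforces is an assumption, not something the page states; the point is to have a reproducible set of constructed non-compliant requests to send at a test virtual server before and after enabling the variable.

```sh
# check_http_request: read one HTTP/1.x request head (request-line plus headers,
# CRLF or LF line endings) from stdin, print one line per framing violation found,
# and return 1 if any were found, 0 otherwise.
check_http_request() {
    awk '
    { sub(/\r$/, "") }                       # accept CRLF and bare LF
    NR == 1 {                                # request-line: method SP target SP version
        n = split($0, p, " ")
        if (n != 3 || p[3] !~ /^HTTP\/1\.[01]$/) { print "bad request-line: " $0; bad++ }
        ver = p[3]
        next
    }
    /^$/ { exit }                            # blank line ends the header block
    {
        # field-name must be a token immediately followed by ":" (no obs-fold, no space)
        if ($0 !~ /^[A-Za-z0-9!#$%&*+.^_|~-]+:/) { print "malformed header: " $0; bad++; next }
        name  = tolower(substr($0, 1, index($0, ":") - 1))
        value = substr($0, index($0, ":") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", value)
        count[name]++
        if (name == "content-length") {
            if (value !~ /^[0-9]+$/) { print "non-numeric Content-Length: " value; bad++ }
            else if ((name in seen) && seen[name] != value) { print "conflicting Content-Length values"; bad++ }
        }
        if (name == "transfer-encoding") {
            m = split(tolower(value), codings, /[ \t]*,[ \t]*/)
            if (codings[m] != "chunked") { print "Transfer-Encoding without final chunked coding: " value; bad++ }
        }
        seen[name] = value
    }
    END {
        if (ver == "HTTP/1.1" && count["host"] != 1) { print "HTTP/1.1 request must carry exactly one Host header"; bad++ }
        if (("content-length" in seen) && ("transfer-encoding" in seen)) { print "both Content-Length and Transfer-Encoding present"; bad++ }
        exit (bad > 0)
    }'
}

# Example (constructed smuggling-style request; expected to be rejected):
#   printf 'POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n' | check_http_request
```

On a BIG-IP the variable is toggled with the same tmsh form used elsewhere in this note, e.g. tmsh modify sys db tmm.http.rfc.enforcement value enable (the lowercase key spelling and the enable/disable values are assumed from the other DB keys on this page). Remember that the setting is ignored on any virtual server that already has HTTP PSM or ASM attached, so test against a virtual server without either.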
819197-6 : BIGIP: CVE-2019-13135 ImageMagick vulnerability
Solution Article: K20336394
819189-5 : BIGIP: CVE-2019-13136 ImageMagick vulnerability
Solution Article: K03512441
819053-4 : CVE-2019-13232 unzip: overlapping of files in ZIP container
Component: TMOS
Symptoms:
CVE-2019-13232 unzip: overlapping of files in a ZIP container leads to denial of service.
Conditions:
Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container.
Impact:
Overlapping files in a ZIP container lead to a denial of service in UnZip.
Workaround:
N/A
Fix:
UnZip updated to resolve CVE-2019-13232
818853-5 : Duplicate MAC entries in FDB
Component: Local Traffic Manager
Symptoms:
Forwarding DataBase (FDB) not updated when a MAC moves among interfaces.
Conditions:
-- Having multiple paths to a MAC in a given configuration.
Impact:
There are duplicate MAC address entries which come from multiple interfaces.
Workaround:
None.
818709-4 : TMSH does not follow current best practices
Solution Article: K36814487
818429-2 : TMM may crash while processing HTTP traffic
Solution Article: K70275209
818213-6 : CVE-2019-10639: KASLR bypass using connectionless protocols
Solution Article: K32804955
818177-1 : CVE-2019-12295 Wireshark Vulnerability
Solution Article: K06725231
816413-4 : CVE-2019-1125: Spectre SWAPGS Gadget
Solution Article: K31085564
816273-4 : L7 Policies may execute CONTAINS operands incorrectly.
Component: Local Traffic Manager
Symptoms:
L7 Policies involving CONTAINS operands may execute incorrectly in some cases.
The policy compiler may incorrectly combine some internal states, 'forgetting' degrees of partial evaluation of a CONTAINS operation.
Conditions:
Multiple CONTAINS conditions are used on the same virtual server.
Impact:
The wrong policy actions may be triggered.
Workaround:
It may be possible to reorder the rules in a policy to restore correct operation. However, the more complex the policy, the less likely this is.
Fix:
L7 Policy CONTAINS operations are compiled correctly. Policies with CONTAINS operations no longer trigger the wrong rule actions.
815877-4 : Information Elements with zero-length value are rejected by the GTP parser
Component: Service Provider
Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.
Conditions:
Virtual server with GTP profile enabled processing GTP traffic.
Impact:
Well-formed GTP messages might get rejected.
Workaround:
Avoid sending GTP messages containing zero-length IEs.
Fix:
Zero-length IEs are now processed correctly.
815753-4 : TMM leaks memory when explicit SWG is configured with Kerberos authentication
Component: Access Policy Manager
Symptoms:
Memory usage of the filter keeps increasing over time and becomes one of the major consumers of TMM memory.
Conditions:
This issue happens if the following conditions are met:
1. Access profile type is SWG-explicit.
2. Access policy contains HTTP 407 Response policy item with HTTP Auth Level being Negotiate.
3. Kerberos is used to authenticate a user.
Impact:
TMM sweeper enters aggressive mode and reaps connections.
Workaround:
None.
815529-4 : MRF outbound messages are dropped in per-peer mode
Component: Service Provider
Symptoms:
When a Message Routing profile is configured with a peer consisting of an outbound virtual server, transport config, no pool, and per-peer mode, messages may be dropped when the outgoing connection is persisted to a different tmm than the message was received on.
Conditions:
-- Message Routing Profile.
-- A peer configured for outbound traffic with a virtual server and transport config in per-peer mode, no pool.
-- Persistence is enabled.
-- Multiple outbound messages with the same destination address.
Impact:
Outbound traffic with the same destination address may be dropped at random.
Workaround:
Change the peer connection mode to 'Per TMM'.
Fix:
Multiple outbound messages to the same destination address are no longer randomly dropped.
815425 : RAID status is shown <undefined> after upgrade from 12.1.3.5 to 13.1.x★
Component: TMOS
Symptoms:
On RAID-supported BIG-IP platforms, after an upgrade from BIG-IP v12.1.3.5 to BIG-IP v13.1.x, the RAID array member state is shown as 'undefined' by the following commands, although the actual RAID status is 'up':
- array
- tmsh show sys raid
Conditions:
On RAID supported platforms, clean install of BIG-IP 12.1.x version followed by upgrade to BIG-IP 13.1.x version.
Impact:
RAID information is reported wrongly.
Fix:
RAID information is retrieved and parsed according to the new mdadm supported in BIG-IP 13.1.x version.
814761-3 : PostgreSQL monitor fails on second ping with count != 1
Component: Local Traffic Manager
Symptoms:
When using one of the DB monitors (Oracle, MSSQL, MySQL, PostgreSQL) to monitor the health of a server, the pool member may initially be marked UP, but then will be marked DOWN on the next and all subsequent pings.
When this occurs, an error message similar to the following appears in the monitor-instance log under /var/log/monitors:
Database down, see /var/log/DBDaemon.log for details.
Exception in thread "DBPinger-##" java.lang.AbstractMethodError: org.postgresql.jdbc3.Jdbc3Connection.isValid(I)Z
at com.f5.eav.DB_Pinger.db_Connect(DBDaemon.java:1474)
at com.f5.eav.DB_Pinger.db_Ping(DBDaemon.java:1428)
at com.f5.eav.MonitorWorker.run(DBDaemon.java:772)
at java.lang.Thread.run(Thread.java:748)
Conditions:
This may occur if all of the following conditions are true:
1. You are using a DB monitor (Oracle, MSSQL, MySQL, PostgreSQL) configured with a 'count' value of either '0' or a value of '2' or higher.
2. You are using a version of BIG-IP (including an Engineering Hotfix) which contains the fix for ID 775901.
Impact:
Unable to monitor the health of PostgreSQL server pool members accurately.
Workaround:
To work around this issue, configure a 'count' value of '1' in the PostgreSQL monitor configuration.
Fix:
The DB monitor reports the health of a DB server pool member accurately in conjunction with the fix for ID 775901.
814585-5 : PPTP profile option not available when creating or modifying virtual servers in GUI
Component: TMOS
Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.
Conditions:
Creating or modifying a virtual server in the GUI.
Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.
Workaround:
Use TMSH to add a PPTP profile to the virtual server.
814097-4 : Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.
Component: Service Provider
Symptoms:
When using the Generic Message router to convert SIP messages from TCP to UDP, BIG-IP fails to raise the SERVER_CONNECTED iRule event.
Conditions:
Converting the transport of SIP messages with the Generic Message router.
Impact:
Any code that waits for the SERVER_CONNECTED event will not run.
Fix:
The SERVER_CONNECTED event is now raised.
814037-1 : No virtual server name in Hardware Syncookie activation logs.
Component: Local Traffic Manager
Symptoms:
The virtual server name is missing from Hardware Syncookie activation logs. The LTM log contains messages such as:
notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.
Conditions:
-- More than one virtual server with the same destination IP (e.g., 'x.x.x.x').
-- Port 'y' is configured.
-- Hardware Syncookie is activated.
Impact:
It is difficult to determine which virtual server actually had Syncookie activated.
Workaround:
None.
813945-1 : PB core dump while processing many entities
Component: Application Security Manager
Symptoms:
PB core dump.
Conditions:
This may happen when the system is under strain and PB is processing large policies (updating many entities can occur during periodic processing and response analysis).
This scenario occurs very rarely.
Impact:
PB core dump and restart.
Workaround:
None.
Fix:
PB core dump no longer occurs.
813673-1 : The HTTP Explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT
Component: Local Traffic Manager
Symptoms:
A typical configuration of the HTTP Explicit Proxy includes four virtual servers:
-- Two virtual servers for the Explicit Proxy, one IPv4, one IPv6.
-- Two general-purpose virtual servers: one IPv4, one IPv6.
The general-purpose virtual servers allow handling of CONNECT tunneling over the HTTP-tunnel interface.
Unfortunately, if an IPv6 client tries to CONNECT to an IPv4 destination, it fails, returning a 503 status error.
This is due to the IPv6 general-purpose virtual server not being found when performing the destination lookup.
Conditions:
-- The HTTP explicit proxy is used on an IPv6 address.
-- 'default-connect-handling deny' is configured on the explicit proxy HTTP profile.
-- IPv4 and IPv6 general-purpose virtual servers exist on the HTTP-tunnel interface.
-- The client connects, and uses CONNECT to proxy to an IPv4 address.
Impact:
The client will not be able to CONNECT through the explicit proxy to an IPv4 address.
Workaround:
None.
Fix:
Mismatched IPv6 to IPv4 scenarios are supported with the HTTP Explicit Proxy.
813657 : MRF SIP ALG with SNAT incorrectly detects ingress queue full
Component: Service Provider
Symptoms:
When SIP ALG processes a non-registered subscriber SIP outbound call, the ingress queue counter may underflow. This is interpreted as the ingress queue being full, and the rest of the messages are dropped.
Conditions:
SIP ALG processes non-registered subscriber SIP outbound calls (the nonregister-subscriber-callout option is enabled in the SIP session profile).
Impact:
SIP ALG incorrectly detects the ingress queue is full and stops processing the rest of SIP ALG traffic.
Workaround:
None
Fix:
When SIP ALG processes a non-registered subscriber SIP call, the ingress queue counter is now handled correctly.
813561-1 : MCPD crashes when assigning an iRule that uses a proc
Component: Local Traffic Manager
Symptoms:
MCPD crashes when assigning an iRule to a Virtual Server or loading a config with an iRule assigned.
Conditions:
The iRule uses a proc that contains three statements associated with different feature flags.
Impact:
MCPD crashes, and the desired iRule cannot be used.
Workaround:
None
Fix:
iRules using proc can be assigned to a Virtual Server without crashing MCPD.
812981-2 : MCPD: memory leak on standby BIG-IP device
Component: TMOS
Symptoms:
MCPD memory consumption may increase on the standby BIG-IP device if the APM configuration is updated. Some of the allocated memory is not freed after the configuration update.
Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically
Impact:
MCPD may consume a large amount of memory on the standby device. Normal functionality of the standby device may stop; a reboot of the device is required.
Fix:
MCPD on the standby BIG-IP device no longer consumes more memory than the same daemon on the active BIG-IP device.
812525-5 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Solution Article: K27551003
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003
Workaround:
None.
Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003
812341-1 : Patch or Delete commands take a long time to complete when modifying an ASM signature set.
Component: Application Security Manager
Symptoms:
When modifying an ASM signature set that is not attached to any security policy using iControl REST Patch or Delete commands, the command takes a long time to complete.
Conditions:
-- ASM provisioned.
-- Using REST API Patch or Delete command to modify an ASM signature set.
Impact:
Command takes longer (several seconds) to process on detached ASM signature sets than it takes to complete on attached signature sets.
Workaround:
None.
Fix:
Changes to signatures and signature sets now only recompile policies that are affected by the change.
812237-3 : i10000 series appliances with HDVC part number 505-0030 missing name in show sys hardware and on LCD
Component: TMOS
Symptoms:
"tmsh show sys hardware" will not display a "Name" for the Platform on i10000 series appliances with part number 505-0030.
The LCD will not display the system name.
Conditions:
i10000 series appliances with part number 505-0030 with HDVC (high voltage DC) power supplies.
Impact:
Display only. No functional impact.
The LCD and "tmsh show sys hardware" will not display the product name of i10600 or i10800 as expected.
Workaround:
None
Fix:
The correct F5 marketing name is now displayed for i10000 series appliances with high-voltage DC power supplies.
811965-3 : Some VDI use cases can cause excessive resource consumption
Solution Article: K73657294
811789-4 : Device trust UI hardening
Solution Article: K57214921
811745-4 : Failover between clustered DIAMETER devices can cause mirror connections to be disconnected
Component: Service Provider
Symptoms:
When using DIAMETER with certain settings, a failover might cause mirror connections to get disconnected.
Conditions:
-- Two or more BIG-IP systems in a high availability (HA) configuration.
-- Aggressive settings for the DIAMETER watchdog timeout and max failures.
Impact:
Loss of mirroring between BIG-IP systems.
Workaround:
None.
Fix:
Mirror connections no longer disconnect during a failover.
811145-4 : VMware View resources with SAML SSO are not working
Component: Access Policy Manager
Symptoms:
Connections to SAML-enabled VMware View resources fail with the following error in /var/log/apm:
err vdi[18581]: 019cffff:3: /pathname: {a7.C} Failed to handle View request: Can't find 'artifact' parameter.
Conditions:
VMware View resource is configured with SAML SSO method.
Impact:
Users cannot launch VMware View apps/desktops via SAML-enabled resource.
Workaround:
None.
Fix:
VMware View resources with SAML SSO can now be used successfully.
811105-3 : MRF SIP-ALG drops SIP 183 and 200 OK messages
Component: Service Provider
Symptoms:
SIP 183 and 200 OK messages are dropped after an INVITE in MRF SIP-ALG when media info is present in the Session Description Protocol.
Conditions:
- MRF SIP-ALG default configuration
- INVITE sent with media info in SDP
- Media info contains an rtcp attribute without an IP address
Impact:
SIP calls are unable to establish media connections.
Workaround:
Ensure all RTCP attributes in the SDP have IP addresses.
Example: Change "a=rtcp:29974\r\n" to "a=rtcp:29974 IN IP4 10.10.10.10\r\n"
Fix:
Calls are able to establish media connections in MRF SIP-ALG when media info contains an RTCP with no IP information.
811033-3 : MRF: BiDirectional pesistence does not work in reverse direction if different transport protocols are used
Component: Service Provider
Symptoms:
If a message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP), messages traveling from the destination to the source of the persistence entry are incorrectly delivered to the destination.
Conditions:
-- A message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP).
-- Messages are traveling from the destination to the source of the persistence entry.
Impact:
Messages are forwarded to an incorrect endpoint.
Workaround:
None.
Fix:
For all bi-directional persistence records, the transport protocol of the connection is no longer used in the key under which the record is stored.
810821-4 : Management interface flaps after rebooting the device
Component: TMOS
Symptoms:
The Management interface flaps after rebooting the device, which may cause a momentary active-active condition in a high availability (HA) configuration.
Conditions:
This can occur after rebooting the active or standby device in an HA configuration if the final management port configuration completes late in the startup sequence. This can be due to network conditions for the network the management port is connected to.
This problem has been observed only on hardware platforms.
Impact:
Devices go active-active for a few seconds and then resume normal operation.
Workaround:
You may be able to work around this by changing the management port speed to 100/Fixed Duplex.
For more information on changing the interface, see K14107: Configuring the media speed and duplex settings for network interfaces (11.x - 13.x), available at https://support.f5.com/csp/article/K14107.
Fix:
The startup sequence has been changed to confirm that management port configuration is complete before proceeding with HA processing.
810593-4 : Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★
Solution Article: K10963690
Component: TMOS
Symptoms:
The vCMP guests go to 'INOPERATIVE' after upgrade.
Conditions:
-- Upgrading the host from v12.1.4.1.
-- Upgrading the host from v13.1.1.5.
Impact:
The vCMP guests go to the 'INOPERATIVE' state and do not pass traffic.
Workaround:
There is no workaround. You must upgrade the vCMP host to a fixed version, for example, 15.1.0.
810557-9 : ASM ConfigSync Hardening
Solution Article: K05123525
810537-3 : TMM may consume excessive resources while processing iRules
Solution Article: K12234501
810445-3 : PEM: ftp-data not classified or reported
Component: Local Traffic Manager
Symptoms:
When a virtual server is configured with an FTP profile, and also a PEM or classification profile, the traffic associated with the FTP data stream is not correctly classified or reported.
Conditions:
-- Virtual server is configured with an FTP profile.
-- A PEM or classification profile is also configured.
Impact:
Traffic associated with ftp-data (i.e., file transfers using FTP) may not be classified or reported.
Workaround:
None.
Fix:
ftp-data is now correctly classified and reported. Note that 'inherit-parent-profile' must be enabled in the FTP profile.
810381-1 : The SNMP max message size check is being incorrectly applied.
Component: TMOS
Symptoms:
If the SNMP server receives an SNMPv3 request with a small max message size, it then applies that check to all requests. This can cause SNMPv1 and SNMPv2c requests to time out if they or their responses are too long, for example, large GetBulk requests.
Conditions:
An SNMPv3 request with a small max message size is received while large SNMPv1 and SNMPv2c requests are being processed.
Impact:
Responses time out.
Workaround:
Do not send SNMPv3 requests to the BIG-IP system.
Fix:
SNMPv3 requests no longer impact SNMPv1 and SNMPv2c requests.
809597-1 : Memory leak in icrd_child observed during REST usage
Component: Local Traffic Manager
Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.
Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing device via REST.
Impact:
The memory leak is slow but progressive. Eventually, the icrd_child process runs out of memory.
Workaround:
None.
Fix:
Fixed a memory leak in icrd_child.
809377-4 : AFM ConfigSync Hardening
Solution Article: K05123525
809205-3 : CVE-2019-3855: libssh2 Vulnerability
Component: TMOS
Symptoms:
An integer overflow flaw, which could lead to an out-of-bounds write, was discovered in libssh2 before 1.8.1 in the way packets are read from the server.
Conditions:
-- Authenticated administrative user with Advanced Shell Access.
-- Use of cURL from the command line to connect to a compromised SSH server.
Impact:
A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.
Workaround:
None.
Fix:
libcurl has been updated.
809165-4 : TMM may crash while processing connector traffic
Solution Article: K50046200
808525-4 : TMM may crash while processing Diameter traffic
Solution Article: K55812535
808409-1 : Unable to specify if giaddr will be modified in DHCP relay chain
Component: Local Traffic Manager
Symptoms:
ID 746077 changed the dhcprelay behavior to comply with RFC 1542, Clarifications and Extensions for BOOTP.
However, because the change also encompasses DHCP-to-DHCP relay, the behavior is not configurable with a db key.
Conditions:
DHCP Relay deployments where the giaddr needs to be changed.
Impact:
You are unable to specify whether giaddr will be changed.
Workaround:
None.
Fix:
A new sys db variable, tmm.dhcp.relay.giaddr.overwrite, is introduced.
The default is:
sys db tmm.dhcp.relay.giaddr.overwrite {
value "enable"
}
On versions with the fix for ID 746077, this sys db variable DOES NOT exist, and the BIG-IP system always retains the source IP.
On versions with both this fix and the fix for ID 748333, this fix overrides the fix for ID 746077. To change the default, set the value to "disable" to retain
808301-1 : TMM may crash while processing IP traffic
Solution Article: K04897373
808281 : OVA/Azure template sets '/var' partition with not enough space
Component: TMOS
Symptoms:
After booting a new BIG-IP Virtual Edition (VE) image from OVA or Azure, you see errors on the console:
Broadcast message from root@localhost.localdomain:
011d0004:3: Disk partition /var has only 19% free.
Conditions:
Installing BIG-IP software via the OVA template or Azure image.
Impact:
The system is generally unusable; applications cannot operate without space in /var. Diskmonitor reports errors on the console and in /var/log/ltm.
Workaround:
Remove unused APM binaries in /var/sam/images.
807821-3 : ICMP echo requests occasionally go unanswered
Component: Local Traffic Manager
Symptoms:
The ARP entry gets stuck in the NEXTHOP_INCOMPLETE state for several seconds.
Conditions:
-- There is no ARP entry for the return-route router.
-- The 'remote' BIG-IP system receives an ICMP echo request.
Impact:
Possible traffic failures.
Workaround:
None.
Fix:
ICMP echo replies are always sent for a valid ICMP echo request.
807477-9 : ConfigSync Hardening
Solution Article: K04280042
807445 : Replaced ISC_TRUE and ISC_FALSE with true and false
Component: Global Traffic Manager (DNS)
Symptoms:
The zrd code has been updated to remove references to ISC_TRUE and ISC_FALSE, since BIND has been upgraded to 9.11.8 and those macros no longer exist.
Conditions:
BIND version is earlier than 9.11.8.
Impact:
There is no functional impact.
Workaround:
None.
Fix:
References to ISC_TRUE and ISC_FALSE have been removed from zrd, since the software has been upgraded to BIND 9.11.8 and those macros no longer exist.
807177-1 : HTTPS monitoring is not caching SSL sessions correctly
Component: Global Traffic Manager (DNS)
Symptoms:
In situations where a cached SSL session cannot be used, there are conditions under which the information for old and new SSL sessions is not properly updated, and valid SSL sessions are not terminated in an orderly fashion.
Conditions:
When using GTM HTTPS monitoring.
Impact:
Information for old and new SSL sessions is not properly updated, and valid SSL sessions are not terminated in an orderly fashion.
Workaround:
Restart big3d by running the following command:
bigstart restart big3d
807005-3 : Save-on-auto-sync is not working as expected with large configuration objects
Component: TMOS
Symptoms:
A device group has 'save sys config' enabled for all auto-sync operations using the following command:
modify cm device-group name save-on-auto-sync true
Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.
Conditions:
-- The save-on-auto-sync option is enabled.
-- The device has a large configuration, such as 2,100 virtual servers and ~1,100 partitions.
Impact:
Configuration is not saved, which leads to out-of-sync condition.
Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.
805837-4 : REST does not follow current design best practices
Solution Article: K22441651
805017-3 : DB monitor marks pool member down if no send/recv strings are configured
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle or PostgreSQL database monitor type) is configured without a 'send' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool members are configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- No send string is configured for the monitor.
Impact:
With this configuration, the monitor connects to the configured database, but does not issue a query or check for a specific response. Pool members are always marked DOWN when using a database monitor with no 'send' string configured.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
804477-2 : Add HSB register logging when parts of the device become unresponsive
Component: TMOS
Symptoms:
Parts of the HSB can become unresponsive, with insufficient logging to diagnose the root cause. Additional data needs to be captured when the issue occurs.
Conditions:
This additional logging will trigger whenever parts of the HSB become unresponsive.
Impact:
The register logging will provide further insight into the HSB state when it becomes unresponsive.
Workaround:
None.
Fix:
Additional logging of HSB register states has been added whenever parts of the HSB become unresponsive.
804313-4 : MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.
Component: Service Provider
Symptoms:
The mirrored-message-sweeper-interval configuration option has no effect on the BIG-IP system.
Conditions:
MRF in use, high availability configured, and a SIP profile is configured to use a specific Mirrored Message Sweeper Interval setting.
Impact:
On a system under high load, the next active device in a high availability (HA) pair could run out of memory.
Workaround:
None
Fix:
Message sweeper interval value now loads correctly.
804309-3 : [api-status-warning] messages are generated on stderr and in /var/log/ltm when listing config with the all-properties argument
Component: TMOS
Symptoms:
Running the command 'tmsh list' on a pool or virtual server with the 'all-properties' argument generates a warning:
[api-status-warning] ltm/virtual, properties : deprecated : urldb-feed-policy
Conditions:
Including the 'all-properties' argument with the 'tmsh list' command.
Impact:
There is no impact to the system. The excessive [api-status-warning] messages on stderr and in /var/log/ltm for tmsh list commands are spurious, benign, and can be ignored.
Workaround:
tmsh modify /mgmt shared settings api-status log resource-property deprecatedApiAllowed false
tmsh modify /mgmt shared settings api-status log resource deprecatedApiAllowed false
804185-3 : Some WebSafe request signatures may not work as expected
Component: Fraud Protection Services
Symptoms:
Request signatures are part of the WebSafe signature mechanism. A request signature is achieved by configuring an FPS-protected URL and a corresponding custom alert. If the URL is a wildcard, a priority must be assigned to determine the order of matching. URL matching by priority is not working properly. As a result, the signatures do not work as expected.
Conditions:
There is at least one wildcard URL configured by the request signature update file.
Impact:
A portion of WebSafe request signatures do not work as expected:
-- An alert is sent, though it should not be (false-positive).
-- An alert was not sent, though it should be (false-negative).
Workaround:
Configure the same signature manually in the BIG-IP system's GUI/tmsh.
Fix:
FPS now correctly handles the priority of signature-based wildcard URLs.
803933-4 : Expat XML parser vulnerability CVE-2018-20843
Solution Article: K51011533
803825 : WebSSO does not support large NTLM target info length
Component: Access Policy Manager
Symptoms:
WebSSO crashes.
Conditions:
When the optional field of the target info is about 1000 bytes or larger.
Impact:
WebSSO crashes, resulting in loss of service.
Workaround:
Configure NTLM not to have large target info; less than 800 is recommended.
803813-3 : TMM may experience high latency when processing WebSocket traffic
Component: Application Security Manager
Symptoms:
Under certain conditions, TMM may experience higher than usual latency when processing WebSocket traffic.
Conditions:
-- WebSocket traffic.
-- Very long connections or large amounts of traffic.
-- Platforms with many CPUs.
Impact:
Increased latency in WebSocket traffic.
Workaround:
None.
Fix:
Fixed an issue that could cause latency with WebSocket traffic.
803809-1 : SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.
Component: Service Provider
Symptoms:
When MRF SIP is configured in per-client mode and preserve-strict source port is enabled on a virtual server, messages may fail to forward due to port collisions when multiple clients try to use the same port (which is expected/accepted behavior with this configuration). After the port has been freed or the configuration changed, messages continue to fail for clients that had previous port collisions.
Conditions:
-- MRF SIP configured with Per-Client connection mode and a virtual server with preserve-strict source port enabled.
-- Multiple clients try to connect using the same local port.
-- Previously failed client connections attempt to connect again after the port has been freed or configuration changed.
Impact:
Calls from one or more clients cannot be completed.
Workaround:
You can prevent this behavior using either workaround:
-- Configure a different connection mode (Per-TMM, for example).
-- Disable preserve-strict source port on the virtual server.
Fix:
Clients with previous connection failures are now able to connect when the port is no longer in use or the configuration has been changed.
803645-1 : GTMD daemon crashes
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process crashes in response to a call triggered by its own timer event.
Conditions:
The conditions that cause this intermittent issue are difficult to reproduce, but it might occur when the system is under heavy load and gtmd is starved of CPU cycles.
Impact:
The gtmd process restarts and produces a core file.
Workaround:
None.
803477-1 : BADoS state file load failure when signature protection is off
Component: Anomaly Detection Services
Symptoms:
Behavioral DoS (BADoS) loses its learned thresholds.
Conditions:
Restart of admd when signature protection is off.
Impact:
The system must relearn the thresholds; BADoS protection is not available during the learning period.
Workaround:
Turn on signature detection.
Fix:
The BADoS state file now loads successfully after an admd restart, even without signature detection.
803233-4 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
Component: Local Traffic Manager
Symptoms:
Intermittently (depending on the timing of operations that keep MCP busy):
1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:
-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.
2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:
-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.
Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.
Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.
Workaround:
None.
Fix:
FQDN ephemeral pool members are created in a more timely manner when FQDN resolution via DNS returns new address records.
802961-1 : The 'any-available' prober selection is not as random as in earlier versions
Component: Global Traffic Manager (DNS)
Symptoms:
Some big3d instances can be periodically busier than other big3d instances.
Conditions:
-- When 'any-available' is selected for either the prober-preference or prober-fallback options.
-- A large number of monitors are defined.
Impact:
When the 'any-available' prober option is used, the selection of big3d probers may not be as random as in BIG-IP software versions prior to v13.0.0.
Workaround:
None.
802685-4 : Unable to configure performance HTTP virtual server via GUI
Component: TMOS
Symptoms:
When creating 'performance HTTP' virtual servers via GUI, the following error is reported:
01070734:3: Configuration error: A Virtual Server(/Common/vfasthttp) cannot be associated with both fasthttp and L4 profile.
Conditions:
Use the GUI to create a virtual server of type Performance (HTTP).
Impact:
The 'performance HTTP' virtual server cannot be created.
Workaround:
Use TMSH to configure the performance HTTP virtual server:
tmsh create ltm virtual vfasthttp destination 1.1.1.1:80 ip-protocol tcp profiles add { fasthttp }
802281-4 : Gossip shows active even when devices are missing
Component: TMOS
Symptoms:
Gossip appears Active even when one or more devices go missing from the device group. 'restcurl shared/gossip' shows active on both devices, even when the devices are not listed in 'restcurl shared/resolver/device-groups/tm-shared-allBIG-IPs/devices'.
Conditions:
The conditions under which this issue occurs are unknown. This is an intermittent issue.
Impact:
Gossip reports that it is working when it is not.
Workaround:
-- If the missing device is the active device, run the following command on the Active DSC Device:
restcurl -X POST -d '{}' tm/shared/bigip-failover-state
-- If the missing device is the standby device, reboot the device, make it active, and then run the following command:
restcurl -X POST -d '{}' tm/shared/bigip-failover-state
801705-2 : When inserting a cookie or a cookie attribute, BIG-IP does not add the leading space required by the RFC
Component: Local Traffic Manager
Symptoms:
The 'HTTP::cookie attribute' iRule command allows manipulation of Cookie or Set-Cookie headers in HTTP requests or responses. When this command is used to insert a cookie attribute, it appends the attribute (and a possible value) to the header without a leading space character. A leading space character is required by RFC 6265. When such a header is formed with the iRule command 'HTTP::cookie insert' or 'HTTP::cookie attribute insert', the leading space is not provided, violating the RFC.
Conditions:
-- A virtual server with HTTP profile is configured.
-- There is an iRule generating or updating a cookie header with 'HTTP::cookie insert' or 'HTTP::cookie attribute insert' command.
Impact:
There is no space preceding the attribute, so RFC 6265 is violated.
Workaround:
When inserting a cookie attribute with the iRule command, add a leading space to the name of the attribute to be inserted.
801637-1 : Cmp_dest on C2200 platform may give incorrect results
Component: TMOS
Symptoms:
Cmp_dest on C2200 platform may give incorrect results.
Conditions:
Run cmp_dest.
Impact:
Incorrect results from cmp_dest.
Fix:
Cmp_dest now gives correct results.
800453-1 : False positive virus violations
Solution Article: K72252057
Component: Application Security Manager
Symptoms:
False positive ASM virus violations.
Conditions:
Specific connection characteristics between ASM and the antivirus server may cause replies from the antivirus server to be missed by the ASM.
Impact:
ASM reports a virus when the antivirus reply times out, resulting in false positive blocking or violation reporting.
Workaround:
Set the EnableASMByPass internal parameter so that ASM allows the antivirus server not to reply and does not issue a violation when this occurs:
/usr/share/ts/bin/add_del_internal add EnableASMByPass 1
bigstart restart asm
Note: When the internal parameter is enabled, ASM also bypasses huge HTTP requests (when they come on multiple connections) instead of resetting them.
Fix:
False positive ASM virus violations no longer occur under these conditions.
800305-4 : VDI::cmp_redirect generates flow with random client port
Component: Local Traffic Manager
Symptoms:
The VDI::cmp_redirect iRule command generates a flow with a randomly-assigned client port.
Conditions:
-- The VDI::cmp_redirect iRule command is used.
Impact:
Client port is not the same as the original client port.
Fix:
The VDI::cmp_redirect iRule command now uses the same client port as the original connection.
800193 : Update OpenSSH to version 7 or later for disabling of DSA keys
Component: TMOS
Symptoms:
The current OpenSSH version (6.6.1p1) in BIG-IP v13.1.x does not allow DSA keys to be disabled. The lack of this feature causes audit failures, because DSA keys are allowed to authenticate to the BIG-IP system.
Conditions:
The issue can be seen on BIG-IP software that has OpenSSH version 6.6.
Impact:
The lack of this feature (disabling DSA keys) causes audit failures because DSA keys are allowed to authenticate to the BIG-IP system.
Workaround:
None.
Fix:
This release updates OpenSSH to version 7, which allows DSA keys to be disabled.
800185-2 : Saving a large encrypted UCS archive may fail and might trigger failover
Component: TMOS
Symptoms:
-- When saving a very large encrypted UCS file, you may encounter an error:
# tmsh save /sys ucs my_ucs passphrase <mysecret>
Saving active configuration...
Can't fork at /usr/local/bin/im line 305.
/var/tmp/configsync.spec: Error creating package
-- If saving UCS is automated you may find related errors in /var/log/audit:
err scriptd[45342]: 014f0013:3: Script (/Common/f5.automated_backup__backup) generated this Tcl error: (script did not successfully complete: (UCS saving process failed. while executing "tmsh::save /sys ucs $fname ))
-- Other services might be restarted due to lack of memory, which might result in failover.
-- System management via the Configuration utility or command line may be sluggish while the UCS saves.
Conditions:
-- Large encrypted UCS files and low free host memory.
-- UCS file sizes in hundreds of MB are much more likely to encounter this issue, along with free memory less than 1 GB.
Impact:
The operation uses at least 1.3 times the UCS file size of RAM. The UCS may not get saved correctly, and if not enough memory is available, low free-memory symptoms become apparent.
The latter may result in services being killed to free memory, resulting in service impact and failover, though it is quite typical for the overly large process saving the UCS to be terminated with no other impact.
Workaround:
A mitigation is to minimise UCS file size. UCS files large enough to encounter this issue typically contain very large files, some of which may not be needed or are no longer necessary.
Remove unnecessary large files from directories that contribute to UCS archives, for example, stray, large files such as packet captures in /config or its subdirectories. (For help understanding what is in UCS archives, see K12278: Removing non-essential files from a UCS when disk space errors are encountered :: https://support.f5.com/csp/article/K12278.)
If using APM, remove unnecessary EPSEC ISO files. (For more information, see K21175584: Removing unnecessary OPSWAT EPSEC packages from the BIG-IP APM system :: https://support.f5.com/csp/article/K21175584.)
Fix:
Saving a large UCS file no longer fails.
799617-4 : ConfigSync Hardening
Solution Article: K05123525
799589-4 : ConfigSync Hardening
Solution Article: K05123525
799149 : Authentication fails with empty password
Component: Access Policy Manager
Symptoms:
Per-request policy authentication fails when an empty password is detected. The following errors are seen in the APM logs:
-- err apmd[13930]: 01490301:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Empty session variable value received from tmm.
-- err apmd[13930]: 01490302:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Failed to decrypt session variable 'subsession.logon.last.password' from tmm with error code: 3.
Conditions:
-- APM is licensed and provisioned.
-- Per-req policy is created with at least one Auth agent.
Impact:
APM end users cannot change a password/token or access backend resources.
Workaround:
None.
Fix:
Per-request policy authentication no longer fails on an empty password. If the backend server accepts an empty password, authentication should work.
798261-4 : APMD fails to create session variables if spanning is enabled on SWG transparent virtual server
Component: Access Policy Manager
Symptoms:
The following messages appear in the APM log, and the user session is terminated:
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_finish_set_pipeline()" line: 720 Msg: Error: Set pipeline: While receiving response to 0 cmd set /.*/tmm.session.6833364e.session.assigned.uuid 0 0 32 s
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_server_disconnect()" line: 2533 Msg: Error: bad memcache connection (tmm:1), (fd:205)
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
The SET command failed because it incorrectly attempted to create the session variable in all traffic groups.
Conditions:
1. Virtual address for SWG transparent is 0.0.0.0
2. Spanning on the virtual address is enabled.
Impact:
User sessions are terminated.
Workaround:
Disable virtual address spanning.
Fix:
N/A
797885-4 : ConfigSync Hardening
Solution Article: K05123525
797829-3 : The BIG-IP system may fail to deploy new or reconfigure existing iApps
Component: TMOS
Symptoms:
The BIG-IP system may fail to deploy new or reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:
script did not successfully complete: ('source-addr' unexpected argument while executing
The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.
The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.
Conditions:
This issue occurs when:
-- The BIG-IP system is configured with multiple users of varying roles.
-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all of those processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been viewing iApp configurations in the GUI frequently.
-- Subsequently, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.
Note: You can inspect the number of child processes already created by scriptd by running the following command:
pstree -a -p -l | grep scriptd | grep -v grep
However, it is not possible to determine their current 'security context'.
Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.
Workaround:
Restart scriptd. To restart scriptd, run:
bigstart restart scriptd
Running this command has no negative impact on the system.
The workaround is not permanent; the issue may occasionally recur depending on your system usage.
Fix:
The system now stops all scriptd child processes and creates new ones with the new user security-context when the user changes.
797785-3 : AVR reports no ASM-Anomalies data.
Component: Application Visibility and Reporting
Symptoms:
AVR collects data for ASM-Anomalies, which include Brute-Force and Web-Scraping activities. When reported, all metrics and dimensions are hidden. AVR output looks like this:
errdefs_msgno=\"22282253\",Entity=\"ASM_ANOMALIES\
Conditions:
When gathering statistics reporting a Brute-Force or Web-Scraping attack.
Impact:
AVR reports no ASM-Anomalies data.
Workaround:
None.
797769-3 : Linux vulnerability : CVE-2019-11599
Solution Article: K51674118
796993-3 : Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
Component: Local Traffic Manager
Symptoms:
When a pool contains FQDN nodes as pool members, pool member state change messages are not logged in /var/log/ltm.
Conditions:
-- Create a pool with FQDN nodes as its pool members.
-- Apply a monitor to it.
-- The monitor marks the pool member up or down based on reachability.
Impact:
-- Status message is not updated in /var/log/ltm logs.
-- There is no functional impact.
796601-6 : Invalid parameter in errdefsd while processing hostname db_variable
Component: TMOS
Symptoms:
Errdefsd crashes, creates a core file, and restarts.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Possible loss of some logged messages.
Workaround:
None.
796469-2 : ConfigSync Hardening
Solution Article: K05123525
795797-4 : AFM WebUI Hardening
Solution Article: K21121741
795649-2 : Loading UCS from one iSeries model to another causes FPGA to fail to load
Component: TMOS
Symptoms:
When loading a UCS file from one iSeries model to a different iSeries model, the FPGA fails to load due to a symlink in the UCS file pointing to the firmware version for the source device.
The system will remain in INOPERATIVE state, and messages similar to the following will be seen repeatedly in /var/log/ltm:
-- emerg chmand[7806]: 012a0000:0: FPGA firmware mismatch - auto update, No Interruption!
-- emerg chmand[7806]: 012a0000:0: No HSBe2_v4 PCIs found yet. possible restart to recover Dataplane.
-- emerg chmand[7806]: 012a0000:0: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
-- err chmand[7806]: 012a0003:3: HAL exception publishing switch config: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
Conditions:
Loading a UCS from one iSeries model onto another model, for example, from an i7800 onto an i11400-ds, or from an i2600 to an i5600.
Impact:
FPGA fails to load; the BIG-IP system becomes unusable.
Workaround:
1. Update the symbolic link /config/firmware/hsb/current_version to point to the correct firmware file for the hardware model in use. Here are some examples:
-- For the i2800:
# ln -sf /usr/firmware/hsbe2v4_atlantis/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
-- For the i7800:
# ln -sf /usr/firmware/hsbe2v2_discovery/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
-- For the i11400-ds:
# ln -sf /usr/firmware/hsbe2_discovery_turbo/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
2. Reboot the system.
795437-2 : Improve handling of TCP traffic for iRules
Solution Article: K06747393
795197-3 : Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Solution Article: K26618426
794561-4 : TMM may crash while processing JWT/OpenID traffic.
Solution Article: K46901953
794501-4 : Duplicate if_indexes and OIDs between interfaces and tunnels
Component: TMOS
Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.
Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.
Impact:
SNMP OIDs relating to interfaces may yield incomplete results.
Duplicate if_indexes and duplicate OIDs. SNMP logs error messages:
# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
if-index 64 <-------------------------------
net interface mgmt {
if-index 32
net vlan external {
if-index 96
net vlan internal {
if-index 112
net vlan test {
if-index 128
net vlan tmm_bp {
if-index 48
net tunnels tunnel http-tunnel {
if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
if-index 80
# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm
-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: high availability (HA) daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: high availability (HA) daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: high availability (HA) proc_running named enabled.
=========================
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289
Workaround:
No workaround currently known.
Fix:
Duplicate if_indexes are no longer assigned to tunnels and interfaces. The resulting duplicate SNMP OIDs are prevented.
794493 : Creating Client SSL profile via tmsh or iControl REST and specifying 'cert' and 'key' incorrectly leaves inherit-certkeychain as true
Component: Local Traffic Manager
Symptoms:
Client SSL profiles may have distinct (different from parent profile) certificate and key files, but the 'inherit-certkeychain' attribute set as 'true', even though the profile should not be inheriting these values from parent, for example:
ltm profile client-ssl example-prof {
    cert example.crt
    cert-key-chain {
        example {
            app-service none
            cert example.crt
            chain none
            key example.key
            passphrase none
        }
    }
    defaults-from intermediate
    inherit-certkeychain true
    key example.key
}
If multiple profiles are configured for SNI and assigned to a virtual server, attempting to modify the parent profile can result in error:
err mcpd[5352]: 0107149e:3: Virtual server /Common/vs_test has more than one clientssl/serverssl profile with same server name.
Conditions:
-- Parent profile other than 'clientssl'
-- Have a child profile created by defining 'cert' and 'key' attributes, rather than specifying a 'cert-key-chain', e.g.:
tmsh create ltm profile client-ssl example-prof defaults-from intermediate cert example.crt key example.key
Impact:
Unable to modify the SSL profile if the profiles are assigned to a virtual server.
If profiles are not configured for SNI, the specified certificate and key on child profiles will be reverted to the values from the parent profile.
Workaround:
Create SSL profiles by specifying cert-key-chain, rather than separately specifying 'cert' and 'key' attributes on SSL profile.
For profiles that are already affected, you can use either of the following workarounds.
Use the GUI:
-- Modify profiles using the GUI and check the 'Custom' checkbox for 'Certificate Key Chain'.
Change the configuration file:
1. Save the configuration.
2. Open bigip.conf for editing.
3. Modify the affected profiles, changing 'inherit-certkeychain true' to 'inherit-certkeychain false'.
4. Load the configuration.
Fix:
SSL profiles created specifying certificates and keys in the profile now have inherit-certkeychain set to false.
794417-2 : Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not★
Component: Local Traffic Manager
Symptoms:
On a single virtual server, when 'TLS Renegotiation' is enabled in an associated Client SSL profile, the system should prevent enabling the 'Enforce TLS Requirements' option in the associated HTTP/2 profile.
Conditions:
BIG-IP system validation does not prevent this configuration in the following scenario:
1. Disable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
2. Enable 'TLS Renegotiation' in the Client SSL profile.
3. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
Impact:
The configuration does not load if saved, and reports an error:
01070734:3: Configuration error: In Virtual Server (/Common/http2vs) an http2 profile with enforce-tls-requirements enabled is incompatible with clientssl profile '/Common/my_clientssl'; renegotiation must be disabled.
Workaround:
If enabling 'Enforce TLS Requirements' in an HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in all Client SSL profiles on that virtual server.
Fix:
Added a missing validation check for TLS Renegotiation and Enforce TLS Requirements.
Behavior Change:
BIG-IP validation now requires TLS Renegotiation in the SSL profile to be disabled when the TLS enforcement requirement (RFC 7540) is enabled in the HTTP/2 profile.
794413-9 : BIND vulnerability CVE-2019-6471
Solution Article: K10092301
794389-9 : iControl REST endpoint response inconsistency
Solution Article: K89509323
793121-1 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
Component: TMOS
Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.
Conditions:
The TMUI redirect-http-to-https is enabled.
Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.
Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.
793013 : MRF DIAMETER: Implement sweeper for pending request messages queue
Component: Service Provider
Symptoms:
MRF Diameter remembers details for each request message to assist with routing answer messages. If the answer message is not received, this information is not cleaned up.
Conditions:
The server does not respond to a request message with an answer message.
Impact:
For each unanswered request message, memory is leaked. Eventually the system might run out of memory and restart.
Workaround:
None.
Fix:
The DIAMETER logic now deletes any stale pending request record that is older than twice the configured transaction timeout (in the diameterrouter profile).
793005-4 : 'Current Sessions' statistic of MRF/Diameter pool may be incorrect
Component: Service Provider
Symptoms:
In MRF/Diameter deployment, the LTM pool 'Current Sessions' statistics may show an unusually large number, such as 18446744073709551606.
Conditions:
When a Diameter answer does not match a pending request, the answer message is dropped, but the BIG-IP system still decrements the 'Current Sessions' counter. If the counter is already zero, it underflows.
Impact:
The 'Current Sessions' statistic can be used to track the number of pending requests in the queue. When it underflows, the number becomes useless, making troubleshooting more difficult.
Workaround:
None.
Fix:
The 'Current Sessions' statistic of an MRF/Diameter pool now reports correctly.
792341-4 : Google Analytics shows incorrect stats.
Component: Application Security Manager
Symptoms:
ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.
Conditions:
Scenario 1:
-- ASM provisioned.
-- ASM policy attached to a virtual server with challenge mitigation enabled (as part of brute force protection, for example).
Scenario 2:
-- Bot defense profile attached to a virtual server with challenge mitigation enabled.
Scenario 3:
-- DoS Application profile attached to a virtual server with challenge mitigation enabled.
Impact:
Incorrect data is displayed in the Google Analytics dashboard.
Workaround:
Use an iRule that injects google-analytics.js into the challenge white page in the HTTP_RESPONSE_SENT event.
Fix:
ASM now handles the backend's response to fix up document.referrer for tools that read this property.
792285-3 : TMM crashes if the queuing message to all HSL pool members fails
Component: TMOS
Symptoms:
When a system uses a High Speed Logging (HSL) configuration with an HSL pool, TMM crashes if queuing a message to all HSL pool members fails.
Conditions:
-- Two-member pool configured as remote-high-speed-log destination.
-- Data-plane logging is in use, for example (but not limited to) the iRule command HSL::send.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
792265-1 : Traffic logs do not include the BIG-IQ tags
Component: Application Visibility and Reporting
Symptoms:
AVR collects traffic data. When that data is reported to BIG-IQ, it omits the BIG-IQ tags which are required by BIG-IQ.
Conditions:
AVR collects traffic data and sends it to BIG-IQ.
Impact:
There are no BIG-IQ tags in the traffic logs. BIG-IQ is unable to map traffic-capturing logs to applications.
Workaround:
None.
Fix:
Traffic logs now include the BIG-IQ tags.
791369-4 : The REST framework may reflect client data in error logs
Solution Article: K01049383
790845-1 : An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default
Component: Local Traffic Manager
Symptoms:
An In-TMM monitor may be marked down when the CMP-hash (Cluster Multiprocessing) is set to non-default value.
Conditions:
-- There is a configured In-TMM monitor (K11323537).
-- CMP-hash is set to non-default value.
Note: For information about In-TMM monitoring, see K11323537: Configuring In-TMM monitoring :: https://support.f5.com/csp/article/K11323537.
Impact:
An In-TMM monitor is falsely marked as down.
Workaround:
Use default settings for a CMP-hash.
Fix:
An In-TMM monitor is not marked down when a non-default CMP-hash is in use.
790205-2 : Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core
Component: Local Traffic Manager
Symptoms:
TMM cores when adding a route (either statically or dynamically) to a child route domain.
Conditions:
Adding a more-specific route to a child domain that overrides a route in the default domain.
Impact:
TMM cores. A failover or outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores when adding routes to child domains.
789921-4 : TMM may restart while processing VLAN traffic
Solution Article: K03386032
789893-4 : SCP file transfer hardening
Solution Article: K54336216
788773-4 : HTTP/2 Vulnerability: CVE-2019-9515
Solution Article: K50233772
788769-4 : HTTP/2 Vulnerability: CVE-2019-9514
Solution Article: K01988340
788753-1 : GATEWAY_ICMP monitor marks node down with wrong error code
Component: Local Traffic Manager
Symptoms:
The pool state shows down when there is no route configured to the node.
Conditions:
-- In-tmm gateway_icmp monitor configured for a node or pool member.
-- There is no route to the node or pool member.
Impact:
The pool member or node is marked down and the reason listed is 'timeout', instead of 'no route to host'.
Workaround:
None.
788577 : BFD sessions may be reset after CMP state change
Component: TMOS
Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.
This happens in the following instances:
- Blade reset.
- Booting up or shutting down.
- Running 'bigstart restart'.
- Setting a blade state from/to primary/secondary.
During these events, Bidirectional Forwarding Detection (BFD) session processing ownership might migrate from the old processing TMMs to newly selected TMMs. This process is rapid and can lead to a contest between several TMMs over which should be the next BFD processing owner.
It might also lead to a situation where the BFD session is deleted and immediately recreated.
This problem occurs rarely and only on a chassis with more than one blade.
Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- A CMP state change occurs on one of the blades.
-- The BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change, and a contest between the old TMM owner and the new TMM owner occurs.
Impact:
When the BFD session is recreated, it marks the corresponding routing protocol DOWN, if one is configured. The protocol might be BGP, OSPF, or any other routing protocol that supports BFD.
This causes the routing protocol to withdraw the dynamic routes it learnt, making it impossible to advertise dynamic routes of the affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or on other devices in the routing mesh.
In most cases, the unexpected routing decisions concern networks learnt by the affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and the responsiveness of other routing devices connected to the BIG-IP system. It is the usual routing convergence period, which includes setting up the peering and exchanging routing information and routes.
Workaround:
There are two workarounds, although the latter is probably impractical:
-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.
Fix:
BFD session is no longer reset during CMP state change.
788557 : BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior
Component: TMOS
Symptoms:
GRST refers to the BGP 'graceful restart' timeout.
The problem occurs when the routing daemon bgpd restarts or starts (for example, after the bgpd daemon is terminated; terminating the daemon in this way is not supported). Another trigger is running the 'bigstart restart' command on the primary blade of a chassis with more than one blade.
After the new primary blade takes over, BGP and BFD sessions are recreated at around the 'graceful restart' timeout interval.
Conditions:
-- BGP and BFD are configured.
-- The BGP router's 'graceful restart' option is configured and enabled (set to 120 by default).
-- The bgpd daemon is terminated.
Another way to trigger the issue is to run 'bigstart restart' on a primary blade on a chassis with more than one blade.
Impact:
If BGP peering is reset, the routing protocol withdraws the dynamic routes it learnt, making it impossible to advertise dynamic routes of the affected routing protocol from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or on other devices in the routing mesh.
In most cases, the unexpected routing decisions concern networks learnt by the affected routing protocol when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and the responsiveness of other routing devices connected to the BIG-IP system; typically it is the routing convergence period, which includes setting up the peering and exchanging routing information and routes.
Workaround:
None.
Fix:
BGP and BFD peering is no longer recreated during the GRST timeout period.
788513-4 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
Component: Service Provider
Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:
warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]
This appears to be benign, as the configuration loads successfully, and the script works as expected.
Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name
Instead of:
RADIUS::avp replace USER-NAME "static value"
Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.
Workaround:
This warning is benign, as the configuration loads successfully, and script works as expected.
788417-3 : Remote Desktop client on macOS may show resource auth token on credentials prompt
Component: Access Policy Manager
Symptoms:
APM uses the 'username' attribute to pass the auth token for SSO-enabled native RDP resources on macOS. If a Windows policy forces the user to provide credentials, or if Single Sign-on fails, the end user may see a credentials prompt containing the base64-encoded auth token in the username field.
This behavior is observed only with Remote Desktop Client v10.x for macOS.
Conditions:
-- APM Webtop is configured with Single Sign-on enabled native RDP resource.
-- The user accesses the RDP resource from macOS using RDP client v10.x.
Note: This issue is known to occur when Microsoft Group Policy 'Always prompt for password upon connection' is enabled on the target RDP server: Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Security \ Always prompt for password upon connection.
Impact:
A credentials prompt that contains the auth token in the username field confuses APM end users.
Workaround:
Apply the following iRule:
Note: With the following iRule implemented, users running RDP client v8 for macOS may see an empty credentials prompt when launching APM native RDP resources.
when HTTP_RESPONSE_RELEASE {
    catch {
        set locationUri [HTTP::header Location]
        # Only rewrite APM's rdp:// redirect that carries the auth token in the username field.
        if { [HTTP::status] == 302 && $locationUri starts_with "rdp://" &&
             $locationUri contains "username=s:f5_apm" } {
            # Move the token into the gateway access token parameter so it is not shown as a username.
            HTTP::header Location \
                [string map {"username=s:f5_apm" "gatewayaccesstoken=s:"} $locationUri]
        }
    }
}
Fix:
Remote Desktop client on macOS does not show resource auth token on credentials prompt.
788325-4 : Header continuation rule is applied to request/response line
Solution Article: K39794285
Component: Local Traffic Manager
Symptoms:
When a browser communicates with a server over HTTP, it can split a long header across several lines, prepending continuation lines with leading whitespace. This rule does not apply to the request or response line, so leading whitespace on the first header line is invalid. The BIG-IP system parses such a line as a header with an empty value.
Conditions:
A virtual server is configured on the BIG-IP system with HTTP profile.
Impact:
The BIG-IP system can hide some important HTTP headers, either passing them through to the pool member, failing to properly handle the request (or response), or failing to correctly load balance the connection (or the request, when a OneConnect profile is in use).
Workaround:
None.
Fix:
Now, when the BIG-IP system receives an invalid request or response with leading whitespace in first header line, it properly parses the header and handles it correctly.
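The folding rule and the failure mode described above, as an added example that is not BIG-IP code: a small HTTP/1.x head parser that folds obs-fold continuation lines into the previous header, rejects whitespace on the first header line in strict mode, and in lenient mode models the pre-fix behaviour in which the Host header is swallowed. The sample messages are constructed.

```python
"""Model of HTTP/1.x header folding and of the leading-whitespace bug above.

Constructed example for this note; it is not BIG-IP code. RFC 7230 section
3.2.4 lets a header value continue on a following line that starts with SP or
HTAB (obs-fold). The start line (request line or status line) is not a header,
so the first header line may never begin with whitespace: there is nothing to
fold into. strict=True rejects such a message; strict=False models the
pre-fix behaviour described in the entry, where the line is swallowed as a
header with no real name, hiding the header it carried.
"""
from typing import Dict, Tuple

CRLF = b"\r\n"


class MalformedHeader(ValueError):
    """Raised when the message head violates the header grammar."""


def parse_message_head(raw: bytes, strict: bool = True) -> Tuple[str, Dict[str, str]]:
    """Return (start_line, headers) for the head of an HTTP/1.x message.

    Header names are lower-cased; repeated fields are joined with ", ".
    """
    head, _sep, _body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    start_line = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    last_name = None  # name of the most recent header, target of any fold

    for line in lines[1:]:
        text = line.decode("latin-1")
        if text[:1] in (" ", "\t"):
            if last_name is None:
                # Whitespace directly after the start line: invalid per RFC 7230.
                if strict:
                    raise MalformedHeader(
                        "continuation line immediately after the start line")
                # Pre-fix behaviour (modelled): the text is attached to a header
                # with an empty name, so e.g. "Host" is never recognised.
                last_name = ""
                headers[""] = text.strip()
                continue
            # Legitimate obs-fold: append to the previous header's value.
            headers[last_name] = headers[last_name] + " " + text.strip()
            continue

        name, sep, value = text.partition(":")
        # A missing colon or whitespace before the colon is a parse error.
        if not sep or not name or name != name.strip():
            raise MalformedHeader(f"invalid header line: {text!r}")
        last_name = name.lower()
        value = value.strip()
        if last_name in headers:
            headers[last_name] = headers[last_name] + ", " + value
        else:
            headers[last_name] = value

    return start_line, headers


def rejects(raw: bytes) -> bool:
    """True if the strict parser refuses the message."""
    try:
        parse_message_head(raw)
    except MalformedHeader:
        return True
    return False


def first_header_line_is_folded(raw: bytes) -> bool:
    """Cheap check for the malformed shape above, usable as a log/alert rule."""
    lines = raw.partition(CRLF + CRLF)[0].split(CRLF)
    return len(lines) > 1 and lines[1][:1] in (b" ", b"\t")


# Constructed sample messages (not captured traffic).
FOLDED_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"X-Long: part-one\r\n"
    b"\tpart-two\r\n"            # valid obs-fold: continues X-Long
    b"\r\n"
)

LEADING_SPACE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b" Host: app.example\r\n"    # invalid: whitespace on the first header line
    b"X-Forwarded-For: 192.0.2.10\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    print(parse_message_head(FOLDED_REQUEST))
    print(parse_message_head(LEADING_SPACE_REQUEST, strict=False))
    print("strict parser rejects it:", rejects(LEADING_SPACE_REQUEST))
```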
788301-3 : SNMPv3 Hardening
Solution Article: K58243048
Component: TMOS
Symptoms:
SNMPv3 agents do not follow current best practices.
Conditions:
SNMPv3 agents enabled.
Impact:
SNMPv3 agents do not follow current best practices.
Fix:
SNMPv3 features now follow current best practices.
788269-1 : Adding toggle to disable AVR widgets on device-groups
Component: Application Visibility and Reporting
Symptoms:
Devices in a device group enter a not-synced state when AVR-related widgets are created or modified.
It occurs more frequently when manual config sync is enabled.
It can also occur when visiting a widgets page for the first time that automatically creates default widgets on the first page visit, such as Security :: Overview : Application : Traffic. This can make it appear that a 'read-only' user visiting the page has triggered the need for a config sync.
Conditions:
-- Two or more devices are in a device-group.
-- AVR-related widgets are created or modified.
Impact:
Devices go into a non-synced state.
Workaround:
None.
Fix:
A DB variable called avr.gui.widgets.sync has been added to disable widget syncing. Possible values are 'disable' or 'enable'; it is enabled by default.
Behavior Change:
This release adds a DB-variable, avr.gui.widgets.sync, to disable widget syncing. Possible values are 'disable' or 'enable'. It is enabled by default.
788057-1 : MCPD may crash while processing syncookies
Solution Article: K00103216
787901 : While deleting a DoS profile, tmm might core in sPVA
Component: Advanced Firewall Manager
Symptoms:
When trying to delete a DoS profile attached to a virtual server, it is possible that tmm might core and restart.
Conditions:
-- An AFM DoS profile is attached to a virtual server.
-- Some of the DoS attacks are programmed into hardware (HW) through sPVA.
-- That DoS profile is deleted.
Impact:
tmm might generate a core and restart. Traffic disrupted while tmm restarts.
Workaround:
Use software (SW) DoS only.
Fix:
The tmm process no longer generates a core and restarts when deleting a profile that is attached to a virtual server.
787825-3 : Database monitors debug logs have plaintext password printed in the log file
Solution Article: K58243048
Component: Local Traffic Manager
Symptoms:
When "debug" logging is enabled for a monitor instance of certain monitor types, the resulting monitor instance logs may contain sensitive details such as the password.
Conditions:
Debug mode is enabled for one of the following monitor types:
1. mssql
2. mysql
3. oracle
4. postgresql
Impact:
The user-account password configured in the health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors/.
Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected monitor types.
2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.
Fix:
The password field for the monitor is now redacted by external monitors when monitor debugging is enabled.
787477-1 : Export fails from partitions with '-' as second character
Component: Access Policy Manager
Symptoms:
Attempting to export a profile/policy from a partition that has a hyphen/dash (-) as the second character of its name results in the following error message:
'Incorrect arguments: <partition> is not specified'
Conditions:
Partition with '-' as second character in the name.
Impact:
Unable to export a policy from the given partition.
Workaround:
Rename the partition so that '-' is not the second character.
Fix:
Export is working as expected in this scenario.
786981-1 : Pending GTP iRule operation may be aborted when connection is expired
Component: Service Provider
Symptoms:
When there is a suspended iRule operation (such as the table or after command) in a GTP iRule event, the operation may be intermittently aborted when the connection expires.
Conditions:
This occurs when a connection times out while there is still a pending iRule operation. For example, in one use case, there is a table command in GTP_SIGNALLING_INGRESS event, and the immediate idle timeout is configured in the UDP profile.
Impact:
GTP iRule may not be completely executed.
Workaround:
For the specific use case when immediate idle timeout is used, change idle timeout to some positive value. Then use the iRule to expire the connection after the GTP iRule event is done, for example, by setting 'IP::idle_timeout 0' in SERVER_CONNECTED event.
Fix:
When a connection expires, pending iRule operations in GTP iRule events are now completed.
786517-1 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
Component: Local Traffic Manager
Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.
- Running the command 'tmsh load /sys config' reports an error:
01070038:3: Monitor /Common/a-tcp address type requires a port.
Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.
Impact:
Monitors are sent to an incorrect IP address.
tmsh load /sys config will fail to load the configuration.
Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.
-- Fix the monitor definition using tmsh.
785017-4 : Secondary blades go offline after new primary is elected
Component: TMOS
Symptoms:
Secondary active blades go offline.
Conditions:
-- Cluster with three or more active blades.
-- Primary blade is rebooted.
For example, on a 4-bladed system, after slot 1 (primary blade) was rebooted and slot 2 (secondary blade) takes over as primary, slots 3 and 4 both go offline due to high availability (HA) table, with the logs showing reason as 'waiting for configuration load'.
Impact:
Cluster reduced to a single blade, which may impact performance.
Workaround:
None.
784989-4 : TMM may crash with panic message: Assertion 'cookie name exists' failed
Component: Access Policy Manager
Symptoms:
TMM crashes with a SIGFPE panic:
panic: ../modules/hudfilter/http/http_cookie.c:489: Assertion 'cookie name exists' failed.
Conditions:
-- Virtual server with remote desktop or VDI profile attached.
-- VDI logging level is set to Debug.
-- iRule that modifies/reads HTTP cookies.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Increase the log-level for VDI from 'Debug' to a higher level.
Fix:
Fixed TMM crash, which occurred when remotedesktop/VDI profile was used together with custom iRule and Debug level logging.
784565-4 : VLAN groups are incompatible with fast-forwarded flows
Component: Local Traffic Manager
Symptoms:
Traffic flowing through VLAN groups may get fast-forwarded to another TMM, which might cause that connection to be reset with reason 'Unable to select local port'.
Conditions:
-- Using VLAN groups.
-- Flows are fast-forwarded to other TMMs.
Impact:
Some connections may fail.
Workaround:
None.
Fix:
The system now prevents flows on VLAN groups from being fast-forwarded to other TMMs.
783817-4 : UI becomes unresponsive when accessing Access active session information
Component: Access Policy Manager
Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.
The following error messages show up in the TMM log:
-- notice mcp error: 0x1020002 at ../mcp/db_access.c:831
-- notice mcp error: 0x1020031 at ../mcp/mcp_config.c:588
Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
Impact:
Some session variables may be lost, which results in UI hang. Admin UI becomes unusable.
Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.
783617-4 : Virtual server resets connections when all pool members are marked disabled
Component: Local Traffic Manager
Symptoms:
The BIG-IP system immediately responds with an RST against a SYN when all pool members are marked disabled by a monitor.
Conditions:
All of the pool members are marked disabled by a monitor or administratively.
Impact:
Cannot use iRules to respond with an HTTP 503 error to incoming traffic.
Cannot use LTM policies to select multiple pools if all pool members are disabled in a default pool assigned to a virtual server.
Workaround:
Use Forced offline instead of disabled to prevent this issue.
Fix:
Virtual server no longer resets connections when all pool members are marked disabled.
783513-1 : ASU is very slow on device with hundreds of policies due to logging profile handling
Component: Application Security Manager
Symptoms:
Signature Update (ASU) is very slow on devices with hundreds of policies due to logging profile handling.
Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- The BIG-IP is configured for logging profile handling.
Impact:
The ASU process takes hours to complete.
Workaround:
None.
783505 : ASU is very slow on device with hundreds of policies due to table checksums
Component: Application Security Manager
Symptoms:
ASU is very slow on devices with hundreds of policies due to table checksums.
Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- 'DoTableChecksums' is set to 1.
Impact:
The ASU process takes hours to complete.
Workaround:
In the configuration file /etc/ts/dcc/prepare_policy.cfg, set 'DoTableChecksums' to 0.
783289-3 : PEM actions not applied in VE bigTCP.
Component: Policy Enforcement Manager
Symptoms:
If PEM virtual server is configured using bigTCP, the return traffic from the server may not return to the same TMM. PEM policies do not get applied.
Conditions:
-- BIG-IP Virtual Edition.
-- bigTCP is configured (FastL4 with PEM/GPA hudfilters).
-- Virtual server uses Source-NAT.
Impact:
PEM policies do not get applied.
Workaround:
To work around this, do the following:
-- Configure bigTCP virtual server not to use source-NAT.
-- Configure destination-IP for hashing in server-vlan (the external VLAN that has the virtual server).
783125-4 : iRule drop command on DNS traffic without Datagram-LB may cause TMM crash
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM may crash and restart when an iRule on a DNS virtual server performs the 'drop' command while the BIG-IP system is handling both a DNS request and DNS response at the same time for the same DNS client IP and port without UDP Datagram-LB.
Conditions:
-- The BIG-IP instance has two or more TMM processes as a result of having two or more physical cores or virtual CPUs.
-- A virtual server with both DNS and UDP profiles and one or more iRules.
-- The UDP profile has Datagram LB disabled.
-- The iRules have a 'drop' command.
-- The iRules have a DNS_REQUEST and/or DNS_RESPONSE event with an iRule command that requires coordinating data with another TMM on the system, such as the 'table' command.
Impact:
TMM crashes and restarts. Traffic is disrupted while TMM restarts.
Workaround:
F5 strongly recommends using a UDP profile with Datagram-LB enabled for DNS UDP virtual servers.
Alternatively, replace the 'drop' command with DNS::drop in DNS_REQUEST and DNS_RESPONSE events, or with UDP::drop in other iRule events.
See the respective references pages for DNS::drop and UDP::drop for the Valid Events each iRule command is available in:
https://clouddocs.f5.com/api/irules/DNS__drop.html
https://clouddocs.f5.com/api/irules/UDP__drop.html
783113 : BGP sessions remain down upon new primary slot election
Component: TMOS
Symptoms:
BGP flapping after new primary slot election.
Conditions:
-- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)
-- After a primary blade reset/reboot, the BFD session is processed by the same tmm on the same blade that was secondary before the primary blade reset/reboot.
-- The BFD session is created approximately 30 seconds after the reset/reboot.
Impact:
BGP goes down. BGP flaps cause route-dampening to kick-in on the BGP neighbors.
Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
bigstart restart tmrouted
Fix:
BFD no longer remains DOWN after a blade reset/reboot. There is a convergence period caused by blade changes (blade reset/reboot, new blade installed, blade comes up), which may take a few moments, but after that BFD sessions show the correct status.
782529-4 : iRules does not follow current design best practices
Solution Article: K30215839
782353-8 : SIP MRF via header shows TCP Transport when TLS is enabled
Component: Service Provider
Symptoms:
When an SSL Client Profile (TLS) is enabled on a SIP Message-Routing Virtual Server, the via header shows an incorrect transport protocol when SIP messages are sent out the client side of MRF. For example, the via header contains 'SIP/2.0/TCP' or 'SIP/2.0/UDP', when it should read 'SIP/2.0/TLS'.
Conditions:
Sending SIP messages from the client side of the SIP MRF when an SSL client profile is enabled on the SIP Message-Routing virtual server.
Impact:
The via header is not correct and violates the SIP RFC.
Workaround:
Create an iRule that replaces the incorrect via header with a correct one, for example:
when SIP_REQUEST_SEND {
    if { [clientside] } {
        SIP::header replace Via [string map [list "SIP/2.0/TCP " "SIP/2.0/TLS " "SIP/2.0/UDP " "SIP/2.0/TLS "] [SIP::header Via 0]] 0
    }
}
Fix:
The via headers show the correct text (e.g., SIP/2.0/TLS) when an SSL Client Profile is enabled on a SIP Message-Routing virtual server.
781829-4 : GTM TCP monitor does not check the RECV string if server response string not ending with \n
Component: Global Traffic Manager (DNS)
Symptoms:
GTM TCP monitor marks resource down.
Conditions:
The TCP server's response string does not end with '\n'.
Impact:
Available resources are marked down.
Workaround:
If the TCP server is sending a text response, reconfigure the server to make sure it terminates the output with '\n'.
If the TCP server cannot be changed (for example, if it produces binary output), it may be possible to create an external GTM monitor instead.
781753-1 : WebSocket traffic is transmitted with unknown opcodes
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not preserve WebSocket frames. Frame headers and payload may be reordered such that a header for a second frame may be sent out in the middle of a first frame's payload. Frame boundaries get skewed and payload gets interpreted as headers.
Conditions:
A request logging profile is configured on a WebSocket virtual server.
Impact:
WebSocket frames are not preserved such that traffic appears to be garbage.
-- If request logging is enabled, client frames may not be preserved.
-- If response logging is enabled, server frames may not be preserved.
Workaround:
Remove the request logging profile.
781637-4 : ASM brute force counts unnecessary failed logins for NTLM
Component: Application Security Manager
Symptoms:
A false positive brute force violation is raised and the login request is blocked.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM brute force protection is enabled for the NTLM login type.
Impact:
The login request is blocked by the ASM policy.
Workaround:
Define higher thresholds in the brute force protection settings.
Fix:
ASM has been fixed and no longer counts unnecessary failed logins for NTLM.
781605-1 : Fix RFC issue with the multipart parser
Component: Application Security Manager
Symptoms:
False positive or false negative attack signature match on multipart payload.
Conditions:
Very specific parsing issue.
Impact:
A parameter specific excluded signature may be matched or un-matched.
Workaround:
N/A
Fix:
The multipart parser issue has been fixed.
781581-4 : Monpd uses excessive memory on requests for network_log data
Component: Application Visibility and Reporting
Symptoms:
Monpd allocates excessive memory on multi-blade devices, and in some cases the kernel may kill monpd. The following log signature may be encountered in /var/log/kern.log:
err kernel: : [1537424.588160] Out of memory: Kill process 28371 (monpd) score 117 or sacrifice child
Conditions:
This can occur in a multi-blade BIG-IP environment when you are displaying pages that query for network_log data, for example Bot Defense requests in the event log, or realtime AVR data.
Impact:
Large fluctuations in host memory usage, occasionally leading to OOM events.
Workaround:
None.
Fix:
A db variable has been added: avr.eventlogsreportrownumber, which controls the number of logs displayed. The db variable default is 10000, and supports a range from 100 through 1000000.
Note: Using the maximum value may trigger the behavior described here. The system behavior depends on the specific machine hardware.
781449-4 : Increase efficiency of sPVA DoS protection on wildcard virtual servers
Solution Article: K14703097
781377-1 : tmrouted may crash while processing Multicast Forwarding Cache messages
Solution Article: K93417064
781225-3 : HTTP profile Response Size stats incorrect for keep-alive connections
Component: Local Traffic Manager
Symptoms:
The HTTP profile Response Size statistic is incorrectly updated per response using the cumulative number of response bytes seen over the lifetime of the connection, rather than the bytes seen per response.
Conditions:
-- HTTP profile configured
-- HTTP connection reused for multiple requests/responses
Impact:
The HTTP profile Response Size statistics may be incorrectly reported and do not correlate to actual traffic seen.
Workaround:
None.
Fix:
The HTTP Response Size statistics are correctly updated using per-response values.
781069-4 : Bot Defense challenge blocks requests with long Referer headers
Component: Application Security Manager
Symptoms:
The Bot Defense challenge may block the client if the Referer header is between about 1400 characters and 3072 characters long.
This client may get blocked by TCP RST, or suffer from a challenge loop.
Conditions:
-- Bot Defense with Verify before Access, or Proactive Bot Defense, is configured.
-- The request has a Referer header that is between ~1400 and 3072 characters long.
Impact:
Legitimate browsers may get blocked or suffer from a challenge loop.
Workaround:
Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.
Fix:
Challenges with long Referer headers no longer block legitimate clients.
780817 : TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
Component: TMOS
Symptoms:
TMM crashes and produces a core file. TMM logs show the crash was of type SIGFPE, with the following panic message:
notice panic: ../base/vcmp.c:608: Assertion "guest has vlan ref" failed.
Conditions:
-- The vCMP host is a platform with more than one tmm process per blade or appliance.
+ VIPRION B4300, B4340, and B44xx blades.
+ BIG-IP iSeries i15x00 platforms
-- A VLAN is assigned to a vCMP guest.
-- The TAG of the VLAN is modified.
-- The VLAN is removed from the vCMP guest.
Impact:
While TMM crashes and restarts on the host, traffic is disrupted on all the guests running on that system.
Guests part of a redundant pair may fail over.
Workaround:
None.
Fix:
TMM no longer crashes on certain vCMP hosts after modifications to VLANs and guests.
780601-4 : SCP file transfer hardening
Solution Article: K03585731
779857-4 : Misleading GUI error when installing a new version in another partition★
Component: TMOS
Symptoms:
While installing a new version in another partition, the GUI displays an error for a brief time:
'Install Status':Failed Troubleshooting
Conditions:
Install a new version in another partition.
Impact:
The GUI error is misleading: it shows the install status as 'Failed Troubleshooting' even though the installation is proceeding normally. Only the displayed error is incorrect; it does not indicate a problem with the installation.
Workaround:
If you click on the 'Troubleshooting' link on the GUI screen, the GUI indicates that it is actually installing properly without any error.
779177-4 : Apmd logs "client-session-id" when access-policy debug log level is enabled
Solution Article: K37890841
778869-1 : ACLs and other AFM features (e.g., IPI) may not function as designed
Solution Article: K72423000
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, ACLs, IPI and other AFM features may not function as designed.
Conditions:
AFM provisioned and configured.
TCP mitigations active.
Impact:
AFM features do not function as designed.
Workaround:
None.
Fix:
ACLs and other AFM features (e.g., IPI) now function as designed.
778517-2 : Large number of in-TMM monitors results in delayed processing
Solution Article: K91052217
Component: Local Traffic Manager
Symptoms:
A monitor may continue to probe for a while after it has been removed from pool / member / node. Duplicate monitor instances may get created after associating a monitor to a server.
Conditions:
Device has a large number of in-TMM monitors.
Impact:
-- Monitor target may appear down when responding correctly.
-- Monitor may continue to run after removed from pool / member / node.
-- Increased monitoring load on server.
Workaround:
Disable in-tmm monitors:
tmsh modify sys db bigd.tmm value disable
Fix:
Large numbers of in-TMM monitors are processed in a timely fashion.
778365-1 : dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS-DOT and DNS-REV protocols are used to collect RTT metrics for the LDNS. If a DNS service is running on the LDNS, RTT metrics are collected successfully, as expected. If there is no DNS service on the LDNS, no RTT metrics should be collected. However, the BIG-IP system still populates the RTT values, giving users "false positive" results.
Conditions:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS and there is no DNS service running on the LDNS.
Impact:
RTT metrics are collected even though no response from a DNS service is present, giving users the wrong impression that there is one.
Fix:
RTT metrics are collected only when the DNS service is present; otherwise, zero RTT values are returned.
778077-1 : Virtual to virtual chain can cause TMM to crash
Solution Article: K53183580
778049-6 : Linux Kernel Vulnerability: CVE-2018-13405
Solution Article: K00854051
777737-2 : TMM may consume excessive resources when processing IP traffic
Solution Article: K39225055
777733-1 : DoS profile default values cause config load failure on upgrade
Component: Advanced Firewall Manager
Symptoms:
Upon upgrading from 12.1.x, the config fails to load with an error similar to the following:
01071aa6:3: Dos DNS query data bad actor can not be enabled if per-source detection/limit pps is less than 1% of the Dos vector (a) rate threshold setting for sub-profile (PROFILE_DOS_NETWORK_VS-ADIB-GTM-ID177_53_UDP) of Dos profile (/Common/PROFILE_DOS_NETWORK_VS-ADIB-GTM-ID177_53_UDP).
Conditions:
-- AFM configured.
-- One or more SIP or DNS vectors are configured with the rate_threshold values set to the default in 12.x.
+ For SIP, the rate_threshold value in 12.x is 30000.
+ For DNS, the rate_threshold value in 12.x is 50000.
Impact:
During upgrade, the BIG-IP system fails to convert these thresholds to the new default value of 'infinite'. After upgrade, the configuration fails to load.
Workaround:
Manually edit the profile to disable bad-actor, or change the DNS and SIP default rate_threshold value to 'infinite'; the configuration can then be loaded.
For example, in this affected configuration for DNS:
dns-query-vector {
a {
allow-advertisement disabled
...
rate-increase 500
rate-limit 250000
rate-threshold 50000 <<---
}
Change it to this:
dns-query-vector {
a {
allow-advertisement disabled
...
rate-increase 500
rate-limit 250000
rate-threshold infinite
}
At that point, the configuration should load successfully.
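When a device carries many DoS profiles, editing each dns-query-vector or SIP vector by hand before the upgrade is error-prone, and the only values that need to change are the ones still sitting at the old 12.1.x defaults (50000 for DNS, 30000 for SIP, per the note above). The following script is an added example, not an F5 tool: it walks a saved tmsh configuration text, tracks which vector block it is inside by brace depth, and rewrites a rate-threshold to 'infinite' only when it equals the legacy default for that block, so a deliberately tuned value such as 4000 is left alone. The dns-query-vector block name comes from the note; the SIP block name ('sip-attack-vector') and the surrounding profile structure in the sample are assumptions, and the sample configuration is constructed for the example.

```python
import re

# Legacy 12.1.x defaults quoted in the release note, keyed by the name of the
# enclosing vector block. 'dns-query-vector' appears in the note; the SIP block
# name is an ASSUMPTION and should be checked against your own configuration.
LEGACY_DEFAULTS = {
    "dns-query-vector": "50000",
    "sip-attack-vector": "30000",  # assumed block name
}

# A block opener is any line ending in '{'; its first token is the block name.
_BLOCK_OPEN = re.compile(r"^\s*(\S+).*\{\s*$")
# rate-threshold lines, keeping indentation (group 1) and any trailing text (group 3).
_RATE_THRESHOLD = re.compile(r"^(\s*rate-threshold\s+)(\S+)(.*)$")


def convert_legacy_thresholds(config_text, legacy=LEGACY_DEFAULTS):
    """Return (rewritten_text, number_of_changes).

    Only a rate-threshold that equals the legacy default for the vector block
    it sits in is rewritten to 'infinite'; every other line passes through
    unchanged, so the output can be diffed against the input for review.
    """
    out = []
    stack = []       # names of currently open blocks, innermost last
    vector = None    # name of the legacy vector block we are inside, if any
    changes = 0
    for line in config_text.splitlines():
        m = _BLOCK_OPEN.match(line)
        if m:
            name = m.group(1)
            stack.append(name)
            if name in legacy:
                vector = name
            out.append(line)
            continue
        if line.strip() == "}":
            if stack and stack.pop() == vector:
                vector = None
            out.append(line)
            continue
        m = _RATE_THRESHOLD.match(line)
        if m and vector is not None and m.group(2) == legacy[vector]:
            line = f"{m.group(1)}infinite{m.group(3)}"
            changes += 1
        out.append(line)
    return "\n".join(out), changes


# Constructed sample: one DNS 'a' vector still at the 12.1.x default (must change)
# and one 'aaaa' vector with a deliberately tuned threshold (must not change).
SAMPLE_CONFIG = """\
security dos profile /Common/example_dos_profile {
    dos-network {
        example_net {
            dns-query-vector {
                a {
                    allow-advertisement disabled
                    rate-increase 500
                    rate-limit 250000
                    rate-threshold 50000
                }
                aaaa {
                    rate-increase 500
                    rate-limit 250000
                    rate-threshold 4000
                }
            }
        }
    }
}
"""

if __name__ == "__main__":
    rewritten, count = convert_legacy_thresholds(SAMPLE_CONFIG)
    print(f"{count} threshold(s) converted")
    print(rewritten)
```

Run it against a copy of the saved configuration (for example, the output of 'tmsh list security dos profile' redirected to a file), review the diff, and then apply the resulting changes with tmsh; the script never touches the live configuration itself.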
Fix:
The 12.1.x DNS and SIP default rate_threshold values of 50000 and 30000 are now converted to the default value of 'infinite' during upgrade, so the configuration loads as expected.
777261-2 : When SNMP cannot locate a file it logs messages repeatedly
Component: TMOS
Symptoms:
When the SNMP daemon encounters an error while attempting to statfs a file, it logs an error message. If the file is not present, this error is logged repeatedly and can fill up the log file.
Conditions:
When an SNMP request causes the daemon to query a file on disk it is possible that a system error occurs. If the file is not present then the error is logged repeatedly.
Impact:
This can fill up the log with errors.
Fix:
The SNMP daemon has been fixed to log this error once.
777173-4 : Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error
Component: Access Policy Manager
Symptoms:
When an administrator runs the Citrix vdi iApp in an APM standalone deployment (LTM is not licensed), the iApp fails with the following error:
01070356:3: HTTP header transformation feature not licensed
This is the result of a license check added for HTTP header transformation.
Conditions:
- APM is licensed as standalone (no LTM license).
- The administrator tries to run the Citrix vdi iApp.
Impact:
The administrator is not able to use the iApp to configure Citrix vdi access.
Workaround:
Adding LTM module license will resolve the error.
Fix:
Citrix vdi iApp now can be used to configure Citrix vdi access in an APM standalone deployment.
776229-4 : iRule 'pool' command no longer accepts pool members with ports that have a value of zero
Component: Local Traffic Manager
Symptoms:
Values of 0 (zero) are no longer accepted for pool member ports in iRule 'pool' commands. The system reports an error similar to the following in /var/log/ltm:
err tmm3[12179]: 01220001:3: TCL error: /Common/_user_script_member <CLIENT_ACCEPTED> - bad port in 'pool member <addr> <port>' cmd while executing "pool test_pool member 10.1.30.10 0"
Conditions:
-- Configure an iRule to use the 'pool' command to go to the pool member using a zero port in the CLIENT_ACCEPTED event.
-- Attach the iRule to the virtual server.
-- Run traffic through it.
Impact:
The iRule rejects traffic when the pool member's port number is 0.
Workaround:
Configure any iRule using the 'pool' command to go to a pool member using a non-0 port in the CLIENT_ACCEPTED event.
Fix:
No longer blocking access to pool members that use port number 0 (zero) from iRule 'pool' commands.
775621-4 : urldb memory grows past the expected ~3.5GB
Component: Access Policy Manager
Symptoms:
When using the categorization engine (urldb), memory may increase when real-time update databases are downloaded (once every ten minutes, as available).
Conditions:
-- SWG provisioned.
-- Using urldb.
-- Real-time database updates occurring.
Impact:
Memory increases, and if there is not enough room on the BIG-IP system, urldb can core.
Workaround:
None.
Fix:
The system no longer preloads the database into memory, so memory no longer grows past what is expected.
775105-1 : False positive on bot defense logs
Component: Application Security Manager
Symptoms:
Remote log entries suggest that blocking events have occurred although the DoS profile is not set to block any traffic.
Conditions:
DoS profile is not set to block any traffic.
Impact:
False positives: remote log entries suggest that blocking events have occurred when they have not.
Workaround:
None.
Fix:
The Bot Defense remote logging profile is attached to virtual servers, and some bot signatures are set to 'Report'.
775013-4 : TIME EXCEEDED alert has insufficient data for analysis
Component: Fraud Protection Services
Symptoms:
The time-exceeded alert does not include sufficient alert details to troubleshoot the process. It is difficult to determine whether or not the alert is valid, or how long past the request time the alert occurred.
Conditions:
Viewing alert logs for time-exceeded messages.
Impact:
Makes troubleshooting and/or analysis difficult.
Workaround:
None.
Fix:
All encryption-failure alerts now provide additional details to assist in troubleshooting the process.
774481-3 : DNS Virtual Server creation problem with Dependency List
Component: Global Traffic Manager (DNS)
Symptoms:
Cannot use the GUI to create virtual servers with dependent virtual server.
Conditions:
This occurs when creating a virtual server that contains a dependent virtual server.
Impact:
Cannot use the GUI to create the virtual server that contains a dependent virtual server in one step.
Workaround:
You can use either of the following workarounds:
-- Use tmsh;
-- Create the virtual server through GUI without dependent virtual server first and then edit the virtual server to add dependency.
774445-3 : BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2
Solution Article: K74921042
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.7 Update 2 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).
Conditions:
-- BIG-IP VE running on VMware ESXi 6.7 Update 2 (build number 13006603) hypervisor.
-- VMXNET 3 NICs.
Impact:
Traffic does not pass through non-mgmt interfaces.
Workaround:
You can use the following workarounds:
-- Until this issue is fixed in a Point-Release for your software branch, you can contact F5 Networks Technical Support to obtain an Engineering Hotfix to address the issue. This workaround allows TMM to continue to use the VMXNET3 driver, which is preferable.
-- On BIG-IP version 14.1.0, you can switch to the 'sock' driver.
-- On BIG-IP versions earlier than 14.1.0, you can switch to the 'unic' driver.
Note: The workarounds that switch driver must be applied individually to devices, as they do not synchronize via ConfigSync.
IMPORTANT: The driver must be configured the same way on all devices in a sync-failover device group.
To switch driver:
1. Add a line to /config/tmm_init.tcl that reads 'device driver vendor_dev 15ad:07b0 DRIVER' (replacing DRIVER with 'unic' or 'sock', as appropriate). For example:
echo "device driver vendor_dev 15ad:07b0 sock" >> /config/tmm_init.tcl
2. Restart tmm for the changes to take effect (restarting tmm disrupts traffic):
bigstart restart tmm
3. After tmm restarts, confirm the driver in use by examining the output of:
tmctl -d blade tmm/device_probed
Fix:
BIG-IP VE now passes traffic on ESXi 6.7 Update 2.
773693-3 : CVE-2020-5892: APM Client Vulnerability
Solution Article: K15838353
773673-4 : HTTP/2 Vulnerability: CVE-2019-9512
Solution Article: K98053339
773649-4 : APM Client Logging
Solution Article: K23876153
773553-4 : ASM JSON parser false positive.
Component: Application Security Manager
Symptoms:
False positive JSON malformed violation.
Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.
Impact:
HTTP request is blocked or an alarm is raised.
Workaround:
There is no workaround other than disabling the JSON profile.
Fix:
The JSON parser has been fixed to conform to RFC 8259.
773421-2 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
Component: Local Traffic Manager
Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.
Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).
-- OneConnect is applied.
-- proxy-mss is enabled (the default value starting in v12.0.0).
Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.
Workaround:
Disable proxy-mss in the configured TCP profile.
Fix:
OneConnect prevents sending ICMP fragmentation needed messages to servers.
773253-2 : The BIG-IP may send VLAN failsafe probes from a disabled blade
Component: Local Traffic Manager
Symptoms:
The BIG-IP system sends multicast pings from a disabled blade. A tmm core may also occur.
Conditions:
-- One or more blades are disabled on the VIPRION platform.
-- VLAN failsafe is enabled on one or more VLANs.
-- The VLAN failsafe-action is set to 'failover'.
-- There is more than one blade installed in the chassis or vCMP guest.
Impact:
The BIG-IP system sends unexpected multicast ping requests from a disabled blade.
Workaround:
To mitigate this issue, restart tmm on the disabled blade. This causes tmm to stop sending the multicast traffic.
Impact of workaround: Traffic disrupted while tmm restarts.
772545-1 : Tmm core in SSLO environment
Component: Local Traffic Manager
Symptoms:
Unexpected SSL events can occur in SSLO configuration, possibly resulting in tmm core.
Conditions:
An SSLO environment in which server-side SSL can become enabled during the client-side handshake, causing unexpected events.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Enable the SSL forward proxy verified-handshake setting, available in 14.0.
772233-1 : IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.
Component: Global Traffic Manager (DNS)
Symptoms:
When probing a DNS path, the round trip time (RTT) metric is not set correctly if the collection protocol used is DNS_DOT or DNS_REV.
The problem occurs only if the Path involves an IPv6 address; IPv4 address works fine.
Conditions:
-- Path involves IPv6 addresses.
-- Collection protocol used is either DNS_DOT or DNS_REV.
Impact:
RTT metric is not set at all.
Workaround:
Use the ICMP collection protocol instead.
Fix:
The problem no longer occurs for either collection protocol (DNS_DOT or DNS_REV), and the RTT is set correctly.
771873-3 : TMSH Hardening
Solution Article: K40378764
771173-1 : FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★
Component: Advanced Firewall Manager
Symptoms:
The system does not roll forward the FastL4 profile syn-cookie-enable attribute after upgrading from 12.x to 13.x and beyond.
Conditions:
This happens when upgrading from 12.x to 13.x and beyond.
Impact:
If syn cookies are explicitly disabled on a FastL4 profile prior to upgrading, they may be enabled.
Workaround:
You can fix the configuration by modifying it manually after upgrading.
In tmsh:
tmsh modify ltm profile fastl4 <profile_name> syn-cookie-enable <enabled|disabled>
771025-2 : AVR sends domain names as an aggregate
Component: Application Visibility and Reporting
Symptoms:
AVR sends a single domain name that is an aggregate of a number of domain names.
Conditions:
-- AVR receives more domain names than it can handle.
-- After AVR receives DNS calls with different domain names, it no longer clears old domain names.
-- When AVR reaches the maximum number of total domain names, it starts to aggregate all new domain names.
Impact:
Cannot see the correct domain name.
Workaround:
None.
Fix:
AVR now removes old domain names, so it can add new ones and send the actual domain names it collected.
770989-1 : Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x.★
Component: TMOS
Symptoms:
F5optics installation can fail with RPM database corruption on B4450 blades and iSeries platforms when installing 14.1.x.
Conditions:
-- Using B4450 blades or iSeries platforms.
-- Clean install (i.e., a completely new installation) of 14.1.0 from either an external drive or PXE without taking over license:
image2disk --format=volumes --nosaveconfig --nosavelicense BIGIP-14.1.0-0.0.116.iso
Impact:
-- After 14.1.0 boots up, when you check /shared/lib/rpm RPM database (by running the command: /opt/bin/rpm --dbpath /shared/lib/rpm -qa), you see errors if the RPM database has already been corrupted.
+ rpmdb: /shared/lib/rpm/Name: unexpected file type or format.
+ error: cannot open Name index using db3 - Invalid argument (22).
-- No default f5optics package is reported when running the command: tmsh show net f5optics. No f5optics package is present in the /shared/f5optics/images/ directory (the /shared/f5optics/images/ directory is not even created).
Due to corruption of '/shared/lib/rpm' RPM database, additional component 'f5optics' installation can fail with RPM error. Other components such as geoip or epsec might also be affected due to corrupted '/shared/lib/rpm' RPM database.
Other symptoms may be that the Link Controller linkcost library (Non-US patch) may be unable to install, showing the error message:
DB_VERSION_MISMATCH: Database environment version mismatch.
Workaround:
Remove the RPM database and manually install the f5_optics RPM package.
Steps
=====
1. Remove corrupted RPM database:
# rm -rf /shared/lib/rpm/
2. Initialize rpm database and update
# /opt/bin/rpm --root /shared --dbpath /lib/rpm --initdb
# /opt/bin/rpm --dbpath /shared/lib/rpm -qa
3. For iSeries platform:
# /usr/bin/f5optics_install
For VIPRION platform
# tmsh install net f5optics slot all
770621-1 : [Portal Access] HTTP 308 redirect does not get rewritten
Component: Access Policy Manager
Symptoms:
Requests whose URLs are not rewritten in the web application.
Conditions:
HTTP response from the backend with 308 redirect.
Impact:
HTTP Status Code 308 (Permanent Redirect) is not supported. Unexpected web application operation.
Workaround:
Use a custom iRule to rewrite the request.
Fix:
HTTP Status Code 308 (Permanent Redirect) is now supported; Location header is now rewritten.
770477-3 : SSL aborted when client_hello includes both renegotiation info extension and SCSV
Component: Local Traffic Manager
Symptoms:
Client SSL reports an error and terminates handshake.
Conditions:
The initial client_hello message includes both signaling mechanisms for secure renegotiation: an empty renegotiation_info extension and TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
Impact:
Unable to connect with SSL.
Workaround:
None.
Fix:
Both signaling mechanisms are now allowed in the client_hello.
769981-3 : bd crashes in a specific scenario
Component: Application Security Manager
Symptoms:
bd crash with a core file.
Conditions:
-- XML profile with schema validation is attached to a security policy.
-- The bd.log shows out-of-memory messages relating to XML.
Impact:
Failover; traffic disruption.
Workaround:
Increase the memory XML uses by using the internal parameters total_xml_memory and/or additional_xml_memory_in_mb. For more information, see K10803: Customizing the amount of memory allocated to the BIG-IP ASM XML processing engine available at https://support.f5.com/csp/article/K10803
769817 : BFD fails to propagate sessions state change during blade restart
Component: TMOS
Symptoms:
BFD fails to propagate sessions state change during blade restart.
Conditions:
-- On a chassis with multiple blades, several routing protocol sessions (e.g., BGP sessions) are established.
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via a specific blade, and the corresponding BFD session for this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experiences a blade failure.
Impact:
The BFD session remains in the BFD session table until the BGP session is timed out by the hold timer (90 seconds by default). Dynamic routes learnt via the affected BGP session remain in the routing table until the hold time is reached.
Workaround:
Lower the BGP hold time to a reasonable value.
Fix:
The affected BFD session is removed from the BFD table after blade reset during the period configured for this BFD session.
769809-2 : The vCMP guests 'INOPERATIVE' after upgrade
Component: TMOS
Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests reports INOPERATIVE.
Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.
Impact:
The vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.
Workaround:
Important: If you upgrade vCMP hosts from an affected version to a version unaffected by this issue (ID 769809), ensure that the upgrade version contains the fix for Bug ID 810593: Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade :: https://cdn.f5.com/product/bugtracker/ID810593.html.
Upon encountering this issue, it may be best to roll back to the previously used, unaffected version on the vCMP host, and then install a version unaffected by this issue (i.e., versions later than 12.1.4.1 or later than 13.1.1.5).
Fix:
The system now handles a guest unit key that has a NULL in it, so vCMP guests are no longer 'INOPERATIVE' after upgrade.
769589-4 : CVE-2019-6974: Linux Kernel Vulnerability
Solution Article: K11186236
769581 : Timeout when sending many large iControl Rest requests
Component: TMOS
Symptoms:
After hundreds of REST requests have been sent, REST requests eventually begin to time out. This is seen with applications such as AS3 when requests contain 700 services.
Conditions:
1. Download and install the AS3 iApp. This adds the /mgmt/shared/appsvcs/ endpoint to the BIG-IP system.
2. Deploy config with AS3:
curl -X POST \
https://<$IP_address>/mgmt/shared/appsvcs/declare \
-H 'Content-Type: application/json' \
-d //This should be the data from an AS3 body
3. While deployment in step 2 is happening, make a GET to the tasks:
curl -X GET \
https://<$IP_address>/mgmt/shared/appsvcs/task \
-H 'Content-Type: application/json'
4. Delete configuration:
curl -X DELETE \
https://<$IP_address>/mgmt/shared/appsvcs/declare
It may take 3 or 4 times repeating steps 2 through 4 for the issue to show up. When it appears, you will start seeing messages in the AS3 task response like the following:
-- 'message': 'failed to save BIG-IP config (POST http://<$USERNAME>:<$PASSWORD>@<$IP_address>:8100/mgmt/tm/task/sys/config create task save sys config response=400 body={\"code\":400,\"message\":\"remoteSender:Unknown, method:POST \",\"originalRequestBody\":\"{\\\"command\\\":\\\"save\\\"}\",\"referer\":\"Unknown\",\"restOperationId\":6924816,\"kind\":\":resterrorresponse\"})'
Impact:
Saving new configuration data does not work. Any new transaction tasks fail.
Workaround:
1. Restart restjavad and all iControl Rest (icrd_child) instances.
2. Wait longer for large requests to finish before performing additional requests.
Fix:
The iControl REST transaction creation process is now handled properly when the existing process was killed by a timeout operation.
769309-3 : DB monitor reconnects to server on every probe when count = 0
Component: Local Traffic Manager
Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.
Conditions:
This occurs when one of the LTM mssql, mysql, oracle, or postgresql monitor types is configured with the default 'count' value of 0 (zero).
Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.
Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.
Fix:
The LTM database monitor keeps the network connection to the monitored database server open indefinitely when configured with the default 'count' value of 0 (zero).
769193-1 : Added support for faster congestion window increase in slow-start for stretch ACKs
Component: Local Traffic Manager
Symptoms:
When Appropriate Byte Counting is enabled (the default), TCP's congestion window increases slower in slow-start when the data receiver sends stretch ACKs.
Conditions:
-- The TCP data sender receives stretch ACKs (ACKs that acknowledge more than 2*MSS bytes of data).
-- Appropriate Byte Counting (ABC) is enabled in slow-start.
Impact:
ABC limits the increase of congestion window by 2*MSS bytes per ACK. TCP's congestion window is increased slower in slow-start, which may lead to longer transfer times.
Workaround:
There is no workaround at this time.
Fix:
A new sys db (TM.TcpABCssLimit) is provided to set TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received. If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.
Behavior Change:
There is a new db variable, TM.TcpABCssLimit for specifying TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received.
Note: If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.
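The following simulation is an added example, not F5 code, illustrating the slow-start behaviour described above: under Appropriate Byte Counting each ACK grows the congestion window by the bytes it acknowledges, capped at a per-ACK limit (2*MSS by default, raised via TM.TcpABCssLimit). The model is deliberately simplified (one RTT per round, a fixed number of bytes acknowledged per ACK, no loss) and the MSS value is a constructed one; it shows why a receiver that sends stretch ACKs needs several more RTTs to reach a given window under the default limit, while regular or delayed ACKs are unaffected.

```python
"""Simplified model of TCP slow start under Appropriate Byte Counting (ABC).

Added illustration, not BIG-IP code. It models only the rule the release
note describes: per ACK, cwnd += min(bytes_acked, abc_limit).
"""

MSS = 1460  # bytes; a typical Ethernet-path MSS (constructed value)


def abc_slow_start_round(cwnd, ack_stride, abc_limit):
    """Simulate one RTT of slow start.

    The sender has `cwnd` bytes in flight. The receiver acknowledges them in
    ACKs that each cover `ack_stride` bytes (the last ACK of the round may
    cover fewer). Each ACK grows cwnd by the bytes it acknowledges, capped
    at `abc_limit`. Returns the cwnd at the end of the round.
    """
    remaining = cwnd
    while remaining > 0:
        acked = min(ack_stride, remaining)
        cwnd += min(acked, abc_limit)
        remaining -= acked
    return cwnd


def rtts_to_reach(target_cwnd, ack_stride_mss, abc_limit_mss, initial_cwnd_mss=10):
    """Count RTTs of slow start needed for cwnd to reach `target_cwnd` bytes.

    `ack_stride_mss` is the receiver's ACK granularity in MSS units
    (1 = regular ACKs, 2 = delayed ACKs, >2 = stretch ACKs) and
    `abc_limit_mss` is the ABC per-ACK limit in MSS units.
    """
    cwnd = initial_cwnd_mss * MSS
    rtts = 0
    while cwnd < target_cwnd:
        cwnd = abc_slow_start_round(cwnd, ack_stride_mss * MSS, abc_limit_mss * MSS)
        rtts += 1
    return rtts


def compare_ack_patterns(target_cwnd_mss=80):
    """Return {(ack_stride_mss, abc_limit_mss): rtts} for a few receiver types."""
    cases = [
        (1, 2),  # regular ACKs, default ABC limit
        (2, 2),  # delayed ACKs, default ABC limit
        (8, 2),  # stretch ACKs (8*MSS per ACK), default ABC limit
        (8, 8),  # stretch ACKs with the limit raised to match
    ]
    return {case: rtts_to_reach(target_cwnd_mss * MSS, *case) for case in cases}


if __name__ == "__main__":
    for (stride, limit), rtts in compare_ack_patterns().items():
        print(f"ACK covers {stride}*MSS, ABC limit {limit}*MSS: "
              f"{rtts} RTTs to reach 80*MSS")
```

With the default limit, a stretch-ACK receiver takes three times as many RTTs to reach the same window as a regular-ACK receiver in this model; raising the limit to the ACK size restores the usual doubling per RTT, and the regular and delayed ACK cases are unchanged by the limit.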
769169-1 : BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring
Component: TMOS
Symptoms:
BIG-IQ sends a large number of requests to the BIG-IP system to collect statistics. This makes the BIG-IP system slow, and eventually the GUI becomes unresponsive.
Conditions:
-- BIG-IQ monitoring a large BIG-IP configuration.
-- With a very large number of requests, and with resource-expensive requests.
Impact:
ICRD requests wait longer in the ICRD queue, which can make the BIG-IP system become unresponsive. The Policy Creation, Device Overview, and stats pages take more time to respond, and eventually the GUI becomes unresponsive on these three pages.
Many 'process terminated/re-created' messages appear in the restjavad logs.
Workaround:
Remove the BIG-IP device from the BIG-IQ and restart the mcpd.
Fix:
The system now handles the queue so that there is time for the BIG-IP system to recover and become responsive.
769061-4 : Improved details for learning suggestions to enable violation/sub-violation
Component: Application Security Manager
Symptoms:
The title for the entity in suggestions to enable violation/sub-violation is 'Match violation'/'Matched HTTP Check', though these suggestions are created when there is no match in the observed traffic.
Conditions:
There are learning suggestions to enable violations/sub-violations in the policy.
Impact:
Misleading suggestion details.
Workaround:
None.
Fix:
The misleading word 'Matched' was removed from the title.
768981-4 : VCMP Hypervisor Hardening
Solution Article: K05765031
768761-4 : Improved accept action description for suggestions to disable signature/enable metacharacter in policy
Component: Application Security Manager
Symptoms:
It is difficult to understand the description for suggestions to disable signature or enable metacharacter on parameter/URL alternative action (accept for all entities).
Conditions:
There are suggestions to disable signature or enable metacharacter on parameter/URL.
Impact:
Action description can be difficult to understand.
Workaround:
None.
Fix:
'Accept for Any Entity' action has been renamed to 'Accept Globally'. The 'Charset' type is now mentioned in the action description for better understanding of the applied action.
768025-1 : SAML requests/responses fail with "failed to find certificate"
Component: Access Policy Manager
Symptoms:
BIG-IP as SP and BIG-IP as IdP fail to generate signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after the certificate that is used for signing is modified.
Conditions:
The certificate used for signing SAML requests/responses or SAML SLO requests/responses is modified or re-imported.
Impact:
When this issue occurs, SAML services are impacted when BIG-IP is configured as SP or IdP. Subsequent SAML/SAML SLO requests/responses fail with the error 'failed to find certificate'.
-- When BIG-IP is configured as IdP, then SAML Authentication fails and SAML/SAML SLO services do not work.
-- When BIG-IP is configured as SP, resources that need SAML Authentication cannot be accessed. Also, SAML SLO service does not work.
Workaround:
-- When BIG-IP as IdP is affected, configure a different certificate for signing in the SAML IdP configuration, change it back to the original certificate, and then apply the policy.
-- Similarly, when BIG-IP as SP is affected, configure a different certificate for signing in the SAML SP configuration, change it back to the original certificate, and then apply the policy.
Fix:
BIG-IP as SP and BIG-IP as IdP now work as expected when generating signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after the certificate used for signing is modified.
767941-2 : Gracefully handle policy builder errors
Component: Application Security Manager
Symptoms:
Policy Builder (pabnagd) restarts when it encounters an error, and logs errors to /var/log/asm:
crit perl[24868]: 01310027:2: ASM subsystem error (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: pabnagd, Failure: Insufficient number of threads (required: 2, found: 0).
Conditions:
This occurs when policy builder encounters an error.
Impact:
Temporary loss of connectivity with ASM and Policy Builder.
Workaround:
None.
Fix:
The system now handles Policy Builder errors gracefully and reduces Policy Builder down time upon connectivity loss with ASM.
767737-3 : Timing issues during startup may make an HA peer stay in the inoperative state
Component: TMOS
Symptoms:
When two BIG-IP systems are paired, it is possible during startup for the network connection to be made too early during the boot sequence. This may leave a peer in the inoperative state.
Conditions:
This is a timing-related issue that might occur during boot up of high availability (HA) peers.
Impact:
An HA peer does not become ACTIVE when it should.
Workaround:
None.
767653-2 : Malformed HTTP request can result in endless loop in an iRule script
Solution Article: K23860356
767613-3 : Restjavad can keep partially downloaded files open indefinitely
Component: Device Management
Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client does not complete the download. Since these files remain open, the total number of available file handles for the process decreases, and the disk space for the files cannot be recovered. Symptoms may include errors like 'Too many open files', low disk space even after deleting the associated files, and items listed with '(deleted)' in lsof output.
Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.
Impact:
Various errors ('Too many open files.'), low disk space, items listed with '(deleted)' when listed using lsof.
Workaround:
To free the file handles, restart restjavad:
tmsh restart sys service restjavad
Files that were deleted now have their space reclaimed.
Fix:
The restjavad process now internally clears the file handles of such partially downloaded files if they remain untouched for two hours.
767373-3 : CVE-2019-8331: Bootstrap Vulnerability
Solution Article: K24383845
767045 : TMM cores while applying policy
Component: Anomaly Detection Services
Symptoms:
TMM core and possible cores of other daemons.
Conditions:
The exact conditions are unknown.
Occurrences have been seen during specialized internal testing and while applying a copied and edited ASM policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
767013-4 : Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
Component: TMOS
Symptoms:
In a rare scenario, the HSB sends a large and continuous stream of pause frames to the Broadcom switch, which indicates that the HSB is in a bad state.
Conditions:
This happens when there is a heavy traffic load on VIPRION B2150, B2250, and B4450 blades. It has also been seen on F5 appliances, such as iSeries platforms. The root cause is still under investigation. It happens extremely rarely.
Impact:
Reboot the BIG-IP system.
Workaround:
None.
Fix:
The system now monitors the pause frames and reboots when it detects that the HSB is in this state.
766577-4 : APMD fails to send a response to a client that has already closed the connection.
Component: Access Policy Manager
Symptoms:
APMD fails to send a response to the client and produces this error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer
APMD does most of its work with backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server responds very slowly (for various reasons, such as network issues), the apmd response to the client is also slow. Sometimes the client has already closed the connection to the virtual server by then, so the client connection is no longer valid.
Conditions:
Backend server is slow, causing longer-than-usual response times.
Impact:
This causes the client to close the connection. APMD fails to respond to the client.
The cumulative slowness of the backend server delays responses. Most of the time, the client connection is already closed. As a result, the request queue fills up. When apmd starts processing requests from the queue, the client connection is already closed for some of them, yet processing of those requests continues, which is unnecessary and causes further delay.
Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.
766405-3 : MRF SIP ALG with SNAT: Fix for potential crash on next-active device
Component: Service Provider
Symptoms:
The next active device may crash with a core when attempting to create media flows.
Conditions:
The names for the LSN pool and router profile are longer than expected.
Impact:
The TMM on the next active device may core. Traffic disrupted while tmm restarts; If the next-active device was not carrying traffic for a traffic group, traffic is not disrupted.
Workaround:
None.
Fix:
Device no longer cores.
766169-3 : Replacing all VLAN interfaces resets VLAN MTU to a default value
Component: Local Traffic Manager
Symptoms:
When the last physical interface is removed from a VLAN, the VLAN's MTU is reset to the default value of 1500. However, when replacing all interfaces belonging to a VLAN with new ones (e.g., with the command 'tmsh modify net vlan [name] interfaces replace-all-with {...}'), even though it does not look like removing all interfaces, the operation is actually performed by removing all interfaces and immediately adding the new ones. Because all interfaces are removed first, the VLAN MTU is reset to the default value even if the original value is perfectly valid for the newly added interfaces. As this happens automatically inside TMM, it is not reflected in the configuration: TMSH and the Configuration Utility continue to report the original value.
Conditions:
The issue is visible only when removing or replacing all interfaces in a VLAN that has an MTU value other than the default 1500. The added interfaces must also support MTU values larger than 1500.
Impact:
VLAN MTU is set to 1500 despite Configuration Utility and TMSH still reporting original value.
Workaround:
There are two workarounds:
-- Reset desired MTU value after each operation of replacing all interfaces in a VLAN.
-- Avoid replace-all-with operation by adding new interfaces before removing unneeded ones.
Fix:
VLAN MTU value is left unchanged after the last interface is removed. It is recalculated upon adding a new interface anyway, so there is no risk it will be too large.
766017-2 : [APM][LocalDB] Local user database instance name length check inconsistencies★
Component: Access Policy Manager
Symptoms:
Tmsh accepts long localdb instance names, but ldbutil later refuses to work with names longer than 64 characters.
The GUI limits the instance name length to 64 characters including the partition prefix, but this is not obvious to the admin.
Conditions:
-- Create a 64 character long local user database instance using tmsh.
-- Try to add users to this instance or try to delete the instance from the GUI.
Impact:
A tmsh-created localdb instance with a name length greater than 64 characters can be created but cannot be used.
Workaround:
Delete instance from tmsh and re-create it with a shorter name.
Fix:
Tmsh now enforces the length limit for localdb instance names.
765621-1 : POST request being rejected when using OAuth Resource Server mode
Component: Access Policy Manager
Symptoms:
POST request is rejected.
Conditions:
-- Using OAuth Resource Server access type.
-- Client sends a large POST body.
Impact:
The request is rejected.
Workaround:
Increase the tmm.access.maxrequestbodysize sys db variable to be larger than the POST body size.
Fix:
The system now supports larger POST requests in OAuth Resource Server mode.
765533-4 : Sensitive information logged when DEBUG logging enabled
Solution Article: K58243048
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048
Conditions:
For more information see: https://support.f5.com/csp/article/K58243048
Impact:
For more information see: https://support.f5.com/csp/article/K58243048
Workaround:
For more information see: https://support.f5.com/csp/article/K58243048
Fix:
For more information see: https://support.f5.com/csp/article/K58243048
764873-4 : An accelerated flow transmits packets to a dated, down pool member.
Component: TMOS
Symptoms:
Normally, when a pool member becomes unavailable, the flow is redirected towards another available pool member. However, an accelerated flow can continue to send traffic to the dated pool member rather than the updated one.
Conditions:
A flow changes the pool member it goes to while the flow is accelerated.
Impact:
The traffic continues to target the dated pool member that is not available.
Workaround:
Disable HW acceleration.
Or, on BIG-IP v14.1.0 and later, if a pool member goes away, run the following command to flush all accelerated flows so that they are handled correctly by software:
tmsh modify sys conn flow-accel-type software-only
764665-1 : AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change
Component: Application Visibility and Reporting
Symptoms:
When the BIG-IP system is registered with a BIG-IQ system, avrd sometimes crashes with a core.
Conditions:
-- BIG-IP is registered at BIG-IQ.
-- BIG-IQ sends configuration update to BIG-IP.
Impact:
Avrd cores and restarts. Functionality is not impacted; stats data are still sent to BIG-IQ.
Workaround:
None.
Fix:
Corrected an issue in setting the value of an internal flag.
764373-1 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths
Component: Application Security Manager
Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.
Conditions:
Server sends enforced cookies with the same name but with different paths.
Impact:
A valid request might be rejected.
Workaround:
None.
Fix:
The system now checks all enforced cookies correctly, so this issue no longer occurs.
763349-1 : AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out
Component: Application Visibility and Reporting
Symptoms:
avrd application on BIG-IP crashes; core is generated.
Conditions:
-- The BIG-IP is configured to send data to BIG-IQ DCD node via the HTTPS protocol.
-- Connection to DCD is established but response does not arrive within the timeout interval, so the connection times out.
Impact:
avrd crashes, and a core is generated.
Workaround:
None.
Fix:
avrd now reconnects to BIG-IQ DCD in a different sequence so this issue no longer occurs.
763121-1 : Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.
Component: Advanced Firewall Manager
Symptoms:
TMM crashes and produces a core file. The crash is a SIGFPE accompanied by the following panic string:
Assertion "packet must already have an ethernet header" failed.
Conditions:
This issue occurs when all of the following conditions are met:
- The system is provisioned for AFM.
- A TCP Half Open attack to the system is underway.
- A BIG-IP Administrator attempts to use the AFM Packet Tester tool, and simulates sending a TCP segment with the SYN flag set.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the AFM Packet Tester tool while a TCP Half Open attack is underway.
Fix:
TMM no longer crashes when utilizing the AFM Packet Tester tool.
763093-1 : LRO packets are not taken into account for ifc_stats (VLAN stats)
Component: Local Traffic Manager
Symptoms:
The ifc_stats do not correctly reflect the number of incoming octets/packets. There is a discrepancy between octets/packets in/out in the ifc_stats table, which tracks per-VLAN stats.
Conditions:
LRO is enabled and used for incoming packets.
Impact:
ifc_stats are incorrect for incoming octets and packets.
Workaround:
Disable LRO using the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
After modifying that variable, you must restart tmm for it to take effect (traffic disrupted while tmm restarts):
bigstart restart tmm
763005-2 : Aggregated Domain Names in DNS statistics are shown as random domain name
Component: Application Visibility and Reporting
Symptoms:
When many DNS queries (e.g., 50000) with different query domain names are sent and AVR aggregates the data, it shows the aggregated names under a random name taken from the first lookup table record.
Conditions:
-- Run 50000 DNS queries, all with different domain names.
-- View Statistics :: Analytics :: DNS, and choose View By : Domain Names.
Impact:
There is one random domain name with a high counter value; other domains are shown with a counter of 1.
Workaround:
None.
763001-2 : Web-socket enforcement might lead to a false negative
Solution Article: K70312000
Component: Application Security Manager
Symptoms:
A request that should be blocked is passed to the server.
Conditions:
-- The parse parameters flag in the JSON profile is enabled.
-- Requests are sent as JSON over WebSocket.
Impact:
Bad requests may be passed to the server.
Workaround:
Disable the parse parameters flag in the JSON profile.
Fix:
Web-socket enforcement now filters requests as expected.
762453 : Hardware cryptography acceleration may fail
Solution Article: K63558580
762205-1 : IKEv2 rekey fails to recognize VENDOR_ID payload when it appears
Component: TMOS
Symptoms:
Rekey with non-BIG-IP systems can fail when a response contains a VENDOR_ID payload.
Conditions:
- IKEv2 Responder sends VENDOR_ID payload in rekey response.
- The ipsec.log misleadingly reports:
[I] [PROTO_ERR]: unexpected critical payload (type 43)
Note: This message may be correctly present under other conditions, with different type constants not equal to 43.
Impact:
BIG-IP as the initiator of rekey drops the rekey negotiation without making further progress when the responder included a VENDOR_ID payload in a response. This will result in deleting the SA for good when the hard lifetime expires, causing a tunnel outage.
Workaround:
No workaround is known at this time.
Fix:
Handling of payload types during rekey will now ignore VENDOR_ID when it appears, the same way we ignore VENDOR_ID in other messages during IKE negotiation.
762073-1 : Continuous TMM restarts when HSB drops off the PCI bus
Component: TMOS
Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.
Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.
Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.
Workaround:
Manually reboot the BIG-IP system.
Fix:
TMM no longer gets stuck in a restart loop, as a reboot is now automatic in this scenario.
761993-4 : The nsm process may crash if it detects a nexthop mismatch
Component: TMOS
Symptoms:
If there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop, nsm may crash and restart.
Conditions:
-- Dynamic routing is in use.
-- A mismatch between tmrouted and nsm for the interface index or gateway of a nexthop exists.
Impact:
There is a temporary interruption to dynamic routing while nsm is restarted.
Workaround:
None.
Fix:
nsm no longer crashes when there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop.
761941-3 : ASM does not remove CSRT token query parameter before forwarding a request to the backend server
Component: Application Security Manager
Symptoms:
CSRT query parameter observed in tcpdump on the BIG-IP system's server side.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF enabled in ASM policy.
Impact:
Backend app gets CSRT parameter, which might impact its business logic.
Workaround:
You can remove a CSRT query parameter using a URI modification iRule on the server side.
Fix:
The system now removes the csrt query parameter before forwarding a request to the backend server.
761921-3 : avrd high CPU utilization due to perpetual connection attempts
Component: Application Security Manager
Symptoms:
avrd shows high CPU utilization. Repeated retries on auth token client failed connection attempts.
Conditions:
-- The BIG-IQ system is not available (even though it is configured).
-- Frequent connection retries.
Impact:
avrd consumes a large amount of CPU.
Workaround:
Correct BIG-IQ availability and restart avrd.
Fix:
avrd now waits between connection retries, so this issue does not occur.
761553-4 : Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic
Component: Application Security Manager
Symptoms:
Text for analyzed requests might be misleading for suggestions that are created as result of an absence of violations in traffic:
X requests triggered this suggestion from date:time until date:time.
Actually:
-- 'X requests' did not trigger a violation, and no sampled requests are provided.
-- The format of the time in 'from date:time until date:time' is difficult to parse.
Conditions:
There are suggestions that were created as result of an absence of violations in traffic in the policy.
Impact:
Text might be misleading.
Workaround:
None.
Fix:
Improved text for analyzed requests for suggestions that were created as a result of an absence of violations in traffic.
761549-4 : Traffic Learning: Accept and Stage action is shown only in case entity is not in staging
Component: Application Security Manager
Symptoms:
Accept and Stage action is available, even for entities that are in staging already.
Conditions:
Create suggestion for the entity (e.g., Attack signature on parameter) that is in staging.
Impact:
Action that is not relevant is shown.
Workaround:
None.
Fix:
Accept and Stage action is available only for suggestions on entities that are not in staging.
761345-1 : Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode
Component: Advanced Firewall Manager
Symptoms:
When manual config-sync mode is enabled for a HA setup, additional config-sync may be required after firewall blob compilation.
Conditions:
Firewall rule configuration modified on a high availability (HA) setup with manual config-sync mode enabled.
Impact:
Additional config-sync may be required after compilation completion.
A warning may be given: "There is a possible change conflict between <device1> and <device2>.", and full sync may be forced.
Workaround:
Enable auto config-sync instead of manual config-sync.
Fix:
Additional config-sync is not required in these conditions.
761300 : Errors in REST token requests may log sensitive data
Solution Article: K61105950
Component: Device Management
Symptoms:
When requests for REST tokens generate a parsing error the logged message may contain sensitive data present in the request, including passwords.
Conditions:
Error in token request parsing. Typically causes include a typo or other JSON syntax error in the POST body of the REST request.
Impact:
Restlogs record sensitive data. Properly formatted requests do not generate this error logging and do not record sensitive data.
Workaround:
None.
Fix:
Sensitive data is now filtered from logging.
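The exposure described in this entry is a parse error whose log message echoes the raw request body. The following Python is an added example, not F5's iControl REST code, showing the defensive pattern the fix describes: when a token request fails to parse, log the error position together with a redacted copy of the body instead of the body itself. The key names treated as sensitive and the sample request body are constructed for the example.

```python
import json
import re

# Constructed: key names whose values must never reach a log line.
SENSITIVE_KEYS = ("password", "passphrase", "secret", "token")

# Matches "key": "value" pairs for the sensitive keys. It works on the raw
# text, so it still redacts when the body is malformed and cannot be parsed.
_REDACT_RE = re.compile(
    r'("(?:%s)"\s*:\s*")([^"]*)(")' % "|".join(SENSITIVE_KEYS),
    re.IGNORECASE,
)

# Constructed sample: a REST token request with a trailing comma (invalid JSON).
SAMPLE_BAD_BODY = '{"username": "admin", "password": "Hunter2!", "loginProviderName": "tmos",}'


def redact(body: str) -> str:
    """Replace the value of every sensitive key with *** in the raw body text."""
    return _REDACT_RE.sub(r"\1***\3", body)


def parse_token_request(body: str):
    """Parse a token request body.

    Returns (parsed_object, log_message). On a parse error the parsed object
    is None and the log message carries the error offset and a redacted
    copy of the body, never the raw request.
    """
    try:
        return json.loads(body), "token request parsed"
    except json.JSONDecodeError as exc:
        message = "token request parse error at char %d: %s" % (exc.pos, redact(body))
        return None, message


if __name__ == "__main__":
    parsed, log_line = parse_token_request(SAMPLE_BAD_BODY)
    print(parsed, log_line)
```

The redaction runs on the raw text rather than on a parsed object precisely because the problematic case is the one where parsing has already failed; a post-parse filter would never see the body.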
761273-1 : wr_urldbd creates sparse log files by writing from the previous position after logrotate.
Component: Traffic Classification Engine
Symptoms:
After log rotation, the wr_urldbd daemon continues to write at the pre-rotate offset into the file, so the next message is written at offset N, making the file sparse, with all characters prior to that position being read as nulls.
Conditions:
System rotates log files.
Impact:
Some automated systems might not be able to read log file.
Workaround:
None.
Fix:
Log file preserves text file type after log rotation.
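The sparse-file symptom above is a general property of writing through a descriptor that was opened without O_APPEND after the file is truncated in place. The following Python is an added example, not wr_urldbd's code: it reproduces the behaviour on a temporary file (truncating it the way a copytruncate-style rotation does) and shows that the same writes through an O_APPEND descriptor land at the new end of file. The log line is constructed.

```python
import os
import tempfile

# Constructed sample line; any non-NUL first byte works for the check below.
LOG_LINE = b"2021-08-04 wr_urldbd: category lookup ok\n"


def write_after_truncate(append_mode: bool, lines_before: int = 3) -> bytes:
    """Write some lines, truncate the file in place while the writer's
    descriptor stays open, write one more line through that descriptor,
    and return the file's final contents."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        flags = os.O_WRONLY | (os.O_APPEND if append_mode else 0)
        wfd = os.open(path, flags)
        try:
            for _ in range(lines_before):
                os.write(wfd, LOG_LINE)
            # The rotation truncates the live file; the daemon's descriptor,
            # and therefore its file offset, is untouched.
            with open(path, "r+b") as f:
                f.truncate(0)
            # Without O_APPEND this write lands at the old offset, past EOF,
            # and the kernel fills the gap with NUL bytes (a sparse region).
            os.write(wfd, LOG_LINE)
        finally:
            os.close(wfd)
        with open(path, "rb") as f:
            return f.read()
    finally:
        os.unlink(path)


def leading_nul_count(data: bytes) -> int:
    """Number of NUL bytes before the first real byte; non-zero means the
    file has a hole where old log text used to be."""
    count = 0
    for byte in data:
        if byte != 0:
            break
        count += 1
    return count


if __name__ == "__main__":
    broken = write_after_truncate(append_mode=False)
    fixed = write_after_truncate(append_mode=True)
    print("without O_APPEND: %d leading NULs" % leading_nul_count(broken))
    print("with O_APPEND:    %d leading NULs" % leading_nul_count(fixed))
```

The check in leading_nul_count is also a cheap way to confirm whether a rotated log on a system you administer is affected: a text log whose first bytes are NUL has been written at a stale offset.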
761231-4 : Bot Defense Search Engines getting blocked after configuring DNS correctly
Solution Article: K79240502
Component: Application Security Manager
Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.
A cache is stored for legal / illegal requests to prevent querying the DNS again.
This cache never expires, so after an initial misconfiguration of DNS, routing, or networking is corrected, the Search Engines may still be blocked until TMM is restarted.
Conditions:
-- Initial misconfiguration of DNS or routing or networking issue.
-- Cache stores requests to prevent future queries to DNS.
-- Correct the misconfiguration.
Impact:
Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.
Workaround:
Restart TMM by running the following command:
bigstart restart tmm
Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.
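To make the failure mode concrete, the following Python is an added example (not Bot Defense code) of a verdict cache with an injectable clock and resolver. With no expiry, the verdict recorded during the misconfiguration survives forever; with a five-minute TTL, the next lookup after the window re-resolves and picks up the corrected configuration. The client address, the "legal"/"illegal" verdicts, and the fake resolver are constructed for the example.

```python
from typing import Callable, Dict, Optional, Tuple


class VerdictCache:
    """Caches a per-client verdict; ttl_seconds=None never expires (the
    pre-fix behaviour), a number expires entries after that many seconds."""

    def __init__(self, ttl_seconds: Optional[float], clock: Callable[[], float]):
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries: Dict[str, Tuple[str, float]] = {}

    def lookup(self, client_ip: str, resolver: Callable[[str], str]) -> str:
        now = self.clock()
        hit = self._entries.get(client_ip)
        if hit is not None:
            verdict, stored_at = hit
            if self.ttl is None or now - stored_at < self.ttl:
                return verdict  # served from cache, resolver not consulted
        verdict = resolver(client_ip)  # cache miss or expired: resolve again
        self._entries[client_ip] = (verdict, now)
        return verdict


def scenario(ttl_seconds: Optional[float]) -> Tuple[str, str]:
    """Constructed scenario: first lookup happens while reverse DNS is broken
    (every client looks illegal), the second happens ten minutes after the
    DNS configuration has been fixed. Returns both verdicts."""
    fake_now = [0.0]
    state = {"dns_ok": False}

    def resolver(ip: str) -> str:
        # Constructed stand-in for the reverse-DNS check: a broken resolver
        # cannot confirm the search engine, so the request is judged illegal.
        return "legal" if state["dns_ok"] else "illegal"

    cache = VerdictCache(ttl_seconds, lambda: fake_now[0])
    first = cache.lookup("203.0.113.10", resolver)
    state["dns_ok"] = True
    fake_now[0] += 600.0  # ten minutes pass
    second = cache.lookup("203.0.113.10", resolver)
    return first, second


if __name__ == "__main__":
    print("never expires:", scenario(None))
    print("5 min TTL:    ", scenario(300.0))
```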
761185-4 : Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic
Solution Article: K50375550
Component: Local Traffic Manager
Symptoms:
For more information please see: https://support.f5.com/csp/article/K50375550
Conditions:
For more information please see: https://support.f5.com/csp/article/K50375550
Impact:
For more information please see: https://support.f5.com/csp/article/K50375550
Workaround:
For more information please see: https://support.f5.com/csp/article/K50375550
Fix:
For more information please see: https://support.f5.com/csp/article/K50375550
761144-6 : Broadcast frames may be dropped
Solution Article: K95117754
761112-5 : TMM may consume excessive resources when processing FastL4 traffic
Solution Article: K76328112
761032-4 : TMSH displays TSIG keys
Solution Article: K36328238
Component: Global Traffic Manager (DNS)
Symptoms:
TSIG key is displayed when related configuration is listed in TMSH.
Conditions:
Authenticated administrative user.
Listing TSIG keys using TMSH.
Impact:
Displaying TSIG keys is a security exposure.
Workaround:
None.
Fix:
TMSH no longer displays TSIG keys when listing configuration.
761030-1 : tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route
Component: Local Traffic Manager
Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not shown using the show net route lookup command.
Conditions:
-- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.
-- Dynamic Routing protocols such as OSPFv3 configured.
Impact:
Cannot see any dynamic routes added while IPv4-mapped IPv6 addresses are configured.
Workaround:
None.
Fix:
The query for IPv4-mapped IPv6 addresses now shows dynamic routes added while IPv4-mapped IPv6 is configured.
761014-4 : TMM may crash while processing local traffic
Solution Article: K11447758
760974-1 : TMM SIGABRT while evaluating access policy
Component: Access Policy Manager
Symptoms:
TMM cores while evaluating access policy.
Conditions:
-- Secure Web Gateway is configured and in use.
-- An access policy is being evaluated.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use an iRule similar to the following:
when ACCESS_POLICY_COMPLETED {
    # Read the final result of the access policy for this session.
    set res [ACCESS::session data get "session.policy.result"]
    # If the result is still reported as in_progress, reject the connection
    # rather than letting it continue.
    if {[string compare $res "in_progress"] == 0} {
        log local0.notice "rejecting"
        reject
    }
    log local0.notice "result :$res"
}
Fix:
TMM no longer cores under these conditions.
760961 : TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts
Component: Traffic Classification Engine
Symptoms:
Webroot daemon (wr_urldbd) crashes because of a socket handler issue that occurs when sending the URI categorization request to the BrightCloud server.
The wr_urldbd daemon restarts, and during startup it loads the downloaded database into the shared memory channel. This shared memory channel is being used by TMM, which has no information about the wr_urldbd restart, so tmm restarts.
Conditions:
-- Wr_urldbd restarts (which occurs due to an issue in socket handler when sending URL categorization requests to the BrightCloud server).
-- During wr_urldbd startup, the daemon starts loading the downloaded webroot database to the shared memory channel set up between the wr_urldbd and TMM.
-- TMM accesses this shared memory channel to perform a URL category lookup (due to traffic).
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes under these conditions.
760878-2 : Incorrect enforcement of explicit global parameters
Component: Application Security Manager
Symptoms:
A false positive or false negative enforcement of explicit global parameter.
Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.
Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.
Workaround:
Make the explicit parameters a wildcard parameter.
Fix:
Explicit parameters are enforced correctly on all parameters.
760771-3 : FastL4-steered traffic might cause SSL resume handshake delay
Component: Local Traffic Manager
Symptoms:
When a FastL4 virtual server steers traffic to another SSL-enabled virtual server, there can be a delay on SSL session resumption because SSL is unable to identify the connection flow.
Additionally, it has been observed that if fallback persistence is configured, the BIG-IP system might fail to start the connection serverside.
Conditions:
-- FastL4 virtual server.
-- iRule is used to steer traffic to another virtual server with client SSL enabled.
-- Multiple tmm's.
Impact:
-- Potential impact to SSL performance.
-- Possible connection failure.
Workaround:
To work around this issue:
-- Disable FastL4.
-- Enable OneConnect.
Fix:
FastL4-steered traffic no longer causes SSL resume handshake delay.
760683-2 : RST from non-floating self-ip may use floating self-ip source mac-address
Component: Local Traffic Manager
Symptoms:
A RST from non-floating self-ip may use floating self-ip source mac-address when AFM or ASM is enabled.
Conditions:
-- AFM or ASM is enabled.
-- RST generated from non-floating self-ip address.
Impact:
An L2 switch may update its forwarding table incorrectly.
Workaround:
None.
Fix:
The system now uses the correct source mac-address under these conditions.
760679 : Memory corruption when using C3D on certain platforms
Component: Local Traffic Manager
Symptoms:
When using Client Certificate Constrained Delegation (C3D), memory corruption can occur, which can eventually lead to a tmm crash.
Conditions:
C3D is enabled on a virtual server.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes under these conditions.
760629-2 : Remove Obsolete APM keys in BigDB
Component: Access Policy Manager
Symptoms:
Several APM/Access BigDB keys are obsolete.
Conditions:
This is encountered on BIG-IP software installations.
Impact:
The db keys are obsolete and can be safely ignored.
Workaround:
None.
Fix:
The following db keys have been removed from the system:
Log.AccessControl.Level
Log.ApmAcl.Level
Log.SSO.Level
Log.swg.Level
Log.AccessPerRequest.Level
Log.access.syslog
Log.access.db
760622-2 : Allow Device Certificate renewal from BIG-IP Configuration Utility
Component: TMOS
Symptoms:
Unable to renew Device Certificate from System :: Certificate Management : Device Certificate Management : Device Certificate :: server.crt in non-English BIG-IP configurations.
Conditions:
Attempting to renew a device certificate on the System :: Certificate Management : Device Certificate Management : Device Certificate :: using the server.crt-equivalent on a non-English BIG-IP system.
Impact:
Unable to renew Device Certificate from the BIG-IP Configuration Utility.
Workaround:
Use a command of the following syntax, replacing key name, cert name, and # of days with your values:
openssl req -new -x509 -key ../ssl.key/server.key -days <# of days> -out server.crt
For example, to renew the siteserver.key and siteserver.crt for 90 days, use the following command:
openssl req -new -x509 -key ../ssl.key/siteserver.key -days 90 -out siteserver.crt
Fix:
The system now allows Device Certificate renewal from BIG-IP Configuration Utility.
760550-3 : Retransmitted TCP packet has FIN bit set
Component: Local Traffic Manager
Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.
Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.
Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.
Workaround:
Set Nagle to disabled in the TCP profile.
Fix:
The incorrect FIN bit is removed.
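A packet capture makes this bug visible as a FIN-bearing segment whose data does not end at the end of the stream. The following Python is an added example (not BIG-IP code) of that check over a constructed list of segments from one direction of a flow: it derives the end of the stream from the highest sequence number sent and flags every FIN segment that ends before it. The Segment record and the sample segments are constructed for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Segment:
    """Constructed minimal view of one TCP segment in one direction."""
    seq: int          # starting sequence number
    payload_len: int  # bytes of data carried
    fin: bool         # FIN flag set


def misplaced_fin_segments(segments: List[Segment]) -> List[Segment]:
    """Return FIN-bearing segments whose data does not end at the end of the
    stream. A retransmission of earlier data with FIN set is exactly the
    symptom described in this entry."""
    if not segments:
        return []
    end_of_stream = max(s.seq + s.payload_len for s in segments)
    return [s for s in segments if s.fin and s.seq + s.payload_len != end_of_stream]


# Constructed sample: two data segments, FIN on the second, then a
# retransmission of the first segment that (incorrectly) also carries FIN.
SAMPLE_FLOW = [
    Segment(seq=1000, payload_len=500, fin=False),
    Segment(seq=1500, payload_len=200, fin=True),
    Segment(seq=1000, payload_len=500, fin=True),
]


if __name__ == "__main__":
    for seg in misplaced_fin_segments(SAMPLE_FLOW):
        print("FIN set on retransmitted data at seq %d (ends at %d)" % (seg.seq, seg.seq + seg.payload_len))
```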
760471-4 : GTM iQuery connections may be reset during SSL key renegotiation.
Component: Global Traffic Manager (DNS)
Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.
Conditions:
This occurs occasionally during routine renegotiation. Renegotiation occurs once every 24 hours, per connection, by default (but can be controlled by the db key big3d.renegotiation.interval).
Impact:
The affected iQuery connection is briefly marked down before it is immediately re-established.
Workaround:
There is no workaround.
Fix:
GTM iQuery renegotiations no longer cause the error that resets the connection.
760439-2 : After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
Component: TMOS
Symptoms:
After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status (e.g., transitions to standby or active).
Conditions:
Installing UCS that was taken in forced-offline state on clean installed unit.
Impact:
Unit may become active/standby before intended (e.g., during maintenance).
Workaround:
After installing the UCS, ensure that the unit is in forced-offline state as intended. If not in forced-offline state, force the unit offline before proceeding.
760438-1 : PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions
Component: Policy Enforcement Manager
Symptoms:
tmm coredump
Conditions:
-- Using an iRule to apply a referential policy in a rigorous loop.
-- This is a rarely occurring timing issue.
Impact:
Traffic impact due to tmm coredump. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The BIG-IP system now validates session presence before applying the policy.
760408-1 : System Integrity Status: Invalid after BIOS update★
Solution Article: K23438711
Component: TMOS
Symptoms:
When BIG-IP system boots, it performs a System Integrity Check. The System Integrity Status may return one of three states: Valid, Unavailable, or Invalid.
This issue causes the System Integrity Status to return a value of 'Invalid'.
Conditions:
-- BIG-IP systems that have been manufactured using an earlier BIOS version.
-- Updating to a newer BIOS version.
Impact:
The System Integrity Status returns a status of Invalid, which may falsely indicate that the system BIOS or OS has been compromised.
Workaround:
Install the new BIOS, which fixes the issue that causes the 'Invalid' status to be reported, and, on systems where the BIOS and OS have not been compromised, returns a status of 'Valid'.
Fix:
The System Integrity Status check now returns 'Valid' for systems that have not been compromised.
760363-2 : Update Alias Address field with default placeholder text
Component: TMOS
Symptoms:
Unable to update Alias Address field with the default value under Local Traffic :: Monitors :: [MonitorName] after removing everything from the input field and updating again with the placeholder text.
Conditions:
-- Using a system running software in which the GUI supports Chinese characters.
-- Remove content from the Alias Address field under Local Traffic :: Monitors:: [MonitorName].
-- Enter the default placeholder text.
Impact:
Unable to update the Alias Address input field with the default placeholder text after replacing that field's content with blank text or a valid value.
Workaround:
Pass an empty value or '::'.
Fix:
Monitors can now be updated with the default placeholder text for Alias Address.
760356-4 : Users with Application Security Administrator role cannot delete Scheduled Reports
Component: Application Visibility and Reporting
Symptoms:
User accounts configured with the Application Security Administrator role cannot delete scheduled reports, while they can create/view/edit them.
Conditions:
-- Logged on with a user account configured as an Application Security Administrator.
-- Attempting to delete a scheduled report.
Impact:
Cannot complete the delete operation. Deleting scheduled reports requires root/admin intervention.
Workaround:
Use root or a user account configured as Administrator to delete scheduled reports.
Fix:
User accounts configured with the Application Security Administrator role can now delete Scheduled Reports.
760222-5 : SCP fails unexpectedly when FIPS mode is enabled
Component: TMOS
Symptoms:
Secure Copy (scp) to some locations fails with the following message:
Path not allowed.
Conditions:
-- FIPS mode is enabled.
-- Copying a file to a restricted location using SCP.
Impact:
Cannot use SCP to copy to restricted locations on the BIG-IP system.
Workaround:
None.
Fix:
This scp issue no longer occurs when FIPS cards are installed.
760130-1 : [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK
Component: Access Policy Manager
Symptoms:
-- Increased overall TMM memory usage, which eventually forces TMM to start closing connections to reduce memory usage.
-- connflow memory usage keeps increasing. Memory usage can be observed with this command:
# tmctl -f /var/tmstat/blade/tmm0 memory_usage_stat -w200
Conditions:
1. Using PingAccess.
2. Errors are being logged in /var/log/paa.
Impact:
-- Memory leak.
-- Eventually TMM starts closing connections randomly.
Workaround:
None.
Fix:
When PingAccess encounters an error after sending traffic data to PingAccess SDK, TMM no longer leaks memory.
760050-4 : "cwnd too low" warning message seen in logs
Component: Local Traffic Manager
Symptoms:
The following benign message appears in the log: "cwnd too low."
The message can be seen in both tmm logs (where it shows as 'notice' severity) and also in the ltm log (where it shows as 'crit' (critical) severity).
Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.
Impact:
None. TCP resets the congestion window to 1 MSS.
Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.
759968 : Distinct vCMP guests are able to cluster with each other.
Component: Local Traffic Manager
Symptoms:
-- Distinct vCMP guests are able to cluster with each other.
-- Guests end up having a duplicate rebroad_mac on one or more slots. This can be checked using the following command:
clsh tmctl -d blade tmm/vcmp -w 200 -s vcmp_name,tmid,rebroad_mac
Check the 'rebroad_mac' field for duplicate mac addresses.
vcmp_name tmid rebroad_mac
--------- ---- -----------------
default 0 02:01:23:45:01:00
vcmp1 0 00:00:00:00:00:00
vcmp5 0 02:01:23:45:01:04
vcmp6 0 00:00:00:00:00:00
vcmp7 0 02:01:23:45:01:06
vcmp8 0 00:00:00:00:00:00
vcmp9 0 02:01:23:45:01:08
vcmp10 0 02:01:23:45:01:0A <--------------
vcmp11 0 02:01:23:45:01:0A <--------------
Conditions:
-- It is not yet clear under what circumstances the issue occurs.
-- One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate 'rebroad_mac' on one or more slots.
Impact:
Only the vCMP guest acting as primary will be operative.
Workaround:
-- Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:
modify sys db clusterd.communicateovertmmbp value false
To disable the db variable on the affected guest, log in to the TMOS Shell (tmsh) by entering the following command:
tmsh
Then run the following commands, in sequence:
stop sys service clusterd
modify sys db clusterd.communicateovertmmbp value false
start sys service clusterd
save sys config
Afterwards, the affected guest might still have the wrong management IP address. To resolve that, log into the vCMP Hypervisor and force a management IP update such as changing the netmask and then changing it back.
With the above steps, the duplicated rebroadcaster MAC still shows, but the guests are in stable states. To fix the duplicated MAC problem, apply the workaround (on all blades) documented in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
Important: Applying procedure described in K13030 interrupts traffic.
Fix:
The vCMP guests no longer end up having a non-null and duplicate 'rebroad_mac' on one or more slots. Distinct vCMP guests are no longer able to cluster with each other.
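Checking the tmctl output for duplicate rebroadcaster MACs by eye is error-prone on a chassis with many guests. The following Python is an added example, not part of BIG-IP or this entry, that parses output in the shape shown above (pasted from the clsh tmctl command) and reports every non-null rebroad_mac that appears on more than one guest; the all-zero MAC is skipped because it is not a duplicate in the sense of this issue. The sample output is constructed from the table in this entry.

```python
from typing import Dict, List, Tuple

NULL_MAC = "00:00:00:00:00:00"

# Constructed sample in the same layout as the tmctl output shown above,
# including the arrow annotations that someone may have pasted along with it.
SAMPLE_TMCTL_OUTPUT = """\
vcmp_name tmid rebroad_mac
--------- ---- -----------------
default 0 02:01:23:45:01:00
vcmp1 0 00:00:00:00:00:00
vcmp5 0 02:01:23:45:01:04
vcmp6 0 00:00:00:00:00:00
vcmp7 0 02:01:23:45:01:06
vcmp8 0 00:00:00:00:00:00
vcmp9 0 02:01:23:45:01:08
vcmp10 0 02:01:23:45:01:0A <--------------
vcmp11 0 02:01:23:45:01:0A <--------------
"""


def parse_rebroad_macs(output: str) -> List[Tuple[str, int, str]]:
    """Return (vcmp_name, tmid, rebroad_mac) rows, skipping the header,
    the dashed separator line and any trailing annotation on a row."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "vcmp_name" or parts[0].startswith("-"):
            continue
        name, tmid, mac = parts[0], int(parts[1]), parts[2].lower()
        rows.append((name, tmid, mac))
    return rows


def duplicate_rebroad_macs(rows: List[Tuple[str, int, str]]) -> Dict[str, List[str]]:
    """Map each non-null MAC that occurs more than once to the guests using it."""
    by_mac: Dict[str, List[str]] = {}
    for name, _tmid, mac in rows:
        if mac == NULL_MAC:
            continue
        by_mac.setdefault(mac, []).append(name)
    return {mac: names for mac, names in by_mac.items() if len(names) > 1}


if __name__ == "__main__":
    dups = duplicate_rebroad_macs(parse_rebroad_macs(SAMPLE_TMCTL_OUTPUT))
    for mac, guests in dups.items():
        print("duplicate rebroad_mac %s on guests: %s" % (mac, ", ".join(guests)))
```

On a multi-blade system the clsh output contains one such table per blade; feeding each blade's table to the functions separately matches the per-slot wording of the issue.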
759735-1 : OSPF ASE route calculation for new external-LSA delayed
Component: TMOS
Symptoms:
External link-state advertisement (LSA) update does not trigger OSPF ASE route calculation, resulting in delay for route state changes from external LSA.
Conditions:
-- OSPF enabled.
-- More than 20 updated external LSA.
-- No updated router and network LSA.
Impact:
Delay of route update from external LSA.
Workaround:
Manually clear ip ospf process.
Fix:
OSPF ASE route calculation from external LSA now happens as normal.
759721-4 : DNS GUI does not follow best practices
Solution Article: K03332436
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS WebUI does not follow best security practices.
Conditions:
DNS services provisioned, enabled, and configured
Impact:
The DNS WebUI does not follow best security practices.
Workaround:
None.
Fix:
The DNS WebUI now follows best security practices.
759638-1 : APM current active and established session counts out of sync after failover
Component: Access Policy Manager
Symptoms:
The 'tmsh show apm license' command shows that the current established session count is much larger than the current active session count. In the extreme case, current established session count can reach the maximum allowed, and the system reports the ERR_TOOBIG error in the apm log.
err tmm3[12351]: 01490581:3: (null):Common:00000000: Access stats encountered error: SessionDB operation failed (key: tmm.license.global_estab_stats.f26de3c7, ret: ERR_TOOBIG).
Conditions:
This counter out-of-sync period happens right after failover and lasts for five minutes.
Impact:
There is no impact to user sessions. Only the connection counts are impacted.
Workaround:
None.
759596-3 : Tcl errors in iRules 'table' command
Component: TMOS
Symptoms:
The iRules 'table delete' command causes Tcl errors due to improperly handling the return code from SessionDB.
Conditions:
-- iRules 'table delete' command is used.
-- Does not occur consistently, but is more prone to occur when the system is processing more traffic.
Impact:
The 'table delete' command randomly fails and causes disruptions in traffic.
Workaround:
Do not use the 'table delete' command.
Fix:
Fixed 'table delete' to properly interpret the return code from SessionDB.
759536-4 : Linux kernel vulnerability: CVE-2019-8912
Solution Article: K31739796
759480-2 : HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash
Component: Local Traffic Manager
Symptoms:
When a request is sent to the virtual server which meets the conditions specified, TMM may crash.
Conditions:
When all of the following conditions are met:
-- Virtual server configured with iRule that contains HTTP::respond or HTTP::redirect in an LB_FAILED event.
-- A command in an LB_FAILED event (does not have to be in the same iRule as the previous point, but must be attached to the same virtual server), that parks the iRule (e.g., table, session, persist, after, HSL).
-- A CLIENT_CLOSED event is present.
-- The pool member fails in some manner, triggering LB_FAILED
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Add a reject command to the LB_FAILED event to force the server side of the connection closed before the response is sent to the client.
759360 : Apply Policy fails due to policy corruption from previously enforced signature
Component: Application Security Manager
Symptoms:
Apply Policy fails due to policy corruption in PLC database from a previously enforced signature.
Conditions:
1. Export a policy containing a signature with an enforced rule.
2. Update ASM Signatures (ASU).
3. Import that previously exported policy.
4. Apply the newly imported policy.
Impact:
Apply policy fails.
Workaround:
As a workaround, run the following SQL, and then apply the policy:
----------------------------------------------------------------------
UPDATE PLC.PL_POLICY_NEGSIG_SIGNATURES SET previous_enforced_rule_md5 = '' WHERE previous_enforced_rule = '' and previous_enforced_rule_md5 != ''
----------------------------------------------------------------------
759192-1 : TMM core during display of PEM session under some specific conditions
Component: Policy Enforcement Manager
Symptoms:
TMM crashes during display of PEM session if the session has multiple IP addresses added under certain conditions.
Conditions:
-- Session has multiple IP addresses added.
-- When the session was created, addition of multiple IP addresses was not allowed.
Impact:
TMM restart. Traffic disrupted while tmm restarts.
Workaround:
Do not change the value of sys db variable tmm.pem.session.ip.addr.max while some sessions are already created.
Fix:
TMM core during display of PEM session no longer occurs.
759135-5 : AVR report limits are locked at 1000 transactions
Component: Application Visibility and Reporting
Symptoms:
AVR reports are limited to 1000 transactions. This is due to a hard-coded limit.
Conditions:
Using AVR reports for more than 1000 transactions.
Impact:
Unable to create reports with more than 1000 rows.
Workaround:
None.
Fix:
A db variable, avr.stats.reportrownumberlimit, has been added that can be controlled via TMSH. The variable controls the number of rows in a report, within the range of 1 to 100000.
For example, for a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:
tmsh modify sys db avr.stats.reportrownumberlimit value 10000
Behavior Change:
There is a new db variable avr.stats.reportrownumberlimit available in TMSH, which controls the number of rows in an AVR report. Valid values are from 1 to 100000.
For example, to create a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:
tmsh modify sys db avr.stats.reportrownumberlimit value 10000
759077-4 : MRF SIP filter queue sizes not configurable
Component: Service Provider
Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.
Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes is exceeded, the filter enables its flow control logic.
Impact:
Messages may be dropped.
Workaround:
None.
Fix:
The max-pending-messages and max-pending-bytes values in the SIP router profile will be used as the limits for the SIP filter's queues. If the configured value is less than the existing hard-coded limits (512 bytes or 65535 bytes), the hard-coded limits will be used.
759056-1 : stpd memory leak on secondary blades in a multi-blade system
Component: Local Traffic Manager
Symptoms:
On secondary blades in a multi-blade system, stpd shows continued increased memory usage.
Conditions:
A non-passthru STP mode (STP, RSTP, or MSTP) is enabled on the system.
Impact:
System performance is degraded due to needless memory usage by stpd.
Workaround:
None.
Fix:
Stpd no longer leaks memory.
758992-1 : The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address
Component: Local Traffic Manager
Symptoms:
tmm may use a combination of the traffic-group MAC address and the per-VLAN MAC address for traffic associated with the traffic-group.
Conditions:
All of the following:
-- The traffic-group has a MAC address set.
-- The sys db variable 'tm.macmasqaddr_per_vlan' is set to true.
-- There are multiple tmm processes running on the BIG-IP system.
Note: BIG-IP Virtual Edition is not affected since there is only one tmm process.
Impact:
Incorrect MAC address used for traffic associated with the traffic-group.
Workaround:
None.
Fix:
tmm uses the proper MAC address when there is a traffic-group mac address defined and 'tm.macmasqaddr_per_vlan' is set to true.
758961 : During brute force attack, the attempted passwords may be logged
Solution Article: K58243048
Component: Application Security Manager
Symptoms:
Request data that potentially includes passwords is not masked in the ASM local and remote logger.
Conditions:
A brute force attack is in progress and login traffic is blocked from the suspicious IPs.
Impact:
An exposure of potentially sensitive data to the BIG-IP logger.
Workaround:
N/A
Fix:
Potentially sensitive data from brute force blocked requests is no longer logged.
758872-2 : TMM memory leak
Component: Local Traffic Manager
Symptoms:
When a Clustered Multiprocessing (CMP) disabled virtual server enters syncookie mode the flows created on TMM instances other than tmm0 are not removed, resulting in a TMM memory leak.
Note: CMP-disabled virtual servers are not distributed among the available TMM processes, but instead are processed on tmm0.
Conditions:
-- Virtual server is CMP disabled.
-- The same virtual server enters syncookie mode.
Impact:
Elevated memory utilization that may impact performance. In extreme cases, it might lead to out-of-memory crash.
Workaround:
Make sure the virtual server is not CMP disabled, for example, avoid using global variables in iRules.
Fix:
Flows of CMP-disabled virtual servers are now properly removed from all TMM instances.
758781-1 : iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates
Component: TMOS
Symptoms:
The following commands take a long time to complete when there are a large number of certificates:
get_certificate_list()
get_certificate_list_v2()
get_certificate_list_v3()
Conditions:
-- Using the get_certificate_list(), get_certificate_list_v2(), and get_certificate_list_v3() commands to get certificate information.
-- A large number of certificates (typically in the thousands) are installed on the BIG-IP system.
Impact:
Slowness might cause timeouts in applications that are calling these functions.
Workaround:
Use iControl REST API corresponding to sys/file/ssl-cert.
758772-4 : DNS Cache RRSET Evictions Stat not increasing
Component: Global Traffic Manager (DNS)
Symptoms:
In the DNS Cache stats, the 'Resource Record Cache' statistic of 'Evictions' does not increase.
Conditions:
This occurs when the cache is full enough for records to be evicted.
Impact:
The 'Evictions' statistics do not increase when those records are evicted. Incorrect statistics accounting.
Workaround:
None.
Fix:
Fixed an issue preventing the DNS Cache's 'Resource Record Cache' statistic from counting 'Evictions'.
758764-4 : APMD Core when CRLDP Auth fails to download revoked certificate
Component: Access Policy Manager
Symptoms:
CRLDP Auth fails to download revoked certificates, so the list of revoked certificates remains empty (NULL). APMD cores while accessing this empty (NULL) list.
Conditions:
Empty revoked-certificate list handling.
Impact:
APMD cores. No access policy enforcement for user sessions or any MPI-reliant processes, such as rewrite and websso, while apmd restarts.
Workaround:
None.
Fix:
The system now checks for an empty (NULL) revoked-certificate list and allows the validation to succeed (because there is nothing to validate against).
758631-2 : ec_point_formats extension might be included in the server hello even if not specified in the client hello
Component: Local Traffic Manager
Symptoms:
RFC 5246 states that if an extension does not exist in the client hello, it must not exist in the server hello. When an EC cipher suite is selected, the server might send the ec_point_formats extension, even if none exists in the client hello.
Conditions:
-- An EC cipher suite is selected.
-- The client does not send an ec_point_formats extension.
Impact:
Some clients abort the connection in this case.
Workaround:
There is no workaround other than not configuring any EC cipher suites.
Fix:
With this change, the server does not send an unsolicited ec_point_formats extension.
758599-4 : IPv6 Management route is preferred over IPv6 tmm route
Component: Local Traffic Manager
Symptoms:
The IPv6 Management route has lower metric than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the mgmt interface.
Conditions:
Create an IPv6 mgmt route and a static IPv6 tmm route on the same BIG-IP system. IPv6 routes from TMM are injected at metric 1024.
Impact:
The incorrect routing table sends the traffic that matches the default route to the mgmt interface.
Workaround:
None.
Fix:
The IPv4 and IPv6 management routes now have a metric value of 4096. The default metric for static routes is 1 for IPv4 and 1024 for IPv6. This makes static routes (TMM routes) preferred over management routes, which is the correct behavior.
758527-4 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
Solution Article: K39604784
Component: TMOS
Symptoms:
Under certain conditions BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.
Conditions:
Tagged VLANs in use.
STP pass-through mode enabled.
Impact:
Frames not delivered as expected.
Workaround:
Disable global STP.
Fix:
Frames now delivered as expected.
758437-4 : SYN w/ data disrupts stat collection in Fast L4
Component: Local Traffic Manager
Symptoms:
Fast L4 analytics reports very large integers for goodput.
Conditions:
BIG-IP receives SYNs with attached data.
Impact:
Goodput data is unreliable.
Workaround:
None.
Fix:
Data coupled with the SYN breaks the check for a Fast L4 state change. The connection can still function normally, but statistics collection is reliant on the state change to initialize things properly. The system now ensures the correct state under these conditions, so statistics are measured correctly.
758436-2 : Optimistic ACKs degrade Fast L4 statistics
Component: Local Traffic Manager
Symptoms:
Fast L4 Analytics reports very large integers for goodput.
Conditions:
Endpoints send ACKs for data that has not been sent.
Impact:
Goodput statistics are not usable in certain data sets.
Workaround:
None.
Fix:
Additional checks prevent analytics from trusting optimistic ACKs.
758336-1 : Incorrect recommendation in Online Help of Proactive Bot Defense
Component: Application Security Manager
Symptoms:
The online help of Proactive Bot Defense within the DoS profile shows the following under the 'Cross-Domain Requests' section:
Allow configured domains; validate in bulk: ... We recommend this option if your web site has many cross-domain resources.
Allow configured domains; validate upon request: ... We recommend this option if your web site does not have many cross-domain resources.
The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.
Conditions:
Application has multiple cross-domain resources.
Impact:
Confusing documentation. The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.
Workaround:
For many cross-domain resources, it is better to use 'validate upon request'.
Fix:
The online help of Proactive Bot Defense has been corrected under the 'Cross-Domain Requests' section.
758119-4 : qkview may contain sensitive information
Solution Article: K58243048
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048
Conditions:
For more information see: https://support.f5.com/csp/article/K58243048
Impact:
For more information see: https://support.f5.com/csp/article/K58243048
Workaround:
For more information see: https://support.f5.com/csp/article/K58243048
Fix:
For more information see: https://support.f5.com/csp/article/K58243048
758065-2 : TMM may consume excessive resources while processing FIX traffic
Solution Article: K82781208
758041-4 : Pool Members may not be updated accurately when multiple identical database monitors configured
Component: Local Traffic Manager
Symptoms:
When two or more database monitors (MSSQL, MySQL, PostgreSQL, Oracle) with identical 'send' and 'recv' strings are configured and applied to different pools (with at least one pool member in each), the monitor status of some pool members may not be updated accurately.
Other parameters of the affected monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause pool members using one of the affected monitors to connect to the same database to be marked UP, while pool members using another affected monitor may be marked DOWN.
As a result of this issue, pool members that should be marked UP or DOWN by the configured monitor may instead be marked according to another affected monitor's configuration, resulting in the affected pool members being intermittently marked with an incorrect state.
After the next monitor ping interval, affected pool members may be marked with the correct state.
Conditions:
This may occur when multiple database monitors (MSSQL, MySQL, PostgreSQL, Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different pools/members.
For example:
ltm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
recv none
send "select version();"
...
}
Impact:
Monitored pool members using a database monitor (MSSQL, MySQL, PostgreSQL, Oracle) randomly go offline/online.
Workaround:
To avoid this issue, configure each database monitor with values that make the combined parameters unique by changing either the 'send' or the 'recv' parameters, or both.
For example:
ltm monitor mysql mysql_monitor1 {
...
recv none
send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
recv 5.7
send "select version();"
...
}
Fix:
The system now correctly updates pool members when multiple identical database monitors are configured.
758018-3 : APD/APMD may consume excessive resources
Solution Article: K61705126
757992-1 : RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
Component: Access Policy Manager
Symptoms:
RADIUS Acct STOP message is not being sent when configured with a route domain for an HA Pool setup.
Conditions:
-- Configure Floating IP with route domain.
-- Configure RADIUS accounting server with Pool Setup.
-- Configure the virtual server containing the access policy to use the RADIUS Accounting server.
-- Access the virtual server.
Impact:
-- START message is being sent through proper egress floating IP address.
-- STOP message is not sent, and the system logs the following error message:
-- err tmm1[11193]: 01490586:3: (null):Common:8a505e8c: Processing radius acct stop message failed, connection failure.
-- err tmm1[11193]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_RTE. File: ../modules/hudfilter/access/access_session.c, Function: access_session_final_callback, Line: 4439.
Workaround:
This issue is present only when the floating IP address is configured with a non-default route domain. It works fine with the default route domain. Use of default route domain is recommended.
Fix:
RADIUS Acct STOP message is now sent as expected.
757827-3 : Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution
Component: Local Traffic Manager
Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP reboot operation.
Conditions:
This may occur on affected BIG-IP versions when:
-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.
-- The BIG-IP version in use contains the fix for ID 726319 :: Bug ID 726319: 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses :: https://cdn.f5.com/product/bugtracker/ID726319.html.
The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.
Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected. As a result, some pools may not have any active pool members, and do not pass traffic.
This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.
Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes ('##' is the desired number of seconds between successive DNS queries to resolve the configured FQDN name):
tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Fix:
When using FQDN nodes and pool members, ephemeral pool members are now created as expected following a configuration-load or BIG-IP reboot operation.
However, messages similar to the following may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name:
-- err mcpd[20479]: 01020066:3: The requested Node (****) already exists in partition ****.
-- err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.
These are benign messages that do not affect BIG-IP functionality.
757781-1 : Portal Access: cookie exchange may be broken sometimes
Component: Access Policy Manager
Symptoms:
Portal Access uses a special HTTP request with URL '/private/fm/volatile.html' to exchange cookie data between the client and the BIG-IP system. Sometimes the BIG-IP system might send an invalid response to such a request. As a result, no cookie data can be sent from the backend server to the client.
Conditions:
Invalid response to HTTP requests with the following URL:
/private/fm/volatile.html.
Impact:
Portal Access client cannot see cookies set by the backend server. Backend server does not send cookie data to the client.
Workaround:
None.
Fix:
Portal Access now sends correct HTTP responses with backend cookie data to the client.
757722-1 : Unknown notify message types unsupported in IKEv2
Component: TMOS
Symptoms:
IKE negotiation fails when an unrecognized notify payload type is seen in a message processed by IKEv2.
Conditions:
Receiving an IKE message that contains a notify payload whose numeric type value is unrecognized by IKEv2.
Impact:
Negotiation fails with an aborted connection, preventing tunnel creation.
Workaround:
A peer can suppress notification payloads with advisory values that get rejected by IKEv2 within the BIG-IP system.
Fix:
All unknown notify types are now logged and then ignored.
757578-4 : RAM cache is not compatible with verify-accept
Component: Local Traffic Manager
Symptoms:
The TCP profile's verify-accept option is not compatible with the RAM cache feature.
Conditions:
A TCP profile is used with the 'verify-accept' option enabled, together with Web Acceleration via RAM cache.
Impact:
There may be a log message in /var/log/tmm# describing an 'Invalid Proxy Transition'. The RAM cache feature may not handle later pipelined requests due to the proxy shutting down the connection.
Workaround:
Do not use TCP's verify-accept option together with RAM cache.
Fix:
RAM cache now works correctly when the TCP profile enables the verify-accept option.
757464-3 : DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record
Component: Global Traffic Manager (DNS)
Symptoms:
Attempt to delete a DNS Validating Resolver cache record from the 'Key' cache does not remove the record. Also displays a negative TTL for that record.
tmm crash
Conditions:
-- Populate the DNS Validating Resolver Cache.
-- Attempt to delete a record from the 'Key' cache.
Impact:
Undesired behavior due to records not being deleted as instructed. The record also displays a negative TTL.
Workaround:
The only workaround is to restart tmm to generate a completely empty DNS cache. Traffic disrupted while tmm restarts.
Fix:
Fixed an issue preventing records from a DNS Validating Resolver's 'Key' sub-cache from being deleted when utilizing the TMSH command:
delete ltm dns cache records key cache
757455-1 : Excessive resource consumption when processing REST requests
Solution Article: K87920510
757442-1 : A missed SYN cookie check causes crash at the standby TMM in HA mirroring system
Component: Local Traffic Manager
Symptoms:
In a high availability (HA) mirroring configuration, an L7 packet SYN cookie check may be skipped on the standby unit and eventually causes TMM to crash.
Conditions:
-- L7 traffic being passed to an HA configuration that is configured for mirroring traffic.
-- Failover occurs.
Impact:
TMM crashes on the standby device. No connections are shown on the standby unit even when mirroring is enabled.
Workaround:
Do not use HA mirroring.
Fix:
The system now provides SYN cookie checks for L7 mirrored packets on the standby system.
757441-2 : Specific sequence of packets causes Fast Open to be effectively disabled
Component: Local Traffic Manager
Symptoms:
You see this warning in the logs:
warning tmm[21063]: 01010055:4: Syncookie embryonic connection counter -1 exceeded sys threshold 64000.
Conditions:
-- TCP Fast Open and ECN are both enabled.
-- Multiple RST segments within the receive window are received in SYN_RECEIVED state.
Impact:
TCP Fast Open is disabled, because the pre_established_connections counter becomes very large (greater than the threshold).
Workaround:
TCP ECN option can be disabled.
Fix:
TCP Fast Open is no longer disabled under these conditions.
757414 : GUI Network Map slow page load with large configuration
Component: TMOS
Symptoms:
Network Map loads very slowly when displaying large configurations.
Conditions:
Open Network Map page with a large configuration, for example, 2500 or more virtual servers, pools, and pool members.
Impact:
The Network Map page loads too slowly to be usable.
Workaround:
None.
Fix:
Network Map no longer loads very slowly when displaying large configurations.
757391-3 : Datagroup iRule command class can lead to memory corruption
Component: Local Traffic Manager
Symptoms:
When using the iRule command to access datagroups within a foreach loop, memory can be corrupted and tmm can crash.
Conditions:
A [class] command used within a foreach loop.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround aside from removing that iRule.
Fix:
tmm no longer crashes under these conditions.
757359-3 : pccd crashes when deleting a nested Address List
Component: Advanced Firewall Manager
Symptoms:
When removing a nested Address List or Port List, the pccd process might crash.
Conditions:
This might occur under the following conditions:
-- Removing a nested Address List or Port List using a tmsh transaction with an incorrect tmsh command order consistently results in this crash.
-- In a high availability (HA) setup with config-sync enabled, intermittent problems with HA connections, or an out-of-memory system state, might intermittently result in this crash.
Impact:
pccd crashes with core, restarts, and correctly compiles the new configuration. There is a resulting, small delay in applying the new configuration due to the pccd restart.
Workaround:
-- If the crash occurs as a result of incorrect tmsh command order in a transaction, reorder the commands so that the parent list is modified or deleted before the nested list is deleted.
-- If the crash is an intermittent issue due to problems with HA-connections, or an out-of-memory system state, no action is necessary; pccd correctly compiles new configuration after it restarts.
Fix:
pccd no longer crashes under these conditions, and correctly compiles the new configuration.
757357 : TMM may crash while processing traffic
Solution Article: K92002212
757306-2 : SNMP MIBS for AFM NAT do not yet exist
Component: Advanced Firewall Manager
Symptoms:
SNMP MIBS for AFM NAT do not yet exist.
Conditions:
This occurs in normal operation.
Impact:
Unable to read values that do not exist in SNMP, meaning that you cannot access information that you need.
Workaround:
None.
757279 : LDAP authenticated Firewall Manager role cannot edit firewall policies
Component: Advanced Firewall Manager
Symptoms:
The system posts the following message when a user with the LDAP-authenticated Firewall Manager role creates/modifies a firewall policy with rules or upgrades an existing firewall policy:
User does not have modify access to object (fw_uuid_config).
Conditions:
-- Log in using an account with the Firewall Manager role.
-- Create/modify firewall policy with rules or upgrade existing firewall policy.
Impact:
Firewall modification operations fail with a 'modify access to object (fw_uuid_config)' error.
Workaround:
None.
Fix:
Firewall manager can now edit firewall policies.
757088-3 : TMM clock advances and cluster failover happens during webroot db nightly updates
Component: Traffic Classification Engine
Symptoms:
Webroot database mapping and unmapping takes a very long time on TMM, so you might see clock advances occur. The long interval might result in a failover/state transition in a clustered environment.
Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.
Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.
Workaround:
You can avoid this issue by disabling BrightCloud updates; however, your environment will then miss the latest updates.
#vi /etc/wr_urldbd/bcsdk.cfg
DoBcap=true
DoRtu=false
DownloadDatabase=false
Fix:
Mapping/Unmapping the database is done asynchronously and the delay is reduced so that the CDP failover does not happen.
757027-3 : BIND Update
Solution Article: K01713115
757026-3 : BIND Update
Solution Article: K25244852
757025-3 : BIND Update
Solution Article: K00040234
757023-4 : BIND vulnerability CVE-2018-5743
Solution Article: K74009656
756820-1 : Non-UTF8 characters returned from /bin/createmanifest
Component: TMOS
Symptoms:
/bin/createmanifest reads from mcpd values stored for items that are obtained from firmware. These might contain non-UTF8 characters. This program is called in qkview, whose output is then uploaded to iHealth. If any non-UTF8 character is present, the output is omitted (because XML cannot handle non-UTF8 characters).
Conditions:
Data stored in mcpd that was obtained from firmware contains non-UTF8 characters.
Impact:
The upload to iHealth will not contain any of the manifest data set obtained via createmanifest.
Workaround:
The values can be obtained from the qkview by reading qkview_run.data, but they cannot be conveniently viewed in iHealth.
Fix:
The corrected program converts any non-UTF8 characters into '%xx', thus outputting compliant UTF8 strings. These do not negatively impact the XML requirement, and the modified string can be uploaded to iHealth (and the non-UTF8 characters can be examined as hexadecimal values).
756774-4 : Aborted DNS queries to a cache may cause a TMM crash
Solution Article: K24401914
756538-1 : Failure to open data channel for active FTP connections mirrored across a high availability (HA) pair.
Solution Article: K15759349
756494-1 : For in-tmm monitoring: multiple instances of the same agent are running on the Standby device
Component: Local Traffic Manager
Symptoms:
The standby device is sending monitor requests at a more frequent interval than what is configured.
Conditions:
-- In-tmm monitoring configured.
-- High availability (HA) configured.
There is no explicit way to reproduce this and it does not occur every time.
Impact:
Multiple instances of in-tmm monitoring may be created and the BIG-IP device may be sending monitoring traffic more frequently than what is configured.
Workaround:
Reboot the BIG-IP system.
Fix:
Fixed an issue causing multiple monitoring instances to be created.
756470-3 : Additional logging added to detect when monitoring operations in the configuration exceed capabilities.
Component: Global Traffic Manager (DNS)
Symptoms:
GTM logs 'no reply from big3d: timed out' messages when the configuration results in more runtime monitoring operations than can be supported in a given environment, but the same message also appears in the log for other reasons.
Conditions:
The GTM configuration results in more runtime monitoring operations than can be supported in a given environment.
Impact:
It is not possible to detect when there are more runtime monitoring operations than can be supported in a given environment without enabling debug logging and performing a complex analysis of the resulting log files.
Workaround:
Enable debug logging and conduct a detailed analysis to determine if monitor requests are scheduled at the configured intervals.
Fix:
There is now a warning message that provides a much clearer indication of the condition:
The list processing time (14 seconds) exceeded the interval value. There may be too many monitor instances configured with a 7 second interval.
756458-1 : Linux kernel vulnerability: CVE-2018-18559
Solution Article: K28241423
756450-2 : Traffic using route entry that's more specific than existing blackhole route can cause core
Component: Local Traffic Manager
Symptoms:
TMM asserts with an 'Attempting to free loopback interface' message.
Conditions:
-- Using blackhole routes.
-- Have a route entry that is more specific than the existing blackhole route.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use /32 blackhole routes.
Fix:
TMM no longer cores when using blackhole routes that are less specific than non-blackhole routes.
756402-1 : Re-transmitted IPsec packets can have garbled contents
Component: TMOS
Symptoms:
Before a packet is re-transmitted, it is discovered to be garbled, mainly in the form of having a physical length that no longer matches the logical length recorded inside the packet.
Conditions:
Possibly rare condition that might cause packet freeing while still in use.
Impact:
Likely tunnel outage until re-established.
Workaround:
No workaround is known at this time.
Fix:
This release adds checksums to verify IPsec packets are not altered between first creation and later re-transmission.
756311-1 : High CPU during erroneous deletion
Component: Policy Enforcement Manager
Symptoms:
The utilization of some CPU cores increases and remains high for a long time. Rebooting just one blade can cause the high CPU usage to move to another blade in the chassis.
There might be messages similar to the following in tmm logs:
-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.10.10%0-4a89723e; Instance ID mismatch ERR_OK for subscriber id 310012348494 with 10.1.10.10-0-4a8987ea.
-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.18.10%0-4a8b850c; Look up returned err ERR_OK for subscriber id 3101512411557
Conditions:
The exact conditions under which this occurs are not fully understood, but one way it can be triggered is when a single TMM is crashing on a chassis system.
Impact:
The CPU usage comes from an erroneous cleanup function, which runs on a TMM only when it is not busy, so traffic is not expected to be significantly affected. However, if the CPU usage does not subside, recovery may require a cluster-wide TMM restart. Traffic disrupted while tmm restarts.
Workaround:
Delete all subscribers from the CLI.
756270-2 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
Component: Local Traffic Manager
Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.
Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.
Impact:
Handshake failure.
Workaround:
None.
Fix:
This has been fixed to check for the issuer among all certificates that have the same subject name as the CRL issuer.
756205-3 : TMSTAT offbox statistics are not continuous
Component: Application Visibility and Reporting
Symptoms:
When BIG-IP systems are managed by BIG-IQ, the device health statistics have gaps (missing samples).
Conditions:
BIG-IP systems managed by BIG-IQ.
Impact:
Missing data on device health, such as CPU load and memory occupancy.
Workaround:
None.
Fix:
Functionality restored - BIG-IP systems send all the data as expected.
756153-2 : Add diskmonitor support for MySQL /var/lib/mysql
Component: TMOS
Symptoms:
If the disk partition /var/lib/mysql is filled to 100%, diskmonitor does not notify that the partition is nearly exhausted.
Conditions:
The disk partition /var/lib/mysql is filled to 100%.
Impact:
diskmonitor does not notify that disk partition /var/lib/mysql is nearly exhausted.
Workaround:
None.
756102-3 : TMM can crash with core on ABORT signal due to non-responsive AVR code
Component: Application Visibility and Reporting
Symptoms:
ABORT signal is sent to TMM by SOD; TMM aborts with a core.
Conditions:
Non-responsive AVR code. No other special conditions.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
756094-3 : DNS express in restart loop, 'Error writing scratch database' in ltm log
Component: Global Traffic Manager (DNS)
Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd
Conditions:
An update to an SOA record (and only an SOA) is received through an incremental zone transfer update (IXFR).
Impact:
Zone updates from the DNS master servers are not processed.
Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, use the following commands, in sequence:
bigstart stop zxfrd
rm /shared/zxfrd/*
bigstart start zxfrd
Note: DNS express will not be able to service DNS responses until the zone transfers have completed. For this reason, this procedure should be carried out on the standby device, if possible.
Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.
756088-1 : The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address
Component: TMOS
Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.
The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.
Conditions:
-- There are multiple virtual servers associated with a virtual address.
-- The virtual-address icmp-echo is set to 'all' or 'any'.
-- The virtual-address route-advertisement is set to 'all' or 'any'.
Impact:
The BIG-IP might respond incorrectly to ICMP echo requests sent to a virtual-address.
-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP may not respond correctly after a virtual-address availability change.
-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.
The BIG-IP might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.
Workaround:
None.
Fix:
The BIG-IP system now responds correctly to ICMP echo requests and correctly adds/removes dynamic routes to a virtual-address, as appropriate.
756071-1 : MCPD crash
Component: TMOS
Symptoms:
mcpd crashes when it runs out of memory.
Conditions:
MCPD experiences a memory leak under one of the following conditions:
- A tmsh command such as the following is run:
tmsh reset-stats ltm virtual
- The ASM or AVR module is provisioned.
In both circumstances, the 'cur_allocs' for one of MCPD's internal memory allocation types generally increases and becomes very high (e.g., millions):
tmctl -I --select cur_allocs memory_stat program=mcpd name=umem_alloc_40
Impact:
MCPD can run out of memory and crash. Traffic disrupted while mcpd restarts.
Workaround:
None.
Fix:
A memory leak that occurred in the MCPD process has been fixed.
755854-1 : TMM crash due to missing classification category
Component: Traffic Classification Engine
Symptoms:
TMM crashes when 'Thin_Client' category is used. The tmm2 log contains messages:
-- notice panic: ../modules/hudfilter/gpa/gpa_config.c:507: Assertion "Category does not exist" failed.
Conditions:
-- TMM is configured for debug mode (which might occur in cases described in K11490: Configuring the Traffic Management Microkernel to use debug mode :: https://support.f5.com/csp/article/K11490).
-- There is a classification configured with a category that does not exist.
Impact:
TMM restart loop. Traffic disrupted while tmm restarts.
Workaround:
Change the category to something that exists to load tmm.debug.
Fix:
TMM no longer crashes with 'Thin_client' category.
755727-3 : Ephemeral pool members not created after DNS flap and address record changes
Component: Local Traffic Manager
Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.
Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.
Conditions:
This issue may occur under rare timing conditions when the following factors are present:
-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.
Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.
Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:
1. Restart the dynconfd daemon:
bigstart restart dynconfd
2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }
To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.
755585-3 : mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction
Component: Local Traffic Manager
Symptoms:
On a VIPRION cluster, if a single transaction creates a policy with the name Drafts/NAME, publishes the policy, and attaches the policy to a virtual server, mcpd restarts on the secondary blades.
Conditions:
-- VIPRION chassis with more than one blade.
-- Single mcp transaction that:
* Creates a policy with 'Drafts/' as part of the policy name.
* Publishes that policy.
* Attaches that policy to a virtual server, either in the same transaction or a later transaction.
Impact:
mcpd restarts on all secondary blades of a cluster.
Workaround:
You can use either of the following workarounds:
-- Do not create policies with 'Drafts/' in the name.
-- Do not create and publish a policy in the same transaction.
755507-3 : [App Tunnel] 'URI sanitization' error
Component: Access Policy Manager
Symptoms:
URI sanitization error with app tunnel (application tunnel). The system posts messages similar to the following:
-- APM log: warning tmm[19703]: 01490586:4: /Common/AP-AD:Common:ff776e4a: Invalid Resource Access For RESOURCENAME. RST due to URI sanitization
-- LTM log: err tmm[19703]: 01230140:3: RST sent from 10.0.0.1:80 to 10.0.0.1:228, [0x2263e2c:7382] Unrecognized resource access (RESOURCENAME)
Conditions:
Access Policy that includes a 'Logon Page' and 'Advanced Resource Assign' (full webtop and app tunnel).
Impact:
APM does not send a response after receiving a request to 'GET /vdesk/resource_app_tunnels_info.xml'.
Workaround:
None.
755475-3 : Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync
Component: Access Policy Manager
Symptoms:
After making changes to a logon page agent field and performing a config sync to another device, opening the logon agent in the VPE on the sync target device produces an error. Although this description uses the logon page agent, the problem applies to any agent that is tied to a customization group.
Conditions:
1. Form a failover device group with two devices.
2. On one device, create an access policy with a logon page agent. Initiate a config sync to sync the policy to the other device. Verify that everything is correct on the target device (specifically: open the VPE for the policy, confirm that the Logon Page agent is in the policy, click the agent, and confirm that the edit dialog appears without error).
3. On the source device, launch the VPE for the policy, click the Logon Page agent, and make changes to the agent (e.g., choose the 'password' type for field3). Save the change and run a config sync again.
4. On the target device, open the VPE for the policy and click the Logon Page agent.
Impact:
Config is not synced properly to another device in the device group.
Workaround:
- Workaround 1:
Step 1. On the standby (where the problem occurs): delete the policy in question.
Step 2. On the active: modify the access policy and sync it.
* Problem with this workaround: sometimes you cannot properly delete the access policy on the standby, because the customization group is corrupted and deletion of some related configuration fails.
- Workaround 2:
Step 1. On the standby (where the problem occurs): try to open the access policy item in the VPE. The error shows the exact location of the missing file, for example:
"An error 'customization::getMessages: Unable to get xml dom from /config/filestore/files_d/Common_d/customization_group_d/:Common:MyAccessPolicy_act_logon_page_ag_5678_4' has occured on server... Dialogue loading has failed."
Step 2. On the standby: copy that file from the active unit to the standby unit, and set its ownership, group, and permission flags to match the active unit.
Fix:
After a config sync, the target device receives a configuration identical to the source device's when the user updates a logon page field in the logon agent editing dialog.
755197-1 : UCS creation might fail during frequent config save transactions
Component: TMOS
Symptoms:
If 'tmsh save sys config' is run simultaneously with 'tmsh save sys ucs <file>', there is the possibility of a race condition where a file gets scheduled to be added to the UCS file, but gets deleted by the save-config before it actually gets saved.
Conditions:
-- Run 'save sys config' at the same time as 'save sys ucs <file>' in tmsh.
-- A file is being added by one tmsh command while being deleted by the other; for example, a file that has not yet been saved to the configuration is deleted while the system is creating a UCS that is meant to contain it.
Note: There are many operations in which 'save sys config' is performed internally, so running the 'save sys ucs <file>' operation might encounter the timing error any time, even when you are not manually running 'save sys config'.
Impact:
The UCS is not created, and system posts messages similar to the following:
-- config/bigip_base.conf/: Cannot stat: No such file or directory.
-- Exiting with failure status due to previous errors.
-- Operation aborted.
This is a rare, timing-related occurrence. Even though the 'save sys ucs <file>' aborts and logs errors, simply re-running the command is likely to succeed.
Workaround:
Re-run the 'save sys ucs <file>' after it aborts. Nothing else needs to be changed or restored.
Fix:
The race condition is avoided: 'save sys ucs <file>' now succeeds even when files are removed by a concurrent 'save sys config'.
755018-4 : Egress traffic processing may be stopped on one or more VE trunk interfaces
Component: TMOS
Symptoms:
Trunk interface members might be missing from tmm on BIG-IP Virtual Edition (VE).
Conditions:
-- Using trunks on VE.
-- May happen after a TMM restart, or after interface link states change.
Impact:
No egress traffic processing on one or more interfaces of a VE trunk.
Workaround:
Modify an attribute of the trunk and then return it to its previous value, for example:
# tmsh modify net trunk <trunk name> link-select-policy maximum-bandwidth
# tmsh modify net trunk <trunk name> link-select-policy auto
Fix:
Traffic is processed on all trunk interfaces.
755005-3 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
Component: Application Security Manager
Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.
Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.
Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.
Workaround:
None.
Fix:
Correct templates are now used for Illegal Request Length and Illegal Query String Length violations, so the correct titles show.
754971-1 : OSPF inter-process redistribution might break OSPF route redistribution of various types.
Component: TMOS
Symptoms:
Enabling inter-process OSPF route redistribution might cause overall problems with OSPF route redistribution.
Conditions:
OSPF is configured with inter-process OSPF route redistribution, for example:
router ospf
network 0.0.0.0/0 area 0
redistribute kernel
redistribute ospf 1234 <--- !
Impact:
Routes might not be redistributed and will not be present in the OSPF database. This affects all redistribution types (kernel, static, and so on).
Workaround:
Do not use inter-process OSPF route redistribution.
Fix:
Inter-process OSPF route redistribution is working properly.
754944-3 : AVR reporting UI does not follow best practices
Solution Article: K00432398
754901-3 : Frequent zone update notifications may cause TMM to restart
Component: Global Traffic Manager (DNS)
Symptoms:
When zone update notifications arrive frequently, the TMM watchdog may trip and TMM crashes and restarts. There may also be 'clock advanced' messages in /var/log/ltm.
Conditions:
- Using DNS express.
- DNS zone with allow notify.
- Frequent zone NOTIFY messages resulting in zone transfers.
Impact:
TMM restart potentially resulting in failing or impacting services. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Frequent zone update notifications no longer cause TMM to restart.
754855-4 : TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile
Solution Article: K60344652
754658-1 : Improved matching of response messages uses end-to-end ID
Component: Service Provider
Symptoms:
Some Diameter responses are incorrectly matched to a request solely because their hop-by-hop IDs match. The mismatched response is then dropped.
Conditions:
Matching hop-by-hop ID.
Impact:
Responses rarely match the wrong request, but when they do, they will be dropped.
Workaround:
None.
Fix:
Responses are now matched to requests using end-to-end ID as well as hop-by-hop ID. There should be no more incorrect matches.
754617-1 : iRule 'DIAMETER::avp read' command does not work with 'source' option
Component: Service Provider
Symptoms:
Configuring a 'source' option with the iRule 'DIAMETER::avp read' command does not work.
The operation posts a TCL error in /var/log/ltm logs:
err tmm3[11998]: 01220001:3: TCL error: /Common/part1 <MR_INGRESS> - Illegal value (line 1) error Illegal value invoked from within "DIAMETER::avp read 444 source [DIAMETER::avp data get 443 grouped]".
Conditions:
Using the 'DIAMETER::avp read' iRule command with a 'source' option.
Impact:
'DIAMETER::avp read' does not work with the 'source' option.
Workaround:
Use 'DIAMETER::avp data get' with the 'source' option, and re-create the header part when needed.
754567 : Child clientSSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file
Component: TMOS
Symptoms:
Child client SSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file used by the profile.
Conditions:
The issue is seen intermittently when all of the following conditions are met.
-- The client SSL profile is a child client SSL profile, i.e., it has a parent client SSL profile.
-- The child and the parent profile are using the same certificate.
-- The certificate file is updated, for example, by using a command similar to the following:
tmsh modify sys file ssl-cert child.crt { source-path file:///config/ssl/ssl.crt/default.crt app-service none cert-validation-options { } issuer-cert none }
Impact:
The child client SSL profile may unexpectedly end up using a different cert-key-chain from its parent profile.
Workaround:
The inherit-certkeychain flag can be set only in the GUI, at Local Traffic :: Profiles : SSL : Client :: child_profile.
In the row 'Configuration: \ Certificate Key Chain', clear the check box on the right side. That sets inherit-certkeychain to true, i.e., the child profile no longer customizes the cert-key-chain. Once the box is cleared, the Certificate Key Chain field appears greyed out and filled with the parent profile's cert-key-chain.
Fix:
The child profile's inherit-certkeychain flag is no longer unexpectedly set to false after updating the certificate file.
754542-4 : TMM may crash when using RADIUS Accounting agent
Component: Access Policy Manager
Symptoms:
TMM may crash when using RADIUS Accounting agent in either per-session or per-request policy.
Conditions:
- APM is provisioned and licensed.
- RADIUS Accounting agent is used in either per-session or per-request policy.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when RADIUS Accounting agent is used in the access policy.
754365-3 : Updated flags for countries that changed their flags since 2010
Component: Application Security Manager
Symptoms:
Old flags for countries that changed their flags since 2010.
Conditions:
Requests from one of the following countries:
-- Myanmar
-- Iraq
-- Libya
Impact:
Old flag is shown.
Workaround:
None.
Fix:
The three flags are now updated in ASM.
754349 : FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4
Component: Local Traffic Manager
Symptoms:
FTP uploads that are offloaded on both sides drop after the idle timeout period, even though data is flowing.
Conditions:
-- FTP virtual server set up with a standard profile and FastL4 offloading.
-- Attempt a file upload to the virtual server where both client and server side of the data channel are offloaded.
Impact:
Dropped connections; data loss.
Workaround:
You can do either of the following:
-- Enable Inherit Parent Profile on the FTP profile.
-- Turn off FastL4 offloading.
Fix:
-- FTP connections to virtual servers no longer drop when both sides of data channel are offloaded via FastL4.
-- The output of the following command displays the correct acceleration state: tmsh show sys conn all-properties.
754346-1 : Access policy was not found while creating configuration snapshot.
Component: Access Policy Manager
Symptoms:
APMD fails to create configuration snapshot with the following error:
--err apmd[16675]: 01490000:3: AccessPolicyProcessor/AccessPolicyProcessor.cpp func: "dispatchEvent()" line: 1195 Msg: EXCEPTION AccessPolicyProcessor/ProfileAccess.cpp line:234 function: snapshotConfigVariables - AccessPolicy ("/Common/myPolicy") not found while creating configuration snapshot!!!!
If you attempt to modify the policy in question, the system reports a second error:
-- err apmd[16675]: 01490089:3: 00000000: Configuration change notification received for an unknown access profile: /Common/myPolicy
Conditions:
TMM restarts, and a new access policy is added before TMM is fully up and running.
Impact:
Configuration snapshot is not created, and users cannot log on.
Workaround:
Recreate the access profile when TMM is stable.
754345-3 : WebUI does not follow best security practices
Solution Article: K79902360
754330-1 : Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected
Component: Application Visibility and Reporting
Symptoms:
Monpd attempts to load a batch of CSV files that exceed the partition threshold. This might cause Monpd to falsely detect a corrupted database.
Conditions:
-- Monpd is down for a given interval, and needs to load a batch of CSV files.
-- Monpd gets a lower CPU priority and does not manage to load the CSV files within the expected time frame.
-- Some of the reports are more demanding than others, and create CSV files more often, which makes it harder for Monpd to load efficiently.
Impact:
Stats for AVR might not be loaded to the database within an expected interval.
Workaround:
None.
Fix:
Monpd now checks whether a new partition is required after each CSV file load. When needed, it creates one and aggregates data in the database to avoid this issue.
754143-2 : TCP connection may hang after finished
Solution Article: K45456231
Component: Local Traffic Manager
Symptoms:
TCP connections hang. Memory usage increases. TMM restarts.
Numerous hanging connections reported similar to the following:
-- config # tmsh show sys conn protocol tcp
Sys::Connections
10.0.0.1:5854 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5847 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5890 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5855 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5891 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
Conditions:
Pool member fails to respond with an ACK to BIG-IP system serverside FIN. The BIG-IP system serverside connection eventually times out, and the clientside connection is orphaned.
Impact:
Those connections hang indefinitely (even past the idle timeout). Memory increases, eventually leading to a possible TMM out-of-memory condition, requiring a TMM restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TCP connections no longer hang under these conditions.
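The orphaned-connection signature in this entry, as an added example (not F5's code and not part of the original release note): a Python parser for 'tmsh show sys conn protocol tcp' output that flags TCP flows whose serverside half is gone (any6.any/any6.any) and whose idle time has outlived the TCP profile's idle-timeout. The column order is assumed from the listing above, the sample output is constructed, and the 300-second default threshold is the TCP profile's default idle-timeout; a young any6.any flow is normal (no server selected yet), so the idle threshold is what separates this bug from ordinary traffic.

```python
"""Flag orphaned clientside TCP flows in 'tmsh show sys conn' output.

Added example, not F5 code. The column layout assumed here follows the
listing in this entry:
  <cs client> <cs server> <ss client> <ss server> <proto> <idle s> (tmm: N) <type> <accel>
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on the release note; not captured from a real device.
SAMPLE_OUTPUT = """\
Sys::Connections
10.0.0.1:5854 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5847 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5890 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.7:40012 10.0.0.250:80 10.0.0.250:40012 192.168.1.10:80 tcp 12 (tmm: 1) none none
10.0.0.9:51000 10.0.0.250:80 any6.any any6.any tcp 30 (tmm: 1) none none
Total records returned: 5
"""

CONN_RE = re.compile(
    r"^(?P<cs_client>\S+)\s+(?P<cs_server>\S+)\s+(?P<ss_client>\S+)\s+(?P<ss_server>\S+)"
    r"\s+(?P<proto>[a-z0-9]+)\s+(?P<idle>\d+)\s+\(tmm:\s*(?P<tmm>\d+)\)"
)


@dataclass(frozen=True)
class Flow:
    cs_client: str
    cs_server: str
    ss_client: str
    ss_server: str
    proto: str
    idle: int
    tmm: int

    @property
    def serverside_gone(self) -> bool:
        # any6.any on both serverside columns: no serverside flow is attached.
        return self.ss_client == "any6.any" and self.ss_server == "any6.any"


def parse_conn_table(text: str) -> list:
    """Parse connection rows; the header and 'Total records' lines do not match and are skipped."""
    flows = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m is None:
            continue
        flows.append(Flow(
            m["cs_client"], m["cs_server"], m["ss_client"], m["ss_server"],
            m["proto"], int(m["idle"]), int(m["tmm"]),
        ))
    return flows


def find_hung_flows(text: str, idle_timeout: int = 300) -> list:
    """TCP flows with no serverside half that have outlived the profile idle-timeout.

    A healthy flow would have been reaped once idle exceeded the timeout, so
    anything past it with the serverside gone is the leak this entry describes."""
    return [f for f in parse_conn_table(text)
            if f.proto == "tcp" and f.serverside_gone and f.idle > idle_timeout]


def hung_flows_per_tmm(text: str, idle_timeout: int = 300) -> dict:
    """Count hung flows per TMM; the TMM whose count keeps rising is the one whose memory grows."""
    return dict(Counter(f.tmm for f in find_hung_flows(text, idle_timeout)))


if __name__ == "__main__":
    for flow in find_hung_flows(SAMPLE_OUTPUT):
        print(f"hung: {flow.cs_client} -> {flow.cs_server} idle={flow.idle}s tmm={flow.tmm}")
    print(hung_flows_per_tmm(SAMPLE_OUTPUT))
```

Feed it the live output and sample it repeatedly; a stable handful of young any6.any flows is normal, while a count that only grows between samples is this bug and a sign that TMM memory is heading toward the out-of-memory restart described above.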
754132-3 : An NLRI with default route information is not propagated on the 'clear ip bgp <neighbor router-id> soft out' command
Component: TMOS
Symptoms:
A default route is not propagated in Network Layer Reachability Information (NLRI) by the routing framework when the 'clear ip bgp <neighbor router-id> soft out' command is issued, for example:
-- Enter the imish (Integrated Management Interface) shell:
[root@hostname:Active:Standalone] config # imish
hostname[0]>
-- Issue the command inside imish; here 10.0.0.4 is the neighbor's BGP router-id:
hostname[0]>clear ip bgp 10.0.0.4 soft out
Conditions:
-- There is a BIG-IP system with the following routing configuration:
imish output:
hostname[0]#sh run
!
no service password-encryption
!
interface lo
!
... <skip other default information, like interfaces.>
!
router bgp 1
bgp router-id 10.17.0.3
bgp graceful-restart restart-time 120
neighbor 10.17.0.4 remote-as 1
!
-- There is a default route, which is advertised by this BGP configuration. Here is one way to check it:
hostname[0]:sh ip ospf database
... <skip less important info>
AS External Link States
Link ID ADV Router Age Seq# CkSum Route Tag
0.0.0.0 10.17.0.3 273 0x80000002 0x5c4e E2 0.0.0.0/0 0
When the 'clear ip bgp 10.17.0.4 soft out' command is issued, no NLRI with a default route is generated. You can confirm this by running tcpdump and reading the generated link-state advertisement (LSA) messages, or by watching the OSPF debug logs.
Note: The source from which you gather the default route and advertise it to the neighbors does not matter. It might be the usual BGP route learned from another router, a locally created route, or it might be configured by 'neighbor <neighbor router-id> default-originate'.
Impact:
A default-route is not propagated in NLRI by 'soft out' request, even with default-originate configured.
Workaround:
There is no specific workaround for the 'clear ip bgp <neighbor router-id> soft out' command, but if you want the routing protocol to propagate an NLRI with a default route, you can do either of the following:
-- Remove the default route from the advertised routes and add it back. This workaround is configuration-specific, so there are no common steps:
+ If you have default-originate configured for your neighbor, delete that part of the configuration and re-add it.
+ If the default route is a static route, recreate it.
+ And so on.
The idea is to remove the root of the default route generation and then add it back.
-- Run a 'soft in' command from your neighbor. If the neighbor to which you want to propagate the NLRI is a BIG-IP device, or is otherwise capable of running this type of command, issue the following imish command on the neighbor:
# neighbor-hostname[0]: clear ip bgp <neighbor router-id> soft in
Note: In this case, the 'soft in' command requests the NLRIs from the peer.
Fix:
An NLRI with default route information is successfully propagated on the 'clear ip bgp <neighbor router-id> soft out' command.
754109-3 : ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive
Component: Application Security Manager
Symptoms:
When the back-end server sends a Content-Security-Policy header that has neither a script-src nor a default-src directive, ASM modifies the header when it performs its own JavaScript injection, which can cause a CSP violation for the application's inline JavaScript.
Conditions:
-- ASM provisioned.
-- ASM or Bot-Defense/DoS attached on a virtual server.
-- ASM or Bot/DoS performs inline injections, such as CSRF/CSHUI.
Impact:
Inline JavaScript does not run. The Browser reports a content-security-policy violation.
Workaround:
You can use either of the following workarounds:
-- Disable CSP handling in ASM by running the following commands:
/usr/share/ts/bin/add_del_internal add csp_enabled 0
bigstart restart asm
-- Preserve the origin server's CSP header in Bot/DoS using an iRule:
when HTTP_REQUEST {
    # Reset per request so a value from an earlier response on a keep-alive connection never carries over.
    set csp 0
}
when HTTP_RESPONSE {
    # Capture the origin server's header before the response is modified.
    if { [HTTP::header exists Content-Security-Policy] } {
        set csp "[HTTP::header values Content-Security-Policy]"
    }
}
when HTTP_RESPONSE_RELEASE {
    # Restore the original header once response processing is complete.
    if { $csp != 0 } {
        HTTP::header replace Content-Security-Policy $csp
    }
    set csp 0
}
Fix:
ASM/Bot/DoSL7 no longer modifies the CSP header when both the script-src and default-src directives are missing.
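The CSP interaction behind this entry, as an added example (not F5's code and not part of the original release note): a small Python checker that parses a Content-Security-Policy header and reports whether an inline script would execute under it, following the browser fallback chain script-src-elem, then script-src, then default-src, and honouring 'unsafe-inline', nonces and hashes. A header with none of those directives does not restrict scripts at all, so an injector that adds a script directive for its own nonce turns the application's existing inline scripts from allowed into blocked; that is the regression described above. How ASM actually rewrites the header is not stated on this page, so the nonce-based rewrite in rewrite_csp_for_injection is an assumption used for illustration, and all headers below are constructed.

```python
"""Content-Security-Policy check for inline script injection.

Added example, not F5 code. The nonce-based rewrite modelled here is an
assumption about injector behaviour, not ASM's real logic.
"""
import re

# Fallback chain a browser walks to find the directive governing <script> elements.
SCRIPT_FALLBACK = ("script-src-elem", "script-src", "default-src")
HASH_OR_NONCE = re.compile(r"^'(nonce|sha256|sha384|sha512)-", re.IGNORECASE)


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated; a repeated directive is ignored (first wins),
    and names are lower-cased while source expressions keep their case."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def serialize_csp(policy: dict) -> str:
    return "; ".join(f"{name} {' '.join(srcs)}".rstrip() for name, srcs in policy.items())


def governing_script_directive(policy: dict):
    """Name of the directive that governs scripts, or None if the policy has none."""
    for name in SCRIPT_FALLBACK:
        if name in policy:
            return name
    return None


def inline_script_allowed(header: str, nonce=None) -> bool:
    """Would an inline <script> (optionally carrying `nonce`) execute under this header?"""
    policy = parse_csp(header)
    name = governing_script_directive(policy)
    if name is None:
        return True  # no script directive at all: inline scripts are unrestricted
    sources = policy[name]
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True  # nonce matches; nonces are compared case-sensitively
    has_nonce_or_hash = any(HASH_OR_NONCE.match(s) for s in sources)
    # CSP2+ browsers ignore 'unsafe-inline' once any nonce or hash source is present.
    return "'unsafe-inline'" in (s.lower() for s in sources) and not has_nonce_or_hash


def rewrite_csp_for_injection(header: str, nonce: str, fixed: bool = True) -> str:
    """Hypothetical injector behaviour (assumption, not ASM's real logic).

    An existing script directive gets the injector's nonce appended so its
    own <script> runs. With no script directive at all the policy already
    allows the injected script: the fixed path leaves the header alone, while
    the pre-fix path adds a script-src and thereby blocks the application's
    own inline code."""
    policy = parse_csp(header)
    name = governing_script_directive(policy)
    if name is not None:
        policy[name] = policy[name] + [f"'nonce-{nonce}'"]
    elif not fixed:
        policy["script-src"] = [f"'nonce-{nonce}'"]
    return serialize_csp(policy)


if __name__ == "__main__":
    original = "frame-ancestors 'none'; img-src 'self'"  # constructed: no script directive
    buggy = rewrite_csp_for_injection(original, "abc", fixed=False)
    print("original allows inline:", inline_script_allowed(original))
    print("pre-fix header:", buggy)
    print("pre-fix allows app inline:", inline_script_allowed(buggy))
    print("fixed header unchanged:", rewrite_csp_for_injection(original, "abc") == original)
```

Run it against the headers your back end actually emits before enabling injection features: if inline_script_allowed is already True with no governing directive, any header modification is pure downside, which is exactly the case this fix removes.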
754103-2 : iRulesLX NodeJS daemon does not follow best security practices
Solution Article: K75532331
754003-1 : Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate
Solution Article: K73202036
Component: Local Traffic Manager
Symptoms:
For more information please see: https://support.f5.com/csp/article/K73202036
Conditions:
For more information please see: https://support.f5.com/csp/article/K73202036
Impact:
For more information please see: https://support.f5.com/csp/article/K73202036
Workaround:
None.
Fix:
For more information please see: https://support.f5.com/csp/article/K73202036
753975 : TMM may crash while processing HTTP traffic with webacceleration profile
Solution Article: K92411323