Supplemental Document : BIG-IP 13.1.4.1 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 13.1.4

BIG-IP Link Controller

  • 13.1.4

BIG-IP Analytics

  • 13.1.4

BIG-IP LTM

  • 13.1.4

BIG-IP AFM

  • 13.1.4

BIG-IP PEM

  • 13.1.4

BIG-IP FPS

  • 13.1.4

BIG-IP DNS

  • 13.1.4

BIG-IP ASM

  • 13.1.4
Original Publication Date: 06/01/2021
Updated Date: 08/04/2021

BIG-IP Release Notes BIG-IP Release Information

Version: 13.1.4.1
Build: 3.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

The blue background highlights fixes


Cumulative fixes from BIG-IP v13.1.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.6 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release
Known Issues in BIG-IP v13.1.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
794561-4 CVE-2020-5874 K46901953 TMM may crash while processing JWT/OpenID traffic.
965485-1 CVE-2019-5482 K41523201 CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL
949889-1 CVE-2019-3900 K04107324 CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()
842829-5 CVE-2018-16300 CVE-2018-14881 CVE-2018-14882 CVE-2018-16230 CVE-2018-16229 CVE-2018-16227 CVE-2019-15166 CVE-2018-16228 CVE-2018-16451 CVE-2018-16452 CVE-2018-10103 CVE-2018-10105 CVE-2018-14468 K04367730 Multiple tcpdump vulnerabilities
803933-4 CVE-2018-20843 K51011533 Expat XML parser vulnerability CVE-2018-20843
797769-3 CVE-2019-11599 K51674118 Linux vulnerability : CVE-2019-11599
968733-4 CVE-2018-1120 K42202505 CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
995629-1 2-Critical   Loading UCS files may hang if ASM is provisioned
967905-1 2-Critical   Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash
935433-5 2-Critical   iControl SOAP Hardening
1000973-1 2-Critical   Unanticipated restart of TMM due to heartbeat failure
994801-5 3-Major   SCP file transfer hardening
950017-4 3-Major   TMM may crash while processing SCTP traffic
937365-5 3-Major   LTM UI does not follow best practices
906377-5 3-Major   iRulesLX hardening
756820-1 3-Major   Non-UTF8 characters returned from /bin/createmanifest
713708 3-Major   Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI
819053-4 4-Minor   CVE-2019-13232 unzip: overlapping of files in ZIP container
1004417-2 4-Minor   Provisioning error message during boot up


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
754143-2 2-Critical K45456231 TCP connection may hang after finished
942701-4 3-Major   TMM may consume excessive resources while processing HTTP traffic
760050-4 3-Major   "cwnd too low" warning message seen in logs
752530-3 3-Major   TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.
752334-3 3-Major   Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation
962433-2 4-Minor   HTTP::retry for a HEAD request fails to create new connection
962177-4 4-Minor   Results of POLICY::names and POLICY::rules commands may be incorrect
830833-3 4-Minor   HTTP PSM blocking resets should have better log messages


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
918597-1 2-Critical   Under certain conditions, deleting a topology record can result in a crash.
973261-5 3-Major   GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects
912001-1 3-Major   TMM cores on secondary blades of the Chassis system.
863917-4 3-Major   The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
996381-5 2-Critical   ASM attack signature may not match as expected
989009-5 2-Critical   BD daemon may crash while processing WebSocket traffic
980125-5 2-Critical   BD Daemon may crash while processing WebSocket traffic
968421-5 2-Critical   ASM attack signature doesn't matched
943913-5 2-Critical   ASM attack signature does not match
1017645-4 2-Critical   False positive http compliance violation
950917-3 3-Major   Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034
928685-4 3-Major   ASM Brute Force mitigation not triggered as expected
907337-5 3-Major   BD crash on specific scenario
888289-4 3-Major   Add option to skip percent characters during normalization
830341-4 3-Major   False positives Mismatched message key on ASM TS cookie
792341-4 3-Major   Google Analytics shows incorrect stats.


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
932485-1 3-Major   Incorrect sum(hits_count) value in aggregate tables
913085-5 3-Major   Avrd core when avrd process is stopped or restarted


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
889497-1 2-Critical   Deleting a log profile results in urldb and urldbmgrd CPU utilization increase to over 90% usage
866109-4 3-Major   JWK keys frequency does not support fewer than 60 minutes
673748-2 3-Major K19534801 ng_export, ng_import might leave security.configpassword in invalid state
747234-4 4-Minor   Macro policy does not find corresponding access-profile directly
685888-1 4-Minor   OAuth client stores incorrectly escaped JSON values in session variables


Service Provider Fixes

ID Number Severity Solution Article(s) Description
868781-3 2-Critical   TMM crashes while processing MRF traffic
968349-4 3-Major   TMM crashes with unspecified message


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
907245-4 3-Major   AFM UI Hardening


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
948573-3 3-Major   Wr_urldbd list of valid TLDs needs to be updated



Cumulative fixes from BIG-IP v13.1.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
882633-5 CVE-2021-23008 K51213246 Active Directory authentication does not follow current best practices
754855-4 CVE-2020-27714 K60344652 TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile
932697-1 CVE-2021-23000 K34441555 BIG-IP TMM vulnerability CVE-2021-23000
1003557-5 CVE-2021-23015 K74151369 Not following best practices in Guided Configuration Bundle Install worker
1002561-4 CVE-2021-23007 K37451543 TMM vulnerability CVE-2021-23007
838909-6 CVE-2020-5893 K97733133 BIG-IP APM Edge Client vulnerability CVE-2020-5893


Functional Change Fixes

ID Number Severity Solution Article(s) Description
913829-2 3-Major   i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence
794417-2 3-Major   Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not
719338-4 4-Minor   Concurrent management SSH connections are unlimited


TMOS Fixes

ID Number Severity Solution Article(s) Description
915305-2 2-Critical   Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded
888341-3 2-Critical   HA Group failover may fail to complete Active/Standby state transition
886693-1 2-Critical   System may become unresponsive after upgrading
785017-4 2-Critical   Secondary blades go offline after new primary is elected
743975-2 2-Critical   TMM crash (SIGFPE) when starting on a vCMP guest
967745-4 3-Major   Last resort pool error for the modify command for Wide IP
922297-4 3-Major   TMM does not start when using more than 11 interfaces with more than 11 vCPUs
877109-5 3-Major   Unspecified input can break intended functionality in iHealth proxy
838901-1 3-Major   TMM receives invalid rx descriptor from HSB hardware
829821-4 3-Major   Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured
829317-1 3-Major   Memory leak in icrd_child due to concurrent REST usage
945109-5 4-Minor   Freetype Parser Skip Token Vulnerability CVE-2015-9382


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
938233-4 2-Critical   An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization
922317-1 2-Critical   Using the LSN::persistence_entry command in an iRule may cause crashes and/or stalled connections
920265 2-Critical   TMM may crash if a virtual server undergoes a series of specific configuration changes involving the transparent-nexthop option.
876801-1 2-Critical   Tmm crash: invalid route type
718189-2 2-Critical   Unspecified IP traffic can cause low-memory conditions
926929-1 3-Major   RFC Compliance Enforcement lacks configuration availability
889601-5 3-Major   OCSP revocation not properly checked
888517-4 3-Major   Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.
858701-4 3-Major   Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x
809597-1 3-Major   Memory leak in icrd_child observed during REST usage
784565-4 3-Major   VLAN groups are incompatible with fast-forwarded flows
763093-1 3-Major   LRO packets are not taken into account for ifc_stats (VLAN stats)
773253-2 4-Minor   The BIG-IP may send VLAN failsafe probes from a disabled blade
724746-1 4-Minor   Incorrect RST message after 'reject' command
693901-4 4-Minor   Active FTP data connection may change source port on client-side


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
858973-4 3-Major   DNS request matches less specific WideIP when adding new wildcard wideips
712335-1 4-Minor   GTMD may intermittently crash under unusual conditions.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
980809-4 2-Critical   ASM REST Signature Rule Keywords Tool Hardening
962341-3 2-Critical   BD crash while processing JSON content
941621-4 3-Major   Brute Force breaks server's Post-Redirect-Get flow
929001-5 3-Major   ASM form handling improvements
846057-1 3-Major   UCS backup archive may include unnecessary files
673272-5 3-Major   Search by "Signature ID is" does not return results for some signature IDs
824093-1 4-Minor   Parameters payload parser issue


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
981385-5 3-Major   AVRD does not send HTTP events to BIG-IQ DCD
949593-1 3-Major   Unable to load config if AVR widgets were created under '[All]' partition
933777-3 3-Major   Context use and syntax changes clarification


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
990333-3 1-Blocking   APM may return unexpected content when processing HTTP requests


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
628645 3-Major   Classification signatures fails to update and there are no errors in the GUI



Cumulative fixes from BIG-IP v13.1.3.6 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
975233-4 CVE-2021-22992 K52510511 Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992
973333-2 CVE-2021-22991 K56715231 TMM buffer-overflow vulnerability CVE-2021-22991
955145-4 CVE-2021-22986 K03009991 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
954381-4 CVE-2021-22986 K03009991 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
953677-4 CVE-2021-22987, CVE-2021-22988 K18132488 K70031188 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
950077-4 CVE-2021-22987, CVE-2021-22988 K18132488 K70031188 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
981169-4 CVE-2021-22994 K66851119 F5 TMUI XSS vulnerability CVE-2021-22994
959121-1 CVE-2021-23015 K74151369 Not following best practices in Guided Configuration Bundle Install worker
953729-4 CVE-2021-22989, CVE-2021-22990 K56142644 K45056101 Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990
949933-3 CVE-2021-22980 K29282483 BIG-IP APM CTU vulnerability CVE-2021-22980
941449-5 CVE-2021-22993 K55237223 BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993
931513-4 CVE-2021-22977 K14693346 TMM vulnerability CVE-2021-22977
921337-1 CVE-2021-22976 K88230177 BIG-IP ASM WebSocket vulnerability CVE-2021-22976
916821-5 CVE-2021-22974 K68652018 iControl REST vulnerability CVE-2021-22974
834257-5 CVE-2020-5931 K25400442 TMM may crash when processing HTTP traffic
976925-4 CVE-2021-23002 K71891773 BIG-IP APM VPN vulnerability CVE-2021-23002
939845-4 CVE-2021-23004 K31025212 BIG-IP MPTCP vulnerability CVE-2021-23004
939841-4 CVE-2021-23003 K43470422 BIG-IP MPTCP vulnerability CVE-2021-23003
937637-5 CVE-2021-23002 K71891773 BIG-IP APM VPN vulnerability CVE-2021-23002
935401-5 CVE-2021-23001 K06440657 BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001
832757-4 CVE-2017-18551 K48073202 Linux kernel vulnerability CVE-2017-18551
743105-6 CVE-2021-22998 K31934524 BIG-IP SNAT vulnerability CVE-2021-22998
693360-5 CVE-2020-27721 K52035247 A virtual server status changes to yellow while still available


Functional Change Fixes

ID Number Severity Solution Article(s) Description
742860 3-Major   VE: Predictable NIC ordering based on PCI coordinates until ordering is saved.


TMOS Fixes

ID Number Severity Solution Article(s) Description
940021-1 2-Critical   Syslog-ng hang may lead to unexpected reboot
769169-1 2-Critical   BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring
737322-4 2-Critical   tmm may crash at startup if the configuration load fails
703039-2 2-Critical   Empty results on /tm/sys/config-diff/stats
948769-3 3-Major   TMM panic with SCTP traffic
930741-4 3-Major   Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot
927941-2 3-Major   IPv6 static route BFD does not come up after OAMD restart
913433-4 3-Major   On blade failure, some trunked egress traffic is dropped.
867181-4 3-Major   ixlv: double tagging is not working
865241-4 3-Major   Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"
843597-4 3-Major   Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle
842189-3 3-Major   Tunnels removed when going offline are not restored when going back online
829193-5 3-Major   REST system unavailable due to disk corruption
820845-1 3-Major   Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.
759596-3 3-Major   Tcl errors in iRules 'table' command
754132-3 3-Major   A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command
749007-3 3-Major   South Sudan, Sint Maarten, and Curacao country missing in GTM region list
744252-3 3-Major   BGP route map community value: either component cannot be set to 65535
933461-2 4-Minor   BGP multi-path candidate selection does not work properly in all cases.
931837-3 4-Minor   NTP has predictable timestamps
892677-3 4-Minor   Loading config file with imish adds the newline character
800193 4-Minor   Update OpenSSH to version 7 or later for disabling of DSA keys


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
726518-4 2-Critical   Tmsh show command terminated with CTRL-C can cause TMM to crash.
705768-5 2-Critical   The dynconfd process may core and restart with multiple DNS name servers configured
949145-3 3-Major   Improve TCP's response to partial ACKs during loss recovery
879413-4 3-Major   Statsd fails to start if one or more of its *.info files becomes corrupted
860005-4 3-Major   Ephemeral nodes/pool members may be created for wrong FQDN name
857845-5 3-Major   TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule
851045-4 3-Major   LTM database monitor may hang when monitored DB server goes down
814761-3 3-Major   PostgreSQL monitor fails on second ping with count != 1
805017-3 3-Major   DB monitor marks pool member down if no send/recv strings are configured
803233-4 3-Major   Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
772545-1 3-Major   Tmm core in SSLO environment
759056-1 3-Major   stpd memory leak on secondary blades in a multi-blade system
747077-1 3-Major   Potential crash in TMM when updating pool members
745682-2 3-Major   Failed to parse X-Forwarded-For header in HTTP requests
722707-4 3-Major   mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
720440-1 3-Major   Radius monitor marks pool members down after 6 seconds
714642-1 3-Major   Ephemeral pool-member state on the standby is down
705387 3-Major   HTTP/2, ALPN and SSL
686062-1 3-Major   The dynconfd daemon uses UDP ports inefficiently
608952-4 3-Major   MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2
824365-1 4-Minor   Need informative messages for HTTP iRule runtime validation errors
822025-4 4-Minor   HTTP response not forwarded to client during an early response
808409-1 4-Minor   Unable to specify if giaddr will be modified in DHCP relay chain
801705-2 4-Minor   When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC
738032-2 4-Minor   BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed.
859717-4 5-Cosmetic   ICMP-limit-related warning messages in /var/log/ltm


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
918169-3 2-Critical   The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.
921625-5 3-Major   The certs extend function does not work for GTM/DNS sync group
921549-7 3-Major   The gtmd process does not receive updates from local big3d.
852101-4 3-Major   Monitor fails.
853585-5 4-Minor   REST Wide IP object presents an inconsistent lastResortPool value


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
940249-4 2-Critical   Sensitive data is not masked after "Maximum Array/Object Elements" is reached
927617-4 2-Critical   'Illegal Base64 value' violation is detected for cookies that have a valid base64 value
825413-1 2-Critical   /var/lib/mysql can run out of disk space with ASM provisioned
940897-4 3-Major   Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached
918933-4 3-Major K88162221 The BIG-IP ASM system may not properly perform signature checks on cookies
904053-5 3-Major   Unable to set ASM Main Cookie/Domain Cookie hashing to Never
742549-1 3-Major   Cannot create non-ASCII entities in non-UTF ASM policy using REST
767941-2 4-Minor   Gracefully handle policy builder errors


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
743826-3 3-Major   Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0)


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
727031-1 1-Blocking   TMM restart in B2250 vCMP systems, and ping/monitor failures in non-B2250 vCMP systems.
896709-1 2-Critical   Add support for Restart Desktop for webtop in VMware VDI
976501-4 3-Major   Failed to establish VPN connection
924929 3-Major   Logging improvements for VDI plugin
914649-1 3-Major   Support USB redirection through VVC (VMware virtual channel) with BlastX
760629-2 3-Major   Remove Obsolete APM keys in BigDB
739570-2 3-Major   Unable to install EPSEC package
554228-7 3-Major   OneConnect does not work when WEBSSO is enabled/configured.


Service Provider Fixes

ID Number Severity Solution Article(s) Description
939529-4 3-Major   Branch parameter not parsed properly when topmost via header received with comma separated values


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
755854-1 3-Major   TMM crash due to missing classification category



Cumulative fixes from BIG-IP v13.1.3.5 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
943125-4 CVE-2021-23010 K18570111 ASM bd may crash while processing WebSocket traffic
935721-3 CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 K82252291 ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624
933741-5 CVE-2021-22979 K63497634 BIG-IP FPS XSS vulnerability CVE-2021-22979
933297 CVE-2020-5949 K20984059 FTP virtual server passive data channels do not pass traffic
932065-4 CVE-2021-22978 K87502622 iControl REST vulnerability CVE-2021-22978
917509-1 CVE-2020-27718 K58102101 BIG-IP ASM vulnerability CVE-2020-27718
912221-3 CVE-2020-12662
CVE-2020-12663
K37661551 CVE-2020-12662 & CVE-2020-12663
911761-5 CVE-2020-5948 K42696541 F5 TMUI XSS vulnerability CVE-2020-5948
908673-2 CVE-2020-27717 K43850230 TMM may crash while processing DNS traffic
891457-5 CVE-2020-5939 K75111593 NIC driver may fail while transmitting data
882189-4 CVE-2020-5897 K20346072 BIG-IP Edge Client for Windows vulnerability CVE-2020-5897
882185-4 CVE-2020-5897 K20346072 BIG-IP Edge Client Windows ActiveX
881317-3 CVE-2020-5896 K15478554 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896
881293-4 CVE-2020-5896 K15478554 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896
879745-5 CVE-2020-5942 K82530456 TMM may crash while processing Diameter traffic
879025-6 CVE-2020-5913 K72752002 When processing TLS traffic, LTM may not enforce certificate chain restrictions
846917-5 CVE-2019-10744 K47105354 lodash Vulnerability: CVE-2019-10744
839453-2 CVE-2019-10744 K47105354 lodash library vulnerability CVE-2019-10744
788057-1 CVE-2020-5921 K00103216 MCPD may crash while processing syncookies
946581 CVE-2020-27713 K37960100 TMM vulnerability CVE-2020-27713
928037-4 CVE-2020-27729 K15310332 APM Hardening
917005-3 CVE-2020-8619 K19807532 ISC BIND Vulnerability: CVE-2020-8619
912969-5 CVE-2020-27727 K50343630 iAppsLX REST vulnerability CVE-2020-27727
909837-3 CVE-2020-5950 K05204103 TMM may consume excessive resources when AFM is provisioned
905125-4 CVE-2020-27726 K30343902 Security hardening for APM Webtop
904937-5 CVE-2020-27725 K25595031 Excessive resource consumption in zxfrd
898949-4 CVE-2020-27724 K04518313 APM may consume excessive resources while processing VPN traffic
889557-3 CVE-2019-11358 K20455158 jQuery Vulnerability CVE-2019-11358
881445-4 CVE-2020-5898 K69154630 BIG-IP Edge Client for Windows vulnerability CVE-2020-5898
880361-4 CVE-2021-22973 K13323323 iRules LX vulnerability CVE-2021-22973
856961-4 CVE-2018-12207 K17269881 INTEL-SA-00201 MCE vulnerability CVE-2018-12207
848405-1 CVE-2020-5933 K26244025 TMM may consume excessive resources while processing compressed HTTP traffic
842717-3 CVE-2020-5855 K55102004 BIG-IP Edge Client for Windows vulnerability CVE-2020-5855
831777-2 CVE-2020-27723 K42933418 Tmm crash in Ping access use case
816413-4 CVE-2019-1125 K31085564 CVE-2019-1125: Spectre SWAPGS Gadget
811965-3 CVE-2020-27722 K73657294 Some VDI use cases can cause excessive resource consumption
778049-6 CVE-2018-13405 K00854051 Linux Kernel Vulnerability: CVE-2018-13405
751036-3 CVE-2020-27721 K52035247 Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
888493-5 CVE-2020-5928 K40843345 ASM GUI Hardening
852929-2 CVE-2020-5920 K25160703 AFM WebUI Hardening
818213-6 CVE-2019-10639 K32804955 CVE-2019-10639: KASLR bypass using connectionless protocols
818177-1 CVE-2019-12295 K06725231 CVE-2019-12295 Wireshark Vulnerability
773693-3 CVE-2020-5892 K15838353 CVE-2020-5892: APM Client Vulnerability
682352-2 CVE-2017-3735 K21462542 OpenSSL vulnerability CVE-2017-3735
834533-4 CVE-2019-15916 K57418558 Linux kernel vulnerability CVE-2019-15916


Functional Change Fixes

ID Number Severity Solution Article(s) Description
890229-4 3-Major   Source port preserve setting is not honored
738330-1 3-Major   /mgmt/toc endpoint issue after configuring remote authentication
657912-3 3-Major   PIM can be configured to use a floating self IP address
745465-3 4-Minor   The tcpdump file does not provide the correct extension


TMOS Fixes

ID Number Severity Solution Article(s) Description
749738-2 1-Blocking   After upgrade to 13.1.3.3 or 13.1.3.4, B2250 blades may fail to detect HSB and have restarting chmand
910201-5 2-Critical   OSPF - SPF/IA calculation scheduling might get stuck infinitely
896217-5 2-Critical   BIG-IP GUI unresponsive
860517-4 2-Critical   MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
829677-4 2-Critical   .tmp files in /var/config/rest/ may cause /var directory exhaustion
812237-3 2-Critical   i10000 series appliances with HDVC part number 505-0030 missing name in show sys hardware and on LCD
810593-4 2-Critical K10963690 Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade
796601-6 2-Critical   Invalid parameter in errdefsd while processing hostname db_variable
770989-1 2-Critical   Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x.
769817 2-Critical   BFD fails to propagate sessions state change during blade restart
769581 2-Critical   Timeout when sending many large iControl Rest requests
706521-5 2-Critical K21404407 The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password
649205-1 2-Critical   Failure of mcpd during setup of HA communication
924493-5 3-Major   VMware EULA has been updated
915825-5 3-Major   Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
908021-3 3-Major   Management and VLAN MAC addresses are identical
898705-2 3-Major   IPv6 static BFD configuration is truncated or missing
888497-5 3-Major   Cacheable HTTP Response
887089-5 3-Major   Upgrade can fail when filenames contain spaces
871657-3 3-Major   Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
867013-5 3-Major   Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout
858197-4 3-Major   Merged crash when memory exhausted
846441-4 3-Major   Flow-control is reset to default for secondary blade's interface
846137-5 3-Major   The icrd returns incorrect route names in some cases
814585-5 3-Major   PPTP profile option not available when creating or modifying virtual servers in GUI
810821-4 3-Major   Management interface flaps after rebooting the device
810381-1 3-Major   The SNMP max message size check is being incorrectly applied.
808281 3-Major   OVA/Azure template sets '/var' partition with not enough space
802685-4 3-Major   Unable to configure performance HTTP virtual server via GUI
802281-4 3-Major   Gossip shows active even when devices are missing
797829-3 3-Major   The BIG-IP system may fail to deploy new or reconfigure existing iApps
795649-2 3-Major   Loading UCS from one iSeries model to another causes FPGA to fail to load
788577 3-Major   BFD sessions may be reset after CMP state change
783113 3-Major   BGP sessions remain down upon new primary slot election
767737-3 3-Major   Timing issues during startup may make an HA peer stay in the inoperative state
755197-1 3-Major   UCS creation might fail during frequent config save transactions
754971-1 3-Major   OSPF inter-process redistribution might break OSPF route redistribution of various types.
751021-3 3-Major   One or more TMM instances may be left without dynamic routes.
750194-2 3-Major   Moderate: net-snmp security update
746704-1 3-Major   Syslog-ng Memory Leak
745261-1 3-Major   The TMM process may crash in some tunnel cases
740589-3 3-Major   Mcpd crash with core after 'tmsh edit /sys syslog all-properties'
737098-3 3-Major   ASM Sync does not work when the configsync IP address is an IPv6 address
725985-1 3-Major   REST API takes more than 20 seconds when 1000+ virtual servers with SNAT-Pool configured
720569-1 3-Major   Disaggregation algorithm distributing traffic unequally across CPU cores on Virtual Edition
707320-2 3-Major   Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs
705655-2 3-Major   Virtual address not responding to ICMP when ICMP Echo set to Selective
699091-2 3-Major   SELinux denies console access for remote users.
658716-1 3-Major   Failure of mcpd when closing out CMI connection
658715-1 3-Major   Mcpd crash
615934-3 3-Major   Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
605675-2 3-Major   Sync requests can be generated faster than they can be handled
489572-3 3-Major K60934489 Sync fails if file object is created and deleted before sync to peer BIG-IP
902417-5 4-Minor   Configuration error caused by Drafts folder in a deleted custom partition
890277-1 4-Minor   Full config sync to a device group operation takes a long time when there are a large number of partitions.
864757-1 4-Minor   Traps that were disabled are enabled after configuration save
831293-2 4-Minor   SNMP address-related GET requests slow to respond.
804309-3 4-Minor   [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument
801637-1 4-Minor   Cmp_dest on C2200 platform may give incorrect results
779857-4 4-Minor   Misleading GUI error when installing a new version in another partition
692165-1 4-Minor   A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token
591732-3 4-Minor   Local password policy not enforced when auth source is set to a remote type.
583084-10 4-Minor K15101680 iControl produces 404 error while creating records successfully
714176-4 5-Cosmetic   UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
941089-4 2-Critical   TMM core when using Multipath TCP
851857-4 2-Critical   HTTP 100 Continue handling does not work when it arrives in multiple packets
687603-2 2-Critical K36243347 tmsh query for dns records may cause tmm to crash
951033-1 3-Major   Virtual server resets all the connections for rstcause 'VIP disabled (administrative)'
915689-5 3-Major   HTTP/2 dynamic header table may fail to identify indexed headers on the response side.
915605-4 3-Major K56251674 Image install fails if iRulesLX is provisioned and /usr mounted read-write
915281-6 3-Major   Do not rearm TCP Keep Alive timer under certain conditions
909757 3-Major   HTTP CONNECT method with a delayed payload can cause a connection to be closed
892385-3 3-Major   HTTP does not process WebSocket payload when received with server HTTP response
862597-3 3-Major   Improve MPTCP's SYN/ACK retransmission handling
828601-4 3-Major   IPv6 Management route is preferred over IPv6 tmm route
818853-5 3-Major   Duplicate MAC entries in FDB
810445-3 3-Major   PEM: ftp-data not classified or reported
807821-3 3-Major   ICMP echo requests occasionally go unanswered
790845-1 3-Major   An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default
786517-1 3-Major   Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
783617-4 3-Major   Virtual server resets connections when all pool members are marked disabled
766169-3 3-Major   Replacing all VLAN interfaces resets VLAN MTU to a default value
758631-2 3-Major   ec_point_formats extension might be included in the server hello even if not specified in the client hello
758599-4 3-Major   IPv6 Management route is preferred over IPv6 tmm route
758437-4 3-Major   SYN w/ data disrupts stat collection in Fast L4
758436-2 3-Major   Optimistic ACKs degrade Fast L4 statistics
758041-4 3-Major   Pool Members may not be updated accurately when multiple identical database monitors configured
745923-4 3-Major   Connection flow collision can cause packets to be sent with source and/or destination port 0
745663-2 3-Major   During traffic forwarding, nexthop data may be missed at large packet split
724824-4 3-Major   Ephemeral nodes on peer devices report as unknown and unchecked after full config sync
710930-1 3-Major   Enabling BigDB key bigd.tmm may cause SSL monitors to fail
681814-1 3-Major   Changes to a cipher group are not propagated to SSL profiles until the configuration is reloaded
522241-2 3-Major   Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete
814037-1 4-Minor   No virtual server name in Hardware Syncookie activation logs.
781225-3 4-Minor   HTTP profile Response Size stats incorrect for keep-alive connections
726983-4 4-Minor   Inserting multi-line HTTP header not handled correctly


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
960749-4 1-Blocking   TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic
960437-4 2-Critical   The BIG-IP system may initially fail to resolve some DNS queries
919553-4 2-Critical   GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.
783125-4 2-Critical   iRule drop command on DNS traffic without Datagram-LB may cause TMM crash
781829-4 3-Major   GTM TCP monitor does not check the RECV string if server response string not ending with \n
760471-4 3-Major   GTM iQuery connections may be reset during SSL key renegotiation.
758772-4 3-Major   DNS Cache RRSET Evictions Stat not increasing
757464-3 3-Major   DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record
708421-2 3-Major K52142743 DNS::question 'set' options are applied to packet, but not to already parsed dns_msg
700118-1 3-Major   rrset statistics unavailable
529896-1 3-Major   DNS Cache can use cached data from ADDITIONAL sections in answers after RRset cache cleared
643455-1 4-Minor   Update TTL for equally trusted records only


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
903453 2-Critical   TMM crash following redirect when Proactive Bot Defense is used
941853-3 3-Major   Logging Profiles do not disassociate from virtual server when multiple changes are made
900797-5 3-Major   Brute Force Protection (BFP) hash table entry cleanup
900793-3 3-Major K32055534 APM Brute Force Protection resources do not scale automatically
900789-5 3-Major   Alert before Brute Force Protection (BFP) hash are fully utilized
848445-4 3-Major K86285055 Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer
833685-1 3-Major   Idle async handlers can remain loaded for a long time doing nothing
722337-3 3-Major   Always show violations in request log when post request is large
692279-1 3-Major   Request logging is briefly suspended after policy re-assignment
424588-1 3-Major   iRule command [DOSL7::profile] returns empty value
935293-1 4-Minor   'Detected Violation' Field for event logs not showing
882769-5 4-Minor   Request Log: wrong filter applied when searching by Response contains or Response does not contain


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
722392-2 2-Critical   AVR: analytics statistics are displayed even if they are disabled
908065-5 3-Major   Logrotation for /var/log/avr blocked by files with .1 suffix
902485-1 3-Major   Incorrect pool member concurrent connection value
838685-1 3-Major   DoS report exist in per-widget but not under individual virtual
721408-4 3-Major   Possible to create Analytics overview widgets in '[All]' partition
866613-2 4-Minor   Missing MaxMemory Attribute


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
833049-3 3-Major   Category lookup tool in GUI may not match actual traffic categorization
766017-2 4-Minor   [APM][LocalDB] Local user database instance name length check inconsistencies
679751-3 4-Minor   Authorization header can cause a connection reset


Service Provider Fixes

ID Number Severity Solution Article(s) Description
815877-4 3-Major   Information Elements with zero-length value are rejected by the GTP parser
845461-1 5-Cosmetic   MRF DIAMETER: additional details to log event to assist debugging


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
703165-5 3-Major   shared memory leakage


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
783289-3 2-Critical   PEM actions not applied in VE bigTCP.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
943889 2-Critical   Reopening the publisher after a failed publishing attempt
876581-5 3-Major   JavaScript engine file is empty if the original HTML page cached for too long
940401-4 5-Cosmetic   Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
913441 2-Critical   Tmm cores while doing Hitless Upgrade while there are active flows
745733-1 3-Major   TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup
689614-1 3-Major   If DNS is not configured and management proxy is setup correctly, Webroot database fails to download


Device Management Fixes

ID Number Severity Solution Article(s) Description
767613-3 3-Major   Restjavad can keep partially downloaded files open indefinitely



Cumulative fixes from BIG-IP v13.1.3.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
900757-5 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
895525-5 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
909237-3 CVE-2020-8617 K05544642 CVE-2020-8617: BIND Vulnerability
909233-3 CVE-2020-8616 K97810133 DNS Hardening
905905-4 CVE-2020-5904 K31301245 TMUI CSRF vulnerability CVE-2020-5904
895993-5 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
895981-5 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
895881-4 CVE-2020-5903 K43638305 BIG-IP TMUI XSS vulnerability CVE-2020-5903
883717-4 CVE-2020-5914 K37466356 BD crash on specific server cookie scenario
852445-5 CVE-2019-6477 K15840535 Big-IP : CVE-2019-6477 BIND Vulnerability
841577-6 CVE-2020-5922 K20606443 iControl REST hardening
838677-5 CVE-2019-10744 K47105354 lodash library vulnerability CVE-2019-10744
837773-4 CVE-2020-5912 K12936322 Restjavad Storage and Configuration Hardening
830401-5 CVE-2020-5877 K54200228 TMM may crash while processing TCP traffic with iRules
819197-6 CVE-2019-13135 K20336394 BIGIP: CVE-2019-13135 ImageMagick vulnerability
819189-5 CVE-2019-13136 K03512441 BIGIP: CVE-2019-13136 ImageMagick vulnerability
818709-4 CVE-2020-5858 K36814487 TMSH does not follow current best practices
778077-1 CVE-2019-6680 K53183580 Virtual to virtual chain can cause TMM to crash
767373-3 CVE-2019-8331 K24383845 CVE-2019-8331: Bootstrap Vulnerability
750292-4 CVE-2019-6592 K54167061 TMM may crash when processing TLS traffic
886085-1 CVE-2020-5925 K45421311 BIG-IP TMM vulnerability CVE-2020-5925
872673-4 CVE-2020-5918 K26464312 TMM can crash when processing SCTP traffic
868349-5 CVE-2020-5935 K62830532 TMM may crash while processing iRules with MQTT commands
860477-6 CVE-2020-5906 K82518062 SCP hardening
859089-3 CVE-2020-5907 K00091341 TMSH allows SFTP utility access
858025-5 CVE-2021-22984 K33440533 BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984
832885-5 CVE-2020-5923 K05975972 Self-IP hardening
829121-5 CVE-2020-5886 K65720640 State mirroring default does not require TLS
829117-5 CVE-2020-5885 K17663061 State mirroring default does not require TLS
811789-4 CVE-2020-5915 K57214921 Device trust UI hardening
789921-4 CVE-2020-5881 K03386032 TMM may restart while processing VLAN traffic
761112-5 CVE-2019-6683 K76328112 TMM may consume excessive resources when processing FastL4 traffic
756458-1 CVE-2018-18559 K28241423 Linux kernel vulnerability: CVE-2018-18559
745103-4 CVE-2018-7159 K27228191 NodeJS Vulnerability: CVE-2018-7159
715969-1 CVE-2017-5703 K19855851 CVE-2017-5703: Unsafe Opcodes exposed in Intel SPI based products
823893-4 CVE-2020-5890 K03318649 Qkview may fail to completely sanitize LDAP bind credentials
746091-3 CVE-2019-19151 K21711352 TMSH Vulnerability: CVE-2019-19151
717276-5 CVE-2020-5930 K20622530 TMM Route Metrics Hardening
759536-4 CVE-2019-8912 K31739796 Linux kernel vulnerability: CVE-2019-8912


Functional Change Fixes

ID Number Severity Solution Article(s) Description
819397-3 1-Blocking K50375550 TMM does not enforce RFC compliance when processing HTTP traffic
858229-2 3-Major K22493037 XML with sensitive data gets to the ICAP server
691499-1 3-Major   GTP::ie primitives in iRule to be certified
617929-4 3-Major   Support non-default route domains


TMOS Fixes

ID Number Severity Solution Article(s) Description
747099-1 1-Blocking   AWS Cloud VE instance cannot connect to the metadata server to obtain licensing details.
841333-3 2-Critical   TMM may crash when tunnel used after returning from offline
792285-3 2-Critical   TMM crashes if the queuing message to all HSL pool members fails
780817 2-Critical   TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
767013-4 2-Critical   Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
762205-1 2-Critical   IKEv2 rekey fails to recognize VENDOR_ID payload when it appears
882557-5 3-Major   TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)
866925-1 3-Major   The TMM pages used and available can be viewed in the F5 system stats MIB
865225-2 3-Major   100G modules may not work properly in i15000 and i15800 platforms
842125-2 3-Major   Unable to reconnect outgoing SCTP connections that have previously aborted
812981-2 3-Major   MCPD: memory leak on standby BIG-IP device
807005-3 3-Major   Save-on-auto-sync is not working as expected with large configuration objects
804477-2 3-Major   Add HSB register logging when parts of the device becomes unresponsive
800185-2 3-Major   Saving a large encrypted UCS archive may fail and might trigger failover
762073-1 3-Major   Continuous TMM restarts when HSB drops off the PCI bus
760439-2 3-Major   After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
753860-1 3-Major   Virtual server config changes causing incorrect route injection.
749153-1 3-Major   Cannot create LTM policy from GUI using iControl
742628-5 3-Major   A tmsh session initiation adds increased control plane pressure
739872-2 3-Major   The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover
738943-5 3-Major   imish command hangs when ospfd is enabled
738881-2 3-Major   Qkview does not collect any data under certain conditions that cause a timeout
734846-3 3-Major   Redirection to logon summary page does not occur after session timeout
701529-1 3-Major   Configuration may not load or not accept vlan or tunnel names as "default" or "all"
688399-4 3-Major   HSB failure results in continuous TMM restarts
648621-5 3-Major   SCTP: Multihome connections may not expire
641450-5 3-Major K30053855 A transaction that deletes and recreates a virtual may result in an invalid configuration
625901-2 3-Major   SNAT pools allow members in different partitions to be assigned, but this causes a load failure
748940-1 4-Minor   iControl REST cert creation not working for non-Common folder
743815-3 4-Minor   vCMP guest observes connflow reset when a CMP state change occurs.
726317-4 4-Minor   Improved debugging output for mcpd
722230-5 4-Minor   Cannot delete FQDN template node if another FQDN node resolves to same IP address


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
816273-4 1-Blocking   L7 Policies may execute CONTAINS operands incorrectly.
715032-5 1-Blocking K73302459 iRulesLX Hardening
853329 2-Critical   HTTP explicit proxy can crash TMM when used with classification profile
841469-3 2-Critical   Application traffic may fail after an internal interface failure on a VIPRION system.
831325-3 2-Critical K10701310 HTTP PSM detects more issues with Transfer-Encoding headers
826601-3 2-Critical   Prevent receive window shrinkage for looped flows that use a SYN cookie
813561-1 2-Critical   MCPD crashes when assigning an iRule that uses a proc
812525-5 2-Critical K27551003 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
757578-4 2-Critical   RAM cache is not compatible with verify-accept
696908-1 2-Critical   Updating iRule causes TMM to crash
690291-1 2-Critical   tmm crash
858301-4 3-Major K27551003 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
858297-4 3-Major K27551003 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
858289-4 3-Major K27551003 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
858285-4 3-Major K27551003 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
796993-3 3-Major   Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
788753-1 3-Major   GATEWAY_ICMP monitor marks node down with wrong error code
778517-2 3-Major K91052217 Large number of in-TMM monitors results in delayed processing
776229-4 3-Major   iRule 'pool' command no longer accepts pool members with ports that have a value of zero
761185-4 3-Major K50375550 Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic
760679 3-Major   Memory corruption when using C3D on certain platforms
759480-2 3-Major   HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash
758872-2 3-Major   TMM memory leak
756494-1 3-Major   For in-tmm monitoring: multiple instances of the same agent are running on the Standby device
753805-1 3-Major   BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.
716167-1 3-Major   The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp
686059-2 3-Major   FDB entries for existing VLANs may be flushed when creating a new VLAN.
751586-5 4-Minor   Http2 virtual does not honour translate-address disabled
747585-2 4-Minor   TCP Analytics supports ANY protocol number
594064-5 4-Minor K57004151 tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
807177-1 2-Critical   HTTPS monitoring is not caching SSL sessions correctly
802961-1 3-Major   The 'any-available' prober selection is not as random as in earlier versions
778365-1 3-Major   dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service
774481-3 3-Major   DNS Virtual Server creation problem with Dependency List
756470-3 3-Major   Additional logging added to detect when monitoring operations in the configuration exceeds capabilities.
746348-1 3-Major   On rare occasions, gtmd fails to process probe responses originating from the same system.
704198-3 3-Major K29403988 Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance
744280-1 4-Minor   Enabling or disabling a Distributed Application results in a small memory leak


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
803813-3 2-Critical   TMM may experience high latency when processing WebSocket traffic
754109-3 2-Critical   ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive
854177-2 3-Major   ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
850673-4 3-Major   BD sends bad ACKs to the bd_agent for configuration
846493 3-Major   ASM CAPTCHA is not working the first time when a request contains sensitive parameters
783505 3-Major   ASU is very slow on device with hundreds of policies due to table checksums
697269-1 3-Major   Request logging is briefly suspended after policy creation
689987-3 3-Major   Requests are not logged on new virtual servers after UCS load while ASM is running
681010-2 3-Major K33572148 'Referer' is not masked when 'Query String' contains sensitive parameter
673522-1 3-Major   RST when using Bot Defense profile and surfing to a long URL on related domain
629628-1 3-Major   Request Events Missing Due to Policy Builder Restart


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
838709-2 2-Critical   Enabling DoS stats also enables page-load-time
828937-4 2-Critical K45725467 Some systems can experience periodic high IO wait due to AVR data aggregation
870957-2 3-Major   "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage
863161-5 3-Major   Scheduled reports are sent via TLS even if configured as non encrypted
833113-1 3-Major   Avrd core when sending large messages via https
830073-5 3-Major   AVRD may core when restarting due to data collection device connection timeout
700035-5 3-Major   /var/log/avr/monpd.disk.provision not rotate


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
885241 2-Critical   TMM leaks memory when the 'ACCESS::session remove' iRule command is called in an event other than an ACCESS event.
871761-2 2-Critical   Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS
747192-2 2-Critical   Small memory leak while creating Access Policy items
660913-4 2-Critical   For ActiveSync client type, browscap info provided is incorrect.
850277-5 3-Major   Memory leak when using OAuth
803825 3-Major   WebSSO does not support large NTLM target info length
744407-5 3-Major   While the client has been closed, iRule function should not try to check on a closed session


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
833213-5 3-Major   Conditional requests are served incorrectly with AAM policy in webacceleration profile


Service Provider Fixes

ID Number Severity Solution Article(s) Description
814097-4 2-Critical   Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.
811105-3 2-Critical   MRF SIP-ALG drops SIP 183 and 200 OK messages
766405-3 2-Critical   MRF SIP ALG with SNAT: Fix for potential crash on next-active device
745397-3 2-Critical   Virtual server configured with FIX profile can leak memory.
882273-1 3-Major   MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage grow
866021-4 3-Major   Diameter Mirror connection lost on the standby due to "process ingress error"
842625-1 3-Major   SIP message routing remembers a 'no connection' failure state forever
824149-1 3-Major   SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured
815529-4 3-Major   MRF outbound messages are dropped in per-peer mode
811033-3 3-Major   MRF: BiDirectional pesistence does not work in reverse direction if different transport protocols are used
804313-4 3-Major   MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.
803809-1 3-Major   SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.
782353-8 3-Major   SIP MRF via header shows TCP Transport when TLS is enabled
754658-1 3-Major   Improved matching of response messages uses end-to-end ID
754617-1 3-Major   iRule 'DIAMETER::avp read' command does not work with 'source' option
746731-3 3-Major   BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
744275-3 3-Major   BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
727288-3 3-Major   Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC
696348-2 3-Major   "GTP::ie insert" and "GTP::ie append" do not work without "-message" option
676709-3 3-Major K37604585 Diameter virtual server has different behavior of connection-prime when persistence is on/off
836357-1 4-Minor   SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
793013 4-Minor   MRF DIAMETER: Implement sweeper for pending request messages queue
788513-4 4-Minor   Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
786981-1 4-Minor   Pending GTP iRule operation maybe aborted when connection is expired
753790 4-Minor   Allow 'DIAMETER::persist reset' command in EGRESS events
711641-1 4-Minor   MRF DIAMETER: Add log events to log when stale messages are removed from pending request queue
793005-4 5-Cosmetic   'Current Sessions' statistic of MRF/Diameter pool may be incorrect


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
852289-6 3-Major K23278332 DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector
751116-3 3-Major   DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring


Device Management Fixes

ID Number Severity Solution Article(s) Description
839597-2 3-Major   Restjavad fails to start if provision.extramb has a large value



Cumulative fixes from BIG-IP v13.1.3.3 that are included in this release


Functional Change Fixes

None


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
803645-1 3-Major   GTMD daemon crashes



Cumulative fixes from BIG-IP v13.1.3.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
818429-2 CVE-2020-5857 K70275209 TMM may crash while processing HTTP traffic
808301-1 CVE-2019-6678 K04897373 TMM may crash while processing IP traffic
805837-4 CVE-2019-6657 K22441651 REST does not follow current design best practices
795437-2 CVE-2019-6677 K06747393 Improve handling of TCP traffic for iRules
795197-3 CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 K26618426 Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
781377-1 CVE-2019-6681 K93417064 tmrouted may crash while processing Multicast Forwarding Cache messages
780601-4 CVE-2020-5873 K03585731 SCP file transfer hardening
769589-4 CVE-2019-6974 K11186236 CVE-2019-6974: Linux Kernel Vulnerability
762453 CVE-2020-5872 K63558580 Hardware cryptography acceleration may fail
757357 CVE-2019-6676 K92002212 TMM may crash while processing traffic
636400-1 CVE-2019-6665 K26462555 CPB (BIG-IP->BIGIQ log node) Hardening
810537-3 CVE-2020-5883 K12234501 TMM may consume excessive resources while processing iRules
809165-4 CVE-2020-5854 K50046200 TMM may crash will processing connector traffic
808525-4 CVE-2019-6686 K55812535 TMM may crash while processing Diameter traffic
795797-4 CVE-2019-6658 K21121741 AFM WebUI Hardening
788773-4 CVE-2019-9515 K50233772 HTTP/2 Vulnerability: CVE-2019-9515
788769-4 CVE-2019-9514 K01988340 HTTP/2 Vulnerability: CVE-2019-9514
782529-4 CVE-2019-6685 K30215839 iRules does not follow current design best practices
781449-4 CVE-2019-6672 K14703097 Increase efficiency of sPVA DoS protection on wildcard virtual servers
777737-2 CVE-2019-6671 K39225055 TMM may consume excessive resources when processing IP traffic
773673-4 CVE-2019-9512 K98053339 HTTP/2 Vulnerability: CVE-2019-9512
768981-4 CVE-2019-6670 K05765031 VCMP Hypervisor Hardening
761144-6 CVE-2019-6684 K95117754 Broadcast frames may be dropped
761014-4 CVE-2019-6669 K11447758 TMM may crash while processing local traffic
758018-3 CVE-2019-6661 K61705126 APD/APMD may consume excessive resources
725551-4 CVE-2019-6682 K40452417 ASM may consume excessive resources
636453-9 CVE-2016-10009 K31440025 OpenSSH vulnerability CVE-2016-10009
789893-4 CVE-2019-6679 K54336216 SCP file transfer hardening
779177-4 CVE-2019-19150 K37890841 Apmd logs "client-session-id" when access-policy debug log level is enabled
749324-2 CVE-2012-6708 K62532311 jQuery Vulnerability: CVE-2012-6708
738236-2 CVE-2019-6688 K25607522 UCS does not follow current best practices


Functional Change Fixes

ID Number Severity Solution Article(s) Description
724556-2 2-Critical   icrd_child spawns more than maximum allowed times (zombie processes)
769193-1 3-Major   Added support for faster congestion window increase in slow-start for stretch ACKs
759135-5 3-Major   AVR report limits are locked at 1000 transactions
788269-1 4-Minor   Adding toggle to disable AVR widgets on device-groups


TMOS Fixes

ID Number Severity Solution Article(s) Description
725950 1-Blocking   Regcomp() leaks memory if passed an invalid regex.
831549 2-Critical   Marketing name does not display properly for BIG-IP i10010 (C127)
765533-4 2-Critical K58243048 Sensitive information logged when DEBUG logging enabled
749388 2-Critical   'table delete' iRule command can cause TMM to crash
747203-4 2-Critical   Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding
686996-1 2-Critical   TMM core under heavy load with PEM
809205-3 3-Major   CVE-2019-3855: libssh2 Vulnerability
794501-4 3-Major   Duplicate if_indexes and OIDs between interfaces and tunnels
793121-1 3-Major   Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
788557 3-Major   BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior
788301-3 3-Major K58243048 SNMPv3 Hardening
777261-2 3-Major   When SNMP cannot locate a file it logs messages repeatedly
764873-4 3-Major   An accelerated flow transmits packets to a dated, down pool member.
761993-4 3-Major   The nsm process may crash if it detects a nexthop mismatch
759735-1 3-Major   OSPF ASE route calculation for new external-LSA delayed
758781-1 3-Major   iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates
758527-4 3-Major K39604784 BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
758119-4 3-Major K58243048 qkview may contain sensitive information
747592-2 3-Major   PHP vulnerability CVE-2018-17082
745825-3 3-Major   The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading
741902-3 3-Major   sod does not validate message length vs. received packet length
740413-3 3-Major   Sod not logging Failover Condition messages
738445-2 3-Major   IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup
724109-4 3-Major   Manual config-sync fails after pool with FQDN pool members is deleted
700712-1 3-Major   MariaDB binary logging takes up disk space
687115-2 3-Major   SNMP performance can be impacted by a long list of allowed-addresses
683135-2 3-Major   Hardware syncookies number for virtual server stats is unrealistically high
680917-1 3-Major   Invalid monitor rule instance identifier
815425 4-Minor   RAID status is shown <undefined> after upgrade from 12.1.3.5 to 13.1.x
755018-4 4-Minor   Egress traffic processing may be stopped on one or more VE trunk interfaces
484683-3 4-Minor   Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
800305-4 2-Critical   VDI::cmp_redirect generates flow with random client port
787825-3 2-Critical K58243048 Database monitors debug logs have plaintext password printed in the log file
739927-3 2-Critical   Bigd crashes after a specific combination of logging operations
693491-1 2-Critical   ASM with Web Acceleration Profile can rarely cause TMM to core
813673-1 3-Major   The HTTP Explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT
788325-4 3-Major K39794285 Header continuation rule is applied to request/response line
781753-1 3-Major   WebSocket traffic is transmitted with unknown opcodes
773421-2 3-Major   Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
770477-3 3-Major   SSL aborted when client_hello includes both renegotiation info extension and SCSV
761030-1 3-Major   tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route
758992-1 3-Major   The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address
757827-3 3-Major   Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution
755727-3 3-Major   Ephemeral pool members not created after DNS flap and address record changes
749294-2 3-Major   TMM cores when query session index is out of boundary
747907-1 3-Major   Persistence records leak while the HA mirror connection is down
743257-1 3-Major   Fix block size insecurity init and assign
742237-2 3-Major   CPU spikes appear wider than actual in graphs
739638-2 3-Major   BGP failed to connect with neighbor when pool route is used
726734-1 3-Major   DAGv2 port lookup stringent may fail
726176-4 3-Major   Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
716952-2 3-Major   With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process complete.
704450-3 3-Major   bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
693582-1 3-Major   Monitor node log not rotated for certain monitor types
689361-1 3-Major   Configsync can change the status of a monitored pool member
687887-1 3-Major   Unexpected result from multiple changes to a monitor-related object in a single transaction
676990-2 3-Major   No way to enable SNAT of host traffic
676557-1 3-Major   Binary data marshalled to TCL may be converted to UTF8
636842-3 3-Major K51472519 A FastL4 virtual server may drop a FIN packet when mirroring is enabled
601189-3 3-Major   The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
769309-3 4-Minor   DB monitor reconnects to server on every probe when count = 0
760683-2 4-Minor   RST from non-floating self-ip may use floating self-ip source mac-address
754003-1 4-Minor K73202036 Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate
747628-3 4-Minor   BIG-IP sends spurious ICMP PMTU message to server
744210-1 4-Minor   DHCPv6 does not have the ability to override the hop limit from the client.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
772233-1 3-Major   IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.
761032-4 3-Major K36328238 TMSH displays TSIG keys
699512-1 3-Major   UDP packet may be dropped when queued in parallel with another packet
672491-5 3-Major K10990182 net resolver uses internal IP as source if matching wildcard forwarding virtual server


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
813945-1 2-Critical   PB core dump while processing many entities
775105-1 2-Critical   False positive on bot defense logs
812341-1 3-Major   Patch or Delete commands take a long time to complete when modifying an ASM signature set.
800453-1 3-Major K72252057 False positive virus violations
783513-1 3-Major   ASU is very slow on device with hundreds of policies due to logging profile handling
739618-1 3-Major   When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy
727107-2 3-Major   Request Logs are not stored locally due to shmem pipe blockage


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
756102-3 2-Critical   TMM can crash with core on ABORT signal due to non-responsive AVR code
797785-3 3-Major   AVR reports no ASM-Anomalies data.
792265-1 3-Major   Traffic logs does not include the BIG-IQ tags
781581-4 3-Major   Monpd uses excessive memory on requests for network_log data
703196-5 3-Major   Reports for AVR are missing data
696191-1 3-Major   AVR-related disk partitions can get full during upgrade


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
811145-4 2-Critical   VMware View resources with SAML SSO are not working
784989-4 2-Critical   TMM may crash with panic message: Assertion 'cookie name exists' failed
777173-4 2-Critical   Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error
725505-2 2-Critical   SNAT settings in network resource are not applied after FastL4 profile is updated
618641-1 2-Critical   In rare cases VDI plugin might leak memory or crash while processing client connections
815753-4 3-Major   TMM leaks memory when explicit SWG is configured with Kerberos authentication
799149 3-Major   Authentication fails with empty password
798261-4 3-Major   APMD fails to create session variables if spanning is enabled on SWG transparent virtual server
788417-3 3-Major   Remote Desktop client on macOS may show resource auth token on credentials prompt
787477-1 3-Major   Export fails from partitions with '-' as second character
768025-1 3-Major   SAML requests/responses fail with "failed to find certificate"
766577-4 3-Major   APMD fails to send response to client and it already closed connection.
725040-3 3-Major   Auto-update fails for F5 Helper Applications on Linux
723278-1 3-Major   Radius Accounting-Request (STOP) always includes AVP Framed-IP-Address=0.16.0.0 when Network Access rescource configured with IPv4 & IPv6
697590-4 3-Major   APM iRule ACCESS::session remove fails outside of Access events
653210-1 3-Major   Rare resets during the login process
643935-2 3-Major   Rewriting may cause an infinite loop while processing some objects
719589-3 4-Minor   GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic
684414-2 4-Minor   Retrieving too many groups is causing out of memory errors in TMUI and VPE


Service Provider Fixes

ID Number Severity Solution Article(s) Description
813657 3-Major   MRF SIP ALG with SNAT incorrectly detects ingress queue full
811745-4 3-Major   Failover between clustered DIAMETER devices can cause mirror connections to be disconnected


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
787901 2-Critical   While deleting a DoS profile, tmm might core in sPVA
778869-1 2-Critical K72423000 ACLs and other AFM features (e.g., IPI) may not function as designed
747922-2 2-Critical   With AFM enabled, during bootup, there is a small possibility of a tmm crash
761345-1 3-Major   Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode
738284-4 3-Major   Creating or deleting rule list results in warning message: Schema object encode failed
679722-1 3-Major   Configuration sync failure involving self IP references


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
753014-1 3-Major   PEM iRule action with RULE_INIT event fails to attach to PEM policy
747065-3 3-Major   PEM iRule burst of session ADDs leads to missing sessions


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
804185-3 3-Major   Some WebSafe request signatures may not work as expected


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
803477-1 3-Major   BaDoS State file load failure when signature protection is off
767045 4-Minor   TMM cores while applying policy
711708-1 4-Minor   Default disabled DoS profile cannot be attached to virtual server because of BADOS '2 virtual servers limitation'


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
674795-2 4-Minor   tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds, when it should be hours.



Cumulative fixes from BIG-IP v13.1.3.1 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
688627-1 3-Major   OPT-0043 40G optical transceiver cannot be unbundled into 4x10G



Cumulative fixes from BIG-IP v13.1.3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
809377-4 CVE-2019-6649 K05123525 AFM ConfigSync Hardening
771873-3 CVE-2019-6642 K40378764 TMSH Hardening
767653-2 CVE-2019-6660 K23860356 Malformed HTTP request can result in endless loop in an iRule script
758065-2 CVE-2019-6667 K82781208 TMM may consume excessive resources while processing FIX traffic
757023-4 CVE-2018-5743 K74009656 BIND vulnerability CVE-2018-5743
756538-1 CVE-2019-6645 K15759349 Failure to open data channel for active FTP connections mirrored across an high availability (HA) pair.
754103-2 CVE-2019-6644 K75532331 iRulesLX NodeJS daemon does not follow best security practices
739971-2 CVE-2018-5391 K74374841 Linux kernel vulnerability: CVE-2018-5391
726393-4 CVE-2019-6643 K36228121 DHCPRELAY6 can lead to a tmm crash
715923-1 CVE-2018-15317 K43625118 When processing TLS traffic TMM may terminate connections unexpectedly
757455-1 CVE-2019-6647 K87920510 Excessive resource consumption when processing REST requests
773649-4 CVE-2019-6656 K23876153 APM Client Logging


Functional Change Fixes

ID Number Severity Solution Article(s) Description
749704-3 4-Minor   GTPv2 Serving-Network field with mixed MNC digits


TMOS Fixes

ID Number Severity Solution Article(s) Description
774445-3 1-Blocking K74921042 BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2
769809-2 2-Critical   The vCMP guests 'INOPERATIVE' after upgrade
760408-1 2-Critical K23438711 System Integrity Status: Invalid after BIOS update
757722-1 2-Critical   Unknown notify message types unsupported in IKEv2
756402-1 2-Critical   Re-transmitted IPsec packets can have garbled contents
756071-1 2-Critical   MCPD crash
753650 2-Critical   The BIG-IP system reports frequent kernel page allocation failures.
748205-1 2-Critical   SSD bay identification incorrect for RAID drive replacement
734539-3 2-Critical   The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads
708968-2 2-Critical   OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
671741-3 2-Critical   LCD on iSeries devices can lock at red 'loading' screen.
648270-3 2-Critical   mcpd can crash if viewing a fast-growing log file through the GUI
756153-2 3-Major   Add diskmonitor support for MySQL /var/lib/mysql
749785-1 3-Major   nsm can become unresponsive when processing recursive routes
746266-1 3-Major   A vCMP guest VLAN MAC mismatch across blades.
735565-1 3-Major   BGP neighbor peer-group config element not persisting
723553-1 3-Major   BIG-IP installations on RAID systems (old style) may not boot
720610 3-Major   Updatecheck logs bogus 'Update Server unavailable' on every run
716166-4 3-Major   Dynamic routing not added when conflicting self IPs exist
709544-2 3-Major   VCMP guests in HA configuration become Active/Active during upgrade
705037-2 3-Major K32332000 System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
702310-1 3-Major   The ':l' and ':h' options are not available on the tmm interface in tcpdump
693388-2 3-Major   Log additional HSB registers when device becomes unresponsive
667618-1 3-Major   Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
620954-5 3-Major   Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
721526-2 4-Minor   tcpdump fails to write verbose packet data to file
691171-1 4-Minor   static and dynamically learned blackhole route from ZebOS cannot be deleted


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
759968 1-Blocking   Distinct vCMP guests are able to cluster with each other.
757441-2 2-Critical   Specific sequence of packets causes Fast Open to be effectively disabled
757391-3 2-Critical   Datagroup iRule command class can lead to memory corruption
756450-2 2-Critical   Traffic using route entry that's more specific than existing blackhole route can cause core
755585-3 2-Critical   mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction
746710-2 2-Critical   Use of HTTP::cookie after HTTP:disable causes TMM core
742184-1 2-Critical   TMM memory leak
740228-1 2-Critical   TMM crash while sending a DHCP Lease Query to a DHCP server
724214-3 2-Critical   TMM core when using Multipath TCP
667779-1 2-Critical   iRule commands may cause the TMM to crash in very rare situations.
794493 3-Major   Creating Client SSL profile via tmsh or iControl REST and specifying 'cert' and 'key' incorrectly leaves inherit-certkeychain as true
790205-2 3-Major   Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core
760771-3 3-Major   FastL4-steered traffic might cause SSL resume handshake delay
760550-3 3-Major   Retransmitted TCP packet has FIN bit set
757442-1 3-Major   A missed SYN cookie check causes crash at the standby TMM in HA mirroring system
754349 3-Major   FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4
753594-3 3-Major   In-TMM monitors may have duplicate instances or stop monitoring
753514-1 3-Major   Large configurations containing LTM Policies load slowly
749414-2 3-Major   Invalid monitor rule instance identifier error
746922-4 3-Major   When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
726001-1 3-Major   Rapid datagroup updates can cause type corruption
720219 3-Major K13109068 HSL::log command can fail to pick new pool member if last picked member is 'checking'
719304-2 3-Major   Inconsistent node ICMP monitor operation for IPv6 nodes
712919-1 3-Major K54802336 Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server.
705112-2 3-Major   DHCP server flows are not re-established after expiration
675367-2 3-Major K95393925 The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication
604811-2 3-Major   Under certain conditions TMM may crash while processing OneConnect traffic
273104-1 3-Major   Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
759721-4 3-Major K03332436 DNS GUI does not follow best practices
754901-3 3-Major   Frequent zone update notifications may cause TMM to restart
750213-2 3-Major K25351434 DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
726412-2 4-Minor   Virtual server drop down missing objects on pool creation


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
781637-4 3-Major   ASM brute force counts unnecessary failed logins for NTLM
781605-1 3-Major   Fix RFC issue with the multipart parser
781069-4 3-Major   Bot Defense challenge blocks requests with long Referer headers
773553-4 3-Major   ASM JSON parser false positive.
769981-3 3-Major   bd crashes in a specific scenario
764373-1 3-Major   'Modified domain cookie' violation with multiple enforced domain cookies with different paths
763001-2 3-Major K70312000 Web-socket enforcement might lead to a false negative
761941-3 3-Major   ASM does not remove CSRT token query parameter before forwarding a request to the backend server
761231-4 3-Major K79240502 Bot Defense Search Engines getting blocked after configuring DNS correctly
739900-1 3-Major   All Policies are created with 3 new Signature Sets After Creation of a Policy using Application Ready Templates
713051 3-Major   PB generates a suggestion to add a disallowed filtetype with empty name.
686763-1 3-Major   asm_start is consuming too much memory
686500-1 3-Major   Adding user defined signature on device with many policies is very slow
675673-1 3-Major   Policy history files should be limited by settings in a configuration file.
768761-4 4-Minor   Improved accept action description for suggestions to disable signature/enable metacharacter in policy
761553-4 4-Minor   Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic
761549-4 4-Minor   Traffic Learning: Accept and Stage action is shown only in case entity is not in staging
750689-1 4-Minor   Request Log: Accept Request button available when not needed
749184-4 4-Minor   Added description of subviolation for the suggestions that enabled/disabled them
747560-3 4-Minor   ASM REST: Unable to download Whitehat vulnerabilities
695878-4 4-Minor   Signature enforcement issue on specific requests
613728-2 4-Minor   Import/Activate Security policy with 'Replace policy associated with virtual server' option fails
769061-4 5-Cosmetic   Improved details for learning suggestions to enable violation/sub-violation


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
753485-2 2-Critical K50285521 AVR global settings are being overridden by high availability (HA) peers
771025-2 3-Major   AVR send domain names as an aggregate
688544-1 3-Major   SWG reports on BIG-IQ show same series as 'Allowed' and 'Blocked' at the same time


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
760130-1 2-Critical   [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK
753370-1 2-Critical   RADIUS auth might not be working as configured when there is change in RADIUS auth config name.
745600-3 2-Critical   Tmm crash and core using iRule
741535-1 2-Critical   Memory leak when using SAML or Form-based Client-initiated SSO
723402-2 2-Critical   Apmd crashes running command: tmsh restart sys service all
686282-2 2-Critical   APMD intermittently crash when processing access policies
783817-4 3-Major   UI becomes unresponsive when accessing Access active session information
775621-4 3-Major   urldb memory grows past the expected ~3.5GB
765621-1 3-Major   POST request being rejected when using OAuth Resource Server mode
760974-1 3-Major   TMM SIGABRT while evaluating access policy
759638-1 3-Major   APM current active and established session counts out of sync after failover
754542-4 3-Major   TMM may crash when using RADIUS Accounting agent
750823-3 3-Major   Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
750631-1 3-Major   There may be a latency between session termination and deletion of its associated IP address mapping
750170-1 3-Major   SP Connector config changes causes BIG-IP tmm core sometimes during handling of SAML SLO request
749161-1 3-Major   Problem sync policy contains non-ASCII characters
747725-2 3-Major   Kerberos Auth agent may override settings that manually made to krb5.conf
744532-2 3-Major   Websso fails to decrypt secured session variables
600985-3 3-Major   Network access tunnel data stalls
770621-1 4-Minor   [Portal Access] HTTP 308 redirect does not get rewritten
737603-1 4-Minor   Apmd leaks memory when executing per-session policy via iRule


Service Provider Fixes

ID Number Severity Solution Article(s) Description
759077-4 3-Major   MRF SIP filter queue sizes not configurable
748253-3 3-Major   Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
745628-3 3-Major   MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
745514-3 3-Major   MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
745404-2 3-Major   MRF SIP ALG does not reparse SDP payload if replaced
701680-2 3-Major   MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds
747909-3 4-Minor   GTPv2 MEI and Serving-Network fields decoded incorrectly


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
763121-1 2-Critical   Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.
757359-3 2-Critical   pccd crashes when deleting a nested Address List
752363 2-Critical   Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled
777733-1 3-Major   DoS profile default values cause config load failure on upgrade
771173-1 3-Major   FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.
757306-2 3-Major   SNMP MIBS for AFM NAT do not yet exist


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
726665-2 2-Critical   tmm core dump due to SEGFAULT
760438-1 3-Major   PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions
759192-1 3-Major   TMM core during display of PEM session under some specific conditions
756311-1 3-Major   High CPU during erroneous deletion
753163-2 3-Major   PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
775013-4 3-Major   TIME EXCEEDED alert has insufficient data for analysis


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
752803-2 2-Critical   CLASSIFICATION_DETECTED running reject can lead to a tmm core



Cumulative fixes from BIG-IP v13.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
807477-9 CVE-2019-6650 K04280042 ConfigSync Hardening
797885-4 CVE-2019-6649 K05123525 ConfigSync Hardening
796469-2 CVE-2019-6649 K05123525 ConfigSync Hardening
810557-9 CVE-2019-6649 K05123525 ASM ConfigSync Hardening
799617-4 CVE-2019-6649 K05123525 ConfigSync Hardening
799589-4 CVE-2019-6649 K05123525 ConfigSync Hardening
794389-9 CVE-2019-6651 K89509323 iControl REST endpoint response inconsistency
794413-9 CVE-2019-6471 K10092301 BIND vulnerability CVE-2019-6471


Functional Change Fixes

ID Number Severity Solution Article(s) Description
744937-9 3-Major K00724442 BIG-IP DNS and GTM DNSSEC security exposure


TMOS Fixes

ID Number Severity Solution Article(s) Description
760622-2 3-Major   Allow Device Certificate renewal from BIG-IP Configuration Utility
760363-2 3-Major   Update Alias Address field with default placeholder text


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
807445 3-Major   Replaced ISC_TRUE and ISC_FALSE with true and false



Cumulative fixes from BIG-IP v13.1.1.5 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
757025-3 CVE-2018-5744 K00040234 BIND Update
756774-4 CVE-2019-6612 K24401914 Aborted DNS queries to a cache may cause a TMM crash
754944-3 CVE-2019-6626 K00432398 AVR reporting UI does not follow best practices
754345-3 CVE-2019-6625 K79902360 WebUI does not follow best security practices
753975 CVE-2019-6666 K92411323 TMM may crash while processing HTTP traffic with webacceleration profile
753776-1 CVE-2019-6624 K07127032 TMM may consume excessive resources when processing UDP traffic
749879-4 CVE-2019-6611 K47527163 Possible interruption while processing VPN traffic
748502-3 CVE-2019-6623 K72335002 TMM may crash when processing iSession traffic
737731-2 CVE-2019-6622 K44885536 iControl REST input sanitization
737574-2 CVE-2019-6621 K20541896 iControl REST input sanitization
737565-2 CVE-2019-6620 K20445457 iControl REST input sanitization
726327-2 CVE-2018-12120 K37111863 NodeJS debugger accepts connections from any host
791369-4 CVE-2019-6662 K01049383 The REST framework may reflect client data in error logs
757027-3 CVE-2019-6465 K01713115 BIND Update
757026-3 CVE-2018-5745 K25244852 BIND Update
753796-2 CVE-2019-6640 K40443301 SNMP does not follow best security practices
750460-3 CVE-2019-6639 K61002104 Subscriber management configuration GUI
750187-3 CVE-2019-6637 K29149494 ASM REST may consume excessive resources
745713-1 CVE-2019-6619 K94563344 TMM may crash when processing HTTP/2 traffic
745387-3 CVE-2019-6618 K07702240 Resource-admin user roles can no longer get bash access
745371-2 CVE-2019-6636 K68151373 AFM GUI does not follow best security practices
745257-3 CVE-2018-14634 K20934447 Linux kernel vulnerability: CVE-2018-14634
745165-3 CVE-2019-6617 K38941195 Users without Advanced Shell Access are not allowed SFTP access
742226-2 CVE-2019-6635 K11330536 TMSH platform_check utility does not follow best security practices
710857-2 CVE-2019-6634 K64855220 iControl requests may cause excessive resource usage
703835-2 CVE-2019-6616 K82814400 When using SCP into BIG-IP systems, you must specify the target filename
702472-3 CVE-2019-6615 K87659521 Appliance Mode Security Hardening
702469-3 CVE-2019-6633 K73522927 Appliance mode hardening in scp
698376-3 CVE-2019-6614 K46524395 Non-admin users have limited bash commands and can only write to certain directories
673842-4 CVE-2019-6632 K01413496 VCMP does not follow best security practices


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
752835-3 2-Critical K46971044 Mitigate mcpd out of memory error with auto-sync enabled.
750586-1 2-Critical   HSL may incorrectly handle pending TCP connections with elongated handshake time.
707013 2-Critical   vCMP host secondary member's cluster.conf file may replaced by that of vCMP guest
699515-1 2-Critical   nsm cores during update of nexthop for ECMP recursive route
621260-4 2-Critical   mcpd core on iControl REST reference to non-existing pool
760222-5 3-Major   SCP fails unexpected when FIPS mode is enabled
757414 3-Major   GUI Network Map slow page load with large configuration
756088-1 3-Major   The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address
754567 3-Major   Child clientSSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file
751011-1 3-Major   ihealth.sh script and qkview locking mechanism not working
750447-1 3-Major   GUI VLAN list page loading slowly with 50 records per screen
750318-1 3-Major   HTTPS monitor does not appear to be using cert from server-ssl profile
748187-2 3-Major   'Transaction Not Found' Error on PATCH after Transaction has been Created
740345-1 3-Major   TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.
725791-4 3-Major K44895409 Potential HW/HSB issue detected
723794-3 3-Major   PTI (Meltdown) mitigation should be disabled on AMD-based platforms
722380-2 3-Major   The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
721805 3-Major   Traffic Policy edit to datagroup errors on adding ASM disable action
720819-2 3-Major   Certain platforms may take longer than expected to detect and recover from HSB lock-ups
720269-2 3-Major   TACACS audit logging may append garbage characters to the end of log strings
714626-2 3-Major   When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.
701898-1 3-Major   Certain virtual address route-advertisement settings break upgrades from 13.0.0 hotfix rollups
698619-2 3-Major   Disable port bridging on HSB ports for non-vCMP systems
681009-1 3-Major   Large configurations can cause memory exhaustion during live-install
581921-3 3-Major K22327083 Required files under /etc/ssh are not moved during a UCS restore
697766-1 4-Minor   Cisco IOS XR ISIS routers may report 'Authentication TLV not found'
687368-1 4-Minor   The Configuration utility may calculate and display an incorrect HA Group Score
686111-1 4-Minor K89363245 Searching and Reseting Audit Logs not working as expected


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
753912 2-Critical K44385170 UDP flows may not be swept
752930-1 2-Critical   Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
745533-4 2-Critical   NodeJS Vulnerability: CVE-2016-5325
680564-1 2-Critical   "MCP Message:" seen on boot up with Best License
756270-2 3-Major   SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
750843-1 3-Major   HTTP data re-ordering when receiving data while iRule parked
750200-1 3-Major   DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
749689-1 3-Major   HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart
747968-2 3-Major   DNS64 stats not increasing when requests go through DNS cache resolver
747617-1 3-Major   TMM core when processing invalid timer
742078-2 3-Major   Incoming SYNs are dropped and the connection does not time out.
738523-2 3-Major   SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages
727292-1 3-Major   SSL in proxy shutdown case does not deliver server TCP FIN
712664-2 3-Major   IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
710564 3-Major   DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0
709952-1 3-Major   Disallow DHCP relay traffic to traverse between route domains
699979-2 3-Major   Support for Safenet Client Software v7.x
698437-1 3-Major   Internal capacity increase
688553-3 3-Major   SASP GWM monitor may not mark member UP as expected
599567-3 3-Major   APM assumes SNAT automap, does not use SNAT pool
746077-1 4-Minor   If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified
664618-1 4-Minor   Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'
658382-2 5-Cosmetic   Large numbers of ERR_UNKNOWN appearing in the logs


Performance Fixes

ID Number Severity Solution Article(s) Description
735832-1 2-Critical   RAM Cache traffic fails on B2150


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
756094-3 2-Critical   DNS express in restart loop, 'Error writing scratch database' in ltm log
749508-3 3-Major   LDNS and DNSSEC: Various OOM conditions need to be handled properly
749222-3 3-Major   dname compression offset overflow causes bad compression pointer
748902-7 3-Major   Incorrect handling of memory allocations while processing DNSSEC queries
746877-3 3-Major   Omitted check for success of memory allocation for DNSSEC resource record
737332-3 3-Major   It is possible for DNSX to serve partial zone information for a short period of time
748177-3 4-Minor   Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
759360 2-Critical   Apply Policy fails due to policy corruption from previously enforced signature
758961 2-Critical K58243048 During brute force attack, the attempted passwords may be logged
723790-1 2-Critical   Idle asm_config_server handlers consumes a lot of memory
760878-2 3-Major   Incorrect enforcement of explicit global parameters
755005-3 3-Major   Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
754365-3 3-Major   Updated flags for countries that changed their flags since 2010
751710-2 3-Major   False positive cookie hijacking violation
749109-1 3-Major   CSRF situation on BIGIP-ASM GUI
746146-2 3-Major   AVRD can crash with core when disconnecting/reconnecting on HTTPS connection
739945-2 3-Major   JavaScript challenge on POST with 307 breaks application
738647-2 3-Major   Add the login detection criteria of 'status code is not X'
721399-2 3-Major   Signature Set cannot be modified to Accuracy = 'All' after another value
717525-1 3-Major   Behavior for classification in manual learning mode
691945-1 3-Major   Security Policy Configuration Changes When Disabling Learning
761921-3 4-Minor   avrd high CPU utilization due to perpetual connection attempts
758336-1 4-Minor   Incorrect recommendation in Online Help of Proactive Bot Defense


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
763349-1 2-Critical   AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out
756205-3 2-Critical   TMSTAT offbox statistics are not continuous
764665-1 3-Major   AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change
763005-2 3-Major   Aggregated Domain Names in DNS statistics are shown as random domain name
760356-4 3-Major   Users with Application Security Administrator role cannot delete Scheduled Reports
753446-1 3-Major   avrd process crash during shutdown if connected to BIG-IQ
738614-2 3-Major   'Internal error' appears on Goodput GUI page
738197-2 3-Major   IP address from XFF header is not taken into account when there are trailing spaces after IP address
737863-1 3-Major   Advanced Filters for Captured Transactions not working on Multi-Blade Platforms
718655 3-Major   DNS profile measurement unit name is incorrect.
700322-2 3-Major   Upgrade may fail on a multi blade system when there are scheduled reports in configuration
754330-1 4-Minor   Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
752592-2 2-Critical   VMware Horizon PCoIP clients may fail to connect shortly after logout
704587-2 2-Critical   Authentication with UTF-8 chars in password or handling of IP addresses fail due to byte-array processing in iRules
660826-3 2-Critical   BIG-IQ Deployment fails with customization-templates
758764-4 3-Major   APMD Core when CRLDP Auth fails to download revoked certificate
757992-1 3-Major   RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
757781-1 3-Major   Portal Access: cookie exchange may be broken sometimes
755507-3 3-Major   [App Tunnel] 'URI sanitization' error
755475-3 3-Major   Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync
749057-3 3-Major   VMware Horizon idle timeout is ignored when connecting via APM
738430-1 3-Major   APM is not able to do compliance check on iOS devices running F5 Access VPN client
734291-2 3-Major   Logon page modification fails to sync to standby
696835-1 3-Major   Secondary Authentication or SSO fail after changing AD or LDAP password
695985-2 3-Major   Access HUD filter has URL length limit (4096 bytes)
656784-1 3-Major K98510679 Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM


Service Provider Fixes

ID Number Severity Solution Article(s) Description
704555-2 2-Critical   Core occurs if DIAMETER::persist reset is called if no persistence key is set.
752822-3 3-Major   SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type
751179-3 3-Major   MRF: Race condition may create to many outgoing connections to a peer
749603-3 3-Major   MRF SIP ALG: Potential to end wrong call when BYE received
748043-3 3-Major   MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP
747187-3 3-Major   SIP falsely detects media flow collision when SDP is in both 183 and 200 response
744949-3 3-Major   MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
751869 2-Critical   Possible tmm crash when using manual mode mitigation in DoS Profile
757279 3-Major   LDAP authenticated Firewall Manager role cannot edit firewall policies
753893-1 3-Major   Inconsistent validation for firewall address-list's nested address-list causes load failure
748081-2 3-Major   Memory leak in Behavioral DoS module
710262-1 3-Major   Firewall is not updated when adding new rules


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
739272-1 3-Major   Incorrect zombie counts in PBA stats with long PBA block-lifetimes


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
752782-3 3-Major   'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
760961 2-Critical   TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts
757088-3 2-Critical   TMM clock advances and cluster failover happens during webroot db nightly updates
752047-2 2-Critical   iRule running reject in CLASSIFICATION_DETECTED event can cause core
761273-1 3-Major   wr_urldbd creates sparse log files by writing from the previous position after logrotate.


Device Management Fixes

ID Number Severity Solution Article(s) Description
761300 3-Major K61105950 Errors in REST token requests may log sensitive data



Cumulative fixes from BIG-IP v13.1.1.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
744035-4 CVE-2018-15332 K12130880 APM Client Vulnerability: CVE-2018-15332
739970-2 CVE-2018-5390 K95343321 Linux kernel vulnerability: CVE-2018-5390
738119-2 CVE-2019-6589 K23566124 SIP routing UI does not follow best practices
745358-3 CVE-2019-6607 K14812883 ASM GUI does not follow best practices
737910-2 CVE-2019-6609 K18535734 Security hardening on the following platforms
737442-2 CVE-2019-6591 K32840424 Error in APM Hosted Content when set to public access
658557-3 CVE-2019-6606 K35209601 The snmpd daemon may leak memory when processing requests.
530775-3 CVE-2019-6600 K23734425 Login page may generate unexpected HTML output
701785-2 CVE-2017-18017 K18352029 Linux kernel vulnerability: CVE-2017-18017


Functional Change Fixes

ID Number Severity Solution Article(s) Description
744685-1 2-Critical   BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension
744188 2-Critical   First successful auth iControl REST requests will now be logged in audit and secure log files
748851-1 3-Major   Bot Detection injection include tags which may cause faulty display of application
725878-2 3-Major   AVR does not collect all of APM TMStats
700827-4 3-Major   B2250 blades may lose efficiency when source ports form an arithmetic sequence.
667257-4 3-Major   CPU Usage Reaches 100% With High FastL4 Traffic


TMOS Fixes

ID Number Severity Solution Article(s) Description
682837-2 1-Blocking   Compression watchdog period too brief.
744331 2-Critical   OpenSSH hardening
743790-3 2-Critical   BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus
741423-2 2-Critical   Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
738887-3 2-Critical   BIG-IP SNMPD vulnerability CVE-2019-6608
726487-2 2-Critical   MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
723298-2 2-Critical   BIND upgrade to version 9.11.4
713380 2-Critical K23331143 Multiple B4450 blades in the same chassis run into inconsistent DAG state
712738-1 2-Critical   fpdd may core dump when the system is going down
710277-1 2-Critical   IKEv2 further child_sa validity checks
697424-1 2-Critical   iControl-REST crashes on /example for firewall address-lists
688148-3 2-Critical   IKEv1 racoon daemon SEGV during phase-two SA list iteration
680556-1 2-Critical   Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
677937-3 2-Critical K41517253 APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
668041-2 2-Critical K27535157 Config load fails when an iRule comment ends with backslash in a config where there is also a policy.
751009-1 3-Major   Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out
748206 3-Major   Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position
745809 3-Major   The /var partition may become 100% full, requiring manual intervention to clear space
743803-2 3-Major   IKEv2 potential double free of object when async request queueing fails
737536-1 3-Major   Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
737437-2 3-Major   IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages
737397-3 3-Major   User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP
724143-1 3-Major   IKEv2 connflow expiration upon ike-peer change
723579-4 3-Major   OSPF routes missing
722691 3-Major   Available datagroup list does not contain datagroups with the correct type.
721016 3-Major   vcmpd fails updating VLAN information on vcmp guest
720110-2 3-Major   0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.
718817-2 3-Major   Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.
718405-1 3-Major   RSA signature PAYLOAD_AUTH mismatch with certificates
718397-1 3-Major   IKEv2: racoon2 appends spurious trailing null byte to ID payloads
710666-1 3-Major   VE with interface(s) marked down may report high cpu usage
706104-3 3-Major   Dynamically advertised route may flap
705442-1 3-Major   GUI Network Map objects search on Virtual Server IP Address and Port does not work
698947-2 3-Major   BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.
693884-1 3-Major   ospfd core on secondary blade during network unstability
693106-1 3-Major   IKEv1 newest established phase-one SAs should be found first in a search
686926-2 3-Major   IPsec: responder N(cookie) in SA_INIT response handled incorrectly
686124-1 3-Major K83576240 IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
680838-2 3-Major   IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
678925-1 3-Major   Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
678380-2 3-Major K26023811 Deleting an IKEv1 peer in current use could SEGV on race conditions.
676897-3 3-Major K25082113 IPsec keeps failing to reconnect
676092-3 3-Major   IPsec keeps failing to reconnect
674145-1 3-Major   chmand error log message missing data
670197-1 3-Major   IPsec: ASSERT 'BIG-IP_conn tag' failed
652502-2 3-Major   snmpd returns 'No Such Object available' for ltm OIDs
639619-5 3-Major   UCS may fail to load due to Master key decryption failure on EEPROM-less systems
598085-1 3-Major   Expected telemetry is not transmitted by sFlow on the standby-mode unit.
491560-2 3-Major   Using proxy for IP intelligence updates
738985-2 4-Minor   BIND vulnerability: CVE-2018-5740
689491 4-Minor   cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled
689211-3 4-Minor   IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }
680856-2 4-Minor   IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
713491-2 5-Cosmetic   IKEv1 logging shows spi of deleted SA with opposite endianess


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
744269-2 2-Critical   dynconfd restarts if FQDN template node deleted while IP address change in progress
744117-5 2-Critical K18263026 The HTTP URI is not always parsed correctly
743857 2-Critical K21942600 Clientssl accepts non-SSL traffic when cipher-group is configured
742627-2 2-Critical   SSL session mirroring may cause memory leakage if HA channel is down
741919 2-Critical   HTTP response may be dropped following a 100 continue message.
740963-2 2-Critical   VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart
740490-1 2-Critical   Configuration changes involving HTTP2 or SPDY may leak memory
739003-1 2-Critical   TMM may crash when FastL4 is used on ePVA-capable BIG-IP platforms
738945-2 2-Critical   SSL persistence does not work when there are multiple handshakes present in a single record
738046-2 2-Critical   SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby
737758-2 2-Critical   MPTCP Passthrough and VIP-on-VIP can lead to TMM core
734276-2 2-Critical   TMM may leak memory when SSL certificates with VDI or EAM in use
727206 2-Critical   Memory corruption when using SSL Forward Proxy on certain platforms
720136-1 2-Critical   Upgrade may fail on mcpd when external netHSM is used
718210-2 2-Critical   Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused
716714-1 2-Critical   OCSP should be configured to avoid TMM crash.
702792-1 2-Critical K82327396 Upgrade creates Server SSL profiles with invalid cipher strings
685254-2 2-Critical K14013100 RAM Cache Exceeding Watchdog Timeout in Header Field Search
513310-5 2-Critical   TMM might core when a profile is changed.
849861 3-Major   TMM may crash with FastL4 and HTTP profile using fallback host and iRule command
752078 3-Major   Header Field Value String Corruption
739963-2 3-Major   TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
739379-2 3-Major   Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error
739349-1 3-Major   LRO segments might be erroneously VLAN-tagged.
738521-1 3-Major   i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
726319-2 3-Major   'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses
724564-1 3-Major   A FastL4 connection can fail with loose-init and hash persistence enabled
724327-1 3-Major   Changes to a cipher rule do not immediately have an effect
721621-1 3-Major   Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
720799-2 3-Major   Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
717896-2 3-Major   Monitor instances deleted in peer unit after sync
717100-3 3-Major   FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
716716-2 3-Major   Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
714559-2 3-Major   Removal of HTTP hash persistence cookie when a pool member goes down.
713690-3 3-Major   IPv6 cache route metrics are locked
711981-5 3-Major   BIG-IP system accepts larger-than-egress MTU, PMTU update
710028-2 3-Major   LTM SQL monitors may stop monitoring if multiple monitors querying same database
708068-2 3-Major   Tcl commands like "HTTP::path -normalize" do not return normalized path.
707691-4 3-Major   BIG-IP handles some pathmtu messages incorrectly
706102-2 3-Major   SMTP monitor does not handle all multi-line banner use cases
701678-2 3-Major   Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded
685519-1 3-Major   Mirrored connections ignore the handshake timeout
683697-1 3-Major K00647240 SASP monitor may use the same UID for multiple HA device group members
674591-3 3-Major K37975308 Packets with payload smaller than MSS are being marked to be TSOed
504522-1 3-Major   Trailing space present after 'tmsh ltm pool members monitor' attribute value
719247-2 4-Minor K10845686 HTTP::path and HTTP::query iRule functions cannot be set to a blank string
618884-6 4-Minor   Behavior when using VLAN-Group and STP


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
739846-3 2-Critical   Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
749774-3 3-Major   EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
749675-3 3-Major   DNS cache resolver may return a malformed truncated response with multiple OPT records
744707-4 3-Major   Crash related to DNSSEC key rollover
726255-2 3-Major   dns_path lingering in memory with last_access 0 causing high memory usage
723288-2 3-Major   DNS cache replication between TMMs does not always work for net dns-resolver
710246-2 3-Major   DNS-Express was not sending out NOTIFY messages on VE
702457-2 3-Major   DNS Cache connections remain open indefinitely
717113-2 4-Minor   It is possible to add the same GSLB Pool monitor multiple times


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
750922-3 2-Critical   BD crash when content profile used for login page has no parse parameters set
726537-1 2-Critical   Rare TMM crash when Single Page Application is enabled on DoSL7
576123-4 2-Critical K23221623 ASM policies are created as inactive policies on the peer device
750356-3 3-Major   Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted
747777-1 3-Major   Extractions are learned in manual learning mode
747550-1 3-Major   Error 'This Logout URL already exists!' when updating logout page via GUI
745802-3 3-Major   Brute Force CAPTCHA response page truncates last digit in the support id
744347-2 3-Major   Protocol Security logging profiles cause slow ASM upgrade and apply policy
743961-3 3-Major   Signature Overrides for Content Profiles do not work after signature update
738864-1 3-Major   javascript functions in href are learned from response as new URLs
738211-3 3-Major   pabnagd core when centralized learning is turned on
734228-1 3-Major   False-positive illegal-length violation can appear
726377-1 3-Major   False-positive cookie hijacking violation
721752-2 3-Major   Null char returned in REST for Suggestion with more than MAX_INT occurrences
705925-1 3-Major   Websocket Message Type not displayed in Request Log
701792-2 3-Major   JS Injection into cached HTML response causes TCP RST on the fictive URLs
696333-1 3-Major   Threat campaign filter does not return campaign if filter contains quotation marks
690215-2 3-Major   Missing requests in request log
676416-4 3-Major   BD restart when switching FTP profiles
676223-4 3-Major   Internal parameter in order not to sign allowed cookies
663535-2 3-Major   Sending ASM cookies with "secure" attribute even without client-ssl profile
605649-2 3-Major K28782793 The cbrd daemon runs at 100% CPU utilization
748999-1 4-Minor   invalid inactivity timeout suggestion for cookies
747905-1 4-Minor   'Illegal Query String Length' violation displays wrong length
745531-1 4-Minor   Puffin Browser gets blocked by Bot Defense
739345 4-Minor   Reporting invalid signature id after specific signature upgrade
685743-5 4-Minor   When changing internal parameter 'request_buffer_size' in large request violations might not be reported
665470-3 4-Minor   Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
746941 2-Critical   Memory leak in avrd when BIG-IQ fails to receive stats information
739446-2 2-Critical   Resetting SSL-socket correctly for AVR connection
737813-1 2-Critical   BIG-IP is unable to send statistics to BIG-IQ DCD node using IPv6 address
749464 3-Major   Race condition while BIG-IQ updates common file
749461 3-Major   Race condition while modifying analytics global-settings
746823 3-Major   AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members
745027 3-Major   AVR is doing extra activity of DNS data collection even when it should not
744595-1 3-Major   DoS-related reports might not contain some of the activity that took place
744589-1 3-Major   Missing data for Firewall Events Statistics
741767-2 3-Major   ASM Resource :: CPU Utilization statistics are in wrong scale
740086 3-Major   AVR report ignore partitions for Admin users
716782-2 3-Major   AVR should add new field to the events it sends: Microtimestamp


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
753368 1-Blocking   Unable to import access policy with pool
747621-2 2-Critical   Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used
744556-1 2-Critical K01226413 Upgrade PingAccess SDK used by BIG-IP APM to v1.1.3
714716-2 2-Critical K10248311 Apmd logs password for acp messages when in debug mode
754346-1 3-Major   Access policy was not found while creating configuration snapshot.
750496-1 3-Major   TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP
746771-1 3-Major   APMD recreates config snapshots for all access profiles every minute
746768-1 3-Major   APMD leaks memory if access policy policy contains variable/resource assign policy items
745654-2 3-Major   Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
745574-3 3-Major   URL is not removed from custom category when deleted
743437-1 3-Major   Portal Access: Issue with long 'data:' URL
743150-1 3-Major   Increase the limit of the maximum allowed timestamp for OAuth token processing for OAuth Client
739744-1 3-Major   Import of Policy using Pool with members is failing
719079-1 3-Major   Portal Access: same-origin AJAX request may fail under some conditions.
718136-2 3-Major   32-bit F5 VPN and Endpoint Inspector apps are discontinued on Linux


Service Provider Fixes

ID Number Severity Solution Article(s) Description
742829-3 3-Major   SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0
741951-2 3-Major   Multiple extensions in SIP NOTIFY request cause message to be dropped.
699431-3 3-Major   Possible memory leak in MRF under low memory


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
747104-3 1-Blocking K52868493 LibSSH: CVE-2018-10933
753028-1 3-Major   AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule
747926 3-Major   Rare TMM restart due to NULL pointer access during AFM ACL logging


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
744516-1 2-Critical   TMM panics after a large number of LSN remote picks
744959-1 3-Major   SNMP OID for sysLsnPoolStatTotal not incremented in stats
727212-1 3-Major   Subscriber-id query using full length IPv6 address fails.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
748976 3-Major   DataSafe Logging Settings page is missing when DataSafe license is active
742037-3 3-Major   FPS live updates do not install when minor version is different
741449-1 4-Minor   alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
726039 5-Cosmetic   Information is not updated after installing FPS live update via GUI


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
748813-1 2-Critical   tmm cores under stress test on virtual server with DoS profile with admd enabled
748121-1 2-Critical   admd livelock under CPU starvation
741761-1 2-Critical   admd might fail the heartbeat, resulting in a core
704236-1 2-Critical   TMM crash when attaching FastL4 profile
702936-1 2-Critical   TMM SIGSEGV under specific conditions.
653573-4 2-Critical   ADMd not cleaning up child rsync processes
741993-1 3-Major   The BIG-IP system does not answer the request matching L7 policy that disabled DOSL7 when BADOS configured.
741752-1 3-Major   [BADOS] state file is not saved when virtual server reuses a self IP of the device


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
724847 3-Major K95010813 DNS traffic does not get classified for AFM port misuse case



Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
745783-3 3-Major   Anti-fraud: remote logging of login attempts


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
684370-1 3-Major   APM now supports VMware Workspace ONE integration with VIDM as ID Provider
683741-1 3-Major   APM now supports VMware Workspace ONE integration with vIDM as ID Provider
635509-1 3-Major   APM does not support Vmware'e Blast UDP



Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
739947-1 CVE-2019-6610 K42465020 TMM may crash while processing APM traffic
737443-5 CVE-2018-5546 K54431371 BIG-IP APM client for Linux and macOS vulnerability CVE-2018-5546
737441-5 CVE-2018-5546 K54431371 Disallow hard links to svpn log files
726089-2 CVE-2018-15312 K44462254 Modifications to AVR metrics page
725815-1 CVE-2018-15320 K72442354 vlangroup usage may cause a excessive resource consumption
724339-1 CVE-2018-15314 K04524282 Unexpected TMUI output in AFM
724335-1 CVE-2018-15313 K21042153 Unexpected TMUI output in AFM
722677-4 CVE-2019-6604 K26455071 BIG-IP HSB vulnerability CVE-2019-6604
722387-3 CVE-2019-6596 K97241515 TMM may crash when processing APM DTLS traffic
722091-3 CVE-2018-15319 K64208870 TMM may crash while processing HTTP traffic
717888 CVE-2018-15323 K26583415 TMM may leak memory when a virtual server uses the MQTT profile.
717742-5 CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 K44923228 Oracle Java SE vulnerability CVE-2018-2783
707990-2 CVE-2018-15315 K41704442 Unexpected TMUI output in SSL Certificate Instance page
704184-6 CVE-2018-5529 K52171282 APM MAC Client create files with owner only read write permissions
701253-5 CVE-2018-15318 K16248201 TMM core when using MPTCP
693810-6 CVE-2018-5529 K52171282 CVE-2018-5529: APM Linux Client Vulnerability
741858-1 CVE-2018-15324 K52206731 TMM may crash while processing Portal Access requests
734822-3 CVE-2018-15325 K77313277 TMSH improvements
725801-4 CVE-2017-7889 K80440915 CVE-2017-7889: Kernel Vulnerability
725635-2 CVE-2018-3665 K21344224 CVE-2018-3665: Intel Lazy FPU Vulnerability
724680-4 CVE-2018-0732 K21665601 OpenSSL Vulnerability: CVE-2018-0732
721924-2 CVE-2018-17539 K17264695 BIG-IP ARM BGP vulnerability CVE-2018-17539
719554-2 CVE-2018-8897 K17403481 Linux Kernel Vulnerability: CVE-2018-8897
716900-2 CVE-2019-6594 K91026261 TMM core when using MPTCP
710705-2 CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 K34035645 Multiple Wireshark vulnerabilities
705799-2 CVE-2018-15325 K77313277 TMSH improvements
699453-4 CVE-2018-15327 K20222812 Web UI does not follow current best coding practices
699452-4 CVE-2019-6597 K29280193 Web UI does not follow current best coding practices
712876-2 CVE-2017-8824 K15526101 CVE-2017-8824: Kernel Vulnerability


Functional Change Fixes

ID Number Severity Solution Article(s) Description
734527-1 3-Major   BGP 'capability graceful-restart' for peer-group not properly advertised when configured
715750-2 3-Major K41515225 The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.


TMOS Fixes

ID Number Severity Solution Article(s) Description
693611-3 1-Blocking K76313256 IKEv2 ike-peer might crash on stats object during peer modification update
743810-1 2-Critical   AWS: Disk resizing in m5/c5 instances fails silently.
743082-1 2-Critical   Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members
739507 2-Critical   Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check
739505 2-Critical   Automatic ISO digital signature checking not required when FIPS license active
739285-1 2-Critical   GUI partially missing when VCMP is provisioned
725696-1 2-Critical   A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted
723722-2 2-Critical   MCPD crashes if several thousand files are created between config syncs.
721350-2 2-Critical   The size of the icrd_child process is steadily growing
717785-1 2-Critical   Interface-cos shows no egress stats for CoS configurations
716391-2 2-Critical K76031538 High priority for MySQL on 2 core vCMP may lead to control plane process starvation
711683-2 2-Critical   bcm56xxd crash with empty trunk in QinQ VLAN
707003-3 2-Critical   Unexpected syntax error in TMSH AVR
706423-1 2-Critical   tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
703669-2 2-Critical   Eventd restarts on NULL pointer access
703045-1 2-Critical   If using TMSH commands with deprecated attributes in iApp, the upgrade will fail.
700386-2 2-Critical   mcpd may dump core on startup
693996-5 2-Critical K42285625 MCPD sync errors and restart after multiple modifications to file object in chassis
692158-1 2-Critical   iCall and CLI script memory leak when saving configuration
691589-4 2-Critical   When using LDAP client auth, tamd may become stuck
690819-1 2-Critical   Using an iRule module after a 'session lookup' may result in crash
689437-1 2-Critical K49554067 icrd_child cores due to infinite recursion caused by incorrect group name handling
689002-3 2-Critical   Stackoverflow when JSON is deeply nested
658410-2 2-Critical   icrd_child generates a core when calling PUT on ltm/data-group/internal/
652877-5 2-Critical   Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
638091-6 2-Critical   Config sync after changing named pool members can cause mcpd on secondary blades to restart
739126 3-Major   Multiple VE installations may have different sized volumes
733585-3 3-Major   Merged can use %100 of CPU if all stats snapshot files are in the future
727467-1 3-Major   Some iSeries appliances can experience traffic disruption when the high availability (HA) peer is upgraded from 12.1.3 and earlier to 13.1.0 or later.
726409-4 3-Major   Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
722682-2 3-Major   Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load
721740-2 3-Major   CPU stats are not correctly recorded when snapshot files have timestamps in the future
720713-2 3-Major   TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail
720461-2 3-Major   qkview prompts for password on chassis
718525-1 3-Major   PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting
714974-2 3-Major   Platform-migrate of UCS containing QinQ fails on VE
714903-2 3-Major   Errors in chmand
714654-2 3-Major   Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
713813-2 3-Major   Node monitor instances not showing up in GUI
712102-2 3-Major K11430165 customizing or changing the HTTP Profile's IPv6 field hides the field or the row
710232-2 3-Major   platform-migrate fails when LACP trunks are in use
709444-2 3-Major   "NTP not configured on device" warning seen when NTP symmetric key authentication is configured
709192-1 3-Major   GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart
707740-4 3-Major   Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination
707509-1 3-Major   Initial vCMP guest creations can fail if certain hotfixes are used
707391-2 3-Major   BGP may keep announcing routes after disabling route health injection
706804-1 3-Major   SNMP trap destination configuration of network option is missing "default" keyword
706354-2 3-Major   OPT-0045 optic unable to link
706169-3 3-Major   tmsh memory leak
705456-1 3-Major   Enabling HTTP-to-HTTPS redirection in a vCMP guest can prevent some Host-Guest Management features from working
704755-1 3-Major   EUD_M package could not be installed on 800 platforms
704512-1 3-Major   Automated upload of qkview to iHealth can time out resulting in error
704336-1 3-Major   Updating 3rd party device cert not copied correctly to trusted certificate store
702227-3 3-Major   Memory leak in TMSH load sys config
700757-1 3-Major   vcmpd may crash when it is exiting
700576-1 3-Major   GUI - Server SSL Profile shows irrelevant options when "Server Certificate" is set to "Ignore"
700426 3-Major K58033284 Switching partitions while viewing objects in GUI can result in empty list
700250-3 3-Major K59327012 qkviews for secondary blade appear to be corrupt
698875-1 3-Major   Qkview Security Hardening
698084-3 3-Major K03776801 IPsec log messages in /var/log/ltm missing module ID to reach bigiq logs
696731-3 3-Major K94062594 The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
693578-2 3-Major   switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0
692189-1 3-Major   errdefsd fails to generate a core file on request.
692179-1 3-Major   Potential high memory usage from errdefsd.
691609-1 3-Major   1NIC: Configuration error: Clearing IP on interface mgmt failed - Cannot assign requested address
690890-1 3-Major   Running sod manually can cause issues/failover
689375-1 3-Major K01512833 Unable configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled
688406-1 3-Major K14513346 HA-Group Score showing 0
687905-2 3-Major K72040312 OneConnect profile causes CMP redirected connections on the HA standby
687534-1 3-Major   If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
684391-3 3-Major   Existing IPsec tunnels reload. tmipsecd creates a core file.
684218-1 3-Major   vADC 'live-install' Downgrade from v13.1.0 is not possible
681782-6 3-Major   Unicast IP address can be configured in a failover multicast configuration
679347-2 3-Major K44117473 ECP does not work for PFS in IKEv2 child SAs
678488-1 3-Major K59332320 BGP default-originate not announced to peers if several are peering over different VLANs
677485-1 3-Major   Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error
671712-2 3-Major   The values returned for the ltmUserStatProfileStat table are incorrect.
670528-4 3-Major K20251354 Warnings during vCMP host upgrade.
651413-4 3-Major K34042229 tmsh list ltm node does not return an error when node does not exist
642923-6 3-Major   MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system
617643-2 3-Major   iControl.ForceSessions enabled results in GUI error on certain pages
551925-4 3-Major   Misdirected UDP traffic with hardware acceleration
464650-6 3-Major   Failure of mcpd with invalid authentication context.
727297-3 4-Minor   GUI TACACS+ remote server list should accept hostname
725612-1 4-Minor   syslog-ng does not send any messages to the remote servers after reconfiguration
719770-2 4-Minor   tmctl -H -V and -l options without values crashed
714749-2 4-Minor   cURL Vulnerability: CVE-2018-1000120
713947-1 4-Minor   stpd repeatedly logs "hal sendMessage failed"
713932-1 4-Minor   Commands are replicated to PostgreSQL even when not in use.
707631-2 4-Minor   The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI
707267 4-Minor   REST Framework HTTP header limit size increased to 8 KB
701826 4-Minor   qkview upload to ihealth fails or unable to untar qkview file
691491-5 4-Minor K13841403 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
685582-7 4-Minor   Incorrect output of b64 unit key hash by command f5mku -f
683029-1 4-Minor   Sync of virtual address and self IP traffic groups only happens in one direction
679135-2 4-Minor   IKEv1 and IKEv2 cannot share common local address in tunnels
678388-1 4-Minor K00050055 IKEv1 racoon daemon is not restarted when killed multiple times
550526-2 4-Minor K84370515 Some time zones prevent configuring trust with a peer device using the GUI.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
722594-2 1-Blocking   TCP flow may not work as expected if double tagging is used
737445-2 2-Critical   Use of TCP Verified Accept can disable server-side flow control
727044-2 2-Critical   TMM may crash while processing compressed data
726239-4 2-Critical   interruption of traffic handling as sod daemon restarts TMM
725545-1 2-Critical   Ephemeral listener might not be set up correctly
724906-1 2-Critical   sasp_gwm monitor leaks memory over time
724868-1 2-Critical   dynconfd memory usage increases over time
724213-1 2-Critical K74431483 Modified ssl_profile monitor param not synced correctly
722893-1 2-Critical K30764018 TMM can restart without a stack trace or core file after becoming disconnected from MCPD.
716213-1 2-Critical   BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
713612-1 2-Critical   tmm might restart if the HTTP passthrough on pipeline option is used
710221-2 2-Critical K67352313 Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled
673664-1 2-Critical   TMM crashes when sys db Crypto.HwAcceleration is disabled.
635191-2 2-Critical   Under rare circumstances TMM may crash
727222-1 3-Major   206 Partial Content responses from ramcache have malformed Content-Range header
723300-2 3-Major   TMM may crash when tracing iRules containing nameless listeners on internal virtual servers
722363-2 3-Major   Client fails to connect to server when using PVA offload at Established
721261-1 3-Major   v12.x Policy rule names containing slashes are not migrated properly
720293-3 3-Major   HTTP2 IPv4 to IPv6 fails
719600-2 3-Major   TCP::collect iRule with L7 policy present may result in connection reset
717346-2 3-Major K13040347 [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
715883 3-Major   Tmm crash due to invalid cookie attribute
715785-2 3-Major   Incorrect encryption error for monitors during sync or upgrade
715756-2 3-Major   Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only
715467-2 3-Major   Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
714384-3 3-Major   DHCP traffic may not be forwarded when BWC is configured
707951-2 3-Major   Stalled mirrored flows on HA next-active when OneConnect is used.
704764-3 3-Major   SASP monitor marks members down with non-default route domains
703580-1 3-Major   TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.
703266-2 3-Major   Potential MCP memory leak in LTM policy compile code
702450-1 3-Major   The validation error message generated by deleting certain object types referenced by a policy action is incorrect
701690-1 3-Major K53819652 Fragmented ICMP forwarded with incorrect icmp checksum
700696-1 3-Major   SSID does not cache fragmented Client Certificates correctly via iRule
699273-1 3-Major   TMM Core During FTP Monitor Use
695925-1 3-Major   Tmm crash when showing connections for a CMP disabled virtual server
691785-1 3-Major   The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes
691224-3 3-Major K59327001 Fragmented SSL Client Hello message do not get properly reassembled when SSL Persistence is enabled
690778-1 3-Major K53531153 Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule
688629-1 3-Major K52334096 Deleting data-group in use by iRule does not trigger validation error
685110-1 3-Major K05430133 With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
681757-3 3-Major K32521651 Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
681673-4 3-Major   tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results
679613-1 3-Major K23531420 i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'
672312-3 3-Major   IP ToS may not be forwarded to serverside with syncookie activated
602708-4 3-Major K84837413 Traffic may not passthrough CoS by default
716922-2 4-Minor   Reduction in PUSH flags when Nagle Enabled
712637-2 4-Minor   Host header persistence not implemented
700433-1 4-Minor K10870739 Memory leak when attaching an LTM policy to a virtual server
697988-3 4-Minor K34554754 During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100%
693966-1 4-Minor   TCP sndpack not reset along with other tcp profile stats
688557-1 4-Minor K50462482 Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'
495242-4 4-Minor   mcpd log messages: Failed to unpublish LOIPC object


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
718885-3 2-Critical K25348242 Under certain conditions, monitor probes may not be sent at the configured interval
723792-2 3-Major   GTM regex handling of some escape characters renders it invalid
719644-2 3-Major   If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
737500-2 2-Critical   Apply Policy and Upgrade time degradation when there are previous enforced rules
726090-1 2-Critical   No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense
724414-2 2-Critical   ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled
724032-1 2-Critical   Searching Request Log for value containing backslash does not return expected result
721741-3 2-Critical   BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
704143-1 2-Critical   BD memory leak
701856-1 2-Critical   Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart
740719-2 3-Major   ASM CSP header parser does not honor unsafe-inline attribute within script-src directive


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
737867-1 3-Major   Scheduled reports are being incorrectly displayed in different partitions


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
739716-2 1-Blocking   APM Subroutine loops without finishing
740777-1 2-Critical   Secondary blades mcp daemon restart when subroutine properties are configured
739674-1 2-Critical   TMM might core in SWG scenario with per-request policy.
722013 2-Critical   MCPD restarts on all secondary blades post config-sync involving APM customization group
713820-1 2-Critical   Pass in IP address to urldb categorization engine
739939-1 3-Major   Ping Access Agent Module leaks memory in TMM.
739190 3-Major   Policies could be exported with not patched /Common partition
738582-1 3-Major   Ping Access Agent Module leaks memory in TMM.
738397-1 3-Major   SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
737355-1 3-Major   HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files
737064-2 3-Major   ACCESS::session iRule commands may not work in serverside events
726895 3-Major K02205915 VPE cannot modify subroutine settings
726616-1 3-Major   TMM crashes when a session is terminated
726592-1 3-Major   Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop
725867-2 3-Major   ADFS proxy does not fetch configuration for non-floating virtual servers
725412-1 3-Major   APM does not follow current best practices for HTTP headers
724571-1 3-Major   Importing access profile takes a long time
722969-2 3-Major   Access Policy import with 'reuse' enabled instead rewrites shared objects
722423-1 3-Major   Analytics agent always resets when Category Lookup is of type custom only
720757-1 3-Major   Without proper licenses Category Lookup always fails with license error in Allow Ending
713655-2 3-Major   RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
711427-2 3-Major   Edge Browser does not launch F5 VPN App
710884-1 3-Major   Portal Access might omit some valid cookies when rewriting HTTP request.
701800-2 3-Major K29064506 SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x
701056-1 3-Major   User is not able to reset their Active Directory password
698984-1 3-Major   Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned
696669-1 3-Major   Users cannot change or reset RSA PIN
696544-1 3-Major   APM end users can not change/reset password when auth agents are included in per-req policy
671323-1 3-Major   Reset PIN Fail if Token input field is not 'password' field
734595-2 4-Minor   sp-connector is not being deleted together with profile
721375-1 4-Minor   Export then import of config with RSA server in it might fail


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
706642-2 2-Critical   wamd may leak memory during configuration changes and cluster events


Service Provider Fixes

ID Number Severity Solution Article(s) Description
709383-2 3-Major   DIAMETER::persist reset non-functional
706750-1 3-Major   Changing CGNAT SIP ALG profile log settings while handling traffic may cause tmm crash.
691048-1 3-Major K34553736 Support DIAMETER Experimental-Result AVP response
688942-5 3-Major   ICAP: Chunk parser performs poorly with very large chunk


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
724532-2 2-Critical   SIG SEGV during IP intelligence category match in TMM
720045-1 2-Critical   IP fragmented UDP DNS request and response packets dropped as DNS Malformed
710755-1 2-Critical   TMM crash when route information becomes stale and the system accesses stale information.
698333-1 2-Critical K43392052 TMM core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families)
694849-1 2-Critical   TMM crash when packet sampling is turned for DNS BDOS signatures.
672514-1 2-Critical   Local Traffic/Virtual Server/Security page crashed
630137-2 2-Critical   Dynamic Signatures feature can fill up /config partition impacting system stability
726154-2 3-Major   TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies
704528-2 3-Major   tmm may run out of memory during IP shunning
704369-2 3-Major   TMM on BIG-IP restarts if a dos profile is attached to a virtual with sip-routing enabled
696201-1 3-Major   Anomaly threshold floor calculation (for bins with very low learnt threshold) during signature generation
686376-2 3-Major   Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon
707054-1 4-Minor   SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162
699454-4 4-Minor   Web UI does not follow current best coding practices


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
726647-3 3-Major   PEM content insertion in a compressed response may truncate some data
721704-1 3-Major   UDP flows are not deleted after subscriber deletion
709670-2 3-Major   iRule triggered from RADIUS occasionally fails to create subscribers.


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
721570-1 1-Blocking K20285019 TMM core when trying to log an unknown subscriber
734446-2 2-Critical   TMM crash after changing LSN pool mode from PBA to NAPT
688246-1 2-Critical   An invalid mode in the LSN::persistence command causes TMM crash
708830-2 3-Major   Inbound or hairpin connections may get stuck consuming memory.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
738669-2 3-Major   Login validation may fail for a large request with early server response
737368-1 3-Major   Fingerprint cookie large value may result in tmm core.


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
739277 2-Critical   TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode
720585-1 3-Major   Signatures generated by Behavioral DOS algorithm can create false-positive signatures
689540-1 3-Major   The same DOS attack generates new signatures even if there are signatures generated during previous attacks.


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
726303-1 3-Major   Unlock 10 million custom db entry limit


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
726872-2 3-Major   iApp LX directory disappears after upgrade or restoring from UCS



Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release


Functional Change Fixes

None



Cumulative fixes from BIG-IP v13.1.1 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
693359-1 1-Blocking   AWS M5 and C5 instance families are supported


TMOS Fixes

ID Number Severity Solution Article(s) Description
721364 1-Blocking   BIG-IP per-application VE BYOL license does not support three wildcard virtual servers
716469 1-Blocking   OpenSSL 1.0.1l fails with 512 bit DSA keys
697615-1 1-Blocking K65013424 Neurond may restart indefinitely after boot, with neurond_i2c_config message
675921-2 1-Blocking   Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running
723130-1 2-Critical K13996 Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
700086-1 2-Critical   AWS C5/M5 Instances do not support BIG-IP VE
696732-3 2-Critical K54431534 tmm may crash in a compression provider
721985 3-Major   PAYG License remains inactive as dossier verification fails.
721512 3-Major   Config tool fails to configure management-ip when default routes exist for both IPv4 and IPv6.
721342 3-Major   No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments.
720961-1 3-Major   Upgrading in Intelligence Community AWS environment may fail
720756-1 3-Major   SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS
720651-2 3-Major   Running Guest Changed to Provisioned Never Stops
720104-1 3-Major   BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
719396-1 3-Major K34339214 DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.
717832 3-Major   Remove unneeded files from UCS backup directories
714303-1 3-Major K25057050 X520 virtual functions do not support MAC masquerading
712266-1 3-Major   Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware
697616-2 3-Major   Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests
680086 3-Major   BMC firmware fails md5sum check
673996-2 3-Major   Unable to set 'media-fixed' on management port on BIG-IP i15000 platforms
680388-1 4-Minor   f5optics should not show function name in non-debug log messages
653759-1 4-Minor   Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update
720391-2 5-Cosmetic   BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
737550 2-Critical   State Mirroring between BIG-IP 13.0.x and 13.1.x systems may cause TMM core on standby system during upgrade
701538-2 2-Critical   SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured
720460-1 3-Major   Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly
694778-1 3-Major   Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size
686631-2 3-Major   Deselect a compression provider at the end of a job and reselect a provider for a new job
679494-1 3-Major   Change the default compression strategy to speed
495443-9 3-Major K16621 ECDH negotiation failures logged as critical errors.
679496-2 4-Minor   Add 'comp_req' to the output of 'tmctl compress'


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
717909 2-Critical   tmm can abort on sPVA flush if the HSB flush does not succeed
701637 2-Critical   Crash in bcm56xxd during TMM failover
644822 2-Critical K19245372 FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned
702738-1 3-Major K32181540 Tmm might crash activating new blob when changing firewall rules
698182 3-Major   Upgrading from 13.1.1 to newer release might cause config to not be copied over
697516 3-Major   Upgrading using a ucs or scf file does not autogenerate uuids when current config has the uuid-default-autogenerate flag enabled



Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
716992-2 CVE-2018-5539 K75432956 The ASM bd process may crash
710244-3 CVE-2018-5536 K27391542 Memory Leak of access policy execution objects
710140-1 CVE-2018-5527 K20134942 TMM may consume excessive resources when processing SSL Intercept traffic
709688-3 CVE-2017-3144
CVE-2018-5732
CVE-2018-5733
K08306700 dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
695072-2 CVE-2016-8399
CVE-2017-1000111
CVE-2017-1000112
CVE-2017-11176
CVE-2017-14106
CVE-2017-7184
CVE-2017-7541
CVE-2017-7542
CVE-2017-7558
K23030550 CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558
693744-4 CVE-2018-5531 K64721111 CVE-2018-5531: vCMP vulnerability
651741-2 CVE-2017-5970, K60104355 CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop
717900-2 CVE-2018-5528 K27044729 TMM crash while processing APM data
710827-2 CVE-2019-6598 K44603900 TMUI dashboard daemon stability issue
710148-2 CVE-2017-1000111
CVE-2017-1000112
K60250153 CVE-2017-1000111 & CVE-2017-1000112
709256-2 CVE-2017-9074
CVE-2017-7542
K61223103 CVE-2017-9074: Local Linux Kernel Vulnerability
705476-2 CVE-2018-15322 K28003839 Appliance Mode does not follow design best practices
698813-2 CVE-2018-5538 K45435121 When processing DNSX transfers ZoneRunner does not enforce best practices
688625-5 CVE-2017-11628 K75543432 PHP Vulnerability CVE-2017-11628
662850-6 CVE-2015-2716 K50459349 Expat XML library vulnerability CVE-2015-2716
714879-3 CVE-2018-15326 K34652116 APM CRLDP Auth passes all certs


Functional Change Fixes

ID Number Severity Solution Article(s) Description
685020-3 3-Major   Enhancement to SessionDB provides timeout


TMOS Fixes

ID Number Severity Solution Article(s) Description
708956-1 1-Blocking K51206433 During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
719597 2-Critical   HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0
715820-1 2-Critical   vCMP in HA configuration with VIPRION chassis might cause unstable data plane
712401-1 2-Critical   Enhanced administrator lock/unlock for Common Criteria compliance
676203-3 2-Critical   Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.
665362-2 2-Critical   MCPD might crash if the AOM restarts
581851-6 2-Critical K16234725 mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands
711249-1 3-Major   NAS-IP-Address added to RADIUS packet unexpectedly
710976-1 3-Major   Network Map might take a long time to load
708484-2 3-Major   Network Map might take a long time to load
707445-3 3-Major K47025244 Nitrox 3 compression hangs/unable to recover
705818-1 3-Major   GUI Network Map Policy with forward Rule to Pool, Pool does not show up
704804-1 3-Major   The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
704733-1 3-Major   NAS-IP-Address is sent with the bytes in reverse order
704247-2 3-Major   BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
701249-1 3-Major   RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
700895-1 3-Major K34944451 GUI Network Map objects in subfolders are not being shown
696260-1 3-Major K53103420 GUI Network Map as Start Screen presents database error
694696-5 3-Major   On multiblade Viprion, creating a new traffic-group causes the device to go Offline
694547-2 3-Major K74203532 TMSH save sys config creates unneeded generate_config processes.
689730-3 3-Major   Software installations from v13.1.0 might fail
687658 3-Major   Monitor operations in transaction will cause it to stay unchecked
686906-2 3-Major   Fragmented IPv6 packets not handled correctly on Virtual Edition
674455-5 3-Major   Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS
678254-1 4-Minor   Error logged when restarting Tomcat


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
721571-1 2-Critical   State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade
718071-1 2-Critical   HTTP2 with ASM policy not passing traffic
715747 2-Critical   TMM may restart when running traffic through custom SSLO deployments.
709828-2 2-Critical   fasthttp can crash with Large Receive Offload enabled
707244-3 2-Critical   iRule command clientside and serverside may crash tmm
707207-1 2-Critical   iRuleLx returning undefined value may cause TMM restart
700597-1 2-Critical   Local Traffic Policy on HTTP/2 virtual server no longer matches
700056-1 2-Critical   MCPD process may lock up and restart when applying Local Traffic Policy to virtual server
690756-1 2-Critical   APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated
571651-4 2-Critical   Reset Nitrox3 crypto accelerator queue if it becomes stuck.
713951-5 3-Major   tmm core files produced by nitrox_diag may be missing data
713934-2 3-Major   Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response
712819-2 3-Major   'HTTP::hsts preload' iRule command cannot be used
712475-3 3-Major K56479945 DNS zones without servers will prevent DNS Express reading zone data
712437-3 3-Major K20355559 Records containing hyphens (-) will prevent child zone from loading correctly
711281-5 3-Major   nitrox_diag may run out of space on /shared
710996-2 3-Major   VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP
709133-2 3-Major   When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur
709132-1 3-Major   When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur
707961-2 3-Major K50013510 Unable to add policy to virtual server; error = Failed to compile the combined policies
707109-1 3-Major   Memory leak when using C3D
704381-5 3-Major   SSL/TLS handshake failures and terminations are logged at too low a level
702151-1 3-Major   HTTP/2 can garble large headers
700889-3 3-Major K07330445 Software syncookies without TCP TS improperly include TCP options that are not encoded
700061-4 3-Major   Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file
699598-2 3-Major   HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR
696755 3-Major   HTTP/2 may truncate a response body when served from cache
693308-1 3-Major   SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain
689089-1 3-Major   VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
688744-1 3-Major K11793920 LTM Policy does not correctly handle multiple datagroups
686890-1 3-Major   X509_EXTENSION memory blocks leak when C3D forges the certificate.
682944-1 3-Major   key-id missing for installed netHSM key for standby BIG-IP system in high availability (HA) setup
682283-2 3-Major   Malformed HTTP/2 request with invalid Content-Length value is served against RFC
678872-3 3-Major   Inconsistent behavior for virtual-address and selfip on the same ip-address
673399-3 3-Major   HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.
653201-2 3-Major   Update the default CA certificate bundle file to the latest version and remove expiring certificates from it
713533-2 4-Minor   list self-ip with queries does not work
708249-2 4-Minor   nitrox_diag utility generates QKView files with 5 MB maximum file size limit
692095-1 4-Minor K65311501 bigd logs monitor status unknown for FQDN Node/Pool Member
678801-4 4-Minor   WS::enabled returned empty string
677958-4 4-Minor   WS::frame prepend and WS::frame append do not insert string in the right place.


Performance Fixes

ID Number Severity Solution Article(s) Description
698992-1 3-Major   Performance degraded


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
713066-1 2-Critical K10620131 Connection failure during DNS lookup to disabled nameserver can crash TMM
707310-2 2-Critical   DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)
721895 3-Major   Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)
715448-2 3-Major   Providing LB::status with a GTM Pool name in a variable caused validation issues
710032-1 3-Major   'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system.
706128-2 3-Major   DNSSEC Signed Zone Transfers Can Leak Memory
703545-1 3-Major   DNS::return iRule "loop" checking disabled


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
718152 2-Critical K14591455 ASM GUI request log does not load on cluster
716788-2 2-Critical   TMM may crash while response modifications are being performed within DoSL7 filter
713390-1 2-Critical   ASM Signature Update cannot be performed on hourly billing cloud instance
685230-3 2-Critical   memory leak on a specific server scenario
606983-2 2-Critical   ASM errors during policy import
719459-2 3-Major   Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled
719005-1 3-Major   Login request may arrive corrupted to the backend server after CAPTCHA or CSID mitigation
717756-2 3-Major   High CPU usage from asm_config_server
716940-2 3-Major   Traffic Learning screen graphs shows data for the last day only
715128-1 3-Major   Simple mode Signature edit does not escape semicolon
713282-1 3-Major   Remote logger violation_details field does not appear when virtual server has more than one remote logger
712362-3 3-Major   ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
711405-1 3-Major K14770331 ASM GUI Fails to Display Policy List After Upgrade
710327-1 3-Major   Remote logger message is truncated at NULL character.
707147-1 3-Major   High CPU consumed by asm_config_server_rpc_handler_async.pl
706845-2 3-Major   False positive illegal multipart violation
706665-2 3-Major   ASM policy is modified after pabnagd restart
704643-1 3-Major   Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule
702008-1 3-Major   ASM REST: Missing DB Cleanup for some tables
700143-2 3-Major   ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages
691897-3 3-Major   Names of the modified cookies do not appear in the event log
687759-1 3-Major   bd crash
686765-2 3-Major   Database cleaning failure may allow MySQL space to fill the disk entirely
674256-2 3-Major K60745057 False positive cookie hijacking violation
675232-6 4-Minor   Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
710315-1 2-Critical   AVR-profile might cause issues when loading a configuration or when using config sync
698226-1 2-Critical   Filters under Security :: Reports :: DoS :: URL Latencies work incorrectly
696642-1 2-Critical   monpd core is sometimes created when the system is under heavy load.
721474-1 3-Major   AVR does not send all SSLO statistics to offbox machine.
715110 3-Major   AVR should report 'resolutions' in module GtmWideip
712118 3-Major   AVR should report on all 'global tags' in external logs
706361 3-Major   IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0
696212-1 3-Major   monpd does not return data for multi-dimension query
648242-2 3-Major K73521040 Administrator users unable to access all partition via TMSH for AVR reports
649161-2 4-Minor K42340304 AVR caching mechanism not working properly


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
720214-1 2-Critical   NTLM Authentication might fail if Strict Update in iApp is modified
720189-1 2-Critical   VDI settings in APM Webtop have the incorrect URL for Citrix Receiver client download
719149-2 2-Critical   VDI plugin might hang while processing native RDP connections
716747-2 2-Critical   TMM my crash while processing APM or SWG traffic
715250-1 2-Critical   TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED
713156-1 2-Critical   AGC cannot do redeploy in Exchange and ADFS use cases
710116-1 2-Critical   VPN clients experience packet loss/disconnection
694078-1 2-Critical   In rare cases, TMM may crash with high APM traffic
720695-1 3-Major   Export then import of APM access Profile/Policy with advanced customization is failing
719192 3-Major   In VPE Agent VMware View Policy shows no properties
715207-3 3-Major   coapi errors while modifying per-request policy in VPE
714961-1 3-Major   antserver creates large temporary file in /tmp directory
714700-2 3-Major   SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy
713111-1 3-Major   When ASM and APM are configured on the same virtual server, ASM might report some errors in its logging.
710305-1 3-Major   When ASM and APM are configured on the same virtual server, ASM could throw some errors in its logging.
709274-1 3-Major   RADIUS Accounting requests egress on different Self IP addresses than they did pre-v13.1.0
699267-2 3-Major   LDAP Query may fail to resolve nested groups
658278-1 3-Major   Network Access configuration with Layered-VS does not work with Edge Client


Service Provider Fixes

ID Number Severity Solution Article(s) Description
703515-3 2-Critical K44933323 MRF SIP LB - Message corruption when using custom persistence key
692310-2 3-Major K69250459 ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
677473-3 2-Critical   MCPD core is generated on multiple add/remove of Mgmt-Rules


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
711570-3 3-Major   PEM iRule subscriber policy name query using subscriber ID, may not return applied policies
663874-2 3-Major K77173309 Off-box HSL logging does not work with PEM in SPAN mode.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
719186-2 3-Major   Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts
716318-2 3-Major   Engine/Signatures automatic update check may fail to find/download the latest update


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
714334-1 2-Critical   admd stops responding and generates a core while under stress.
718772-2 3-Major   The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists)
718685-1 3-Major   The measured number of pending requests is two times higher than actual one
701288-1 3-Major   Server health significantly increases during DoSL7 TPS prevention


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
693694-1 3-Major   tmsh::load within IApp template results in unpredicted behavior



Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
716392-1 1-Blocking   Support for 24 vCMP guests on a single 4450 blade
712429 1-Blocking   Serverside packets excluded from DoS stats
704552 3-Major   Support for ONAP site licensing


TMOS Fixes

ID Number Severity Solution Article(s) Description
707100 2-Critical   Potentially fail to create user in AzureStack
706688 2-Critical   Automatically add additional certificates to BIG-IP system in C2S and IC environments
709936 3-Major   Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
707585-1 3-Major   Use native driver for 82599 NICs instead of UNIC
703869 3-Major   Waagent updated to 2.2.21


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
713273 2-Critical   BIG-IP sys db variable avr.stats.internal.maxentitiespertable resets back to default value on services restart
715153-1 3-Major   AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
716746 3-Major   Possible tmm restart when disabling single endpoint vector while attack is ongoing
712710 3-Major   TMM may halt and restart when threshold mode is set to stress-based mitigation


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
699103-1 3-Major   tmm continuously restarts after provisioning AFM



Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
709972-6 CVE-2017-12613 K52319810 CVE-2017-12613: APR Vulnerability
707186-1 CVE-2018-5514 K45320419 TMM may crash while processing HTTP/2 traffic
702232-1 CVE-2018-5517 K25573437 TMM may crash while processing FastL4 TCP traffic
693312-1 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
688516-1 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
686305-1 CVE-2018-5534 K64552448 TMM may crash while processing SSL forward proxy traffic
589233-2 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
714369 CVE-2018-5526 K62201098 ADM may fail when processing HTTP traffic
714350 CVE-2018-5526 K62201098 BADOS mitigation may fail
710314-1 CVE-2018-5537 K94105051 TMM may crash while processing HTML traffic
706176-1 CVE-2018-5512 K51754851 TMM crash can occur when using LRO
706086-3 CVE-2018-5515 K62750376 PAM RADIUS authentication subsystem hardening
703940-2 CVE-2018-5530 K45611803 Malformed HTTP/2 frame consumes excessive system resources
699346-3 CVE-2018-5524 K53931245 NetHSM capacity reduces when handling errors
688011-7 CVE-2018-5520 K02043709 Dig utility does not apply best practices
688009-7 CVE-2018-5519 K46121888 Appliance Mode TMSH hardening
677088-2 CVE-2018-15321 K01067037 BIG-IP tmsh vulnerability CVE-2018-15321
708653-1 CVE-2018-15311 K07550539 TMM may crash while processing TCP traffic
632875-5 CVE-2018-5516 K37442533 Non-Administrator TMSH users no longer allowed to run dig


Functional Change Fixes

ID Number Severity Solution Article(s) Description
708389 3-Major   BADOS monitoring with Grafana requires admin privilege
680850-2 3-Major K48342409 Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.


TMOS Fixes

ID Number Severity Solution Article(s) Description
694897-2 1-Blocking   Unsupported Copper SFP can trigger a crash on i4x00 platforms.
708054-1 2-Critical   Web Acceleration: TMM may crash on very large HTML files with conditional comments
706305-1 2-Critical   bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled
706087 2-Critical   Entry for SSL key replaced by config-sync causes tmsh load config to fail
703761-2 2-Critical   Disable DSA keys for public-key and host-based authentication in Common Criteria mode
696113-3 2-Critical   Extra IPsec reference added per crypto operation overflows connflow refcount
692683-1 2-Critical   Core with /usr/bin/tmm.debug at qa_device_mgr_uninit
690793-1 2-Critical K25263287 TMM may crash and dump core due to improper connflow tracking
689577-3 2-Critical K45800333 ospf6d may crash when processing specific LSAs
688911-1 2-Critical K94296004 LTM Policy GUI incorrectly shows conditions with datagroups
563661-1 2-Critical   Datastor may crash
704282-2 3-Major   TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy
703298-2 3-Major   Licensing and phonehome_upload are not using the sync'd key/certificate
701626-2 3-Major K16465222 GUI resets custom Certificate Key Chain in child client SSL profile
698429-1 3-Major   Misleading log error message: Store Read invalid store addr 0x3800, len 10
693964-1 3-Major   Qkview utility may generate invalid XML in files contained in Qkview
691497-2 3-Major   tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions
691210-1 3-Major   Traffic stops on tmm restart when guest VLAN tagging is used for BIG-IP VE.
687353-1 3-Major K35595105 Qkview truncates tmstat snapshot files
631316-2 3-Major K62532020 Unable to load config with client-SSL profile error
514703-3 4-Minor   gtm listener cannot be listed across partitions


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
709334-1 2-Critical   Memory leak when SSL Forward proxy is used and ssl re-negotiates
708114-1 2-Critical K33319853 TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
707447-1 2-Critical   Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.
707246-1 2-Critical   TMM would crash if SSL Client profile could not load cert-key-chain successfully
706631-2 2-Critical   A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
705611-2 2-Critical   The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used
704666-1 2-Critical   memory corruption can occur when using certain certificates
704435-1 2-Critical   Client connection may hang when NTLM and OneConnect profiles used together
703914-2 2-Critical   TMM SIGSEGV crash in poolmbr_conn_dec.
703191-2 2-Critical   HTTP2 requests may contain invalid headers when sent to servers
701244-1 2-Critical K81742541 An incorrect data manipulation in cipher encrypt and decrypt could cause TMM crash with SIGABRT
701202-3 2-Critical K35023432 SSL memory corruption
700393-3 2-Critical K53464344 Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash
697259-2 2-Critical K14023450 Different versioned vCMP guests on the same chassis may crash.
694656-1 2-Critical K05186205 Routing changes may cause TMM to restart
686228-1 2-Critical K23243525 TMM may crash in some circumstances with VLAN failsafe
680074-2 2-Critical   TMM crashes when serverssl cannot provide certificate to backend server.
667770-1 2-Critical K12472293 SIGSEGV to tmm when performing multiple, repeated SSL profile updates, or during UCS restore
648320-5 2-Critical K38159538 Downloading via APM tunnels could experience performance downgrade.
705794-2 3-Major   Under certain circumstances a stale HTTP/2 stream might cause a tmm crash
701147-2 3-Major K36563645 ProxySSL does not work properly with Extended Master Secret and OCSP
700057-4 3-Major   LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved
693910-4 3-Major   Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
693244-2 3-Major   BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned
690042-1 3-Major K43412307 Potential Tcl leak during iRule suspend operation
689561-1 3-Major   HTTPS request hangs when multiple virtual https servers shares the same ip address
686972-4 3-Major   The change of APM log settings will reset the SSL session cache.
685615-4 3-Major K24447043 Incorrect source mac for TCP Reset with vlangroup for host traffic
677525-2 3-Major   Translucent VLAN group may use unexpected source MAC address
663821-1 3-Major K41344010 SNAT Stats may not include port FTP traffic
653976-4 3-Major K00610259 SSL handshake fails if server certificate contains multiple CommonNames
594751-1 3-Major K90535529 LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
710424-2 2-Critical   Possible SIGSEGV in GTMD when GTM persistence is enabled.
678861-1 2-Critical   DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
710870 2-Critical   Temporary browser challenge failure after installing older ASU
711011-2 3-Major   'API Security' security policy template changes
683241-1 3-Major K70517410 Improve CSRF token handling


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
710947-1 2-Critical   AVR does not send errdef for entity DosIpLogReporting.
710110-1 2-Critical   AVR does not publish DNS statistics to external log when usr-offbox is enabled.
711929-1 3-Major   AVR should not send statistic on hidden rows for module InterfaceTraffic and module InterfaceHealth


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
679221-2 1-Blocking   APMD may generate core file or appears locked up after APM configuration changed
708005-1 2-Critical K12423316 Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources
703208-1 2-Critical   PingAccessAgent causes TMM core
702278-2 2-Critical   Potential XSS security exposure on APM logon page.
700522-1 2-Critical   APMD may unexpectedly restart when worker threads are stuck
700090-2 2-Critical   tmm crash during execution of a per-request policy when modified during execution.
699686-1 2-Critical   localdbmgr can occasionally crash during shutdown
697452-1 2-Critical   Websso crashes because of bad argument in logging
712924-1 3-Major   In VPE SecurID servers list are not being displayed in SecurID authentication dialogue
703793-3 3-Major   tmm restarts when using ACCESS::perflow get' in certain events
703171-1 3-Major   High CPU usage for apmd, localdbmgr and oauth processes
702487-3 3-Major   AD/LDAP admins with spaces in names are not supported
684937-3 3-Major K26451305 [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
683113-3 3-Major K22904904 [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
681415-3 3-Major   Copying of profile with advanced customization or images might fail
678427-1 3-Major K03138339 Safari 11 displays F5 EPI and F5 VPN launch confirmation dialogs twice
675775-4 3-Major   TMM crashes inside dynamic ACL building session db callback
671597-3 3-Major   Import, export, copy and delete is taking too long on 1000 entries policy
673717-3 4-Minor   VPE loading times can be very long


Service Provider Fixes

ID Number Severity Solution Article(s) Description
701889-1 2-Critical   Setting log.ivs.level or log-config filter level to informational causes crash
679114-4 3-Major   Persistence record expires early if an error is returned for a BYE command


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
708888-1 2-Critical K79814103 Some DNS truncated responses may not be processed by BIG-IP
667353 2-Critical   Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
702705-2 2-Critical   Core observed during lease query testing when RADIUS Authentication is configured in DHCP profile
699531-1 2-Critical   Potential TMM crash due to incorrect number of attributes in a PEM iRule command
696294-1 2-Critical   TMM core may be seen when using Application reporting with flow filter in PEM
711093-1 3-Major   PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
709610-3 3-Major   Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
697718-1 3-Major   Increase PEM HSL reporting buffer size to 4K.
677494-1 3-Major   Flow filter with Periodic content insertion action could leak insert content record
677148-1 3-Major   Periodic content insertion creates duplicate records if same policy is added to Global high and subscriber specific
676346-2 3-Major   PEM displays incorrect policy action counters when the gate status is disabled.
648802-1 3-Major   Required custom AVPs are not included in an RAA when reporting an error.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
710701-1 3-Major   "Application Layer Encryption" option is not saved in DataSafe GUI
709319-2 3-Major   Post-login client-side alerts are missing username in bigIQ
706835 3-Major   When cloning a profile, URL parameters are not shown
706771-1 3-Major   FPS ajax-mapping property may be set even when it should be blocked
706651-1 3-Major   Cloning URL does not clone "Description" field
706276-1 4-Minor   Unnecessary pop-up appears


Device Management Fixes

ID Number Severity Solution Article(s) Description
708305-2 3-Major   Discover task may get stuck in CHECK_IS_ACTIVE step
705593-5 4-Minor   CVE-2015-7940: Bouncy Castle Java Vulnerability



Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
633441-1 3-Major   Datasync Background Tasks running even without features requiring it


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
708189 4-Minor   OAuth Discovery Auto Pilot is implemented


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
708840 3-Major   13.0.0-to-13.1.0 upgrade operation on VIPRION 2250 blades might fail if global whitelist is configured



Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
705161-1 CVE-2018-5505 K23520761 BIG-IP ASM and BIG-IP AFM/BIG-IP Analytics vulnerability CVE-2018-5505
703517 CVE-2018-5505 K23520761 BIG-IP ASM and BIG-IP AFM/BIG-IP Analytics vulnerability CVE-2018-5505
700556-1 CVE-2018-5504 K11718033 TMM may crash when processing WebSockets data
699012-1 CVE-2018-5502 K43121447 TMM may crash when processing SSL/TLS data
698080-3 CVE-2018-5503 K54562183 TMM may consume excessive resources when processing with PEM
695901-1 CVE-2018-5513 K46940010 TMM may crash when processing ProxySSL data
691504-1 CVE-2018-5503 K54562183 PEM content insertion in a compressed response may cause a crash.
704580-1 CVE-2018-5549 K05018525 apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
701447-1 CVE-2017-5754 K91229003 CVE-2017-5754 (Meltdown)
701445-1 CVE-2017-5753
CVE-2017-9074
CVE-2017-7542
CVE-2017-11176
K91229003 CVE-2017-5753 (Spectre Variant 1)
701359-4 CVE-2017-3145 K08613310 BIND vulnerability CVE-2017-3145
699455-4 CVE-2018-5523 K50254952 SAML export does not follow best practices
699451-3 CVE-2018-5511 K30500703 OAuth reports do not follow best practices
676457-5 CVE-2017-6153 K52167636 TMM may consume excessive resource when processing compressed data
640766-2 CVE-2016-10088
CVE-2016-9576
K05513373 Linux kernel vulnerability: CVE-2016-10088 CVE-2016-9576
636986-1 CVE-2021-22982 K72708443 big3d agent vulnerability CVE-2021-22982


Functional Change Fixes

ID Number Severity Solution Article(s) Description
686389-1 3-Major   APM does not honor per-farm HTML5 client disabling at the View Connection Server
678524-1 3-Major   Join FF02::2 multicast group when router-advertisement is configured
693007-1 4-Minor   Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC


TMOS Fixes

ID Number Severity Solution Article(s) Description
707226 1-Blocking   DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
700315-2 1-Blocking K26130444 Ctrl+C does not terminate TShark
667148-3 1-Blocking K02500042 Config load or upgrade can fail when loading GTM objects from a non-/Common partition
706998-3 2-Critical   Memory leak when OCSP is configured in clientSSL profile for C3D, or in serverSSL profile for server authentication
692890-3 2-Critical   Adding support for BIG-IP 800 in 13.1.x
685458-7 2-Critical K44738140 merged fails merging a table when a table row has incomplete keys defined.
665354-1 2-Critical K31190471 Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
703848-1 3-Major   Possible memory leak when reusing statistics rows in tables
702520-2 3-Major K53330514 Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address.
694740-3 3-Major   BIG-IP reboot during a TMM core results in an incomplete core dump
692753-1 3-Major   shutting down trap not sent when shutdown -r or shutdown -h issued from shell
689691-2 3-Major   iStats line length greater than 4032 bytes results in corrupted statistics or merge errors
686029-2 3-Major   A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
669462-2 3-Major   Error adding /Common/WideIPs as members to GTM Pool in non-Common partition
589083-6 3-Major   TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
699281-1 4-Minor   Version format of hypervisor bundle matches Version format of ISO
685475-1 4-Minor K93145012 Unexpected error when applying hotfix


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
706534-1 1-Blocking   L7 connection mirroring may not be fully mirrored on standby BigIP
698424-1 1-Blocking K11906514 Traffic over a QinQ VLAN (double tagged) will not pass
700862-1 2-Critical K15130240 tmm SIGFPE 'valid node'
699298-2 2-Critical   13.0.0 Hotfix HF3 3.0.1679 TMM CORED due to SIGSEGV.
698461-1 2-Critical   Tmm may crash in fastl4 TCP
692970-2 2-Critical   Using UDP port 67 for purposes other than DHCP might cause TMM to crash
691095-1 2-Critical   CA bundle manager loses certificates in the CA bundle if the serial number is longer than 4 bytes
687635-1 2-Critical K58002142 Tmm becomes unresponsive and might restart
687205-2 2-Critical   Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
681175-3 2-Critical K32153360 TMM may crash during routing updates
674576-3 2-Critical   Outage may occur with VIP-VIP configurations
452283-5 2-Critical   An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
440620-1 2-Critical   New connections may be reset when a client reuses the same port as it used for a recently closed connection
704073-1 3-Major K24233427 Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm
702439 3-Major K04964898 Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
698916-1 3-Major   TMM crash with HTTP/2 under specific condition
698379-2 3-Major K61238215 HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(
698000-3 3-Major K04473510 Connections may stop passing traffic after a route update
695707-5 3-Major   BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection
691806-1 3-Major K61815412 RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
689449-1 3-Major   Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
688571-2 3-Major K40332712 Untrusted cert might be accepted by the server-ssl even though when 'untrusted-cert-response-control drop' is configured in the server-ssl profile.
688570-5 3-Major   BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes
686307-3 3-Major K10665315 Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
686065-2 3-Major   RESOLV::lookup iRule command can trigger crash with slow resolver
682104-3 3-Major   HTTP PSM leaks memory when looking up evasion descriptions
680264-2 3-Major   HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags
677666-2 3-Major   /var/tmstat/blades/scripts segment grows in size.
664528-2 3-Major K53282793 SSL record can be larger than maximum fragment size (16384 bytes)
251162-1 3-Major K11564 The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name
685467-1 4-Minor K12933087 Certain header manipulations in HTTP profile may result in losing connection.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
699135-1 2-Critical   tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip
692941-1 2-Critical   GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
691287-1 2-Critical   tmm crashes on iRule with GTM pool command
682335-1 2-Critical   TMM can establish multiple connections to the same gtmd
580537-3 2-Critical   The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
562921-5 2-Critical   Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
705503-3 3-Major   Context leaked from iRule DNS lookup
703702 3-Major   Fixed iControl REST not listing GTM Listeners
700527-3 3-Major   cmp-hash change can cause repeated iRule DNS-lookup hang
699339-3 3-Major K24634702 Geolocation upgrade files fail to replicate to secondary blades
696808-1 3-Major   Disabling a single pool member removes all GTM persistence records
691498-3 3-Major   Connection failure during iRule DNS lookup can crash TMM
690166-1 3-Major   ZoneRunner create new stub zone when creating a SRV WIP with more subdomains
687128-1 3-Major   gtm::host iRule validation for ipv4 and ipv6 addresses
680069-1 3-Major K81834254 zxfrd core during transfer while network failure and DNS server removed from DNS zone config
679149-1 3-Major   TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
667469-3 3-Major K35324588 Higher than expected CPU usage when using DNS Cache
636997-1 4-Minor   big3d may crash
636994-1 4-Minor   big3d may crash
636992-1 4-Minor   big3d may crash
636982-1 4-Minor   big3d may crash


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
705774-1 3-Major   Add a set of disallowed file types to RDP template
703833-1 3-Major   Some bot detected features might not work as expected on Single Page Applications
702946-3 3-Major   Added option to reset staging period for signatures
701841-2 3-Major   Unnecessary file recovery_db/conf.tar.gz consumes /var disk space
701327-2 3-Major   failed configuration deletion may cause unwanted bd exit
700812-1 3-Major   asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview
700726-2 3-Major   Search engine list was updated, and fixing case of multiple entries
698919-3 3-Major   Anti virus false positive detection on long XML uploads
697756-1 3-Major   Policy with CSRF URL parameter cannot be imported as binary policy file
697303-1 3-Major   BD crash
696265-5 3-Major K60985582 BD crash
696073-2 3-Major   BD core on a specific scenario
695563-1 3-Major   Improve speed of ASM initialization on first startup
694922-5 3-Major   ASM Auto-Sync Device Group Does Not Sync
693780-1 3-Major   Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices
693663-1 3-Major   Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode
691477-2 3-Major   ASM standby unit showing future date and high version count for ASM Device Group
679384-3 3-Major K85153939 The policy builder is not getting updates about the newly added signatures.
678293-2 3-Major K25066531 Uncleaned policy history files cause /var disk exhaustion
665992-2 3-Major K40510140 Live Update via Proxy No Longer Works
608988-1 3-Major   Error when deleting multiple ASM Policies


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
703233 3-Major   Some filters don't work in Security->Reporting->URL Latencies page


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
707676-1 2-Critical   Memory leak in Machine Certificate Check agent of the apmd process
700724-2 2-Critical   Client connection with large number of HTTP requests may cause tmm to restart
692557-1 2-Critical   When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted.
690116-1 2-Critical   websso daemon might crash when logging set to debug
689591-2 2-Critical   When pingaccess SDK processes certain POST requests from the client, the TMM may restart
677368-2 2-Critical   Websso crash due to uninitialized member in websso context object while processing a log message
631286-3 2-Critical   TMM Memory leak caused by APM URI cache entries
703429-2 3-Major   Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services
702263-1 3-Major   An access profile with large number of SAML Resources (greater than 200) causes APM error ERR_TOOBIG while loading.
702222-1 3-Major   RADIUS and SecurID Auth fails with empty password
701740-1 3-Major   apmd leaks memory when updating Access V2 policy
701737-1 3-Major   apmd may leak memory on destroying Kerberos cache
701736-1 3-Major   Memory leak in Machine Certificate Check agent of the apmd process
701639-1 3-Major   Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by BIG-IP as SP.
697636-3 3-Major   ACCESS is not replacing headers while replacing POST body
695953-1 3-Major   Custom URL Filter object is missing after load sys config TMSH command
694624-1 3-Major   SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor
693844-1 3-Major K58335157 APMD may restart continuously and cannot come up
692307-3 3-Major   User with 'operator' role may not be able to view some session variables
687937-1 3-Major   RDP URIs generated by APM Webtop are not properly encoded
685862-1 3-Major   BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message
684583-1 3-Major   Buitin Okta Scopes Request object uses client -id and client-secret
684325-1 3-Major   APMD Memory leak when applying a specific access profile
683389-3 3-Major   Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
683297-2 3-Major   Portal Access may use incorrect back-end for resources referenced by CSS
682500-2 3-Major   VDI Profile and Storefront Portal Access resource do not work together
678851-3 3-Major   Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()
675866-4 3-Major   WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
671627-3 3-Major K06424790 HTTP responces without body may contain chunked body with empty payload being processed by Portal Access.
632646-1 3-Major   APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.
629334-1 3-Major   Portal Access: JavaScript expressions in parentheses may be rewritten incorrectly
612792-1 3-Major   Support RDP redirection for connections launched from APM Webtop on iOS
612118-2 3-Major   Nexthop explicit proxy is not used for the very first connection to communicate with the backend.
536831-1 3-Major   APM PAM module does not handle local-only users list correctly


Service Provider Fixes

ID Number Severity Solution Article(s) Description
698338-1 2-Critical   Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
689343-2 2-Critical   Diameter persistence entries with bi-directional flag created with 10 sec timeout
685708-4 2-Critical   Routing via iRule to a host without providing a transport from a transport-config created connection cores
700571-4 3-Major   SIP MR profile, setting incorrect branch param for CANCEL to INVITE
696049-1 3-Major   High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
674747-4 3-Major K30837366 sipdb cannot delete custom bidirectional persistence entries.
656901-3 3-Major   MRF add 'existing_connection_only' and 'outgoing_connection_instance_seed' two iRule commands


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
704207-1 2-Critical   DNS query name is not showing up in DNS AVR reporting
692328-1 2-Critical   Tmm core due to incorrect memory allocation
703959 3-Major   Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI
631418-1 3-Major   Packets dropped by HW grey list may not be counted toward AVR.


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
696383-1 2-Critical   PEM Diameter incomplete flow crashes when sweeped
694717-1 2-Critical   Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
616008-1 2-Critical K23164003 TMM core may be seen when using an HSL format script for HSL reporting in PEM
696789-1 3-Major   PEM Diameter incomplete flow crashes when TCL resumed
695968-1 3-Major   Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.
694319-1 3-Major   CCA without a request type AVP cannot be tracked in PEM.
694318-1 3-Major   PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.
684333-1 3-Major   PEM session created by Gx may get deleted across HA multiple switchover with CLI command
678820-1 3-Major   Potential memory leak if PEM Diameter sessions are not created successfully.
642068-4 3-Major   PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
624231-4 3-Major   No flow control when using content-insertion with compression
680729-1 4-Minor K64307999 DHCP Trace log incorrectly marked as an Error log.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
697363-1 2-Critical   FPS should forward all XFF header values
705559-1 3-Major   FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request
662311-1 3-Major   CS alerts should contain actual client IP address in XFF header


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
671716-1 3-Major   UCS version check was too strict for IPS hitless upgrade



Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
702419 3-Major   Protocol Inspection needs add-on license to work


TMOS Fixes

ID Number Severity Solution Article(s) Description
660239-6 4-Minor   When accessing the dashboard, invalid HTTP headers may be present


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
677919-4 3-Major   Enhanced Data Manipulation AJAX Support



Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
681955-1 CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 K23565223 Apache CVE-2017-9788
673595-9 CVE-2017-3167 CVE-2017-3169 K34125394 Apache CVE-2017-3167
694274-1 CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 K23565223 [RHSA-2017:3195-01] Important: httpd security update - EL6.7
672124-6 CVE-2018-5541 K12403422 Excessive resource usage when BD is processing requests
679861 CVE-2019-6655 K31152411 Weak Access Restrictions on the AVR Reporting Interface
673607-9 CVE-2017-3169 K83043359 Apache CVE-2017-3169
672667-6 CVE-2017-7679 K75429050 CVE-2017-7679: Apache vulnerability
641101-7 CVE-2016-8743 K00373024 httpd security and bug fix update CVE-2016-8743
684033-3 CVE-2017-9798 K70084351 CVE-2017-9798 : Apache Vulnerability (OptionsBleed)
661939-2 CVE-2017-2647 K32115847 Linux kernel vulnerability CVE-2017-2647


Functional Change Fixes

ID Number Severity Solution Article(s) Description
685056 3-Major   VE OVAs is not the supported platform to run VMware guest OS customization
670103-1 3-Major   No way to query logins to BIG-IP in TMUI
681385-2 4-Minor   Forward proxy forged cert lifespan can be configured from days into hours.


TMOS Fixes

ID Number Severity Solution Article(s) Description
700247 2-Critical K60053504 APM Client Software may be missing after doing fresh install of BIG-IP VE
693979 3-Major   Autoscale is not functional because of the change in file permission of the /shared/vadc/aws/iid-document document
683131-1 3-Major   Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present
682213-1 3-Major K31623549 TLS v1.2 support in IP reputation daemon
669585-1 3-Major   The tmsh sys log filter is unable to display information in uncompressed log files.
668826-1 3-Major   File named /root/.ssh/bigip.a.k.bak is present but should not be
668276-1 3-Major   BIG-IP does not display failed login attempts since last login in GUI
668273-1 3-Major K12541531 Logout button not available in Configuration Utility when using Client Cert LDAP
471237-4 3-Major K12155235 BIG-IP VE instances do not work with an encrypted disk in AWS.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
699624-1 2-Critical   Config with custom 'SIP' or 'Firepass' monitor fails to load after upgrade
463097-5 3-Major   Clock advanced messages with large amount of data maintained in DNS Express zones


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
672504-2 2-Critical K52325625 Deleting zones from large databases can take excessive amounts of time.
667542-6 2-Critical   DNS Express does not correctly process multi-message DNS IXFR updates.
645615-6 2-Critical K70543226 zxfrd may fail and restart after multiple failovers between blades in a chassis.
655233-2 3-Major K93338593 DNS Express using wrong TTL for SOA RRSIG record in NoData response
648766-2 3-Major K57853542 DNS Express responses missing SOA record in NoData responses if CNAMEs present
646615-2 4-Minor   Improved default storage size for DNS Express database


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
699720-1 2-Critical   ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
691670-5 2-Critical   Rare BD crash in a specific scenario
686108-1 2-Critical   User gets blocking page instead of captcha during brute force attack
684312-1 2-Critical K54140729 During Apply Policy action, bd agent crashes, causing the machine to go Offline
698940-1 3-Major   Add new security policy template for API driven systems - "API Security"
690883-1 3-Major   BIG-IQ: Changing learning mode for elements does not always take effect
686517-2 3-Major   Changes to a parent policy that has no active children are not synced to the secondary chassis slots.
686470-1 3-Major   Enable AJAX Response Page or Single Page Application support causes the part of the web page failed to load.
686452-1 3-Major   File Content Detection Formats are not exported in Policy XML
685964-1 3-Major   cs_qualified_urls bigdb does not cause configured URLs to be qualified.
685771-1 3-Major   Policies cannot be created with SAP, OWA, or SharePoint templates
685207-1 3-Major   DoS client side challenge does not encode the Referer header.
685164-1 3-Major K34646484 In partitions with default route domain != 0 request log is not showing requests
683508-1 3-Major K00152663 WebSockets: umu memory leak of binary frames when remote logger is configured
680353-1 3-Major   Brute force sourced based mitigation is not working as expected
674494-4 3-Major K77993010 BD memory leak on specific configuration and specific traffic
668184-2 3-Major   Huge values are shown in the AVR statistics for ASM violations
694073-3 4-Minor   All signature update details are shown in 'View update history from previous BIG-IP versions' popup
685193-1 4-Minor   If Inheritance is None in the Parent Policy and there are at least 1 child policy, the number of Comments shown in Inheritance Settings is equal to number of child policies


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
697421 3-Major   Monpd core when trying to restart
688813-2 3-Major K23345645 Some ASM tables can massively grow in size.
686510-1 3-Major   If tmm was restarted during an attack, the attack might appear ongoing in GUI
683474 3-Major   The case-sensitive problem during comparison of 2 Virtual Servers
679088-1 3-Major   Avr reporting and analytics does not display statistics of many source regions


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
684852-1 2-Critical   Obfuscator not producing deterministic output
692123 3-Major   GET parameter is grayed out if MobileSafe is not licensed


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
700320 2-Critical   tmm core under stress when BADOS configured and attack signatures enabled
691462-1 3-Major   Bad actors detection might not work when signature mitigation blocks bad traffic
687987 3-Major   Presentation of signatures in human-readable format
687986 3-Major   High CPU consumption during signature generation, not limited number of signatures per virtual server
687984 3-Major   Attacks with randomization of HTTP headers parameters generates too many signatures


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
698396-1 2-Critical   Config load failed after upgrade from 12.1.2 to 13.x or 14.x



Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
686190-1 2-Critical   LRO performance impact with BWC and FastL4 virtual server
667173-1 2-Critical   13.1.0 cannot join a device group with 13.1.0.1
683114-2 3-Major   Need support for 4th element version in Update Check


Performance Fixes

ID Number Severity Solution Article(s) Description
685628-1 1-Blocking   Performance regression on B4450 blade
673832-1 1-Blocking   Performance impact for certain platforms after upgrading to 13.1.0.
696525-1 2-Critical   B2250 blades experience degraded performance.

 

Cumulative fix details for BIG-IP v13.1.4.1 that are included in this release

996381-5 : ASM attack signature may not match as expected

Component: Application Security Manager

Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.

Conditions:
- Attack signature 200000128 enabled.

Impact:
Processed traffic may not match all expected attack signatures

Workaround:
N/A

Fix:
Attack signature 200000128 now matches as expected.


995629-1 : Loading UCS files may hang if ASM is provisioned

Component: TMOS

Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.

Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.

Impact:
UCS load might fail.

Workaround:
If you encounter this, run 'load sys config default' and de-provision ASM. The UCS file should then load successfully.


994801-5 : SCP file transfer hardening

Component: TMOS

Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.

Conditions:
Administrative user with SCP access.

Impact:
users with with SCP access but without shell access can run arbitrary commands

Workaround:
None

Fix:
The SCP file transfer system now follows current best practices.


990333-3 : APM may return unexpected content when processing HTTP requests

Component: Access Policy Manager

Symptoms:
APM may return unexpected content when processing HTTP requests

Conditions:
APM profile should be configured for virtual

Impact:
Unexpected content returned to clients

Workaround:
when CLIENT_ACCEPTED {
  ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {

   if {[HTTP::uri] starts_with "/public/images/customization/" && ([HTTP::path] contains ".." || [HTTP::path] contains "%2") } {
     set removeDots [string map [list ".." "" ".%2e" "" ".%2E" "" "%2e." "" "%2E." "" "%2e%2e" "" "%2E%2e" "" "%2e%2E" "" ] [HTTP::uri]]
     HTTP::redirect http://[HTTP::host]$removeDots
# log local0. "Redirect to [HTTP::host]$removeDots"
  }
}

Fix:
APM now processes HTTP requests as expected


989009-5 : BD daemon may crash while processing WebSocket traffic

Component: Application Security Manager

Symptoms:
Under certain conditions, the BD daemon may crash while processing WebSocket traffic.

Conditions:
- ASM enabled
- WebSocket profile enabled

Impact:
BD daemon crash leading to a failover event

Workaround:
N/A

Fix:
The BD daemon now processes WebSocket traffic as expected.


981385-5 : AVRD does not send HTTP events to BIG-IQ DCD

Component: Application Visibility and Reporting

Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).

Conditions:
This happens under normal operation.

Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.

Workaround:
None.


981169-4 : F5 TMUI XSS vulnerability CVE-2021-22994

Solution Article: K66851119


980809-4 : ASM REST Signature Rule Keywords Tool Hardening

Component: Application Security Manager

Symptoms:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.

Conditions:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.

Impact:
The ASM REST Signature Rule Keywords Tool does not follow current best practices.

Workaround:
N/A.

Fix:
The ASM REST Signature Rule Keywords Tool now follows current best practices.


980125-5 : BD Daemon may crash while processing WebSocket traffic

Component: Application Security Manager

Symptoms:
Under certain conditions, the WAF daemon may crash while processing WebSocket traffic.

Conditions:
- ASM enabled
- WebSocket profile enabled

Impact:
WAF crash resulting in a failover event.

Workaround:
N/A

Fix:
WAF now processes WebSocket traffic as expected.


976925-4 : BIG-IP APM VPN vulnerability CVE-2021-23002

Solution Article: K71891773


976501-4 : Failed to establish VPN connection

Component: Access Policy Manager

Symptoms:
VPN client exits with message "Failed to establish VPN connection"

Conditions:
-- Connect to Network Access using web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop
-- Internet Explorer browser

Impact:
Client will be unable to launch the VPN tunnel from the browser.

Workaround:
Clear cache in the browser and retry.
Disable caching in the browser.


975233-4 : Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992

Solution Article: K52510511


973333-2 : TMM buffer-overflow vulnerability CVE-2021-22991

Solution Article: K56715231


973261-5 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d does not try to open TCP connections if a HTTPS monitor contains a cert/key.
/var/log/gtm shows:

err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.

Conditions:
GTM HTTPS monitor with non-default cert/key.

Impact:
Unable to use HTTPs monitor.


968733-4 : CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service

Solution Article: K42202505


968421-5 : ASM attack signature doesn't matched

Component: Application Security Manager

Symptoms:
A specific attack signature doesn't match as expected.

Conditions:
Undisclosed conditions.

Impact:
Attack signature does not match as expected, request is not logged.

Workaround:
N/A

Fix:
Attack signature now matches as expected.


968349-4 : TMM crashes with unspecified message

Component: Service Provider

Symptoms:
TMM crashes with unspecified message

Conditions:
Requires specific iRule for gtp processing.

Impact:
TMM crashes with core and restarts. Traffic disrupted while TMM restarts.

Workaround:
None.

Fix:
TMM handles unspecified message properly.


967905-1 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash

Component: TMOS

Symptoms:
Tmm crashes.

Conditions:
-- static bwc
-- virtual to virtual chain

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the static bwc on a virtual chain.

Fix:
Fixed a tmm crash.


967745-4 : Last resort pool error for the modify command for Wide IP

Component: TMOS

Symptoms:
System reports error for the modify command for Wide IP.

01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.

Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.

Impact:
The object is not modified, and the system reports an error.

Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.

Append the command with last-resort-pool a <pool_name>, for example:

modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test

Fix:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.


965485-1 : CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL

Solution Article: K41523201


962433-2 : HTTP::retry for a HEAD request fails to create new connection

Component: Local Traffic Manager

Symptoms:
In case of a HEAD request, BIG-IP fails to set up a new connection to the server with the HTTP::retry iRule.

Conditions:
1.) Basic HTTP profile is configured on BIG-IP
2.) BIG-IP sends the HEAD request to the server and gets error response
3.) iRule with HTTP::retry is configured
4.) The system is using the default (non-debug) TMM version

Impact:
BIG-IP might send the retry HEAD request after the connection is closed, more specifically after the server has sent a FIN, the retry is leaked on the network.


962341-3 : BD crash while processing JSON content

Component: Application Security Manager

Symptoms:
Under certain conditions, BD may crash while processing JSON content

Conditions:
- ASM enabled
- JSON content profile enabled

Impact:
Traffic disrupted while BD restarts.

Workaround:
N/A


962177-4 : Results of POLICY::names and POLICY::rules commands may be incorrect

Component: Local Traffic Manager

Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules returns incorrect results.

Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.

Impact:
Traffic processing may not provide expected results.

Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over a same connection.


960749-4 : TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes, dumps a core file, and restarts.

Conditions:
-- The configuration includes one or more 'DNS Cache' or 'Network DNS Resolver' objects.

-- The DNS Cache or Network DNS Resolver objects receive traffic.

Impact:
Traffic disrupted while tmm restarts. A redundant unit will fail over.

Fix:
TMM no longer crashes when 'DNS Cache' or 'Network DNS Resolver' objects handle traffic.


960437-4 : The BIG-IP system may initially fail to resolve some DNS queries

Component: Global Traffic Manager (DNS)

Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.

Subsequent queries for the same domain name, however, work as expected.

Only some domain names are affected.

Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.

- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).

- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.

Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure is returned to the client.

In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.

For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.

Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.

1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6.
4, Select Update.

You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.

Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.


959121-1 : Not following best practices in Guided Configuration Bundle Install worker

Solution Article: K74151369


955145-4 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Solution Article: K03009991


954381-4 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Solution Article: K03009991


953729-4 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990

Solution Article: K56142644 K45056101


953677-4 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Solution Article: K18132488 K70031188


951033-1 : Virtual server resets all the connections for rstcause 'VIP disabled (administrative)'

Component: Local Traffic Manager

Symptoms:
Virtual server resets all the connections for rstcause 'VIP disabled (administrative)', after all the conditions are met.

Once it happens, the virtual server starts resetting all the incoming connections for rstcause 'VIP disabled (administrative)'. This continues even after the connection limit is deactivated.

Conditions:
-- There is at least one pool member that is DISABLED.
-- Other pool members have a connection limit configured.
-- A configuration change occurs while the connection limit is activated, and the change lowers the connection limit value, for example, the value is changed from 10 to 5.

Impact:
A virtual server continues resetting new connections.

Workaround:
Use Forced offline instead of disabled to prevent this issue.

Fix:
The BIG-IP system no longer continually resets new connections when the connection limit is lowered while it is being enforced.


950917-3 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034

Component: Application Security Manager

Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:

01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )

Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.

Impact:
Apply policy fails.

Workaround:
You can use any of the following workarounds:

-- Install an older signature update -SignatureFile_20200917_175034

-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.

-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------


950077-4 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Solution Article: K18132488 K70031188


950017-4 : TMM may crash while processing SCTP traffic

Component: TMOS

Symptoms:
Under certain conditions, TMM may crash while processing SCTP traffic. After this crash logs will show the message: "flow not in use".

Conditions:
- SCTP profile enabled

Impact:
TMM crashing leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes SCTP traffic as expected.


949933-3 : BIG-IP APM CTU vulnerability CVE-2021-22980

Solution Article: K29282483


949889-1 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()

Solution Article: K04107324


949593-1 : Unable to load config if AVR widgets were created under '[All]' partition

Component: Application Visibility and Reporting

Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.

Conditions:
This occurs if one or more AVR widgets in the configuration was created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.

Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.

Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':

# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config

This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.

Fix:
It is possible to successfully upgrade from or load a configuration containing one or more AVR widgets created under the read-only '\[All]' pseudo-partition or under other not existing partitions. With the current fix all partitions are changed to "Common" during upgrade.


949145-3 : Improve TCP's response to partial ACKs during loss recovery

Component: Local Traffic Manager

Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.

Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.

Impact:
The bursty retransmissions may lead to more data getting lost due to large amount of data being injected into the network.

Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.

Fix:
Partial ACK handling during loss recovery is improved.


948769-3 : TMM panic with SCTP traffic

Component: TMOS

Symptoms:
TMM panics and generates a core file. The panic message is "balanced nodes".

Conditions:
SCTP enabled virtual server

Impact:
Traffic interrupted while TMM restarts

Workaround:
Ensure that you have a route to the server's alternate address (like a default route since the remote server might not be under direct control) or
On versions earlier than 13.0 make sure that auto-lasthop is enabled for the virtual server (either via global, vlan or virtual setting)

Fix:
TMM now handles SCTP traffic properly


948573-3 : Wr_urldbd list of valid TLDs needs to be updated

Component: Traffic Classification Engine

Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.

Conditions:
New TLD is being queried

Impact:
The URL query with new TLDs can not be blocked with custom feed list.
Custom, Webroot, and Cloud returns Unknown category.

Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.


946581 : TMM vulnerability CVE-2020-27713

Solution Article: K37960100


945109-5 : Freetype Parser Skip Token Vulnerability CVE-2015-9382

Component: TMOS

Symptoms:
FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation.

Conditions:
An attacker may leverage this vulnerability by creating a crafted input file causing low confidentiality.

Impact:
In ps_parser_skip_PS_token(), lack of proper validation may lead the reading cursor holding the current position being processed to go beyond the end of the text content. This further causes an out of bounds read skip_comment() function and unexpected data may be exposed as a result of the over-read.

Workaround:
N/A

Fix:
Updated Freetype to patch for CVE-2015-9382


943913-5 : ASM attack signature does not match

Component: Application Security Manager

Symptoms:
When processing certain traffic, ASM attack signatures may not match as intended.

Conditions:
- ASM enabled
- Undisclosed attack signature variation

Impact:
ASM attack signature does not match or trigger further processing.

Workaround:
N/A

Fix:
ASM now processes traffic as expected.


943889 : Reopening the publisher after a failed publishing attempt

Component: Fraud Protection Services

Symptoms:
TMM crashes repeatedly on SIGSEGV.

Conditions:
This can occur after a HSL disconnect and re-connect.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system publishes data to HSL publisher on a second attempt successfully (after a reconnect).


943125-4 : ASM bd may crash while processing WebSocket traffic

Solution Article: K18570111


942701-4 : TMM may consume excessive resources while processing HTTP traffic

Component: Local Traffic Manager

Symptoms:
When processing HTTP traffic, TMM may consume excessive resources.

When BIGIP handles HTTP traffic, it provides a possibility to compress payload. Under certain conditions TMM may consume its memory inefficiently, resulting in OOM situations.

Conditions:
- Virtual server with http and httpcompression profiles.
- Undisclosed conditions at backend server.

Impact:
TMM exhausts its memory and may deny legitimate traffic or delay processing traffic.

Workaround:
Remove httpcompression profile from a virtual's configuration.

Fix:
TMM now processes HTTP traffic as expected.


941853-3 : Logging Profiles do not disassociate from virtual server when multiple changes are made

Component: Application Security Manager

Symptoms:
When multiple Logging Profiles profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.

Conditions:
Multiple Logging Profile changes are made in a single update.

Impact:
The previous Logging Profiles are not disassociated from the virtual server.

Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.


941621-4 : Brute Force breaks server's Post-Redirect-Get flow

Component: Application Security Manager

Symptoms:
Brute Force breaks server's Post-Redirect-Get flow

Conditions:
ASM policy is attached to VS
Brute force protection is enabled.
CSI challenge or Captcha are in use.
Server implements Post-Redirect-Get flow.

Impact:
Brute Force breaks server's Post-Redirect-Get flow

Workaround:
None

Fix:
Support PRG mechanism in brute force mitigations.


941449-5 : BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993

Solution Article: K55237223


941089-4 : TMM core when using Multipath TCP

Component: Local Traffic Manager

Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than to disable MPTCP.

Fix:
TMM no longer produces a core.


940897-4 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached

Component: Application Security Manager

Symptoms:
False positive violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached with enabled "Parse Parameter".

Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.

Impact:
False positives detected, such as "Illegal meta character in value" violation and attack signature for incorrect context.

Workaround:
N/A

Fix:
No false positives detected.


940401-4 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'

Component: Fraud Protection Services

Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.

Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.

Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.

Workaround:
None.

Fix:
Section now reads 'Rooting Detection'.


940249-4 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached

Component: Application Security Manager

Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then all sensitive
data after last allowed element is not masked.

Conditions:
Define JSON profile, set "JSON data does not comply with format settings" to blocking and set "Maximum Array/Object Elements" to desired value.

Impact:
Data after last allowed element is not masked.

Fix:
Now the values are masked.


940021-1 : Syslog-ng hang may lead to unexpected reboot

Component: TMOS

Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to unexpected reboot.

The BIG-IP may unexpectedly reboot after a host watchdog timeout when syslog-ng gets hung up.

Logs via syslog-ng are no longer written, though logging not via syslog-ng continues unaffected.
This happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.

At this time syslog-ng typically spins, using near 100% CPU (just one core equivalent, not all CPU capacity on system).

Typically things appear fine on rest of system - there will usually be adequate CPU and memory.
Hours or days later graphs will have a gap of usually tens of minutes to hours before an unexpected reboot.

Post reboot logs (in /var/log/sel for iSeries or ltm log otherwise) show this is a host watchdog reboot.
After reboot the system runs correctly, though if the syslog-ng remote server was invalid this remains the case.

Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.

A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to stream of log messages by breaking connection eg by sending ICMP port unreachable to BIG-IP.

Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:

  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

The final log will of a broken connection only, usually one minute after the last established/broken pair.

  Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.

Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable.

Fix:
Fixed an issue with syslog-ng hang occasionally causing a system restart.


939845-4 : BIG-IP MPTCP vulnerability CVE-2021-23004

Solution Article: K31025212


939841-4 : BIG-IP MPTCP vulnerability CVE-2021-23003

Solution Article: K43470422


939529-4 : Branch parameter not parsed properly when topmost via header received with comma separated values

Component: Service Provider

Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This Via header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch header. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.

Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.

Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction. CANCEL is received and client sends a 481 error:

SIP/2.0 481 Call/Transaction Does Not Exist.

Workaround:
Use iRules to remove the topmost Via header and add new a new Via header that uses the same branch as INVITE and CANCEL while sending messages to SIP clients.

Fix:
The BIG-IP system now ensures the branch field inserted in the via header same for INVITE and CANCEL messages.


938233-4 : An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization

Component: Local Traffic Manager

Symptoms:
BIG-IP exhibits gradual and linear increase in memory accumulation (high xfrag accumulation) leading to high CPU utilization.

Impact:
This may start affecting BIG-IPs capacity to serve other incoming requests as CPU utilization tends towards maximum limit.

Fix:
BIG-IP no longer shows the known issues of high memory (xfrag) accumulation that leads to the high CPU utilization.


937637-5 : BIG-IP APM VPN vulnerability CVE-2021-23002

Solution Article: K71891773


937365-5 : LTM UI does not follow best practices

Component: TMOS

Symptoms:
The SCTP component of LTM WebUI does not follow current best practices.

Conditions:
- Authenticated LTM WebUI user

Impact:
LTM WebUI does not follow current best practices.

Workaround:
None

Fix:
TMUI now follows best practices.


935721-3 : ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Solution Article: K82252291


935433-5 : iControl SOAP Hardening

Component: TMOS

Symptoms:
Under certain condition, iControl SOAP does not follow current best practices.

Conditions:
- Undisclosed conditions.

Impact:
iControl SOAP doe not follow current best practices.

Workaround:
N/A

Fix:
iControl SOAP now follows current best practices.


935401-5 : BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001

Solution Article: K06440657


935293-1 : 'Detected Violation' Field for event logs not showing

Component: Application Security Manager

Symptoms:
Violation is missing/details not populated in the event log page, when a POST request with large number of parameters are sent to the BIG IP system.

Conditions:
-- A large POST request with lots of parameters is sent to BIG-IP system.
-- 'Learn New Parameters' is enabled.

Impact:
You cannot see the violation details.

Workaround:
Disabling parameter learning helps.

Note: This happens only with a large number of parameters. Usually it works as expected.

Fix:
The eventlog is reserving space for violations.


933777-3 : Context use and syntax changes clarification

Component: Application Visibility and Reporting

Symptoms:
There are 2 issues:
1) tmsh analytics commands related to server side connections changed in 14.x
2)"max-tps" is non-cumulative and cannot be used in this context

Conditions:
Using tmsh analytics commands in BIG-IP v14.x and higher

Impact:
1) tmsh commands (related to server side connections) should be written differently in 14.x+
2)The "max-tps" measure is not applicable in the 'client-ip' context

Workaround:
There are 2 issues:
1)tmsh display name changed from total-server-side-conns to server-side-conns etc (14.x+)
2)Change the "max-tps" attribute "commutative" from false to true and change the merge formula from SUM to MAX

Fix:
Change the "max-tps" attribute "commutative" from false to true and change the merge formula from SUM to MAX


933741-5 : BIG-IP FPS XSS vulnerability CVE-2021-22979

Solution Article: K63497634


933461-2 : BGP multi-path candidate selection does not work properly in all cases.

Component: TMOS

Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.

Conditions:
An inbound route-map exists that modifies a route's path selection attribute.

Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.

Workaround:
None.


933297 : FTP virtual server passive data channels do not pass traffic

Solution Article: K20984059


932697-1 : BIG-IP TMM vulnerability CVE-2021-23000

Solution Article: K34441555


932485-1 : Incorrect sum(hits_count) value in aggregate tables

Component: Application Visibility and Reporting

Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.

Conditions:
-- Insert a very large amount of data (approximately 4.5 milliard or more) to one of AVR tables.
-- Review the value of the sum(hits_count) column.

Impact:
The system reports incorrect values in AVR tables when dealing with large numbers

Workaround:
None.


932065-4 : iControl REST vulnerability CVE-2021-22978

Solution Article: K87502622


931837-3 : NTP has predictable timestamps

Component: TMOS

Symptoms:
No known symptoms.

Conditions:
Ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 are vulnerable.

Two main prerequisites for this to be exploited.

1. Having the BIG-IP act as an NTP server.
2. Sources for BIG-IP's time being unreliable/unauthenticated upstream NTP servers

Impact:
A high-performance ntpd instance that gets its time from unauthenticated IPv4 time sources may be vulnerable to an off-path attacker who can query time from the victim's ntpd instance. An attacker who can send a large number of packets with the spoofed IPv4 address of the upstream server can use this flaw to modify the victim's clock by a limited amount or cause ntpd to exit.

Workaround:
Redhat suggested the following mitigations:

1. Have enough trustworthy sources of time.

2. If you are serving time to a possibly hostile network, have your system get its time from other than unauthenticated IPv4 over the hostile network.

3. Use NTP packet authentication where appropriate.

4. Pay attention to error messages logged by ntpd.

5. Monitor your ntpd instances. If the pstats command of ntpq shows the value for "bogus origin" is increasing then that association is likely under attack.

6. If you must get unauthenticated time over IPv4 on a hostile network, Use restrict ... noserve to prevent this attack (note that this is a heavy-handed protection), which blocks time service to the specified network.


931513-4 : TMM vulnerability CVE-2021-22977

Solution Article: K14693346


930741-4 : Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot

Component: TMOS

Symptoms:
If there is a truncated BIG-IP software image in /shared/images, a kernel lockup and reboot could occur.

One way to have a truncated image in /shared/images is by using iControl/SOAP to upload the image. Using SOAP, the image is uploaded in chunks, so until the last chunk is uploaded, the image is not complete/is truncated.

Conditions:
-- Truncated BIG-IP image in /shared/images
-- Using SOAP to upload the image.

Impact:
Traffic disruption caused by the reboot.

Workaround:
If you are using SOAP to upload BIG-IP software images, upload them to /shared first and then move them to /shared/images.


929001-5 : ASM form handling improvements

Component: Application Security Manager

Symptoms:
Under certain conditions, the ASM form handler may not enforce as expected.

Conditions:
- Brute force protection is configured

Impact:
Enforcement not triggered as expected.

Workaround:
N/A

Fix:
ASM now processes forms as expected.


928685-4 : ASM Brute Force mitigation not triggered as expected

Component: Application Security Manager

Symptoms:
Under certain conditions the Brute Force mitigation will not be triggered.

Conditions:
- ASM enabled
- Brute Force mitigation enabled

Impact:
Brute Force mitigation is not triggered as expected.

Workaround:
The following iRule will look for an issue with the authorization header and will raise an custom violation when this is happening:

when ASM_REQUEST_DONE

{
    if { [catch { HTTP::username } ] } {
     
     log local0. "ERROR: bad username";
     
     ASM::raise bad_auth_header_custom_violation 
   
   }
}

Fix:
Brute Force mitigation is now triggered as expected.


928037-4 : APM Hardening

Solution Article: K15310332


927941-2 : IPv6 static route BFD does not come up after OAMD restart

Component: TMOS

Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"

Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.

Impact:
BFD session is not shown in 'show bfd session'.

Workaround:
Restart tmrouted:
bigstart restart tmrouted

Fix:
IPv6 static route BFD session now comes up after restarting the oamd process.


927617-4 : 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value

Component: Application Security Manager

Symptoms:
A valid request that should be passed to the backend server is blocked.

Conditions:
-- A cookie name is defined in Security :: Application Security : Headers : Cookies List :: New Cookie, with Base64 Decoding enabled.

-- The cookie header that contain the valid cookie value is encoded to base64.

Impact:
A request is blocked that should not be.

Workaround:
Disable 'Base64 Decoding' for the desired cookie.

Fix:
Requests with valid base64 encoding cookies are now correctly passed by the enforcer.


926929-1 : RFC Compliance Enforcement lacks configuration availability

Component: Local Traffic Manager

Symptoms:
Earlier versions contained fixes that enforce several RFC compliance items for HTTP request and response processing by BIG-IP systems. Enforcement for some of these items is unavoidable, but might cause issues for certain applications.

Conditions:
The configuration has a virtual server with an HTTP profile.

Impact:
Some applications that require certain constructions after a header name may not function.

Workaround:
None.

Fix:
A configuration item is introduced to manage any RFC compliance option when enforcement is turned on:

HTTP profile option enforcement.allow-ws-header-name; prior releases Tmm.HTTP.RFC.AllowWSHeaderName DB key (necessarily a global flag, rather than per-profile control).


924929 : Logging improvements for VDI plugin

Component: Access Policy Manager

Symptoms:
If the Virtual Desktop Interface (VDI) plugin aborts, the names of the events are not logged in the APM log file.

Conditions:
- Virtual Desktop Interface (VDI) configured
- The plugin encounters a problem and aborts

Impact:
Event names are not displayed in the APM log.

Workaround:
None.

Fix:
Event names along with the exceptions are also seen in the APM log file.


924493-5 : VMware EULA has been updated

Component: TMOS

Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.

Conditions:
The EULA is presented to the user when deploying an OVF template.

Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).

Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.

Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.

Fix:
The EULA presented in VMware was out of date and has been updated.


922317-1 : Using the LSN::persistence_entry command in an iRule may cause crashes and/or stalled connections

Component: Local Traffic Manager

Symptoms:
-- Stalled serverside connections visible in connection table.
-- No traffic going out towards pool member.
-- Sometimes tmm crashes may occur.

Conditions:
The LSN::persistence_entry Tcl command is used inside of an iRule triggered by a serverside event, e.g., SERVER_CONNECTED.

Impact:
-- Traffic not reaching pool members.
-- System disruption while tmm restarts in case of crash.

Workaround:
Do not use the LSN::persistence_entry command in iRules triggered by serverside events.

Fix:
Traffic now reaches pool members, no stalled connections occur, and crashes are eliminated.


922297-4 : TMM does not start when using more than 11 interfaces with more than 11 vCPUs

Component: TMOS

Symptoms:
TMM may not start when using more than 11 network interfaces with more than 11 vCPUs configured.

You see the following log entries in /var/log/tmm:

-- notice ixlv(1.1)[0:5.0]: Waiting for tmm10 to reach state 1...

In the TMM log for that TMM, you can see that it is waiting for tmm0, e.g.:

-- notice ixlv(1.10)[0:6.0]: Waiting for tmm0 to reach state 2...

Conditions:
-- BIG-IP Virtual Edition (VE).
-- More than 11 interfaces configured.
-- More than 11 vCPUs configured.

Impact:
TMM does not start.

Workaround:
Configure fewer network interfaces or vCPUs.

Fix:
Fixed a TMM startup deadloop stuck issue (when there are more than 10 interfaces and tmms/vCPUs).


921625-5 : The certs extend function does not work for GTM/DNS sync group

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged a SSL cert.

As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives 'unknown ca' SSL error, if its peer GTM/DNS has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.

The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.

You might see messages similar to the following:

-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....

Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device.
-- Configuration is as follows:
   1. GTMDNS1 and GTMDNS2 are in a same GTM/DNS sync group.
   2. GTMDNS1 has a self-authorized CA cert.
   3. You add a BIG-IP server that is is reachable but with which GTMDNS1 has not exchanged SSL certs.

Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.

Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.


921549-7 : The gtmd process does not receive updates from local big3d.

Component: Global Traffic Manager (DNS)

Symptoms:
Oversized server.crt file causes gtmd (other devices in a same syncgroup) from receiving from local big3d.

Conditions:
One GTM/DNS device in the syncgroup has an oversized server.crt file (approximately 4000 or larger) and sends a client cert direct message to peer GTM/DNS devices.

Impact:
The gtmd process marks resources down unexpectedly and does not receive persist updates.

Workaround:
1. For each GTM/DNS device, use bigip_add to add all BIG-IP servers configured in bigip_gtm.conf file.
2. Restart each GTM/DNS that is affected.


921337-1 : BIG-IP ASM WebSocket vulnerability CVE-2021-22976

Solution Article: K88230177


920265 : TMM may crash if a virtual server undergoes a series of specific configuration changes involving the transparent-nexthop option.

Component: Local Traffic Manager

Symptoms:
TMM crashes and produces a core dump.

Conditions:
This issue occurs when:

- You initially enable the transparent-nexthop setting on a virtual server.
- You then disable the option.
- You then disable auto-lasthop for the virtual server.
- The virtual server receives traffic.

Impact:
Traffic is impacted while TMM restarts.

Workaround:
There is no workaround that you can instantiate to prevent this issue. However, if you are aware that you have already performed the necessary configuration changes to cause this issue to occur, and TMM has not crashed yet, you can delete the virtual server and recreate it (with the intended/final configuration) to prevent the crash.

Fix:
TMM no longer crashes after modifying a virtual server as described under Conditions.


919553-4 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.

Component: Global Traffic Manager (DNS)

Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.

Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.


918933-4 : The BIG-IP ASM system may not properly perform signature checks on cookies

Solution Article: K88162221

Component: Application Security Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Impact:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Workaround:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Fix:
For more information, please see:
https://support.f5.com/csp/article/K88162221


918597-1 : Under certain conditions, deleting a topology record can result in a crash.

Component: Global Traffic Manager (DNS)

Symptoms:
During a topology load balancing decision, TMM can crash.

Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.

Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Topology record changes are now done in a way that prevents the possibility of TMM crashing when making load balancing decisions in which the record is used.


918169-3 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in a HTTP response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when all of the following conditions are true:

-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).

-- The server's HTTP response does not terminate with a newline.

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by performing any one of the following actions:

-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.

-- Ensure the server's HTTP response ends with a newline.

Fix:
The GTM/DNS HTTPS monitor no longer fails when the SSL peer performs an unclean shutdown.


917509-1 : BIG-IP ASM vulnerability CVE-2020-27718

Solution Article: K58102101


917005-3 : ISC BIND Vulnerability: CVE-2020-8619

Solution Article: K19807532


916821-5 : iControl REST vulnerability CVE-2021-22974

Solution Article: K68652018


915825-5 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.

Component: TMOS

Symptoms:
A configuration error occurs during upgrade due to custom partition-associated Draft folder, which exists in configuration file after deleting a custom partition.

Configuration error: Can't associate folder (/User/Drafts) folder does not exist.

Conditions:
This occurs in the following scenario:

1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.

Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.

Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.


915689-5 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.

Component: Local Traffic Manager

Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already stored in the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.

Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.

Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.

Workaround:
None.

Fix:
HTTP/2 response headers now properly use the dynamic header table index when possible.


915605-4 : Image install fails if iRulesLX is provisioned and /usr mounted read-write

Solution Article: K56251674

Component: Local Traffic Manager

Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.

tmsh show software status will report the status for the target volume as one of the following:

-- Could not access configuration source.
-- Unable to get hosting system product info.

Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.

Impact:
Unable to upgrade or more generally install an image on a new or existing volume.

Workaround:
Re-mount /usr as read-only:

mount -o remount,ro /usr


915305-2 : Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded

Component: TMOS

Symptoms:
Dynamic routing changes do not cause point-to-point tunnel flows to refresh their connection entries causing tunneled traffic to be dropped/discarded.

Conditions:
Path to a remote tunnel endpoint is provided by a dynamic routing.

Impact:
Tunneled traffic might be dropped/discarded by the BIG-IP system.

Workaround:
Use static routing to provide a path to remote tunnel endpoint.


915281-6 : Do not rearm TCP Keep Alive timer under certain conditions

Component: Local Traffic Manager

Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.

Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.

Impact:
Continuous rearming results in consuming CPU resources unnecessarily.

Workaround:
None.

Fix:
Rearming of TCP Keep Alive timer is improved.


914649-1 : Support USB redirection through VVC (VMware virtual channel) with BlastX

Component: Access Policy Manager

Symptoms:
USB is unavailable after opening VMware View Desktop.

Conditions:
1. Secure Tunnel disabled on VCS
2. Launch view virtual desktop via native view client from an APM webtop or from the View client

Impact:
USB is unavailable after opening VMware View Desktop

Workaround:
None.

Fix:
USB is now available after opening VMware View Desktop


913829-2 : i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence

Component: TMOS

Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic

Conditions:
Source ports used to connect to i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades form an arithmetic sequence.

For example, some client devices always use even source port numbers for ephemeral connections they initiate. This means the 'stride' of the ports selected is '2'. Because a sorted list of the ports yields a list like 2, 4, 6, 8... 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.

Impact:
Traffic imbalance may result in tmm threads on different CPU cores having imbalanced workloads. While this can sometimes impact on performance, an overloaded tmm thread can usually redistribute load to less loaded threads in a way that does not impact performance. However the loads on the CPU cores will appear imbalanced still.

Workaround:
Where possible, configure devices to draw from the largest possible pool of source ports when connecting via a BIG-IP system.

Behavior Change:
This release introduces a new variable to mitigate this issue:
dagv2.pu.table.size.multiplier.

You must set the variable to 2 or 3 on the host, and then restart tmm on all host blades and then all guests to mitigate the issue. dag2.pu.table.size.multiplier.


913441 : Tmm cores while doing Hitless Upgrade while there are active flows

Component: Traffic Classification Engine

Symptoms:
Tmm cores.

Conditions:
Addition of new flows to existing lib while Hitless Upgrade is in progress.

Impact:
Tmm core while doing app detection for new flows. Traffic disrupted while tmm restarts.

Workaround:
Restrict addition of new flows if a Hitless Upgrade is in progress.

Fix:
New flows are no longer added to the classification engine to any of the library if the Hitless Upgrade process is in progress.


913433-4 : On blade failure, some trunked egress traffic is dropped.

Component: TMOS

Symptoms:
When a blade fails, other blades may try to forward traffic using trunked interfaces on the down blade.

Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- A blade is pulled or powered off.

Impact:
Some traffic is dropped until the failed blade is detected by clusterd (10 seconds by default.)

Workaround:
None.


913085-5 : Avrd core when avrd process is stopped or restarted

Component: Application Visibility and Reporting

Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.

Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.

Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.

Workaround:
None.

Fix:
Avrd no longer cores when avrd process is stopped or restarted.


912969-5 : iAppsLX REST vulnerability CVE-2020-27727

Solution Article: K50343630


912221-3 : CVE-2020-12662 & CVE-2020-12663

Solution Article: K37661551


912001-1 : TMM cores on secondary blades of the Chassis system.

Component: Global Traffic Manager (DNS)

Symptoms:
When using DNS Cache on chassis systems with a forward zone pointing at a self IP for communication with local BIND, the following assert triggers:

tmm_panic (... "../net/loop.c:572: %sIDX set on listener%s") at ../lib/stdio.c:1307

Conditions:
-- Chassis system is used.
-- Secondary TMMs core dump.
-- Primary works as expected.

Impact:
TMMs on secondary blades core dump. Traffic disrupted while tmm restarts.

Workaround:
1) Create another virtual server with a DNS profile to use configured to use the local bind server.
2) Set the forward zones to point to that virtual server instead of the self IP as name servers.


911761-5 : F5 TMUI XSS vulnerability CVE-2020-5948

Solution Article: K42696541


910201-5 : OSPF - SPF/IA calculation scheduling might get stuck infinitely

Component: TMOS

Symptoms:
After SPF/IA calculation gets suspended, it might enter a state where it never fires again.

Conditions:
SPF/IA calculation gets suspended;

This occurs for various reasons; BIG-IP end users have no influence on it occurring.

Impact:
OSPF routes are visible in the OSPF database, but not installed in the routing table.

Workaround:
Restart the routing daemons:
# bigstart restart tmrouted

Running this command allows you to recover from this situation, but does not prevent the event from reoccurring.

If due to a topology, SPF/IA calculation suspension occurs again after a restart, this workaround essentially has no effect.


909837-3 : TMM may consume excessive resources when AFM is provisioned

Solution Article: K05204103


909757 : HTTP CONNECT method with a delayed payload can cause a connection to be closed

Component: Local Traffic Manager

Symptoms:
If the HTTP CONNECT method is utilized and payload arrives in a later TCP segment, the HTTP connection will be closed.

Conditions:
-- HTTP profile.
-- HTTP CONNECTION with delayed payload.

Impact:
The HTTP connection is incorrectly closed.

Workaround:
None.

Fix:
Traffic containing the HTTP CONNECT method and a delayed payload no longer has its connection closed.


909237-3 : CVE-2020-8617: BIND Vulnerability

Solution Article: K05544642


909233-3 : DNS Hardening

Solution Article: K97810133


908673-2 : TMM may crash while processing DNS traffic

Solution Article: K43850230


908065-5 : Logrotation for /var/log/avr blocked by files with .1 suffix

Component: Application Visibility and Reporting

Symptoms:
AVR logrotate reports errors in /var/log/avr:

error: error creating output file /var/log/avr/avrd.log.1: File exists
/var/log/avr/avrd.log will remain unchanged
/var/log/avr/avrd.log.1 will remain unchanged

Conditions:
Files ending with .1 exist in the log directory.

Impact:
Logrotate does not work. This might fill the disk with logs over time.

Workaround:
Remove or rename all of the .1 log files.

Fix:
Fixed an issue with logrotate failing when files ending with .1 exist in the log directory.


908021-3 : Management and VLAN MAC addresses are identical

Component: TMOS

Symptoms:
The 'tmsh show sys mac-address' command indicates the management interface is using the same MAC address as a VLAN.

Conditions:
This can occur on chassis based systems and on VCMP guests. The MAC address pool does not reserve specific MAC addresses for the management interfaces and so pool entries may be reused for VLANs.

Impact:
The management MAC address is the same as the VLAN MAC address, resulting in issues relating to the inability to differentiate traffic to the management port or to traffic ports.

Workaround:
None.

Fix:
The issue has been fixed for hardware platforms. That is, MAC addresses in the MAC address pool have been reserved for the management port. Due to the small MAC pool size for a few platforms (see K14513: MAC address assignment for interfaces, trunks, and VLANs :: https://support.f5.com/csp/article/K14513#vlans), entries cannot be reserved for VCMP guest management interfaces.


907337-5 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
A specific scenario that results in memory corruption.

Impact:
Failover, traffic disturbance. Traffic disrupted while BD restarts.

Workaround:
None.

Fix:
This BD crash no longer occurs.


907245-4 : AFM UI Hardening

Component: Advanced Firewall Manager

Symptoms:
Under certain conditions, the AFM WebUI does not follow current best practices.

Conditions:
- AFM provisioned
- Authenticated AFM WebUI user

Impact:
AFM WebUI does not follow current best practices.

Workaround:
N/A

Fix:
AFM WebUI now follows current best practices


906377-5 : iRulesLX hardening

Component: TMOS

Symptoms:
Under certain conditions, iRulesLX does not follow current best practices.

Conditions:
- Authenticated administrative user

Impact:
iRulesLX does not follow current best practices.

Workaround:
N/A

Fix:
iRulesLX now follows current best practices.


905905-4 : TMUI CSRF vulnerability CVE-2020-5904

Solution Article: K31301245


905125-4 : Security hardening for APM Webtop

Solution Article: K30343902


904937-5 : Excessive resource consumption in zxfrd

Solution Article: K25595031


904053-5 : Unable to set ASM Main Cookie/Domain Cookie hashing to Never

Component: Application Security Manager

Symptoms:
Disabling ASM Main Cookie/Domain Cookie hashing in a Policy's Learning and Blocking Setting with 'Never (wildcard only)' does not stop the ASM Main Cookie from continuing to hash server-provided cookies.

Conditions:
-- ASM enabled.
-- Learning mode enabled for Policy.
-- Learn New Cookies set to 'Never (wildcard only)' instead of default 'Selective'.

Impact:
A sufficient number of ASM Main Cookies and/or a sufficiently large number of cookies for each ASM Main cookie to hash can result in the HTTP header becoming prohibitively large, causing traffic to be refused by the server.

Workaround:
Disable Learning mode for the Policy disables Cookie hashing.

Note: This affects all learning, not just Cookie hashing.

Fix:
Cookie hashing can now be disabled at the policy level in the Cookie subsection of an ASM Policy's Learning and Blocking Settings by setting Learn New Cookies to "Never (wildcard only)".


903453 : TMM crash following redirect when Proactive Bot Defense is used

Component: Application Security Manager

Symptoms:
TMM may rarely crash when Proactive Bot Defense is enabled.

Conditions:
TMM may rarely crash under specific configurations when Proactive Bot Defense is used.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None.


902485-1 : Incorrect pool member concurrent connection value

Component: Application Visibility and Reporting

Symptoms:
In AVR pool-traffic report, 'server-concurrent-conns' reports a larger value than 'server-max-concurrent-conns'.

Conditions:
This is encountered when viewing the pool-traffic report.

Impact:
Incorrect stats reported in the pool-traffic report table

Workaround:
In /etc/avr/monpd/monp_tmstat_pool_traffic_measures.cfg, change the formula of server_concurrent_connections:

From this:
formula=round(sum(server_concurrent_conns),2)

Change it to this:
formula=round(sum(server_concurrent_conns)/count(distinct time_stamp),2)

Fix:
Changed the calculation formula of 'server-concurrent-conns' so it reports the correct statistics.


902417-5 : Configuration error caused by Drafts folder in a deleted custom partition

Component: TMOS

Symptoms:
Error during config load due to custom partition associated Draft folder exists after deleting partition.

01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.

Conditions:
Create draft policy under custom partition

Impact:
Impacts the software upgrade.

Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.


900797-5 : Brute Force Protection (BFP) hash table entry cleanup

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed.
This scenario may cause mitigated entries to keep getting removed from the hash table by new entries.

Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of the hash tables together, then divided into the number of virtual servers which have traffic and BFP enabled.
In case of the latter, there might be a chance that with too many virual servers the hash table may reach it's maximum capacity.

Impact:
Mitigated entries that keep getting removed from the hash table by new entries, may result in attacks not getting mitigated.

Workaround:
N/A

Fix:
Mitigated entries are kept in the hash table.


900793-3 : APM Brute Force Protection resources do not scale automatically

Solution Article: K32055534

Component: Application Security Manager

Symptoms:
Under certain conditions, resources for Brute Force Protection must be manually scaled by administrators to provide full protection.

Conditions:
-- Many virtual server (hundreds) that have web application protection with brute force protection enabled.
-- Numerous failed login requests coming to all virtual servers all the time.

Impact:
Administrators must manually change the hash size upon need instead of relying on the automatic configuration.

Workaround:
Set the internal parameter external_entity_hash_size to 0 to allow automatic recalculation of the correct value.

Fix:
Brute Force Protection resources are now scaled automatically based on available system resources.


900789-5 : Alert before Brute Force Protection (BFP) hash are fully utilized

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP addresses and usernames. There is a separate hash table for each virtual server. When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed without logging a warning.

Conditions:
This can be encountered when Brute Force Protection is enabled and the hash table reaches its maximum capacity.

Impact:
No alert is sent when entries are evicted.

Workaround:
None.

Fix:
Alert/Warning is now announced in ASM logs, describing the status of the hash table.


900757-5 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


898949-4 : APM may consume excessive resources while processing VPN traffic

Solution Article: K04518313


898705-2 : IPv6 static BFD configuration is truncated or missing

Component: TMOS

Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.

-- IPv6 static BFD configuration entries go missing during a daemon restart.

Conditions:
IPv6 static BFD configuration.

Impact:
The IPv6 static BFD configuration does not persist during reloads.

-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.

Workaround:
None.


896709-1 : Add support for Restart Desktop for webtop in VMware VDI

Component: Access Policy Manager

Symptoms:
VMware has a restart desktop option to reboot the Horizon Agents, but APM does not support this feature on the webtop.

Conditions:
You wish to use the VMware Restart desktop feature for the Horizon Agents that are managed by the vCenter Server.

Impact:
Cannot restart the desktop (Horizon Agent) from the webtop by clicking the restart icon.

Workaround:
None.

Fix:
APM now supports restart desktop option on webtop for VMware VDI.


896217-5 : BIG-IP GUI unresponsive

Component: TMOS

Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.

Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.

Impact:
GUI becomes unresponsive.

Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat


895993-5 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


895981-5 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


895881-4 : BIG-IP TMUI XSS vulnerability CVE-2020-5903

Solution Article: K43638305


895525-5 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


892677-3 : Loading config file with imish adds the newline character

Component: TMOS

Symptoms:
While loading configuration from the file with IMISH ('imish -f <f_name>'), the newline character gets copied at the end of each line which causes problems with commands containing regex expressions.

In particular, this affects the bigip_imish_config Ansible module.

Conditions:
Loading a config with 'imish -f <f_name>' commands.

Note: This command is used with the bigip_imish_config Ansible module.

Impact:
Regex expressions are not created properly.

Workaround:
You can use either of the following workarounds:

-- Delete and re-add the offending commands using the imish interactive shell.

-- Restart tmrouted:
bigstart restart tmrouted


892385-3 : HTTP does not process WebSocket payload when received with server HTTP response

Component: Local Traffic Manager

Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.

Conditions:
-- Virtual contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload is received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.

Impact:
-- WebSocket connection hangs.

Workaround:
None.

Fix:
HTTP processes WebSocket payload without delay when payload is received with server HTTP response.


891457-5 : NIC driver may fail while transmitting data

Solution Article: K75111593


890277-1 : Full config sync to a device group operation takes a long time when there are a large number of partitions.

Component: TMOS

Symptoms:
When a full config sync is done to a device group with large number of partitions:
-- The config sync operation takes a long time to complete.
-- There is a spike in CPU usage on the device where config push is initiated.
-- The mcpd daemon is unresponsive to other daemons, such tmsh, GUI etc., as it is busy pushing the config sync.
-- iQuery connections are terminated due to high CPU utilization.

Conditions:
Full config sync on device with large number of partitions.

Impact:
The operation takes a long time to complete, minutes on a BIG-IP Virtual Edition (VE) configurations, and varies by platform and the size of the configuration. For example, config sync on a medium BIG-IP VE setup running v15.1.0.1 with 512 partitions takes ~3 minutes.

Impedes management of device as well as terminates iQuery connections to GTM/DNS devices.

Workaround:
Enable Manual Incremental Sync.


890229-4 : Source port preserve setting is not honored

Component: Local Traffic Manager

Symptoms:
The source port is always changed in source-port preserve mode even if the original source port with the other parameters would hash to the same TMM.

Conditions:
This issue occurs when both of the following conditions are met:

-- The virtual server is configured with source-port preserve (the default).
-- The system uses one of the following hash configurations including IP addresses.
    - Using RSS DAG as a default hash on BIG-IP Virtual Edition (VE) (Z100) or on 2000- and 4000-series devices.
    - Configuring a VLAN's 'CMP Hash' setting to a non-default value.
    - Using a special variable such as non-default udp.hash or tcp.hash.

Impact:
Applications relying on a specific, fixed source port might not work as expected.

Workaround:
Set source-port to preserve-strict.

Fix:
Now source-port preserve setting does best effort to preserve the source port.

Behavior Change:
Beginning with v16.0.0, the TM.PortFind.Src_Preserve BigDB variable introduced in v15.1.0 is no longer supported.

The source-port preserve setting now does best effort to preserve the source port.


889601-5 : OCSP revocation not properly checked

Component: Local Traffic Manager

Symptoms:
The revocation status of un-trusted intermediate CA certs are not checked when ocsp object is configured.

Conditions:
When OCSP object revocation checking is configured in client and server SSL profiles

Impact:
The SSL handshake continues eve if a certificate is revoked.

Fix:
OCSP revocation checking now working properly.


889557-3 : jQuery Vulnerability CVE-2019-11358

Solution Article: K20455158


889497-1 : Deleting a log profile results in urldb and urldbmgrd CPU utilization increase to over 90% usage

Component: Access Policy Manager

Symptoms:
The urldb and urldbmgrd process CPU utilization increases to over 90%.

Conditions:
-- SWG provisioned.
-- Creating an APM Event log profile and then deleting it.

Impact:
High CPU utilization by urldb and urldbmgrd.

Workaround:
Do not delete an APM Event log profile.

If an APM Event log has already been deleted, restart urldb and urldbmgrd to return CPU processing.top


888517-4 : Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.

Component: Local Traffic Manager

Symptoms:
Tmm is running at 100% CPU even under light network load. The 'tmctl tmm/ndal_tx_stats' command shows a high number of packet drops. The 'tmctl tmm/ndal_tx_stats' indicates a large number of queue full events.

Conditions:
-- BIG-IP Virtual Edition.
-- There are underlying network performance issues causing the transmit queue to be full (e.g., a non-SR-IOV virtual machine environment).
-- Upgrading from BIG-IP v12.x to BIG-IP v14.x.

Impact:
NDAL's busy polling runs the tmm CPU usage to 100%.

Workaround:
Correct the underlying networking/virtualization issue.

Fix:
NDAL needs to provide visible information, for example, a log entry, when busy polling over a period of time.


888497-5 : Cacheable HTTP Response

Component: TMOS

Symptoms:
JSESSIONID, BIGIPAUTHCOOKIE, BIGIPAUTH can be seen in the browser's debugging page.

Conditions:
-- Accessing the BIG-IP system using the GUI.
-- Viewing the browser's stored cache information.

Impact:
HTTPS session information is captured/seen in the browser's local cache, cookie.

Note: The BIG-IP system does not display and/or return sensitive data in the TMUI. Content that is marked appropriately as sensitive is never returned, so it is never cached. Data that is cached for TMUI in the client browser session is not considered secret.

Workaround:
Disable caching in browsers.


888493-5 : ASM GUI Hardening

Solution Article: K40843345


888341-3 : HA Group failover may fail to complete Active/Standby state transition

Component: TMOS

Symptoms:
After a long uptime interval (i.e., the sod process has been running uninterrupted for a long time), HA Group failover may not complete despite an HA Group score change occurring. As a result, a BIG-IP unit with a lower HA Group score may remain as the Active device.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime, e.g.:

-- 1 floating traffic group: 2485~ days.
-- 2 floating traffic groups: 1242~ days.
-- 4 floating traffic groups: 621~ days.
-- 8 floating traffic groups: 310~ days.
-- 9 floating traffic groups: 276~ days.

Note: You can confirm sod process uptime in tmsh:

# tmsh show /sys service sod

Conditions:
HA Group failover configured.

Note: No other failover configuration is affected except for HA Group failover, specifically, these are not affected:

 o VLAN failsafe failover.
 o Gateway failsafe failover.
 o Failover triggered by loss of network failover heartbeat packets.
 o Failover caused by system failsafe (i.e., the tmm process was terminated on the Active unit).

Impact:
HA Group Active/Standby state transition may not complete despite HA Group score change.

Workaround:
There is no workaround.

The only option is to reboot all BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.


888289-4 : Add option to skip percent characters during normalization

Component: Application Security Manager

Symptoms:
An attack signature is not detected.

Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.

Impact:
An attack goes undetected.

Workaround:
Turn on the bad unescape violation or the metacharacter violation.

Fix:
Added an internal parameter, normalization_remove_percents. Its default is 0 (zero), meaning that the previous behavior is maintained. When enabled, the normalization of the data before running the signature removes the percent characters (as it does to high ASCII and space characters).


887089-5 : Upgrade can fail when filenames contain spaces

Component: TMOS

Symptoms:
Filenames with spaces in /config directory can cause upgrade/UCS load to fail because the im upgrade script that backs up the config, processes the lines in a file spec using white space characters. The number of spaces in the filename is significant because it determines how the process separates the name into various fields, including a path to the file, an md5sum, and some file properties (notably size). If the path contains white space, when the upgrade/UCS load process attempts to use a field, the operation encounters a value other than what it expects, so the upgrade/UCS load fails.

The file's content is also significant because that determines the md5sum value.

Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:

Not enough free disk space to install!

Conditions:
Filenames with spaces in /config directory.

Impact:
Upgrade or loading of UCS fails.

Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.


886693-1 : System may become unresponsive after upgrading

Component: TMOS

Symptoms:
After upgrading, the system encounters numerous issues:

-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.

Conditions:
-- The configuration works in the previous release, but does not work properly in the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.

Exact conditions that trigger this issue are unknown. In the environment in which it occurs, a datagroup is deleted, but an iRule still references it, see: https://cdn.f5.com/product/bugtracker/ID688629.html

Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.

Workaround:
Reboot to an unaffected, pre-upgrade volume.

-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.

-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.

Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.

For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.

Fix:
The system should now remain responsive if the configuration fails to load during an upgrade on the following platforms:

-- BIG-IP 2000s / 2200s
-- BIG-IP 4000s / 4200v
-- BIG-IP i850 / i2600 / i2800
-- BIG-IP Virtual Edition (VE)


886085-1 : BIG-IP TMM vulnerability CVE-2020-5925

Solution Article: K45421311


885241 : TMM leaks memory when the 'ACCESS::session remove' iRule command is called in an event other than an ACCESS event.

Component: Access Policy Manager

Symptoms:
TMM leaks memory and eventually crashes when it cannot allocate any more memory.

Conditions:
The 'ACCESS::session remove' iRule command is called in an event other than an ACCESS event (for example, the CLIENTSSL_HANDSHAKE event).

The only affected versions are 13.1.3.2 and 13.1.3.3.

Impact:
The leak initially causes traffic disruption, as TMM reaps flows prematurely in an effort to free up memory. Eventually, TMM crashes, as it is unable to allocate any more memory. When this happens, redundant systems fail over. Traffic disrupted while tmm restarts.

Workaround:
Do not use the 'ACCESS::session remove' iRule command under any event that isn't an ACCESS event.

To restore TMM to a fully functional state after making all necessary configuration changes, or to temporarily work around this issue, you can restart TMM with the following command:

bigstart restart tmm


883717-4 : BD crash on specific server cookie scenario

Solution Article: K37466356


882769-5 : Request Log: wrong filter applied when searching by Response contains or Response does not contain

Component: Application Security Manager

Symptoms:
When searching by "Response contains" or "Response does not contain", an incorrect filter is applied and displayed

Conditions:
This occurs in the GUI when selecting "Response contains" or "Response does not contain" filter

Impact:
You are unable to search by response in the GUI

Workaround:
There is no way to search in GUI, but you can search using REST API

Fix:
Correct filter applied and displayed for Response contains or Response does not contain filters


882633-5 : Active Directory authentication does not follow current best practices

Solution Article: K51213246


882557-5 : TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)

Component: TMOS

Symptoms:
If the underlying virtio platform specifies RX and/or TX queue sizes that are 4096 or larger, the BIG-IP system cannot allocate enough contiguous memory space to accommodate this. Errors similar to these are seen in the tmm log files:

ndal Error: Failed to allocate 2232336 (2228224 + 4096 + 16) bytes
virtio[0:7.0]: Error: Failed to allocate descriptor chain
virtio[0:7.0]: Error: Failed allocate indirect rx buffers

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with virtio drivers.
-- The underlying platform specifies RX and/or TX queue sizes of 4096 or larger.

Impact:
TMM continually restarts.

Workaround:
Use the sock driver instead of virtio.

In your BIG-IP VE VM execute the lspci command to determine which virtio driver is present:

# lspci -nn | grep -i eth | grep -i virtio
00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:04.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:0b.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]

Configure a socket driver:

echo "device driver vendor_dev 1af4:1000 sock" > /config/tmm_init.tcl

Reboot the instance


882273-1 : MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage grow

Component: Service Provider

Symptoms:
Memory leak can cause tmm to crash and memory usage to grow.

Conditions:
-- Diameter transmission setting is enabled and action should be retrans.
-- auto-init should be enabled.
-- And server is down.

Impact:
Memory corruption will lead to tmm crash in longer run and memory leak make memory usage to grow in linear order. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
When server is down BIG-IP keeps creating new connection to it. there is memory leak need to be fixed.


882189-4 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5897

Solution Article: K20346072


882185-4 : BIG-IP Edge Client Windows ActiveX

Solution Article: K20346072


881445-4 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5898

Solution Article: K69154630


881317-3 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896

Solution Article: K15478554


881293-4 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896

Solution Article: K15478554


880361-4 : iRules LX vulnerability CVE-2021-22973

Solution Article: K13323323


879745-5 : TMM may crash while processing Diameter traffic

Solution Article: K82530456


879413-4 : Statsd fails to start if one or more of its *.info files becomes corrupted

Component: Local Traffic Manager

Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd fails to load it and ends up restarting continuously. You see the following messages in /var/log/ltm:

-- err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'.
-- err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.

Conditions:
Corrupted *.info file in /var/rrd.

Impact:
Stats are no longer accurate.

Workaround:
It might take multiple attempts to repair the *.info files. You might have to run the following command several times for different .info files, where <filename> is the actual name of the file (e.g., 'throughput.info'):

found=0;while [ $found != 1 ]; do filetype=`file throughput.info | cut -d " " -f2`;if [[ $filetype != "ASCII" ]]; then rm -f <filename>.info; else grep CRC <filename>.info;found=1;fi; done

Fix:
The system now detects corrupt *.info files and deletes and recreates them.


879025-6 : When processing TLS traffic, LTM may not enforce certificate chain restrictions

Solution Article: K72752002


877109-5 : Unspecified input can break intended functionality in iHealth proxy

Component: TMOS

Symptoms:
Unspecified input can break intended functionality in iHealth proxy

Impact:
iHealth proxy functionality will not work as intended

Workaround:
None

Fix:
iHealth proxy functions as expected


876801-1 : Tmm crash: invalid route type

Component: Local Traffic Manager

Symptoms:
Tmm crashes. /var/log/tmm contains the log entries:

tmm1: notice panic: invalid route type
tmm1: notice ** SIGFPE **

Conditions:
The issue is intermittent.

1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. A new routing entry for child route domain is added.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
There is no way to workaround a problem, but there is a safe way to add and delete routes without putting a BIG-IP into a state where it could encounter this issue.

Safe way to add/delete a route.
1) Add routes to child route domains first, then to parent route domain.
2) Delete routes from parent route domain first, then from child route domain.

Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table and it's not causing a TMM crash anymore.


876581-5 : JavaScript engine file is empty if the original HTML page cached for too long

Component: Fraud Protection Services

Symptoms:
JavaScript engine file is empty.

Conditions:
Original HTML page with FPS injected content is cached for too long due to some caching headers (e.g., ETag), so the JavaScript engine link becomes invalid.

Impact:
No FPS protection for that HTML page.

Workaround:
You can use either workaround:

-- Use an iRule to disable caching for protected HTML pages.

-- Set caching time for protected HTML pages to the same value as the datasync tables regeneration timer according to the active datasync profile (default value is two 2 days).

Fix:
FPS now also removes ETag headers from protected HTML pages.


872673-4 : TMM can crash when processing SCTP traffic

Solution Article: K26464312


871761-2 : Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS

Component: Access Policy Manager

Symptoms:
APM virtual server user's GUI (e.g., 'Logon page') cannot be rendered by browsers.

Conditions:
This issue is encountered when an XML profile is configured for the APM virtual server.

Impact:
APM end users are unable to get a logon page.

Workaround:
Disable the XML profile for the APM virtual server.

Fix:
There is no unexpected traffic interruption from the APM virtual server when the XML profile is configured for the virtual server.


871657-3 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S

Component: TMOS

Symptoms:
Mcpd restarts and produces a core file.

Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.

Impact:
Mcpd crash and restart results in high availability (HA) failover.

Workaround:
Use a lowercase 'a' or 's' as the flag value.

Fix:
Mcpd no longer crashes under these conditions. The flag value is always stored in lowercase regardless of the case used as input in the REST call or tmsh command, etc.


870957-2 : "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage

Component: Application Visibility and Reporting

Symptoms:
TMM CPU utilization around 100 percent under Security ›› Reporting : ASM Resources : CPU Utilization.

Conditions:
No special conditions. Only viewing at the stats of TMM CPU in 'Security ›› Reporting : ASM Resources : CPU Utilization'. They will always be in wrong scale, but when the TMM has ~1% CPU usage, it will be presented as 100% CPU usage.

Impact:
Wrong scale is presented and might cause machine's state to be interpreted wrongly.

Workaround:
1. Backup /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.
2. Run the following:
    $ sed -i 's|tmm_avg_cpu_util)/(count(distinct time_stamp)|tmm_avg_cpu_util)/(count(distinct time_stamp)*100|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
3. Compare the backup file to /etc/avr/monpd/monp_asm_cpu_info_measures.cfg:
    Make sure that there are two lines modified, and that the modification is multiplying with 100 the denominator (i.e., actually dividing the TMM value with 100).
4. To make those changes take affect, run the following command:
    $ bigstart restart monpd

Fix:
Dividing the TMM value with 100 to fit correct scale.


868781-3 : TMM crashes while processing MRF traffic

Component: Service Provider

Symptoms:
TMM panic occurs when processing overflowed the MPI messages due to incorrectly calculated master key length:

../dev/mpi/mpi_mem.c:1129: Assertion "tail not past head" failed.

Conditions:
-- Message Routing Framework (MRF) traffic of type Diameter and SIP.

-- Auto-initialization enabled on peer, but can happen without auto-initialization enabled, just at a less-predictable rate.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM crash no longer occurs under these conditions.


868349-5 : TMM may crash while processing iRules with MQTT commands

Solution Article: K62830532


867181-4 : ixlv: double tagging is not working

Component: TMOS

Symptoms:
If a VLAN tag is configured on the Virtual Function in the host, and the BIG-IP guest is configured to use a tagged VLAN, packets that egress the host on this VLAN contain only the VLAN tag configured on the host (i.e. the BIG-IP's VLAN tag is lost).

Conditions:
- Using a BIG-IP VE.
- A VLAN tag is configured on both the host VF and on the BIG-IP.

Impact:
The BIG-IP's VLAN tag is lost.

Fix:
Both VLAN tags are now present in packets.


867013-5 : Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout

Component: TMOS

Symptoms:
You are unable to associate new ASM policies to LTM policies, due to REST timeout.

Conditions:
This can be encountered when there are a large number of policies configured in ASM.

Impact:
Unable to associate new ASM policies to LTM policies, due to rest timeout.

Workaround:
None.

Fix:
Modified REST query to get only fullPath to display the list of policies, so the timeout no longer occurs.


866925-1 : The TMM pages used and available can be viewed in the F5 system stats MIB

Component: TMOS

Symptoms:
The memory pages available and in use are tracked with system statistics. Previously those statistics were available only with the tmctl command in the shell.

Conditions:
When system resource decisions are being made, the information about memory usage is important.

Impact:
It is not feasible to query each BIG-IP device separately.

Workaround:
None.

Fix:
You can query these statistics with SNMP through the F5-BIGIP-SYSTEM-MIB::sysTmmPagesStat table.


866613-2 : Missing MaxMemory Attribute

Component: Application Visibility and Reporting

Symptoms:
The MaxMemory Attribute is not reported in the System Monitor statistics report.

Conditions:
This is encountered when viewing the System Monitor report.

Impact:
No 'MaxMemory' value label appears in System Monitor statistics. Instead, there are duplicate AvgMemory fields, for example:
...(AvgMemory='3818',AvgMemory='3818').

Workaround:
Use the AvgMemory value that is the higher of the two to represent MaxMemory.

Note: Sometimes, the AvgMemory and MaxMemory values are the same. In that case, use the second value.

Fix:
The MaxMemory attribute is now reported in System Monitor statistics.


866109-4 : JWK keys frequency does not support fewer than 60 minutes

Component: Access Policy Manager

Symptoms:
When configuring the OAuth provider and trying to set the task frequency to fewer than 60 minutes, the BIG-IP reports an error:

01b70003:3: Discovery interval (10) for OAuth provider must be greater than (60) minutes.

Conditions:
This occurs when configuring the frequency interval of an OAuth provider to a value lower than 60 minutes.

Impact:
You are unable to create a provider with a frequency interval of fewer than 60 minutes.

Workaround:
Use a value of 60 minutes or higher.

Fix:
Auto discovery frequency now supported values lower than 60 minutes.


866021-4 : Diameter Mirror connection lost on the standby due to "process ingress error"

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.

Conditions:
This can happen when there is a large amount of mirror traffic, this includes the traffic processed by the active that requires mirroring and the high availability (HA) context synchronization such as persistence information, message state, etc.

Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.

Fix:
Diameter mirror connection no longer lost due to "process ingress error" when there is high mirror traffic.


865241-4 : Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"

Component: TMOS

Symptoms:
When BGP tries to print the address of the default route's peer but there is no matching address for IPv4 or IPv6 so the system returns a NULL and attempting to print results in a crash.

Conditions:
-- Running the show command: sh bgp ipv6 ::/0.
-- There is no matching IPv4 or IPv6 address for the peer.

The conditions that cause this to occur are unknown.

Impact:
Bgdp crashes. Routing may be affected while bgpd restarts.

Workaround:
None.


865225-2 : 100G modules may not work properly in i15000 and i15800 platforms

Component: TMOS

Symptoms:
The tuning values programmed in the switch are not correct for 100G OPT-0039 and OPT-0031 SFP modules.

Conditions:
-- Using OPT-0039 or OPT-0031 modules.

-- Running on i15000 and i15800 platforms.

Note: Use 'tmsh list net interface vendor-partnum', to identify the optic modules installed.

Impact:
You might see traffic drop.

Note: Potential issues related to incorrect tuning values come from F5-internal sources and have not been reported in production configurations.

Workaround:
None.


864757-1 : Traps that were disabled are enabled after configuration save

Component: TMOS

Symptoms:
The ifLinkUpDownTrapEnable setting is not saved to config files nor UCS. If you have disabled 'link up/down' traps for an interface, save the config, and then load the config files or UCS, all interfaces will have traps enabled, even the ones that were explicitly disabled.

Conditions:
-- Disable 'link up/down' traps for an interface.
-- Save the configuration or UCS.
-- Reload the configuration or load the UCS.

Impact:
All interfaces have traps enabled, even the ones that were explicitly disabled.

Workaround:
None.


863917-4 : The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.

Component: Global Traffic Manager (DNS)

Symptoms:
Messages similar to the following may be seen in the DNS (GTM) logs:

The list processing time (32 seconds) exceeded the interval value. There may be too many monitor instances configured with a 30 second interval.

This message was introduced in 15.0.0 as an aid to help identifying overloaded DNS (GTM) systems, but it triggers too easily and can be logged when the device is not overloaded.

Conditions:
-- DNS (GTM) servers are present.
-- Virtual servers are configured on those DNS (GTM) servers.
-- A monitor is applied to the DNS (GTM) server.

Impact:
Messages are logged that imply the system is overloaded when it is not.

Workaround:
Create a log filter to suppress the messages

sys log-config filter gtm-warn {
    level warn
    message-id 011ae116
    source gtmd
}


863161-5 : Scheduled reports are sent via TLS even if configured as non encrypted

Component: Application Visibility and Reporting

Symptoms:
The scheduled report email is sent from BIG-IP using TLS even if configured to not use encryption. When the mail server TLS is outdated it may lead to failure of the mail delivery.

Conditions:
The scheduled reports are enabled and configured to use a mail server which reports TLS capability.

Impact:
The minor impact is unexpected behaviour. In rare cases it may lead to malfunction of the scheduled reports.

Fix:
The automatic TLS connection was introduced via udate of the phpmailer module. The current fix disables automatic behaviour such that encryption will be used according to BIG-IP configuration.


862597-3 : Improve MPTCP's SYN/ACK retransmission handling

Component: Local Traffic Manager

Symptoms:
- MPTCP enabled TCP connection is in SYN_RECEIVED state.
- TMM cores.

Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP option in the TCP profile.

Fix:
MPTCP's SYN/ACK retransmission handling is improved.


860517-4 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.

Component: TMOS

Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.

As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms). tmm crash

Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.

Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.

Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.

Fix:
The memory efficiency of MCPD has been improved. This allows very large BIG-IP configurations to be used successfully.


860477-6 : SCP hardening

Solution Article: K82518062


860005-4 : Ephemeral nodes/pool members may be created for wrong FQDN name

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.

Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.

The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.

Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.

Workaround:
It may be possible to mitigate this issue by one or more of the following actions:

-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.

-- Reducing the number of FQDN template nodes (FQDN names to be resolved).

-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.


859717-4 : ICMP-limit-related warning messages in /var/log/ltm

Component: Local Traffic Manager

Symptoms:
'ICMP error limit reached' warning messages in /var/log/ltm:

warning tmm3[23425]: 01200015:4: Warning, ICMP error limit reached.

Conditions:
Viewing /var/log/ltm.

Impact:
Potentially numerous error messages, depending on the traffic and the BIG-IP configuration. No clear indication of how to remedy the situation.

Workaround:
None.

Fix:
The system better tracks what kind of traffic triggers the 'ICMP error limit reached' logs so the issue can be mitigated.


859089-3 : TMSH allows SFTP utility access

Solution Article: K00091341


858973-4 : DNS request matches less specific WideIP when adding new wildcard wideips

Component: Global Traffic Manager (DNS)

Symptoms:
After adding a new wildcard wideip, DNS requests start matching the wildcard even if a more specific wildcard wideip should match.

Conditions:
New less specific Wildcard WideIPs are created.

Impact:
DNS request matches less specific WideIP.

Workaround:
# tmsh load sys config gtm-only
or
restart tmm


858701-4 : Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x

Component: Local Traffic Manager

Symptoms:
When you upgrade an 11.x/12.x device with route advertisement enabled, you might discover a difference between the running configuration and the saved configuration post upgrade, which might result in route advertisement becoming disabled.

-- In the running configuration, the virtual-addresses route advertisement setting 'enabled' changes to 'selective'.
-- In bigip.conf, the virtual-addresses route advertisement setting is still set to 'enabled'.
-- After config load or after re-licensing, the virtual-addresses route advertisement reverts to disabled.

Conditions:
-- Upgrading an 11.x/12.x device with route advertisement enabled.
-- After saving the config, both the running-config and bigip.conf have the same value: i.e., 'selective'.
-- Loading the configuration (tmsh load sys config) results in route advertisement becoming disabled.

Impact:
The route-advertisement setting is 'enabled' in the config file, but 'selective' in the running configuration. This has the following impact:

If you save the configuration and then reload it, the route advertisement is changed to 'selective' in the config file and 'disabled' in the running config.

Workaround:
You can identify whether systems running v13.0.0 or higher are at risk of encountering this issue by checking a legacy internal setting, ROUTE_ADVERTISEMENT:

Procedure to identify whether virtual-addresses are affected, that have an incorrect setting in the legacy ROUTE_ADVERTISEMENT artifact:

  Virtual-addresses may be affected by this issue on v13.0.0 and higher if ROUTE_ADVERTISEMENT=true in mcpd.

  You can check this value with the guishell command:
    guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";

    Example:
      guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
        -----------------------------------------------------------
        | NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
        -----------------------------------------------------------
        | /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
        | /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
        | /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
        | /Common/10.32.101.47 | true | 0 | <<< MEDIUM RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
        | /Common/10.32.101.49 | true | 1 | <<< HIGH RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled

      Any virtual address that shows ROUTE_ADVERTISEMENT=true is at risk. If true but route-advertisement is not in use, there is no risk until route-advertisement is configured later.

------------------------------------------------------------------------------------------
Procedure to remove the legacy ROUTE_ADVERTISEMENT artifact from the config on systems found to be affected:

1. Review Standby system (if available) and ensure Route Advertisement in running configuration is configured and functioning as desired with "tmsh list ltm virtual-address route-advertisement". If not, manually correct Route Advertisement to desired configuration and confirm functionality.

2. Fail over Active system to Standby status:
  tmsh run sys failover standby

3. Review former Active (now Standby) system and ensure Route Advertisement in running configuration is configured and functioning as desired. If not, manually correct Route Advertisement to desired configuration.

4. Save the config to disk:
  tmsh save sys config

5. Load the config from disk. This may temporarily cause route-advertisement to revert to disabled on at risk virtual-addresses:
  tmsh load sys config

6. Load the config a 2nd time. This removes the legacy artifact, re-enables route-advertisement as per the configuration, and leaves the system in a not-at-risk state:
  tmsh load sys config

7. Verify it worked:
  guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";

  Example of a fixed config:
    guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
      -----------------------------------------------------------
      | NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
      -----------------------------------------------------------
      | /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
      | /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
      | /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
      | /Common/10.32.101.47 | false | 0 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
      | /Common/10.32.101.49 | false | 1 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled

------------------------------------------------------------------------------------------
If you encounter this issue and route-advertisement becomes disabled before cleaning the legacy ROUTE_ADVERTISEMENT artifact from the config, reload the configuration again using the following command to set the running config and saved config to 'selective':

tmsh load sys config


858301-4 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Workaround:
None.

Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003


858297-4 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Workaround:
None.

Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003


858289-4 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Workaround:
None.

Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003


858285-4 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Workaround:
None.

Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003


858229-2 : XML with sensitive data gets to the ICAP server

Solution Article: K22493037

Component: Application Security Manager

Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.

Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.

Impact:
Sensitive data will reach the ICAP server.

Workaround:
No immediate workaround except policy related changes

Fix:
An internal parameter, send_xml_sensitive_entities_to_icap was added. It's default is 1 as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.

Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.

When this is changed to 0 (using this command):
 /usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.


858197-4 : Merged crash when memory exhausted

Component: TMOS

Symptoms:
Merged crashes when system memory is exhausted

Conditions:
System memory is is at 0% available.

Impact:
Merged crashes, stopping stats updates

Workaround:
Reduce the configuration on the system

Fix:
Remove function call to drop row from table on error path where row was not successfully added.


858025-5 : BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984

Solution Article: K33440533


857845-5 : TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule

Component: Local Traffic Manager

Symptoms:
Whenever the server or client side data have not been drained, 'server drained' or 'client drained' appear in /var/log/tmm as errors.

Conditions:
-- Using iRule configuration with LB::detach or LB::connect.
-- Server- or client-side data has not been drained before those statements are triggered.

Impact:
TMM crashes and can cause an outage on standalone system or failover in a DSC. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes and the 'server not drained' or 'client not drained' message is logged instead. If tmm.oops is set to 'log', the OOPS messages is reported in /var/log/tmm.


856961-4 : INTEL-SA-00201 MCE vulnerability CVE-2018-12207

Solution Article: K17269881


854177-2 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality

Component: Application Security Manager

Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.

Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.

Impact:
Latency is introduced to ASM handling.

Workaround:
Set the fast changing nodes to static updates every hour.

Fix:
ASM now correctly ignores pool member updates that do not affect remote logging.


853585-5 : REST Wide IP object presents an inconsistent lastResortPool value

Component: Global Traffic Manager (DNS)

Symptoms:
The output of a REST call to tm/gtm/wideip/<wideip_kind> returns objects that contain inconsistent values for the property 'lastResortPool'. For instance, for the kind 'aaaa', the output might be:

...
"lastResortPool": "aaaa \"\""
...

Conditions:
The BIG-IP admin has modified a Wide IP object via tmsh and used the following command structure:

tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind>

Impact:
The lastResortValue in the REST response might be confusing for an external orchestrator that consumes the BIG-IP configuration via iControl REST. BIG-IQ, for instance. BIG-IQ might not work as expected with these values.

Workaround:
Change the Wide IP object via the GUI and set the Last Resort Pool to None, then save the changes.

Fix:
The tmsh interpreter now enforces the structure 'tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind> <pool_name>'.


853329 : HTTP explicit proxy can crash TMM when used with classification profile

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may serve HTTP traffic as forward proxy and use DNS resolver objects to provide a server to connect to for request processing. When a classification profile is attached to the virtual server, it may result in a TMM crash with regards to some HTTP requests.

Conditions:
-- PEM is provisioned.
-- HTTP explicit proxy is configured on a virtual server.
-- A classification profile attached to the virtual server.

Impact:
TMM crashes, causing failover. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release prevents a condition causing this TMM crash.


852929-2 : AFM WebUI Hardening

Solution Article: K25160703


852445-5 : Big-IP : CVE-2019-6477 BIND Vulnerability

Solution Article: K15840535


852289-6 : DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector

Solution Article: K23278332

Component: Advanced Firewall Manager

Symptoms:
DNS over TCP packet is not rate-limited accurately by DoS device sweep and flood vector.

Conditions:
-- Setting the correct DNS pkt type in the DoS device sweep or flood vector.
-- Sending DNS over TCP.

Impact:
DNS over TCP is DDoS attack is not mitigated correctly.

Workaround:
Using DNS DoS vector to mitigate the attack.

Fix:
The attack mitigation by sweep and flood vector is accurate.


852101-4 : Monitor fails.

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d fails external monitor SIP_monitor because GTM SIP Monitors need to be running as privileged.

Conditions:
TLS SIP monitor on pool member requiring client auth.

Impact:
Big3d fails external monitor SIP_monitor.

Workaround:
The only workaround is to allow world reading of key files in the filestore, however, this is not ideal as it exposes potentially sensitive data.


851857-4 : HTTP 100 Continue handling does not work when it arrives in multiple packets

Component: Local Traffic Manager

Symptoms:
If a 100 Continue response from a server arrives in mulitple packets, HTTP Parsing may not work as expected. The later server response payload may not be sent to the client.

Conditions:
The server responds with a 100 Continue response which has been broken into more than one packet.

Impact:
The response is not delivered to the client. Browsers may retry the request.

Workaround:
None.

Fix:
100 Continue responses are parsed correctly by the HTTP parser if they are broken into multiple packets.


851045-4 : LTM database monitor may hang when monitored DB server goes down

Component: Local Traffic Manager

Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon) which causes an interruption in monitoring of other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.

Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).

Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads are processed to completion, and normal DB monitoring resumes.

Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.


850673-4 : BD sends bad ACKs to the bd_agent for configuration

Component: Application Security Manager

Symptoms:
-- The bd_agents stops sending the configuration in the middle of startup or a configuration change.

-- The policy may be incomplete in the bd causing incorrect enforcement actions.

Conditions:
This is a rarely occurring issue, and the exact conditions that trigger it are unknown.

Impact:
-- The bd_agent hangs or restarts, which may cause a complete ASM restart (and failover).

-- A partial policy may exist in bd causing improper enforcement.

Workaround:
-- Unassign and reassign the policy.

-- if unassign/reassign does not help, export and then reimport the policy.

Fix:
Fixed inconsistency scenario between bd and bd_agent.


850277-5 : Memory leak when using OAuth

Component: Access Policy Manager

Symptoms:
Tmm memory usage keeps going up when passing multiple HTTP requests through a kept-alive TCP connection carrying an OAuth token as bearer in the Authorization header.

Conditions:
-- Multiple HTTP requests through a kept-alive TCP connection.
-- Requests carry an OAuth token as bearer in the Authorization header.

Impact:
Memory leak occurs in which tmm memory usage increases.

Workaround:
None.


849861 : TMM may crash with FastL4 and HTTP profile using fallback host and iRule command

Component: Local Traffic Manager

Symptoms:
TMM may crash when FastL4 is used with an HTTP profile and an iRule command. Even if TMM does not crash, the incorrect iRule may prevent the connection from working.

Conditions:
-- A virtual server configured to use FastL4 with an HTTP profile with a fallback host.

-- The virtual server has an iRule that performs a pool pick after the connection is established.

Note: Using the pool command after the server-side connection is established is not a valid operation.

Impact:
TMM typically crashes; however, whether or not TMM crashes, the invalid use of the pool command results in connection failure.

Workaround:
Remove the invalid iRule configuration.

Fix:
This issue no longer occurs.


848445-4 : Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer

Solution Article: K86285055

Component: Application Security Manager

Symptoms:
Global/URL/Flow Parameters with flag is_sensitive true are not masked in referrer and their value may be exposed in logs.

Conditions:
Global/URL/Flow Parameters with flag is_sensitive true are defined in the policy. In logs, the value of such parameter will be masked in QS, but will be exposed in the referrer.

Impact:
The parameter will not be masked in 'Referer' value header in logs, although it is masked in 'QS' string.

Workaround:
Can defined the parameters as global sensitive parameters.

Fix:
After the fix, such parameters will be treated like global sensitive parameters and will be covered also in the Referer


848405-1 : TMM may consume excessive resources while processing compressed HTTP traffic

Solution Article: K26244025


846917-5 : lodash Vulnerability: CVE-2019-10744

Solution Article: K47105354


846493 : ASM CAPTCHA is not working the first time when a request contains sensitive parameters

Component: Application Security Manager

Symptoms:
ASM end users are required to type CAPTCHA letters twice to get the login request to be forwarded to the server. In addition, the original login request is not sent to the server, which results in failed logins.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Brute force enabled in the ASM policy.
-- Brute force issues CAPTCHA mitigation.

Impact:
False-positive bad logins.

Workaround:
Remove sensitive parameters from asm policy.

Impact of workaround: This results in sensitive parameters being revealed in the ASM event logs.

Fix:
CAPTCHA mechanism now works correctly along with sensitive parameters.


846441-4 : Flow-control is reset to default for secondary blade's interface

Component: TMOS

Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface is reset to default.

Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.

Impact:
The flow-control setting is reset to default (tx-rx).

Workaround:
Reload the configuration on the primary blade.


846137-5 : The icrd returns incorrect route names in some cases

Component: TMOS

Symptoms:
The icrd returns an incorrect route names when a '.' (dot, or period) is present in the subPath, as it treats the subPath as an IP address and the leaf name as a subnet and considers its name as a whole. Also the subPath field is missed in the response route object. This happens only in the case of curl request.

Conditions:
-- The subPath contains a '.' in it.
-- A curl request is made.

Impact:
Result information is not compatible with actual result.

Workaround:
None.

Fix:
The system now verifies whether or not the leafname a numeric valuel, so this issue no longer occurs.


846057-1 : UCS backup archive may include unnecessary files

Component: Application Security Manager

Symptoms:
UCS backup archive file size is much larger than UCS files in previous releases.

Conditions:
-- UCS backup process finishes with failure and does not clean temporary files.
-- A second UCS backup is attempted.

Impact:
Those files are included in the UCS archive, which results in an unusually large UCS backup files.

Workaround:
Before running the UCS backup process, remove directories:

/var/tmp/ts_db.save_dir_*.cstmp/


845461-1 : MRF DIAMETER: additional details to log event to assist debugging

Component: Service Provider

Symptoms:
There are not enough details in log events when stale pending requests are removed.

Conditions:
An answer message is not received before the configured timeout has been reached.

Impact:
The set of arguments in the log message do not have enough information to debug why the message was not responded to.

Workaround:
None.

Fix:
New details have been added to help debug why the message was not responded to.


843597-4 : Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle

Component: TMOS

Symptoms:
The vmxnet3 driver cannot handle MTUs larger than 9000 bytes. This issue can present itself in a few different ways, depending on the underlying platform. One example would be the BIG-IP failing to initialize vmxnet interfaces with messages similar to the following logged in /var/log/tmm:

 notice vmxnet3[1b:00.0]: MTU: 9198
 notice vmxnet3[1b:00.0]: Error: Activation command failed: 1

If the BIG-IP does successfully initialize its vmxnet interfaces, there can be unpredictable behavior (possibly with the hypervisor).

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with the vmxnet3 driver.
-- If the BIG-IP is able to initialize the vmxnet interfaces: Passing packets larger than 9000 bytes.

Impact:
The BIG-IP system may not be able to initialize the vmxnet3 interfaces on startup. If it is able to do so, then packets may be dropped, or the hypervisor may crash on some platforms that do not handle this condition gracefully.

Workaround:
Modify the tmm_init.tcl file, adding the following line:

ndal mtu 9000 15ad:07b0

Fix:
The software now ensure that the default setting for the vmxnet3 driver MTU is 9000, which prevents the issue from occurring.


842829-5 : Multiple tcpdump vulnerabilities

Solution Article: K04367730


842717-3 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5855

Solution Article: K55102004


842625-1 : SIP message routing remembers a 'no connection' failure state forever

Component: Service Provider

Symptoms:
When SIP message routing fails to route to a pool member (Triggering a MR_FAILED, MR::message status of 'no connection'), The BIG-IP system caches the failed state and continues to return this even after the pool member becomes reachable again.

Conditions:
When BIG-IP systen fails to route messages to the peer (server) due to unavailability of route or any other issues.

Impact:
The BIG-IP system is never be able to establish connection to the peer.

Workaround:
None.

Fix:
SIP message routing now recovers from a 'no connection' failure state.


842189-3 : Tunnels removed when going offline are not restored when going back online

Component: TMOS

Symptoms:
When a BIG-IP instance goes offline, any functioning tunnel is removed from the active configuration. Upon restoration to online operation, the tunnel is not automatically restored.

Conditions:
-- Configuration includes tunnels.
-- BIG-IP instance goes offline and then comes back online.

Impact:
Failure of tunnel packet traffic.

Workaround:
Manually recreate the tunnel after the BIG-IP instance has been brought back online.

Fix:
Tunnels removed when going offline are now restored when going back online.


842125-2 : Unable to reconnect outgoing SCTP connections that have previously aborted

Component: TMOS

Symptoms:
When an outgoing SCTP connection is created using an ephemeral port, the connection may appear to be open after an SCTP connection halt. This prevents new connections to the same endpoint, as the connection appears to already exist.

Conditions:
-- A virtual server configured with an SCTP profile.
-- An outgoing SCTP connection after an existing connection to the same endpoint has halted.

Impact:
New connections are unable to be created resulting in dropped messages.

Workaround:
None.

Fix:
SCTP connections can now be halted and recreated to the same endpoint.


841577-6 : iControl REST hardening

Solution Article: K20606443


841469-3 : Application traffic may fail after an internal interface failure on a VIPRION system.

Component: Local Traffic Manager

Symptoms:
Blades in a VIPRION system connect with one another over a data backplane and a management backplane.

For more information on the manner in which blades interconnect over the data backplane, please refer to K13306: Overview of the manner in which the VIPRION chassis and blades interconnect :: https://support.f5.com/csp/article/K13306.

Should an internal interface fail and thus block communication over the data backplane between two distinct blades, an unusual situation arises where different blades compute different CMP states.

For example, if on a 4-slot chassis, blades 2 and 3 become disconnected with one another, the following is TMM's computation of which slots are on-line:

slot1: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
slot2: slots 1, 2, and 4 on-line (cmp state 0xb / 11)
slot3: slots 1, 3, and 4 on-line (cmp state 0xd / 13)
slot4: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)

As different slots are effectively operating under different assumptions of the state of the cluster, application traffic does not flow as expected. Some connections time out or are reset.

You can run the following command to inspect the CMP state of each slot:

clsh 'tmctl -d blade -s cmp_state tmm/cmp'

All slots should report the same state, for instance:

# clsh 'tmctl -d blade -s cmp_state tmm/cmp'
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
       15

=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
       15

=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
       15

=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
       15

When this issue occurs, logs similar to the following example can be expected in the /var/log/ltm file:

-- info bcm56xxd[4276]: 012c0015:6: Link: 2/5.3 is DOWN
-- info bcm56xxd[4296]: 012c0015:6: Link: 3/5.1 is DOWN
-- info bcm56xxd[4296]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4339]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4214]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd

And a CMP transition will be visible in the /var/log/tmm file similar to the following example:

-- notice CDP: PG 2 timed out
-- notice CDP: New pending state 0f -> 0b
-- notice Immediately transitioning dissaggregator to state 0xb
-- notice cmp state: 0xb

For more information on troubleshooting VIPRION backplane hardware issues, please refer to K14764: Troubleshooting possible hardware issues on the VIPRION backplane :: https://support.f5.com/csp/article/K14764.

Conditions:
This issue arises after a very specific type of hardware failure. The condition is very unlikely to occur and is impossible to predict in advance.

Impact:
Application traffic is impacted and fails sporadically due to a mismatch in CMP states between the blades. Failures are likely to manifest as timeouts or resets from the BIG-IP system.

Workaround:
F5 recommends the following to minimize the impact of this potential issue:

1) For all highly available configurations (e.g., A/S, A/A, A/A/S, etc.).

The BIG-IP system has functionality, in all software versions, to enact a fast failover when the conditions described occur.

To ensure this functionality will trigger, the following configuration requirements must be met:

a) The mirroring strategy must be set to 'between'.
b) A mirroring channel to the next-active unit must be up.
c) The min-up-members option must be set to the number of blades in the chassis (e.g., 4 if there are 4 blades in the chassis).

Note: It is not required to actually configure connection mirroring on any virtual server; simply choosing the aforementioned strategy and ensuring a channel is up to the next-active unit will suffice. However, note that some configurations will benefit by also configuring connection mirroring on some virtual servers, as that can greatly reduce the number of affected connections during a failover.

2) For 'regular' standalone units.

If a VIPRION system is truly standalone (no kind of redundancy whatsoever), there is no applicable failsafe action, as you will want to keep that chassis online even if some traffic is impaired. Ensure suitable monitoring of the system is in place (e.g., remote syslog servers, SNMP traps, etc.), so that a BIG-IP Administrator can react quickly in the unlikely event this issue does occur.

3) For a standalone chassis which belongs to a pool on an upstream load-balancer.

If the virtual servers of a standalone VIPRION system are pool members on an upstream load-balancer, it makes sense for the virtual servers to report unavailable (e.g., by resetting all new connection attempts) so that the upstream load-balancer can select different pool members.

An Engineering Hotfix can be provided which introduces an enhancement for this particular use-case. A new DB key is made available under the Engineering Hotfix: tmm.cdp.requirematchingstates, which takes values 'enable' and 'disable'.

The default is 'disable', which makes the VIPRION system behave as in versions without the enhancement. When set to 'enable', the VIPRION system attempts to detect this failure and, if it does, resets all new connections. This should trigger some monitor failures on the upstream load-balancer and allow it to select different pool members.

Please note you should only request the Engineering Hotfix and enable this DB key when this specific use-case applies: a standalone VIPRION system which belongs to a pool on an upstream load-balancer.

When the new feature is enabled, the following log messages in the /var/log/ltm file indicate when this begins and stops triggering:

-- crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.

-- crit tmm[13262]: 01010367:2: CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.

Fix:
The system now includes the enhancement for the 'standalone chassis which belongs to a pool' use-case, as discussed under the Workaround section.


841333-3 : TMM may crash when tunnel used after returning from offline

Component: TMOS

Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.

Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


839597-2 : Restjavad fails to start if provision.extramb has a large value

Component: Device Management

Symptoms:
Rolling restarts of restjavad occur every few seconds and the following messages are seen in the daemon log:

daemon.log: emerg logger: Re-starting restjavad

The system reports similar message at the command line.

No obvious cause is logged in rest logs.

Conditions:
-- System DB variable provision.extramb has an unusually high value*:
  + above ~2700-2800 MB for v12.1.0 and earlier.
  + above ~2900-3000 MB for v13.0.0 and later.

-- On v13.0.0 and later, sys db variable restjavad.useextramb needs to have the value 'true'

*A range of values is shown. When the value is above the approximate range specified, constant restarts are extremely likely, and within tens of MB below that point may be less frequent.

To check the values of these system DB varaiables use:
tmsh list sys db provision.extramb

tmsh list sys db restjavad.useextramb

Impact:
This impacts the ability to use the REST API to manage the system.

Workaround:
If needing sys db restjavad.useextramb to have the value 'true', keep sys db provision.extramb well below the values listed (e.g., 2000 MB work without issue).

To set that at command line:

tmsh modify sys db provision.extramb value 2000


If continual restarts of restjavad are causing difficulties managing the unit on the command line:

1. Stop restjavad (you can copy this string and paste it into the command line on the BIG-IP system):
tmsh stop sys service restjavad

2. Reduce the large value of provision.extramb if necessary.

3. Restart the restjavad service:
tmsh start sys service restjavad

Fix:
Restjavad memory is now capped at a sensible maximum.

If provision.extramb is set to a value higher than 2500 MB it will be considered to be 2500 MB for the purposes of restjavad, and the system logs a message similar to the following in /var/log/ltm, where XXXX is the value of provision.extramb:

notice restjavad: JVM heap limit exceeded. Using maximum supported value of 2500 instead of provision.extramb XXXX.


839453-2 : lodash library vulnerability CVE-2019-10744

Solution Article: K47105354


838909-6 : BIG-IP APM Edge Client vulnerability CVE-2020-5893

Solution Article: K97733133


838901-1 : TMM receives invalid rx descriptor from HSB hardware

Component: TMOS

Symptoms:
The HSB hardware returns an invalid receive (rx) descriptor to TMM. This results in a TMM core and can be seen as a SIGSEGV in the TMM logs. This also might result in continuous restarts of TMM, resulting in subsequent SIGSEGVs reported in the TMM logs until the unit is manually recovered.

Conditions:
The exact conditions under which this occurs are unknown.

Impact:
Traffic disrupted while tmm restarts. This may result in continuous TMM restarts until the BIG-IP system is rebooted.

Workaround:
None.


838709-2 : Enabling DoS stats also enables page-load-time

Component: Application Visibility and Reporting

Symptoms:
If collect-all-dos-statistic is enabled, AVR 'promises' to the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-length header.

Conditions:
Security :: reporting : settings : collect-all-dos-statistic is enabled.

Impact:
In addition to collecting DoS statistics, JavaScript injection also occurs.

Workaround:
Can use iRules to control which pages should get the JavaScript injection.

For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.

Fix:
Changed the condition that insert the JavaScript injection in case that "collect all dos stats" is enabled.


838685-1 : DoS report exist in per-widget but not under individual virtual

Component: Application Visibility and Reporting

Symptoms:
'Undefined entity dosl7_vip was used' error message is reported on widgets whenever a 'Virtual Server' filter is selected on the 'Security :: Reporting : DoS : Custom Page' GUI page.

Conditions:
-- Navigate to Security :: Reporting : DoS : Custom Page in the GUI.
-- Filter widgets results with specific 'Virtual Server'.

Impact:
GUI widgets report errors and cannot show stats.

Workaround:
This GUI fix requires modifying a single PHP file in one location, which you can do directly on your BIG-IP system with a few bash commands:

1. Backup the file '/var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php':
   $ cp /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/

2. Change permissions to allow modifying it:
   $ chmod +w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

3. Change the file to include the fix:
   $ sed -i 's/dosl7_vip/vip/g' /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php
   $ sed -i "s/ANALYTICS_MOD_DNS_DOS => 'vip'/ANALYTICS_MOD_DNS_DOS => 'dns_vip'/g" /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

4. Verify that the fix is as expected:
   $ vimdiff /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php /shared/dos_custom_overview_commons.php

   (** You should see two lines modified:
       1. ANALYTICS_MOD_DOSL7 => 'dosl7_vip' to ANALYTICS_MOD_DOSL7 => 'vip'.
       2. ANALYTICS_MOD_DNS_DOS => 'vip' to ANALYTICS_MOD_DNS_DOS => 'dns_vip')

5. Revert permissions of the file:
   $ chmod -w /var/ts/dms/amm/common/ovw/dos_custom_overview_commons.php

6. Log out and log back into the GUI, so that the new version of the file loads.

Fix:
GUI configuration for the 'Virtual Server' filter is fixed with the correct dimension name.


838677-5 : lodash library vulnerability CVE-2019-10744

Solution Article: K47105354


837773-4 : Restjavad Storage and Configuration Hardening

Solution Article: K12936322


836357-1 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2

Component: Service Provider

Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.

Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- There is message sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by 'node <ip> <port>' and 'snat <ip> <port>' iRules command.
-- The destination flow is in the FIN-wait2 stage.

Impact:
This causes the BIG-IP system to abort the flow that originates the message.

Workaround:
None.

Fix:
SIP MBLB correctly initiates a new flow from a virtual IP to the client when an existing flow is in the FIN-wait2 stage.


834533-4 : Linux kernel vulnerability CVE-2019-15916

Solution Article: K57418558


834257-5 : TMM may crash when processing HTTP traffic

Solution Article: K25400442


833685-1 : Idle async handlers can remain loaded for a long time doing nothing

Component: Application Security Manager

Symptoms:
Idle async handlers can remain loaded for a long time doing nothing because they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a large XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.

Impact:
Depletion of memory by lingering idle async handlers may deprive other processes of sufficient memory, triggering out-of-memory conditions and process failures.

Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart asm_config_server periodically using cron, as idle handlers are soon created again.

Fix:
Idle async handlers now exit after 5 minutes of not receiving any new calls.


833213-5 : Conditional requests are served incorrectly with AAM policy in webacceleration profile

Component: WebAccelerator

Symptoms:
HTTP 1.1 allows a conditional request with header If-Modified-Since or If-Unmodified-Since to determine whether a resource changed since a specified date and time. If AAM is provisioned and its policy is assigned to a virtual server, it may incorrectly respond with 304 Not Modified, even after the resource was updated.

Conditions:
-- AAM is provisioned and webacceleration policy is attached to a virtual server.
-- Client sends a conditional request with If-Modified-Since or If-Unmodified-Since header.
-- The BIG-IP system responds from AAM cache.

Impact:
Client does not receive an updated resource.

Workaround:
Use webacceleration profile without AAM policy for resources that require conditional checks falling back into Ramcache.

Fix:
The BIG-IP system now respects If-Modified-Since or If-Unmodified-Since header and provides an appropriate response for the requested resource when compared to the date supplied in either header.


833113-1 : Avrd core when sending large messages via https

Component: Application Visibility and Reporting

Symptoms:
When sending large messages (>4KB) via HTTPs may cause avrd to core.

Conditions:
This typically happens when BIG-IP is managed by BIG-IQ and configuration is large and complex or traffic capturing is enabled.

Impact:
Messages to BIG-IQ are lost. In severe cases, analytics functionality may be unavailable due contiguous AVRD cores.

Workaround:
None.

Fix:
Fixed an avrd crash


833049-3 : Category lookup tool in GUI may not match actual traffic categorization

Component: Access Policy Manager

Symptoms:
Category Lookup agent has changed to include the IP in the categorization query. The BIG-IP TMUI does not do the same (Access Policy :: Secure Web Gateway : Database Settings : URL Category Lookup).

Conditions:
-- SWG or URLDB provisioned.
-- Run traffic with category lookup in the PRP and note the category produced.
-- Run the same URL through the GUI lookup tool or the command line tool.

Impact:
Some websites may be categorized differently depending on if the IP address is passed in or not.

Workaround:
None.


832885-5 : Self-IP hardening

Solution Article: K05975972


832757-4 : Linux kernel vulnerability CVE-2017-18551

Solution Article: K48073202


831777-2 : Tmm crash in Ping access use case

Solution Article: K42933418


831549 : Marketing name does not display properly for BIG-IP i10010 (C127)

Component: TMOS

Symptoms:
The /var/log/ltm log includes error messages about the marketing names errors:
Invalid marketing name.

Conditions:
-- Running BIG-IP software version 13.1.3.1.
-- Using BIG-IP i10010 (C127) platform.

Impact:
This causes errors in the logs, and affects the tmsh and LCD displays. The LCD displays C127 for the Platform Name instead of the actual platform name. The TMSH command, tmsh show sys hw, displays C127 for the Platform Name instead of the actual platform name.

Workaround:
None.

Fix:
This is fixed in version 13.1.3.2.


831325-3 : HTTP PSM detects more issues with Transfer-Encoding headers

Solution Article: K10701310

Component: Local Traffic Manager

Symptoms:
HTTP PSM may not detect some invalid Transfer-Encoding headers.

Conditions:
HTTP PSM is used to detect HTTP RFC violations. A request with an invalid Transfer-Encoding header is sent.

Impact:
Traffic is not alarmed/blocked as expected.

Workaround:
None.

Fix:
HTTP PSM detects new cases of invalid Transfer-Encoding headers.


831293-2 : SNMP address-related GET requests slow to respond.

Component: TMOS

Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.

Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.

Impact:
Slow performance.

Workaround:
None.


830833-3 : HTTP PSM blocking resets should have better log messages

Component: Local Traffic Manager

Symptoms:
When reset-cause logging is turned on, or when RST packet logging is used, the reset reason used when rejecting bad HTTP PSM traffic is not descriptive.

Conditions:
This occurs under either of these conditions:

-- HTTP PSM is used, and a request is blocked.
-- Reset cause or RST packet logging is enabled.

Impact:
The reset reason given is not descriptive, making troubleshooting difficult.

Workaround:
None.

Fix:
The reset reason used when rejecting HTTP PSM traffic is more descriptive.


830401-5 : TMM may crash while processing TCP traffic with iRules

Solution Article: K54200228


830341-4 : False positives Mismatched message key on ASM TS cookie

Component: Application Security Manager

Symptoms:
ASM system triggers false positives for ASM Cookie Hijacking violation with reason "Mismatched message key"

Conditions:
-- An HTTP request containing an old frame cookie with a different message key from the main ts cookie is rejected
-- The cookie is left intact

Impact:
All subsequent requests are rejected on ASM Cookie Hijacking violation

Workaround:
1. Disable "Learn Host Names" flag all policies. If the policy builder is on manual mode, they need to change it back to Auto mode, disable "Learn Host Names", then change to manual mode.

OR

2. Delete the mismatched cookie. This will cause the violations to stop occurring if the request comes from a legit endpoint

Fix:
ASM system does not trigger false positives


830073-5 : AVRD may core when restarting due to data collection device connection timeout

Component: Application Visibility and Reporting

Symptoms:
Avrd crashes, one or more core avrd files exist in /var/core

Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel
-- Avrd is restarted.

Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes

Workaround:
None.

Fix:
The AVRD HTTPS module now stops any connection attempts when shutdown sequence is in progress, so this issue no longer occurs.


829821-4 : Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured

Component: TMOS

Symptoms:
If a very large amount of pool members are configured (tens of thousands), mcpd may miss its high availability (HA) heartbeat and be killed by sod.

Conditions:
-- A large number of pool members.
-- Pool member validation occurs (such as when loading a configuration or doing a configsync operation).

Impact:
Mcpd is killed by sod. This causes a failover (when the BIG-IP is in a DSC) or outage (if standalone).

Workaround:
None.


829677-4 : .tmp files in /var/config/rest/ may cause /var directory exhaustion

Component: TMOS

Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open.

This issue is happening because a VIPRION process is not available because of a REST timeout.

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Manually run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Fix:
Increased the rest socket timeout value and shellexecutor timeout value to 6 min to fix the timeout issue of viprion worker

The fix also includes automatic removal of unused tmp files.


829317-1 : Memory leak in icrd_child due to concurrent REST usage

Component: TMOS

Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.

Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing device via REST.

Impact:
Memory slowly leaks in icrd_child.

Workaround:
None.

Fix:
Fixed a memory leak in icrd_child.


829193-5 : REST system unavailable due to disk corruption

Component: TMOS

Symptoms:
-- The iControl REST commands respond with the following:

[INFO] Text: u'{"code":200,"message":"REST system unavailable due to disk corruption! See /var/log/restjavad.*.log for errors.","restOperationId":1472895,"kind":":resterrorresponse"}'

-- The GUI indicates that iAppLX sub-system is unresponsive.

-- On the BIG-IP device, /var/config/rest/storage/LOST-STORAGE.txt exists.

Conditions:
The conditions that trigger this are unknown. It might be due to a previous catastrophic event such as power loss or out-of-memory errors.

Manually creating the file /var/config/rest/storage/LOST-STORAGE.txt can also trigger this error.

Impact:
The iControl REST system is unavailable.

Workaround:
Run the following commands at the BIG-IP command prompt:

bigstart stop restjavad restnoded
rm -rf /var/config/rest/storage
rm -rf /var/config/rest/index
bigstart start restjavad restnoded
rm -f /var/config/rest/downloads/*.rpm
rm -f /var/config/rest/iapps/RPMS/*.rpm
tmsh restart sys service tomcat

Then, reinstall any iAppLX packages that were installed.


829121-5 : State mirroring default does not require TLS

Solution Article: K65720640


829117-5 : State mirroring default does not require TLS

Solution Article: K17663061


828937-4 : Some systems can experience periodic high IO wait due to AVR data aggregation

Solution Article: K45725467

Component: Application Visibility and Reporting

Symptoms:
Systems with a large amount of statistics data collected in the local database (i.e., systems not working with BIG-IQ) can have high IO Wait CPU usage, peaking at 10 minutes, 1 hour, and 24 hours. This is caused by the data aggregation process that is running on the local database. Notice that large memory footprints, particularly for avrd might be a symptom for the phenomenon.

Conditions:
-- The BIG-IP system is collecting statistics locally (i.e., not sending data to BIG-IQ or another external device).
-- There is a large amount of statistics data.
-- May occur even if AVR is not explicitly provisioned.

Impact:
High IO can impact various processes on BIG-IP systems. Some of them can experience timeouts and might restart.

Workaround:
The most effective workaround is to lower the amount of data collected by setting the 'avr.stats.internal.maxentitiespertable' DB variable to a lower value. The recommended values are 20000 (on larger, more powerful systems with more than 16 cores) or 2148 (on smaller systems).


Note: After you lower the database value, continue to monitor the BIG-IP system for long I/O wait times and high CPU usage. If symptoms persist and the system continues to experience resource issues, you may need to reset the BIG-IP AVR statistics. For information about resetting BIG-IP AVR statistics, refer to K14956: Resetting BIG-IP AVR statistics :: https://support.f5.com/csp/article/K14956.

Fix:
Set default value of avr.stats.internal.maxentitiespertable DB variable to 2148 on systems with the number of CPU cores fewer than or equal to 16.


828601-4 : IPv6 Management route is preferred over IPv6 tmm route

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metrics than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the management interface.

Conditions:
-- Create an IPv6 management route, which is going to be a default gateway.

-- Receive another default gateway from a configured peer using any of dynamic routing protocols (BGP, OSPF, etc.)

Impact:
The incorrect routing table sends the traffic that matches the default route to the management interface.

Workaround:
None.

Fix:
IPv6 routes now prioritize TMM interfaces.


826601-3 : Prevent receive window shrinkage for looped flows that use a SYN cookie

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
-- VIP to VIP (looped flow) configuration.
-- SYN cookie is used.
-- Initial receive window is greater than 3.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
-- Set the initial receive window value of the VIP to 3.

Fix:
Receive window shrinkage is prevented for looped flows using SYN cookies.


825413-1 : /var/lib/mysql can run out of disk space with ASM provisioned

Component: Application Security Manager

Symptoms:
PRX.BRUTE_FORCE_* db tables do not have a row_limit, so they can grow to consume all available disk space in /var/lib/mysql.

Conditions:
ASM provisioned

Impact:
/var/lib/mysql can run out of disk space

Workaround:
1. Truncate the two large tables. This clears all the row in those table and should make disk space.
   Note that existing brute force username and IPs reporting data will be lost.

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_USERNAMES"

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_IPS"

2. Add row_limit for the two tables to avoid the same issue in the future.

Add following lines in the bottom of this file, /etc/ts/tools/clean_db.yaml

  PRX.BRUTE_FORCE_MITIGATED_USERNAMES:
    row_limit: 100000
    order_by: brute_force_mitigated_username_id

  PRX.BRUTE_FORCE_MITIGATED_IPS:
    row_limit: 100000
    order_by: brute_force_mitigated_ip_id

Restart clean_db process (there is no impact of restarting this process)

# pkill -f clean_db

Wait 30 sec, and make sure the process came back

# ps aux | grep clean_db


824365-1 : Need informative messages for HTTP iRule runtime validation errors

Component: Local Traffic Manager

Symptoms:
For HTTP iRule runtime validation errors, an ERR_NOT_SUPPORTED error message is appended (with rule name and event) to /var/log/ltm, but the message is not informative about the cause of the validation error:

err tmm1[20445]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri".

The system should post a more informative message, in this case:

err tmm[10662]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - can't call after responding - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri"

Conditions:
-- HTTP filter and HTTP iRules are used by a virtual server.
-- An HTTP iRule runtime validation error happens. For example, HTTP::uri is called after HTTP::respond () which is not supported.

Impact:
With no informative error messages, it is difficult to identify the validation error.

Workaround:
There is no workaround at this time.

Fix:
Informative messages are provided for HTTP iRule runtime validation errors.


824149-1 : SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured

Component: Service Provider

Symptoms:
In SIP ALG virtual with source-nat-policy assigned, if traffic processed by the virtual server does not match source-nat-policy, or if it matches source-nat-policy that does not have source-translation configured, tmm cores and restarts.

Conditions:
-- SIP ALG virtual server with an assigned source-nat-policy.
-- Traffic does not match the source-nat-policy, or traffic matches a source-nat-policy that has no source-translation configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure SIP ALG virtual so that the condition never happens. For example, apply a source attribute to the virtual server that filters out traffic that will not match the source-nat-policy. Never use a source-nat-policy that has no source-translation.


824093-1 : Parameters payload parser issue

Component: Application Security Manager

Symptoms:
Incorrect parameter parsing occurs under some conditions. For example, in a signature violation, the 'Actual Parameter Name' value appears as 'attachment; filename'.

Conditions:
-- ASM in use.
-- Request contains multipart headers.

Impact:
Incorrect policy enforcement.

Workaround:
None.

Fix:
This release fixes an issue related to multipart requests.


823893-4 : Qkview may fail to completely sanitize LDAP bind credentials

Solution Article: K03318649


822025-4 : HTTP response not forwarded to client during an early response

Component: Local Traffic Manager

Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.

Conditions:
-- A slow client.
-- early server response with the HTTP::respond iRule.

Impact:
A client does not receive the redirect from the HTTP::respond iRule.

Workaround:
None.

Fix:
The client now receives the redirect from the HTTP:respond iRule.


820845-1 : Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.

Component: TMOS

Symptoms:
BIG-IP systems might not respond to ( ARP / Neighbour Discovery ) requests received via EtherIP tunnels on a multi-blade system.

Conditions:
Decapsulated ( ARP / Neighbour Discovery ) requests for an address owned by the BIG-IP system is processed by a secondary blade.

Impact:
Some endpoints may not be able to resolve ( ARP / Neighbour protocol ) via EtherIP tunnel.

Workaround:
Create static ARP entries on affected endpoints.


819397-3 : TMM does not enforce RFC compliance when processing HTTP traffic

Solution Article: K50375550

Component: Local Traffic Manager

Symptoms:
TMM does not require RFC compliance when processing HTTP traffic. This does not impact the performance or security of BIG-IP systems, but may impact connected systems if they expect only compliant traffic to be forwarded.

Conditions:
-- HTTP virtual server
-- Non-compliant HTTP request from client

Impact:
Pool members may be exposed to non-compliant HTTP requests.

Workaround:
None.

Fix:
The HTTP filter now optionally performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.

Behavior Change:
A new BigDB variable has been added.

The new 'Tmm.HTTP.RFC.Enforcement' option may be enabled or disabled. It is disabled by default.

If enabled, the HTTP filter performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.

The checks performed are a subset of those described within the HTTP PSM module. If a blocking page is required, or more detailed control over which checks are performed, configure HTTP PSM or ASM on the virtual server.

If either HTTP PSM or ASM are configured on a virtual server, the state of the 'Tmm.HTTP.RFC.Enforcement' BigDB variable is ignored on that virtual server.


819197-6 : BIGIP: CVE-2019-13135 ImageMagick vulnerability

Solution Article: K20336394


819189-5 : BIGIP: CVE-2019-13136 ImageMagick vulnerability

Solution Article: K03512441


819053-4 : CVE-2019-13232 unzip: overlapping of files in ZIP container

Component: TMOS

Symptoms:
CVE-2019-13232 unzip: overlapping of files in ZIP container leads to denial of service

Conditions:
Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container

Impact:
UnZip overlapping will leading to denial of service.

Workaround:
N/A

Fix:
UnZip updated to resolve CVE-2019-13232


818853-5 : Duplicate MAC entries in FDB

Component: Local Traffic Manager

Symptoms:
Forwarding DataBase (FDB) not updated when a MAC moves among interfaces.

Conditions:
-- Having multiple paths to a MAC in a given configuration.

Impact:
There are duplicate MAC address entries which come from multiple interfaces.

Workaround:
None.


818709-4 : TMSH does not follow current best practices

Solution Article: K36814487


818429-2 : TMM may crash while processing HTTP traffic

Solution Article: K70275209


818213-6 : CVE-2019-10639: KASLR bypass using connectionless protocols

Solution Article: K32804955


818177-1 : CVE-2019-12295 Wireshark Vulnerability

Solution Article: K06725231


816413-4 : CVE-2019-1125: Spectre SWAPGS Gadget

Solution Article: K31085564


816273-4 : L7 Policies may execute CONTAINS operands incorrectly.

Component: Local Traffic Manager

Symptoms:
L7 Policies involving CONTAINS operands may execute incorrectly in some cases.

The policy compiler may incorrectly combine some internal states, 'forgetting' degrees of partial evaluation of a CONTAINS operation.

Conditions:
Multiple CONTAINS conditions are used on the same virtual server.

Impact:
The wrong policy actions may be triggered.

Workaround:
It may be possible to reorder the rules in a policy to restore correct operation. However, the more complex the policy, the less likely this is.

Fix:
L7 Policy CONTAINS operations are compiled correctly. Policies with CONTAINS operations no longer trigger the wrong rule actions.


815877-4 : Information Elements with zero-length value are rejected by the GTP parser

Component: Service Provider

Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.

Conditions:
Virtual server with GTP profile enabled processing GTP traffic.

Impact:
Well-formed GTP messages might get rejected.

Workaround:
Avoid sending GTP messages containing zero-length IEs.

Fix:
Zero-length IEs are now processed correctly.


815753-4 : TMM leaks memory when explicit SWG is configured with Kerberos authentication

Component: Access Policy Manager

Symptoms:
Memory usage of filter keeps increasing over time and becomes one of major consumers of the TMM memory.

Conditions:
This issue happens if the following conditions are met:
1. Access profile type is SWG-explicit.
2. Access policy contains HTTP 407 Response policy item with HTTP Auth Level being Negotiate.
3. Kerberos is used to authenticate a user.

Impact:
TMM sweeper enters aggressive mode and reaps connections.

Workaround:
None.


815529-4 : MRF outbound messages are dropped in per-peer mode

Component: Service Provider

Symptoms:
When a Message Routing profile is configured with a peer consisting of an outbound virtual server, transport config, no pool, and per-peer mode, messages may be dropped when the outgoing connection is persisted to a different tmm than the message was received on.

Conditions:
-- Message Routing Profile.
-- A peer configured for outbound traffic with a virtual server and transport config in per-peer mode, no pool.
-- Persistence is enabled.
-- Multiple outbound messages with the same destination address.

Impact:
Outbound traffic with the same destination address may be dropped at random.

Workaround:
Change the peer connection mode to 'Per TMM'.

Fix:
Multiple outbound messages to the same destination address are no longer randomly dropped.


815425 : RAID status is shown <undefined> after upgrade from 12.1.3.5 to 13.1.x

Component: TMOS

Symptoms:
On RAID supported BIG-IP platforms, upgrade from BIG-IP v12.1.3.5 to BIG-IP v13.1.x, RAID array member state is shown as 'undefined' in below commands, though actual RAID status is 'up'.
- array
- tmsh show sys raid

Conditions:
On RAID supported platforms, clean install of BIG-IP 12.1.x version followed by upgrade to BIG-IP 13.1.x version.

Impact:
RAID information is reported wrongly.

Fix:
RAID information is retrieved and parsed according to the new mdadm supported in BIG-IP 13.1.x version.


814761-3 : PostgreSQL monitor fails on second ping with count != 1

Component: Local Traffic Manager

Symptoms:
When using one of the DB monitors (Oracle, MSSQL, MySQL, PostgreSQL) to monitor the health of a server, the pool member may initially be marked UP, but then will be marked DOWN on the next and all subsequent pings.

When this occurs, an error message similar to the following appears in the monitor-instance log under /var/log/monitors:

Database down, see /var/log/DBDaemon.log for details.
Exception in thread "DBPinger-##" java.lang.AbstractMethodError: org.postgresql.jdbc3.Jdbc3Connection.isValid(I)Z
    at com.f5.eav.DB_Pinger.db_Connect(DBDaemon.java:1474)
    at com.f5.eav.DB_Pinger.db_Ping(DBDaemon.java:1428)
    at com.f5.eav.MonitorWorker.run(DBDaemon.java:772)
    at java.lang.Thread.run(Thread.java:748)

Conditions:
This may occur if all of the following conditions are true:
1. You are using a DB monitor (Oracle, MSSQL, MySQL, PostgreSQL) configured with a 'count' value of either '0' or a value of '2' or higher.
2. You are using a version of BIG-IP (including an Engineering Hotfix) which contains the fix for ID 775901.

Impact:
Unable to monitor the health of postgresql server pool members accurately.

Workaround:
To work around this issue, configure a 'count' value of '1' in the postgresql monitor configuration.

Fix:
The DB monitor reports the health of a DB server pool member accurately in conjunction with the fix for ID 775901.


814585-5 : PPTP profile option not available when creating or modifying virtual servers in GUI

Component: TMOS

Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.

Conditions:
Creating or modifying a virtual server in the GUI.

Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.

Workaround:
Use TMSH to add a PPTP profile to the virtual server.


814097-4 : Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.

Component: Service Provider

Symptoms:
When using the Generic Message router to convert SIP messages from TCP to UDP, BIG-IP fails to raise the SERVER_CONNECTED iRule event.

Conditions:
Converting the transport of SIP messages with the Generic Message router.

Impact:
Any code that waits for the SERVER_CONNECTED event will not run.

Fix:
SERVER_CONNECTED event is raised.


814037-1 : No virtual server name in Hardware Syncookie activation logs.

Component: Local Traffic Manager

Symptoms:
Missing virtual server name in Hardware Syncookie activation logs. ltm/logs contains error messages:

notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.

Conditions:
-- More than one virtual server with same Destination IP e.g., 'x.x.x.x'.
-- Port 'y' configured.
-- Hardware Syncookie activated.

Impact:
Difficult to determine which virtual server actually got the Syncookie activated.

Workaround:
None.


813945-1 : PB core dump while processing many entities

Component: Application Security Manager

Symptoms:
PB core dump.

Conditions:
This may happen when the system is strained and PB is processing large policies (updating many entities may happen during periodic processing, response analysis).

This is a very rarely occurring scenario.

Impact:
PB core dump and restart.

Workaround:
None.

Fix:
PB core dump no longer occurs.


813673-1 : The HTTP Explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT

Component: Local Traffic Manager

Symptoms:
A typical configuration of the HTTP Explicit Proxy includes four virtual servers:
-- Two virtual servers for the Explicit Proxy, one IPv4, one IPv6.
-- Two general-purpose virtual servers: one IPv4, one IPv6.

The general-purpose virtual servers allow handling of CONNECT tunneling over the HTTP-tunnel interface.

Unfortunately, if an IPv6 client tries to CONNECT to an IPv4 destination, it fails, returning a 503 status error.

This is due to the IPv6 general-purpose virtual server not being found when performing the destination lookup.

Conditions:
-- The HTTP explicit proxy is used on an IPv6 address.
-- 'default-connect-handling deny' is configured on the explicit proxy HTTP profile.
-- IPv4 and IPv6 general-purpose virtual servers exist on the HTTP-tunnel interface.
-- The client connects, and uses CONNECT to proxy to an IPv4 address.

Impact:
The client will not be able to CONNECT through the explicit proxy to an IPv4 address.

Workaround:
None.

Fix:
Mismatched IPv6 to IPv4 scenarios are supported with the HTTP Explicit Proxy.


813657 : MRF SIP ALG with SNAT incorrectly detects ingress queue full

Component: Service Provider

Symptoms:
When SIP ALG processes a non-registered subscriber SIP outbound call, the ingress queue counter may underflow. This is interpreted as ingress queue full and the rest of message will be dropped.

Conditions:
SIP ALG processes non registered subscriber SIP outbound calls (nonregister-subscriber-callout option is enabled in SIP session profile).

Impact:
SIP ALG incorrectly detects the ingress queue is full and stops processing the rest of SIP ALG traffic.

Workaround:
None

Fix:
When SIP ALG processes non registered subscriber SIP call, the ingress queue counter is handled correctly.


813561-1 : MCPD crashes when assigning an iRule that uses a proc

Component: Local Traffic Manager

Symptoms:
MCPD crashes when assigning an iRule to a Virtual Server or loading a config with an iRule assigned.

Conditions:
The iRule must uses a proc that contains three statements associated with different feature flags.

Impact:
MCPD will crash, unable to use a desired iRule.

Workaround:
None

Fix:
iRules using proc can be assigned to a Virtual Server without crashing MCPD.


812981-2 : MCPD: memory leak on standby BIG-IP device

Component: TMOS

Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.

Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically

Impact:
MCPD may take a lot of memory on the standby device. Normal functionality of standby device may be stopped; reboot of the device is required.

Fix:
MCPD on standby BIG-IP device does not take more memory than the same daemon on active BIG-IP device.


812525-5 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Workaround:
None.

Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003


812341-1 : Patch or Delete commands take a long time to complete when modifying an ASM signature set.

Component: Application Security Manager

Symptoms:
When modifying an ASM signature set that is not attached to any security policy using iControl REST Patch or Delete commands, the command takes a long time to complete.

Conditions:
-- ASM provisioned.
-- Using REST API Patch or Delete command to modify an ASM signature set.

Impact:
Command takes longer (several seconds) to process on detached ASM signature sets than it takes to complete on attached signature sets.

Workaround:
None.

Fix:
Changes to signatures and signatures sets now only recompile policies that are affected by the change.


812237-3 : i10000 series appliances with HDVC part number 505-0030 missing name in show sys hardware and on LCD

Component: TMOS

Symptoms:
"tmsh show sys hardware" will not display a "Name" for the Platform on i100000 series appliances with part number 505-0030.
The LCD will not display the system name.

Conditions:
i10000 series appliances with part number 505-0030 with HDVC (high voltage DC) power supplies.

Impact:
Display only. No functional impact.

The LCD and "tmsh show sys hardware" will not display the product name of i10600 or i10800 as expected.

Workaround:
None

Fix:
Display correct F5 marketing name for i10000 series appliances with high voltage DC power supplies.


811965-3 : Some VDI use cases can cause excessive resource consumption

Solution Article: K73657294


811789-4 : Device trust UI hardening

Solution Article: K57214921


811745-4 : Failover between clustered DIAMETER devices can cause mirror connections to be disconnected

Component: Service Provider

Symptoms:
When using DIAMETER with certain settings, a failover might cause mirror connections to get disconnected.

Conditions:
-- Two or more BIG-IP systems in a high availability (HA) configuration.
-- Aggressive settings for the DIAMETER watchdog timeout and max failures.

Impact:
Loss of mirroring between BIG-IP systems.

Workaround:
None.

Fix:
Mirror connections no longer disconnect during a failover.


811145-4 : VMware View resources with SAML SSO are not working

Component: Access Policy Manager

Symptoms:
Connections to SAML-enabled VMware View resources fail with following error in /var/log/apm:
err vdi[18581]: 019cffff:3: /pathname: {a7.C} Failed to handle View request: Can't find 'artifact' parameter.

Conditions:
VMware View resource is configured with SAML SSO method.

Impact:
Users cannot launch VMware View apps/desktops via SAML-enabled resource.

Workaround:
None.

Fix:
Can now successfully use VMware View resources with SAML SSO.


811105-3 : MRF SIP-ALG drops SIP 183 and 200 OK messages

Component: Service Provider

Symptoms:
SIP 183 and 200 OK messages are dropped after an INVITE in MRF SIP-ALG when media info is present in the Session Description Protocol.

Conditions:
- MRF SIP-ALG default configuration
- INVITE sent with media info in SDP
- Media info contains an rtcp without an IP address

Impact:
SIP calls are unable to establish media connections.

Workaround:
Ensure all RTCP attributes in the SDP have IP addresses.
Example: Change "a=rtcp:29974\r\n" to "a=rtcp:29974 IN IP4 10.10.10.10\r\n"

Fix:
Calls are able to establish media connections in MRF SIP-ALG when media info contains an RTCP with no IP information.


811033-3 : MRF: BiDirectional pesistence does not work in reverse direction if different transport protocols are used

Component: Service Provider

Symptoms:
If a message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP), messages traveling from the destination to the source of the persistence entry are incorrectly delivered to the destination.

Conditions:
-- A message is routed from one transport protocol (for example TCP) to another transport protocol (for example UDP).
-- Messages are traveling from the destination to the source of the persistence entry.

Impact:
Messages are forwarded to an incorrect endpoint.

Workaround:
None.

Fix:
For all bi-directional persistence records the transport protocol of the connection is not used in the key used to store the record.


810821-4 : Management interface flaps after rebooting the device

Component: TMOS

Symptoms:
The Management interface flaps after rebooting the device, which may cause a momentary active-active condition in a high availability (HA) configuration.

Conditions:
This can occur after rebooting the active or standby device in an HA configuration if the final management port configuration completes late in the startup sequence. This can be due to network conditions for the network the management port is connected to.

This problem has been observed only on hardware platforms.

Impact:
Devices go active-active for a few seconds and then resume normal operation.

Workaround:
You may be able to work around this by changing the management port speed to 100/Fixed Duplex.

For more information on changing the interface, see K14107: Configuring the media speed and duplex settings for network interfaces (11.x - 13.x), available at https://support.f5.com/csp/article/K14107.

Fix:
The startup sequence has been changed to confirm that management port configuration is complete before proceeding with HA processing.


810593-4 : Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade

Solution Article: K10963690

Component: TMOS

Symptoms:
The vCMP guests go to 'INOPERATIVE' after upgrade.

Conditions:
-- Upgrading the host from v12.1.4.1.
-- Upgrading the host from v13.1.1.5.

Impact:
The vCMP guests go to the 'INOPERATIVE' state and do not pass traffic.

Workaround:
There is no workaround. You must upgrade the VCMP host to a fixed version, for example, 15.1.0.


810557-9 : ASM ConfigSync Hardening

Solution Article: K05123525


810537-3 : TMM may consume excessive resources while processing iRules

Solution Article: K12234501


810445-3 : PEM: ftp-data not classified or reported

Component: Local Traffic Manager

Symptoms:
When a virtual server is configured with an FTP profile, and also a PEM or classification profile, the traffic associated with the FTP data stream is not correctly classified or reported.

Conditions:
-- Virtual server is configured with an FTP profile.
-- There is also PEM or classification profile.

Impact:
Traffic associated with ftp-data (i.e., file transfers using FTP) may not be classified or reported.

Workaround:
None.

Fix:
Ftp-data is now correctly classified and reported. Note that the 'inherit-parent-profile' in the FTP profile must be enabled.


810381-1 : The SNMP max message size check is being incorrectly applied.

Component: TMOS

Symptoms:
If the SNMP server receives an SNMPv3 request with a small max message size then, it applies that check to all requests. This can cause SNMPv1 and SNMPv2c requests time out if they are too long or if their responses are too long, for example, large get bulk requests.

Conditions:
An SNMPv3 small max message size received while processing large SNMPv1 and SNMPv2c requests.

Impact:
Responses time out.

Workaround:
Do not send SNMPv3 requests to the BIG-IP system.

Fix:
SNMPv3 requests no longer impact SNMPv1 and SNMPv2c requests.


809597-1 : Memory leak in icrd_child observed during REST usage

Component: Local Traffic Manager

Symptoms:
When multiple users are issuing REST commands, memory may leak slowly in icrd_child.

Conditions:
-- The icrd_child process is running.
-- There are multiple users accessing device via REST.

Impact:
The memory leak is very progressive. Eventually, the icrd_child process runs out of memory.

Workaround:
None.

Fix:
Fixed a memory leak in icrd_child.


809377-4 : AFM ConfigSync Hardening

Solution Article: K05123525


809205-3 : CVE-2019-3855: libssh2 Vulnerability

Component: TMOS

Symptoms:
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server.

Conditions:
-- Authenticated administrative user with Advanced Shell Access.
-- Use of cURL from the command line to connect to a compromised SSH server.

Impact:
A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

Workaround:
None.

Fix:
libcurl updated


809165-4 : TMM may crash will processing connector traffic

Solution Article: K50046200


808525-4 : TMM may crash while processing Diameter traffic

Solution Article: K55812535


808409-1 : Unable to specify if giaddr will be modified in DHCP relay chain

Component: Local Traffic Manager

Symptoms:
ID746077 changed the dhcprelay behavior in order to comply with RFC 1542 Clarifications and Extensions for BOOTP.

However, as the change also encompasses the DHCP-to-DHCP relay scope, the behavior cannot be configurable with a db key.

Conditions:
DHCP Relay deployments where the giaddr needs to be changed.

Impact:
You are unable to specify whether giaddr will be changed.

Workaround:
None.

Fix:
A new sys db tmm.dhcp.relay.giaddr.overwrite is introduced

The default is :

sys db tmm.dhcp.relay.giaddr.overwrite {
    value "enable"
}

On versions with a fix to 746077, the sys db DOES NOT exist and BIG-IP will always retain the source IP

On versions with both this fix and ID748333 fix, this fix overrides the fix for 746077. To change the default, set to "disable" to retain


808301-1 : TMM may crash while processing IP traffic

Solution Article: K04897373


808281 : OVA/Azure template sets '/var' partition with not enough space

Component: TMOS

Symptoms:
After booting a new BIG-IP Virtual Edition (VE) image from OVA or Azure, you see errors on the console:

Broadcast message from root@localhost.localdomain:
011d0004:3: Disk partition /var has only 19% free.

Conditions:
Installing BIG-IP software via the OVA template or Azure image.

Impact:
System is generally un-usable; applications cannot operate without space in /var. Diskmonitor reports console errors and errors in /var/log/ltm.

Workaround:
Remove unused APM binaries in /var/sam/images.


807821-3 : ICMP echo requests occasionally go unanswered

Component: Local Traffic Manager

Symptoms:
ARP entry get stuck at state NEXTHOP_INCOMPLETE for several seconds.

Conditions:
-- There is no ARP entry for the return-route router.
-- The 'remote' BIG-IP system receives ICMP echo request.

Impact:
Possible traffic failures.

Workaround:
None.

Fix:
ICMP echo replies are always sent for a valid ICMP echo request.


807477-9 : ConfigSync Hardening

Solution Article: K04280042


807445 : Replaced ISC_TRUE and ISC_FALSE with true and false

Component: Global Traffic Manager (DNS)

Symptoms:
Updated the zrd code to remove references to ISC_TRUE and ISC_FALSE since the software is upgraded BIND to 9.11.8 and those macros do not exist anymore.

Conditions:
BIND version is earlier than 9.11.8.

Impact:
There is no functional impact.

Workaround:
None.

Fix:
Removed references to ISC_TRUE and ISC_FALSE zrd since the software has been upgraded to BIND to 9.11.8 and those macros do not exist anymore.


807177-1 : HTTPS monitoring is not caching SSL sessions correctly

Component: Global Traffic Manager (DNS)

Symptoms:
In situations where a cached SSL session cannot be used, there are conditions where the information for old and new SSL sessions are not properly updated, and valid SSL sessions are not terminated in an orderly fashion.

Conditions:
When using GTM HTTPS monitoring.

Impact:
Information for old and new SSL sessions are not properly updated, and valid SSL sessions are not terminated in an orderly fashion.

Workaround:
Restart big3d by running the following command:

bigstart restart big3d


807005-3 : Save-on-auto-sync is not working as expected with large configuration objects

Component: TMOS

Symptoms:
In device group has enabled 'save sys config' for all auto-sync operations using the following command:
modify cm device-group name save-on-auto-sync true

Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.

Conditions:
-- The save-on-auto-sync option is enabled.
-- Device has large configuration, such as 2,100 virtual servers and ~1100 partitions

Impact:
Configuration is not saved, which leads to out-of-sync condition.

Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.


805837-4 : REST does not follow current design best practices

Solution Article: K22441651


805017-3 : DB monitor marks pool member down if no send/recv strings are configured

Component: Local Traffic Manager

Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle or PostgreSQL database monitor type) is configured without a 'send' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.

Conditions:
-- AnLTM pool or pool members are configured to us an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- No send string is configured for the monitor.

Impact:
With this configuration, the monitor connects to the configured database, but does not issue a query or check for a specific response. Pool members are always marked DOWN when using a database monitor with no 'send' string configured.

Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).


804477-2 : Add HSB register logging when parts of the device becomes unresponsive

Component: TMOS

Symptoms:
Parts of the HSB can become unresponsive, with insufficient logging to diagnose the root cause. Additional data needs to be captured when the issue occurs.

Conditions:
This additional logging will trigger whenever parts of the HSB become unresponsive.

Impact:
The register logging will provide further insight into the HSB state when it becomes unresponsive.

Workaround:
None.

Fix:
Additional logging of HSB register states has been added whenever parts of the HSB become unresponsive.


804313-4 : MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.

Component: Service Provider

Symptoms:
The mirrored-message-sweeper-interval configuration option has no effect on the BIG-IP.

Conditions:
MRF in use, high availability configured, and a SIP profile is configured to use a specific Mirrored Message Sweeper Interval setting.

Impact:
On a system under high load, the next active device in a high availability (HA) pair could run out of memory.

Workaround:
None

Fix:
Message sweeper interval value now loads correctly.


804309-3 : [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument

Component: TMOS

Symptoms:
Running the command 'tmsh list' on a pool or virtual server with the 'all-properties' argument generates a warning:

[api-status-warning] ltm/virtual, properties : deprecated : urldb-feed-policy

Conditions:
Including the 'all-properties' argument with the 'tmsh list' command.

Impact:
There is no impact to the system. The excessive [api-status-warning] at stderr and /var/log/ltm for tmsh list commands are spurious, benign, and can be ignored.

Workaround:
tmsh modify /mgmt shared settings api-status log resource-property deprecatedApiAllowed false

tmsh modify /mgmt shared settings api-status log resource deprecatedApiAllowed false


804185-3 : Some WebSafe request signatures may not work as expected

Component: Fraud Protection Services

Symptoms:
Request signatures are part of the WebSafe signature mechanism. The request signature is achieved by configuring an FPS-protected URL and a corresponding custom-alert. If the URL is a wildcard, a priority must be assigned to determine the order of matching. URL matching by priority is not working properly. As a result, the signature do not work as expected

Conditions:
There is at least one wildcard URL configured by the request signature update file.

Impact:
A portion of WebSafe request signature do not work as expected:
-- An alert is sent, though it should not be (false-positive).
-- An alert was not sent, though it should be (false-negative).

Workaround:
Configure the same signature manually in the BIG-IP system's GUI/tmsh.

Fix:
FPS now correctly handles signature-based wildcard URL's priority.


803933-4 : Expat XML parser vulnerability CVE-2018-20843

Solution Article: K51011533


803825 : WebSSO does not support large NTLM target info length

Component: Access Policy Manager

Symptoms:
WebSSO crashes.

Conditions:
When the optional field of the target info is about 1000 bytes or larger.

Impact:
WebSSO crashes and loss of service.

Workaround:
Config NTLM not to have large target info, recommend < 800.


803813-3 : TMM may experience high latency when processing WebSocket traffic

Component: Application Security Manager

Symptoms:
Under certain conditions, TMM may experience higher than usual latency when processing WebSocket traffic.

Conditions:
-- WebSocket traffic.
-- Very long connections or large amounts traffic.
-- Platforms with many CPUs.

Impact:
Increased latency in WebSocket traffic.

Workaround:
None.

Fix:
Fix an issue that could cause a latency with WebSocket traffic.


803809-1 : SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.

Component: Service Provider

Symptoms:
When MRF SIP is configured in per-client mode and preserve-strict source port is enabled on a virtual server, messages may fail to forward due to port collisions when multiple clients try to use the same port (which is expected/accepted behavior with this configuration). After the port has been freed or the configuration changed, messages continue to fail for clients that had previous port collisions.

Conditions:
-- MRF SIP configured with: Per-Client connection mode and virtual server with preserve-strict source port enabled.
-- Multiple clients try to connect using the same local port.
-- Previously failed client connections attempt to connect again after the port has been freed or configuration changed.

Impact:
Calls from one or more clients are unable to be completed.

Workaround:
You can prevent this behavior using either workaround:
-- Configure a different connection mode (Per-TMM, for example).
-- Disable preserve-strict source port on the virtual server.

Fix:
Clients with previous connection failures are now able to connect when the port is no longer in use or the configuration has been changed.


803645-1 : GTMD daemon crashes

Component: Global Traffic Manager (DNS)

Symptoms:
The gtmd process crashes in response to a call triggered by its own timer event.

Conditions:
The conditions under which this causes this intermittent issue are difficult to reproduce, but it might occur when the system is under heavy load when gtmd is starved of CPU cycles.

Impact:
The gtmd process restarts and produces a core file.

Workaround:
None.


803477-1 : BaDoS State file load failure when signature protection is off

Component: Anomaly Detection Services

Symptoms:
Behavioral DoS (BADoS) loses its learned thresholds.

Conditions:
Restart of admd when signature protection is off.

Impact:
The system must relearn the thresholds, BADoS protection is not available during the learning time.

Workaround:
Turn on signatures detection.

Fix:
BADoS State file successfully loads after admd restart, even without signatures detection.


803233-4 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable

Component: Local Traffic Manager

Symptoms:
Intermittently (depending the timing of operations that keep MCP busy):

1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:

-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.

2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:

-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.

Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.

Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool member to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.

Workaround:
None.

Fix:
FQDN ephemeral pool members are created in a more timely manner when FQDN resolution via DNS returns new address records.


802961-1 : The 'any-available' prober selection is not as random as in earlier versions

Component: Global Traffic Manager (DNS)

Symptoms:
Some big3d instances can be periodically busier than other big3d instances.

Conditions:
-- When 'any-available' is selected for either the prober-preference or prober-fallback options.
-- A large number of monitors are defined.

Impact:
When the 'any-available' prober option is used, the selection of big3d probers may not be as random as in BIG-IP software versions prior to v13.0.0.

Workaround:
None.


802685-4 : Unable to configure performance HTTP virtual server via GUI

Component: TMOS

Symptoms:
When creating 'performance HTTP' virtual servers via GUI, the following error is reported:
01070734:3: Configuration error: A Virtual Server(/Common/vfasthttp) cannot be associated with both fasthttp and L4 profile.

Conditions:
Use the GUI to create a virtual server of type Performance (HTTP).

Impact:
Failed to create a 'performance HTTP' virtual server.

Workaround:
Use TMSH to configure the performance HTTP virtual server:
tmsh create ltm virtual vfasthttp destination 1.1.1.1:80 ip-protocol tcp profiles add { fasthttp }


802281-4 : Gossip shows active even when devices are missing

Component: TMOS

Symptoms:
Gossip appears Active even when one or more devices go missing from device group. 'restcurl shared/gossip' shows active on both devices, even when the devices are not listed in 'restcurl shared/resolver/device-groups/tm-shared-allBIG-IPs/devices'.

Conditions:
The conditions under which this issue occurs are unknown. This is an intermittent issue.

Impact:
Gossip reports that it is working when it is not.

Workaround:
-- If the missing device is the active device, run the following command on the Active DSC Device:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state

-- If the missing device is the standby device, reboot the device, make it active, and then run the following command:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state


801705-2 : When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC

Component: Local Traffic Manager

Symptoms:
The 'HTTP::cookie attribute' irule command allows manipulation of Cookie or Set-Cookie headers in HTTP requests or responses. When this command is used to insert a cookie attribute, it appends the attribute (and a possible value) to the header without a leading space character. A leading space character is a requirement per RFC 6265. When such a header is formed with iRule command 'HTTP::cookie insert' or 'HTTP::cookie attribute insert', the leading space is not provided, violating the RFC.

Conditions:
-- A virtual server with HTTP profile is configured.
-- There is an iRule generating or updating a cookie header with 'HTTP::cookie insert' or 'HTTP::cookie attribute insert' command.

Impact:
There is no space preceding the attribute. RFC is violated.

Workaround:
When inserting a cookie attribute with iRule command, add a leading space to the name of attribute to be inserted.


801637-1 : Cmp_dest on C2200 platform may give incorrect results

Component: TMOS

Symptoms:
Cmp_dest on C2200 platform may give incorrect results.

Conditions:
Run cmp_dest.

Impact:
Incorrect results from cmp_dest.

Fix:
Cmp_dest now gives correct results.


800453-1 : False positive virus violations

Solution Article: K72252057

Component: Application Security Manager

Symptoms:
False positive ASM virus violations.

Conditions:
Specific connection characteristics between ASM and the antivirus server may cause replies from the antivirus server to be missed by the ASM.

Impact:
ASM reports a virus when the antivirus reply is timed out. False positive blocking or violation reporting.

Workaround:
Configure the EnableASMByPass internal parameter setting to allow the antivirus server to not reply, so it does not issue a violation when it occurs:

/usr/share/ts/bin/add_del_internal add EnableASMByPass 1
bigstart restart asm

Note: When the internal parameter is enabled, ASM also bypasses huge HTTP requests (when they come on multiple connections) instead of resetting them.

Fix:
False positive ASM virus violations no longer occur under these conditions.


800305-4 : VDI::cmp_redirect generates flow with random client port

Component: Local Traffic Manager

Symptoms:
The VDI::cmp_redirect iRule command generates a flow with a randomly-assigned client port.

Conditions:
-- VDI::cmp_redirect iRule command used

Impact:
Client port is not the same as the original client port.

Fix:
The VDI::cmp_redirect iRule command now uses the same port.


800193 : Update OpenSSH to version 7 or later for disabling of DSA keys

Component: TMOS

Symptoms:
Current OpenSSH version 6.6.1p1 in BIG-IP v13.1.x does not allow for disabling DSA Key. Lack of this feature causes failure audits due to allowing DSA keys to authenticate to the BIG-IP system.

Conditions:
The issue can be seen on BIG-IP software that has OpenSSH version 6.6.

Impact:
Lack of this feature(disabling DSA Key) causes audit failures due to allowing DSA keys to authenticate to the BIG-IP system.

Workaround:
None.

Fix:
This version has updated OpenSSH to version 7 for disabling DSA keys.


800185-2 : Saving a large encrypted UCS archive may fail and might trigger failover

Component: TMOS

Symptoms:
-- When saving a very large encrypted UCS file, you may encounter an error:

# tmsh save /sys ucs my_ucs passphrase <mysecret>
Saving active configuration...
Can't fork at /usr/local/bin/im line 305.
/var/tmp/configsync.spec: Error creating package

-- If saving UCS is automated you may find related errors in /var/log/audit:

err scriptd[45342]: 014f0013:3: Script (/Common/f5.automated_backup__backup) generated this Tcl error: (script did not successfully complete: (UCS saving process failed. while executing "tmsh::save /sys ucs $fname ))

-- Other services might be restarted due to lack of memory, which might result in failover.

--System management via config utility or command line may be sluggish while UCS saves.

Conditions:
-- Large encrypted UCS files and low free host memory.

-- UCS file sizes in hundreds of MB are much more likely to encounter this issue, along with free memory less than 1 GB.

Impact:
The operation uses at least 1.3 times the UCS file size of RAM. The UCS may not get saved correctly, and if not enough memory is available, low free-memory symptoms become apparent.

The latter may result in services being killed to free memory, resulting in service impact and failover, though it is quite typical for the overly large process saving the UCS to be terminated with no other impact.

Workaround:
A mitigation is to minimise UCS file size. UCS files large enough to encounter this issue typically contain very large files, some of which may not be needed or are no longer necessary.

Remove unnecessary large files from directories that contribute to UCS archives, for example, stray, large files such as packet captures in /config or its subdirectories. (For help understanding what is in UCS archives, see K12278: Removing non-essential files from a UCS when disk space errors are encountered :: https://support.f5.com/csp/article/K12278.)

If using APM, remove unnecessary EPSEC ISO files. (For more information, see K21175584: Removing unnecessary OPSWAT EPSEC packages from the BIG-IP APM system :: https://support.f5.com/csp/article/K21175584.

Fix:
Saving a large UCS file no longer fails.


799617-4 : ConfigSync Hardening

Solution Article: K05123525


799589-4 : ConfigSync Hardening

Solution Article: K05123525


799149 : Authentication fails with empty password

Component: Access Policy Manager

Symptoms:
Per-req policy authentication fails when an empty password is detected. Following errors are seen in apm logs:

-- err apmd[13930]: 01490301:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Empty session variable value received from tmm.
-- err apmd[13930]: 01490302:3: /Common/test_sp::abcdef78/Common/test_auth/XXXXXXX==: Failed to decrypt session variable 'subsession.logon.last.password' from tmm with error code: 3.

Conditions:
-- APM is licensed and provisioned.
-- Per-req policy is created with at least one Auth agent.

Impact:
APM end users cannot change a password/token or access backend resources.

Workaround:
None.

Fix:
Per-request policy auth no longer complains about empty password. If the backend server accepts an empty password, auth should work fine.


798261-4 : APMD fails to create session variables if spanning is enabled on SWG transparent virtual server

Component: Access Policy Manager

Symptoms:
The following logs showed up in APM log and user session was terminated.

Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490248:5: /Common/Phase1-fwproxy:Common:6833364e: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_finish_set_pipeline()" line: 720 Msg: Error: Set pipeline: While receiving response to 0 cmd set /.*/tmm.session.6833364e.session.assigned.uuid 0 0 32 s
Jun 13 09:56:35 F5-i4600 notice apmd[4562]: 01490000:5: memcache.c func: "mc_server_disconnect()" line: 2533 Msg: Error: bad memcache connection (tmm:1), (fd:205)
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.
Jun 13 09:56:35 F5-i4600 notice tmm1[22065]: 01490501:5: /Common/Phase1-fwproxy:Common:6833364e: Session deleted due to user logout request.

The SET command failed because it incorrectly attempted to create session variable in all traffic groups.

Conditions:
1. Virtual address for SWG transparent is 0.0.0.0
2. Spanning on the virtual address is enabled.

Impact:
User sessions will be terminated

Workaround:
Disable virtual address spanning.

Fix:
N/A


797885-4 : ConfigSync Hardening

Solution Article: K05123525


797829-3 : The BIG-IP system may fail to deploy new or reconfigure existing iApps

Component: TMOS

Symptoms:
The BIG-IP system may fail to deploy new or reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:

script did not successfully complete: ('source-addr' unexpected argument while executing

The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.

The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.

Conditions:
This issue occurs when:

-- The BIG-IP system is configured with multiple users of varying roles.

-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all the processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been looking at the configuration of iApps using the GUI a lot.

-- Subsequently, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.

Note: You can inspect the number of child processes already created by scriptd by running the following command:

pstree -a -p -l | grep scriptd | grep -v grep

However, it is not possible to determine their current 'security context'.

Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.

Workaround:
Restart scriptd. To restart scriptd, run:

bigstart restart scriptd

Running this command has no negative impact on the system.

The workaround is not permanent; the issue may occasionally recur depending on your system usage.

Fix:
The system now stops all scriptd child processes and creates new ones with the new user security-context when the user changes.


797785-3 : AVR reports no ASM-Anomalies data.

Component: Application Visibility and Reporting

Symptoms:
AVR collects data for ASM-Anomalies, which include Brute-Force and Web-Scraping activities. When reported, all metrics and dimensions are hidden. AVR output looks like this:
errdefs_msgno=\"22282253\",Entity=\"ASM_ANOMALIES\

Conditions:
When gathering statistics reporting a Brute-Force or Web-Scraping attack.

Impact:
AVR reports no ASM-Anomalies data.

Workaround:
None.


797769-3 : Linux vulnerability : CVE-2019-11599

Solution Article: K51674118


796993-3 : Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs

Component: Local Traffic Manager

Symptoms:
When a pool contains FQDN nodes as pool members, pool member state changes messages are not logged in /var/log/ltm.

Conditions:
-- Create a pool with fqdn node as it pool members
-- Apply monitor to it
-- Monitor marks the pool member up/down based on reachability

Impact:
-- Status message is not updated in /var/log/ltm logs.
-- There is no functional impact.


796601-6 : Invalid parameter in errdefsd while processing hostname db_variable

Component: TMOS

Symptoms:
Errdefsd crashes, creates a core file, and restarts.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Possible loss of some logged messages.

Workaround:
None.


796469-2 : ConfigSync Hardening

Solution Article: K05123525


795797-4 : AFM WebUI Hardening

Solution Article: K21121741


795649-2 : Loading UCS from one iSeries model to another causes FPGA to fail to load

Component: TMOS

Symptoms:
When loading a UCS file from one iSeries model to a different iSeries model, the FPGA fails to load due to a symlink in the UCS file pointing to the firmware version for the source device.

The system will remain in INOPERATIVE state, and messages similar to the following will be seen repeatedly in /var/log/ltm:

-- emerg chmand[7806]: 012a0000:0: FPGA firmware mismatch - auto update, No Interruption!
-- emerg chmand[7806]: 012a0000:0: No HSBe2_v4 PCIs found yet. possible restart to recover Dataplane.
-- emerg chmand[7806]: 012a0000:0: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
-- err chmand[7806]: 012a0003:3: HAL exception publishing switch config: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2

Conditions:
Loading a UCS from one iSeries model onto another model, for example, from an i7800 onto an i11400-ds, or from an i2600 to an i5600.

Impact:
FPGA fails to load; the BIG-IP system becomes unusable.

Workaround:
1. Update the symbolic link /config/firmware/hsb/current_version to point to the correct firmware file for the hardware model in use. Here are some examples:

-- For the i2800:

# ln -sf /usr/firmware/hsbe2v4_atlantis/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i7800:

# ln -sf /usr/firmware/hsbe2v2_discovery/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

-- For the i11400-ds:

# ln -sf /usr/firmware/hsbe2_discovery_turbo/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version

2. Reboot the system


795437-2 : Improve handling of TCP traffic for iRules

Solution Article: K06747393


795197-3 : Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Solution Article: K26618426


794561-4 : TMM may crash while processing JWT/OpenID traffic.

Solution Article: K46901953


794501-4 : Duplicate if_indexes and OIDs between interfaces and tunnels

Component: TMOS

Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.

Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.

Impact:
SNMP OIDs relating to interfaces may yield incomplete results.

Duplicate if_indexes and duplicate OIDs. SNMP logs error messages:

# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
    if-index 64 <-------------------------------
net interface mgmt {
    if-index 32
net vlan external {
    if-index 96
net vlan internal {
    if-index 112
net vlan test {
    if-index 128
net vlan tmm_bp {
    if-index 48
net tunnels tunnel http-tunnel {
    if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
    if-index 80


# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm

-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: high availability (HA) daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: high availability (HA) daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: high availability (HA) proc_running named enabled.
=========================

-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289

Workaround:
No workaround currently known.

Fix:
Duplicate if_indexes are no longer assigned to tunnels and interfaces. The resulting duplicate SNMP OIDs are prevented.


794493 : Creating Client SSL profile via tmsh or iControl REST and specifying 'cert' and 'key' incorrectly leaves inherit-certkeychain as true

Component: Local Traffic Manager

Symptoms:
Client SSL profiles may have distinct (different from parent profile) certificate and key files, but the 'inherit-certkeychain' attribute set as 'true', even though the profile should not be inheriting these values from parent, for example:

ltm profile client-ssl example-prof {
    cert example.crt
    cert-key-chain {
        example{
            app-service none
            cert example.crt
            chain none
            key example.key
            passphrase none
        }
    }
    defaults-from intermediate
    inherit-certkeychain true
    key example.key
}

If multiple profiles are configured for SNI and assigned to a virtual server, attempting to modify the parent profile can result in error:

err mcpd[5352]: 0107149e:3: Virtual server /Common/vs_test has more than one clientssl/serverssl profile with same server name.

Conditions:
-- Parent profile other than 'clientssl'
-- Have a child profile created by defining 'cert' and 'key' attributes, rather than specifying a 'cert-key-chain', e.g.:

    tmsh create ltm profile client-ssl example-prof defaults-from intermediate cert example.crt key example.key

Impact:
Not able to modify SSL profile if profiles assigned to virtual server.

If profiles are not configured for SNI, the specified certificate and key on child profiles will be reverted to the values from the parent profile.

Workaround:
Create SSL profiles by specifying cert-key-chain, rather than separately specifying 'cert' and 'key' attributes on SSL profile.

For profiles that are already affected, you can use either of the following workarounds.

Use the GUI:
-- Modify profiles using the GUI and check the 'Custom' checkbox for 'Certificate Key Chain'.

Change the configuration file:
1. Save the configuration.
2. Open bigip.conf for editing.
3. Modify the affected profiles, changing 'inherit-certkeychain true' to 'inherit-certkeychain false'.
4. Load the configuration.

Fix:
SSL profiles created specifying certificates and keys in the profile now have inherit-certkeychain set to false.


794417-2 : Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not

Component: Local Traffic Manager

Symptoms:
On a single virtual server, when 'TLS Renegotiation' is enabled in an associated Client SSL profile, the system should prevent enabling the 'Enforce TLS Requirements' option in the associated HTTP/2 profile.

Conditions:
BIG-IP system validation does not prevent this configuration in the following scenario:

1. Disable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
2. Enable 'TLS Renegotiation' in the Client SSL profile.
3. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile.

Impact:
The configuration does not load if saved, and reports an error:

01070734:3: Configuration error: In Virtual Server (/Common/http2vs) an http2 profile with enforce-tls-requirements enabled is incompatible with clientssl profile '/Common/my_clientssl'; renegotiation must be disabled.

Workaround:
If enabling 'Enforce TLS Requirements' in an HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in all Client SSL profiles on that virtual server.

Fix:
Added a missing validation check for TLS Renegotiation and Enforce TLS Requirements.

Behavior Change:
BIG-IP validation now requires TLS Renegotiation of the SSL profile to be disabled when the TLS Enforcement requirement (RFC7540) is enabled in the HTTP/2 profile


794413-9 : BIND vulnerability CVE-2019-6471

Solution Article: K10092301


794389-9 : iControl REST endpoint response inconsistency

Solution Article: K89509323


793121-1 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication

Component: TMOS

Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.

Conditions:
The TMUI redirect-http-to-https is enabled.

Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.

Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.


793013 : MRF DIAMETER: Implement sweeper for pending request messages queue

Component: Service Provider

Symptoms:
MRF Diameter remembers details for each request message to assist with routing answer messages. If the answer message is not received, this information is not cleaned up.

Conditions:
The server does not respond to a request message with an answer message.

Impact:
For each unresponded request message, memory is leaked. Eventually the system might run of memory and restart.

Workaround:
None.

Fix:
The DIAMETER logic will not delete any stale pending request record if it is older than twice the configured transaction timeout (in diameterrouter profile).


793005-4 : 'Current Sessions' statistic of MRF/Diameter pool may be incorrect

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, the LTM pool 'Current Sessions' statistics may show an unusually large number, such as 18446744073709551606.

Conditions:
There is a Diameter answer that does not match a pending request, the answer message is dropped, but BIG-IP system still decrements the 'Current Sessions' counter. If the counter is already zero, it can underflow.

Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue. When it underflows, the number becomes useless, making troubleshooting more difficult.

Workaround:
None.

Fix:
'Current Sessions' statistics of MRF/Diameter pool reports correctly.


792341-4 : Google Analytics shows incorrect stats.

Component: Application Security Manager

Symptoms:
ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.

Conditions:
Scenario 1:
-- ASM provisioned.
-- ASM policy attached to a virtual server with challenge mitigation enabled (as part of brute force protection, for example).

Scenario 2:
-- Bot defense profile attached to a virtual server with challenge mitigation enabled.

Scenario 3:
-- DoS Application profile attached to a virtual server with challenge mitigation enabled.

Impact:
Incorrect data is displayed in the Google Analytics dashboard.

Workaround:
Have an iRule that injects google-analytics.js into the challenge white page at the HTTP_RESPONSE_SENT time event.

Fix:
ASM now handles the backend's response to fix up document.referrer for tools that read this property.


792285-3 : TMM crashes if the queuing message to all HSL pool members fails

Component: TMOS

Symptoms:
When a system uses a High Speed Logging (HSL) configuration with the HSL pool, TMM is crashing if the queuing message to all HSL pool members fails.

Conditions:
-- Two-member pool configured as remote-high-speed-log destination.
-- Data-Plane logging using for example but not limited to: iRule HSL::send.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.


792265-1 : Traffic logs does not include the BIG-IQ tags

Component: Application Visibility and Reporting

Symptoms:
AVR collects traffic data. When that data is reported to BIG-IQ, it omits the BIG-IQ tags which are required by BIG-IQ.

Conditions:
When AVR collects traffic data and sending it BIG-IQ.

Impact:
There are no BIG-IQ tags in the traffic logs. BIG-IQ is unable to map traffic-capturing logs to applications.

Workaround:
None.

Fix:
Traffic logs now include the BIG-IQ tags.


791369-4 : The REST framework may reflect client data in error logs

Solution Article: K01049383


790845-1 : An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default

Component: Local Traffic Manager

Symptoms:
An In-TMM monitor may be marked down when the CMP-hash (Cluster Multiprocessing) is set to non-default value.

Conditions:
-- There is a configured In-TMM monitor (K11323537).
-- CMP-hash is set to non-default value.

Note: For information about In-TMM monitoring, see K11323537: Configuring In-TMM monitoring :: https://support.f5.com/csp/article/K11323537.

Impact:
An In-TMM monitor is falsely marked as down.

Workaround:
Use default settings for a CMP-hash.

Fix:
An In-TMM monitor is not marked down when a non-default CMP-hash is in use.


790205-2 : Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core

Component: Local Traffic Manager

Symptoms:
TMM cores when adding a route (either statically or dynamically) to a child route domain.

Conditions:
Adding a more-specific route to a child domain that overrides a route in the default domain.

Impact:
TMM cores. A failover or outage. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when adding routes to child domains.


789921-4 : TMM may restart while processing VLAN traffic

Solution Article: K03386032


789893-4 : SCP file transfer hardening

Solution Article: K54336216


788773-4 : HTTP/2 Vulnerability: CVE-2019-9515

Solution Article: K50233772


788769-4 : HTTP/2 Vulnerability: CVE-2019-9514

Solution Article: K01988340


788753-1 : GATEWAY_ICMP monitor marks node down with wrong error code

Component: Local Traffic Manager

Symptoms:
Pool state shows down when there is no route configured to node.

Conditions:
-- In-tmm gateway_icmp monitor configured for a node or pool member.
-- There is no route to the node or pool member.

Impact:
The pool member or node is marked down and the reason listed is 'timeout', instead of 'no route to host'.

Workaround:
None.


788577 : BFD sessions may be reset after CMP state change

Component: TMOS

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, Bidirectional Forwarding Detection (BFD) session processing ownership might be migrating from old, processing TMMs to new, selected TMMs. This process is rapid and could lead to contest between several TMMs over who should be the next BFD processing owner.

It might also lead to a situation where the BFD session is deleted and immediately recreated.

This problem occurs rarely and only on a chassis with more than one blade.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- CMP state change is occurred on one of the blades.
-- BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change and the contest between the old TMM owner and the new TMM owner occurs.

Impact:
When the BFD session is recreated, it marks corresponding routing protocol DOWN if it's configured. The protocol might be BGP, OSPF, or any other routing protocols that support BFD.

This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decision are from networks learnt by affected routing protocols when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There are two workarounds, although the latter is probably impractical:

-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.

Fix:
BFD session is no longer reset during CMP state change.


788557 : BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior

Component: TMOS

Symptoms:
GRST - BGP graceful reset.

The problem occurs when the routing daemon bgpd restarts/starts (e.g., by terminating the bgpd daemon) its distribution of a process and is not supported. Another way we've found is to call "bigstart restart" command on a primary blade on chassis with more than one blade.

After the new primary blade takes over, BGP and BFD sessions are recreated at around the 'graceful restart' timeout interval.

Conditions:
-- BGP and BFD are configured.
-- BGP router's 'graceful restart' option is configured, enabled (set to 120 by default).
-- The bgpd daemon is terminated.

Another way to trigger the issue is to run 'bigstart restart' on a primary blade on a chassis with more than one blade.

Impact:
If BGP peering is reset, it causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocol from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.


In most cases, unexpected routing decisions come from networks learnt by affected routing protocol when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system, typically, the routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
None.

Fix:
BGP and BFD peering is not recreated in GRST timeout anymore.


788513-4 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log

Component: Service Provider

Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:

 warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]

This appears to be benign, as the configuration loads successfully, and the script works as expected.

Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name

Instead of:
RADIUS::avp replace USER-NAME "static value"

Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.

Workaround:
This warning is benign, as the configuration loads successfully, and script works as expected.


788417-3 : Remote Desktop client on macOS may show resource auth token on credentials prompt

Component: Access Policy Manager

Symptoms:
APM uses the 'username' attribute to pass auth token for SSO enabled native RDP resources on macOS. In case Windows policy forces the user to provide credentials, or if Single Sign-on fails, the end user may see a credentials prompt containing the base 64-encoded auth token in the username field.

This behavior is observed only with Remote Desktop Client v10.x for macOS.

Conditions:
-- APM Webtop is configured with Single Sign-on enabled native RDP resource.
-- Try to access the RDP resource from macOS using RDP client v10.x.

Note: This issue is known to occur when Microsoft Group Policy 'Always prompt for password upon connection' is enabled on the target RDP server: Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Security \ Always prompt for password upon connection.

Impact:
Prompt for credentials (contains auth token in username field) causing APM end user confusion.

Workaround:
Apply the following iRule:

Note: With the following iRule implemented, users running RDP client v8 for macOS may see an empty credentials prompt when launching APM native RDP resources.

when HTTP_RESPONSE_RELEASE {
    catch {
        set locationUri [HTTP::header Location]
        if { [HTTP::status] == 302 && $locationUri starts_with "rdp://" &&
                $locationUri contains "username=s:f5_apm"} {
            HTTP::header Location \
                [string map {"username=s:f5_apm" "gatewayaccesstoken=s:"} $locationUri]
        }
    }
}

Fix:
Remote Desktop client on macOS does not show resource auth token on credentials prompt.


788325-4 : Header continuation rule is applied to request/response line

Solution Article: K39794285

Component: Local Traffic Manager

Symptoms:
When a browser communicates with a server over HTTP, it can split a long header into several lines, prepending continuation lines with leading whitespace symbols. This rule does not apply to request or response line, so having leading whitespace in a first header line is invalid. The BIG-IP system parses such line a header with empty value.

Conditions:
A virtual server is configured on the BIG-IP system with HTTP profile.

Impact:
The BIG-IP system can hide some important HTTP headers either passing those to the pool member or failing to properly handle the request (or response) or failing to correctly load balance a connection (or request in case of OneConnect profile).

Workaround:
None.

Fix:
Now, when the BIG-IP system receives an invalid request or response with leading whitespace in first header line, it properly parses the header and handles it correctly.


788301-3 : SNMPv3 Hardening

Solution Article: K58243048

Component: TMOS

Symptoms:
SNMPv3 agents do not follow current best practices.

Conditions:
SNMPv3 agents enabled.

Impact:
SNMPv3 agents do not follow current best practices.

Fix:
SNMPv3 features now follow current best practices.


788269-1 : Adding toggle to disable AVR widgets on device-groups

Component: Application Visibility and Reporting

Symptoms:
Devices on device-group get into state of not-synced when AVR-related widgets are created or modified.

It occurs more frequently when manual config sync is enabled.

It can also occur when visiting a widgets page for the first time that automatically creates default widgets on the first page visit, such as Security :: Overview : Application : Traffic. This can make it appear that a 'read-only' user visiting the page has triggered the need for a config sync.

Conditions:
-- Two or more devices are in a device-group.
-- AVR-related widgets are created or modified.

Impact:
Devices go into a non-synced state.

Workaround:
None.

Fix:
A DB-variable called avr.gui.widgets.sync has been added to disable widgets syncing. Possible values are 'disable' or 'enable', it is enabled by default.

Behavior Change:
This release adds a DB-variable, avr.gui.widgets.sync, to disable widget syncing. Possible values are 'disable' or 'enable'. It is enabled by default.


788057-1 : MCPD may crash while processing syncookies

Solution Article: K00103216


787901 : While deleting a DoS profile, tmm might core in sPVA

Component: Advanced Firewall Manager

Symptoms:
When trying to delete a DoS profile attached to a virtual server, it is possible that tmm might core and restart.

Conditions:
-- An AFM DoS profile is attached to a virtual server.
-- Some of the DoS attacks are programmed into hardware (HW) through sPVA.
-- That DoS profile is deleted.

Impact:
tmm might generate a core and restart. Traffic disrupted while tmm restarts.

Workaround:
Use software (SW) DoS only.

Fix:
The tmm process no longer generates a core and restarts when deleting a profile that is attached to a virtual server.


787825-3 : Database monitors debug logs have plaintext password printed in the log file

Solution Article: K58243048

Component: Local Traffic Manager

Symptoms:
When monitor instance is in "debug" logging enabled mode for certain monitor types, the resulting monitor instance logs may contain sensitive details like password

Conditions:
When debug mode is enabled for following monitoring types
1. mssql
2. mysql
3. oracle
4. postgresql

Impact:
The user-account password configured in the health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors/.

Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected monitor types. 2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes , remove the resulting log files from the BIG-IP system after troubleshooting is completed.

Fix:
The password filed for monitor will now be redacted by external monitors when monitor debugging is enabled.


787477-1 : Export fails from partitions with '-' as second character

Component: Access Policy Manager

Symptoms:
Attempting to export a profile/policy from partition using the hyphen/dash (-) as the second character results in error message:
'Incorrect arguments: <partition> is not specified' error.

Conditions:
Partition with '-' as second character in the name.

Impact:
Unable to export policy from given partition

Workaround:
Rename partition without '-' as the second character.

Fix:
Export is working as expected in this scenario.


786981-1 : Pending GTP iRule operation maybe aborted when connection is expired

Component: Service Provider

Symptoms:
When there is a suspended iRule operation (such as the table or after command) in GTP iRule event, the operation may be intermittently aborted when the connection is expired.

Conditions:
This occurs when a connection times out while there is still a pending iRule operation. For example, in one use case, there is a table command in GTP_SIGNALLING_INGRESS event, and the immediate idle timeout is configured in the UDP profile.

Impact:
GTP iRule may not be completely executed.

Workaround:
For the specific use case when immediate idle timeout is used, change idle timeout to some positive value. Then use the iRule to expire the connection after the GTP iRule event is done, for example, by setting 'IP::idle_timeout 0' in SERVER_CONNECTED event.

Fix:
When connection is expired, pending iRule operations in GTP iRule events are now completed.


786517-1 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address

Component: Local Traffic Manager

Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.

- Running the command 'tmsh load /sys config' reports an error:
  01070038:3: Monitor /Common/a-tcp address type requires a port.

Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.

Impact:
Monitors are sent to an incorrect IP address.

tmsh load /sys config will fail to load the configuration.

Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.

-- Fix the monitor definition using tmsh.


785017-4 : Secondary blades go offline after new primary is elected

Component: TMOS

Symptoms:
Secondary active blades go offline.

Conditions:
-- Cluster with three or more active blades.
-- Primary blade is rebooted.

For example, on a 4-bladed system, after slot 1 (primary blade) was rebooted and slot 2 (secondary blade) takes over as primary, slots 3 and 4 both go offline due to high availability (HA) table, with the logs showing reason as 'waiting for configuration load'.

Impact:
Cluster reduced to a single blade, which may impact performance.

Workaround:
None.


784989-4 : TMM may crash with panic message: Assertion 'cookie name exists' failed

Component: Access Policy Manager

Symptoms:
TMM crashes with SIGFPE panic

panic: ../modules/hudfilter/http/http_cookie.c:489: Assertion 'cookie name exists' failed.

Conditions:
-- Virtual server with remote desktop or VDI profile attached.
-- VDI logging level is set to Debug.
-- iRule that modifies/reads HTTP cookies.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Increase the log-level for VDI from 'Debug' to a higher level.

Fix:
Fixed TMM crash, which occurred when remotedesktop/VDI profile was used together with custom iRule and Debug level logging.


784565-4 : VLAN groups are incompatible with fast-forwarded flows

Component: Local Traffic Manager

Symptoms:
Traffic flowing through VLAN groups may get fast-forwarded to another TMM, which might cause that connection to be reset with reason 'Unable to select local port'.

Conditions:
-- Using VLAN groups.
-- Flows are fast-forwarded to other TMMs.

Impact:
Some connections may fail.

Workaround:
None.

Fix:
The system now prevents flows on VLAN groups from being fast-forwarded to other TMMs.


783817-4 : UI becomes unresponsive when accessing Access active session information

Component: Access Policy Manager

Symptoms:
When accessing Admin UI Access :: Overview :: Active Sessions page, the page status is stuck in 'Receiving configuration data from your device'. TMSH command 'show apm access-info' also hangs.

The following error messages shows up in TMM log:

-- notice mcp error: 0x1020002 at ../mcp/db_access.c:831
-- notice mcp error: 0x1020031 at ../mcp/mcp_config.c:588

Conditions:
-- Two vCMP guests or two chassis are set up in high availability mode.
-- If Network Mirroring is toggled between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.

Impact:
Some session variables may be lost, which results in UI hang. Admin UI becomes unusable.

Workaround:
Do not toggle between 'Within Cluster' and 'Between Cluster' while traffic is going through the device.


783617-4 : Virtual server resets connections when all pool members are marked disabled

Component: Local Traffic Manager

Symptoms:
The BIG-IP system immediately responds with an RST against a SYN when all pool members are marked disabled by a monitor.

Conditions:
All of the pool members are marked disabled by a monitor or administratively.

Impact:
Cannot use iRules to respond with an HTTP 503 error to incoming traffic.

Cannot use LTM policies to select multiple pools if all pool members are disabled in a default pool assigned to a virtual server.

Workaround:
Use Forced offline instead of disabled to prevent this issue.

Fix:
Virtual server no longer resets connections when all pool members are marked disabled.


783513-1 : ASU is very slow on device with hundreds of policies due to logging profile handling

Component: Application Security Manager

Symptoms:
Signature Update (ASU) is very slow on devices with hundreds of policies due to logging profile handling.

Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- The BIG-IP is configured for logging profile handling.

Impact:
The ASU process takes hours to complete.

Workaround:
None.


783505 : ASU is very slow on device with hundreds of policies due to table checksums

Component: Application Security Manager

Symptoms:
ASU is very slow on devices with hundreds of policies due to table checksums.

Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- 'DoTableChecksums' is set to 1.

Impact:
The ASU process takes hours to complete.

Workaround:
In the configuration file /etc/ts/dcc/prepare_policy.cfg, set 'DoTableChecksums' to 0.


783289-3 : PEM actions not applied in VE bigTCP.

Component: Policy Enforcement Manager

Symptoms:
If PEM virtual server is configured using bigTCP, the return traffic from the server may not return to the same TMM. PEM policies do not get applied.

Conditions:
-- BIG-IP Virtual Edition.
-- bigTCP is configured (FastL4 with PEM/GPA hudfilters).
-- Virtual server uses Source-NAT.

Impact:
PEM policies do not get applied.

Workaround:
To work around this, do the following:
-- Configure bigTCP virtual server not to use source-NAT.
-- Configure destination-IP for hashing in server-vlan (the external VLAN that has the virtual server).


783125-4 : iRule drop command on DNS traffic without Datagram-LB may cause TMM crash

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may crash and restart when an iRule on a DNS virtual server performs the 'drop' command while the BIG-IP system is handling both a DNS request and DNS response at the same time for the same DNS client IP and port without UDP Datagram-LB.

Conditions:
-- The BIG-IP instance has two or more TMM processes as a result of having two or more physical cores or virtual CPUs.
-- A virtual server with both DNS and UDP profiles and one or more iRules.
-- The UDP profile has Datagram LB disabled.
-- The iRules have a 'drop' command.
-- The iRules have a DNS_REQUEST and/or DNS_RESPONSE event with an iRule command that require coordinating data with another TMM on the system, such as the 'table' command.

Impact:
TMM crash or restart. Traffic impacted. Traffic disrupted while tmm restarts.

Workaround:
F5 strongly recommends using a UDP profile with Datagram-LB enabled for DNS UDP virtual servers.

Alternatively, replace the 'drop' command with DNS::drop in DNS_REQUEST and DNS_RESPONSE events, or with UDP::drop in other iRule events.

See the respective references pages for DNS::drop and UDP::drop for the Valid Events each iRule command is available in:
    https://clouddocs.f5.com/api/irules/DNS__drop.html
    https://clouddocs.f5.com/api/irules/UDP__drop.html


783113 : BGP sessions remain down upon new primary slot election

Component: TMOS

Symptoms:
BGP flapping after new primary slot election.

Conditions:
--- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)

-- After a primary blade reset/reboot, the BFD session should be processed by the same tmm on the same blade, which was secondary before the primary blade reset/reboot.

-- The BFD session creation should happens approximately in 30 seconds after the reset/reboot.

Impact:
BGP goes down. BGP flaps cause route-dampening to kick-in on the BGP neighbors.

Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
 bigstart restart tmrouted

Fix:
BFD no longer remains DOWN after a blade reset/reboot. There is a convergence period caused by blade changes(blade reset/reboot, new blade installed, blade comes up), which may take a few moments, but after that BFD sessions show correct status.


782529-4 : iRules does not follow current design best practices

Solution Article: K30215839


782353-8 : SIP MRF via header shows TCP Transport when TLS is enabled

Component: Service Provider

Symptoms:
When an SSL Client Profile (TLS) is enabled on a SIP Message-Routing Virtual Server, the via header shows an incorrect transport protocol when SIP messages are sent out the client side of MRF. For example, the via header contains 'SIP/2.0/TCP' or 'SIP/2.0/UDP', when it should read 'SIP/2.0/TLS'.

Conditions:
Sending SIP messages from the client side of the SIP MRF when an SSL client profile is enabled on the SIP Message-Routing virtual server.

Impact:
The via header is not correct and violates the SIP RFC.

Workaround:
Create an iRule that replaces the incorrect via header with a correct one, for example:

when SIP_REQUEST_SEND {
    if { [clientside] } {
        SIP::header replace Via [string map [list "SIP/2.0/TCP " "SIP/2.0/TLS " "SIP/2.0/UDP " "SIP/2.0/TLS "] [SIP::header Via 0]] 0

    }
}

Fix:
The via headers show the correct text (e.g., SIP/2.0/TLS) when an SSL Client Profile is enabled on a SIP Message-Routing virtual server.


781829-4 : GTM TCP monitor does not check the RECV string if server response string not ending with \n

Component: Global Traffic Manager (DNS)

Symptoms:
GTM TCP monitor marks resource down.

Conditions:
TCP server respond string not ending with '\n'.

Impact:
Available resources are marked down.

Workaround:
If the TCP server is sending a text response, reconfigure the server to make sure it terminates the output with '\n'.

If the TCP server can not be changed (for example if it produces binary output), it may be possible to create an external gtm monitor instead.


781753-1 : WebSocket traffic is transmitted with unknown opcodes

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not preserve WebSocket frames. Frame headers and payload may be reordered such that a header for a second frame may be sent out in the middle of a first frame's payload. Frame boundaries get skewed and payload gets interpreted as headers.

Conditions:
A request logging profile is configured on a WebSocket virtual server.

Impact:
WebSocket frames are not preserved such that traffic appears to be garbage.

-- If request logging is enabled, client frames may not be preserved.
-- If response logging is enabled, server frames may not be preserved.

Workaround:
Remove the request logging profile.


781637-4 : ASM brute force counts unnecessary failed logins for NTLM

Component: Application Security Manager

Symptoms:
False positive brute force violation raised and login request is blocked

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM Brute force protection enabled for NTLM login type

Impact:
login request blocked by asm policy

Workaround:
Define higher thresholds in brute force protection settings

Fix:
asm code has been fixed and do not count unnecessary failed logins for NTLM


781605-1 : Fix RFC issue with the multipart parser

Component: Application Security Manager

Symptoms:
False positive or false negative attack signature match on multipart payload.

Conditions:
Very specific parsing issue.

Impact:
A parameter specific excluded signature may be matched or un-matched.

Workaround:
N/A

Fix:
Multi part parser issue was fixed.


781581-4 : Monpd uses excessive memory on requests for network_log data

Component: Application Visibility and Reporting

Symptoms:
Monpd allocates excessive memory on multi-blade devices, and in some cases the kernel may kill monpd. The following log signature may be encountered in /var/log/kern.log:

err kernel: : [1537424.588160] Out of memory: Kill process 28371 (monpd) score 117 or sacrifice child

Conditions:
This can occur in a multi-blade BIG-IP environment when you are displaying pages that query for network_log data, for example Bot Defense requests in the event log, or realtime AVR data.

Impact:
Large fluctuations in host memory usage, occasionally leading to OOM events.

Workaround:
None.

Fix:
A db variable has been added: avr.eventlogsreportrownumber, which controls the number of logs displayed. The db variable default is 10000, and supports a range from 100 through 1000000.

Note: Using the maximum value may trigger the behavior described here. The system behavior depends on the specific machine hardware.


781449-4 : Increase efficiency of sPVA DoS protection on wildcard virtual servers

Solution Article: K14703097


781377-1 : tmrouted may crash while processing Multicast Forwarding Cache messages

Solution Article: K93417064


781225-3 : HTTP profile Response Size stats incorrect for keep-alive connections

Component: Local Traffic Manager

Symptoms:
The HTTP profile Response Size static is incorrectly updated per-response using the cumulative number of response bytes seen for the lifetime of the connection, rather than the bytes seen per-response.

Conditions:
-- HTTP profile configured
-- HTTP connection reused for multiple requests/responses

Impact:
The HTTP profile Response Size statistics may be incorrectly reported and do not correlate to actual traffic seen.

Workaround:
None.

Fix:
The HTTP Response Size statistics are correctly updated using per-response values.


781069-4 : Bot Defense challenge blocks requests with long Referer headers

Component: Application Security Manager

Symptoms:
The Bot Defense challenge may block the client if the Referer header is between about 1400 characters and 3072 characters long.
This client may get blocked by TCP RST, or suffer from a challenge loop.

Conditions:
-- Bot Defense with Verify before Access, or Proactive Bot Defense are configured
-- Request has a Referer header that is between ~1400 and 3072 characters long

Impact:
Legitimate browsers may get blocked or suffer from a challenge loop

Workaround:
Use an iRule to override the Referer header from the HTTP_REQUEST event, to make it shorter.

Fix:
Challenges with long Referer headers no longer block legitimate clients.


780817 : TMM can crash on certain vCMP hosts after modifications to VLANs and guests.

Component: TMOS

Symptoms:
TMM crashes and produces a core file. TMM logs show the crash was of type SIGFPE, with the following panic message:

notice panic: ../base/vcmp.c:608: Assertion "guest has vlan ref" failed.

Conditions:
-- The vCMP host is a platform with more than one tmm process per blade or appliance.

  + VIPRION B4300, B4340, and B44xx blades.
  + BIG-IP iSeries i15x00 platforms

-- A VLAN is assigned to a vCMP guest.
-- The TAG of the VLAN is modified.
-- The VLAN is removed from the vCMP guest.

Impact:
While TMM crashes and restarts on the host, traffic is disrupted on all the guests running on that system.

Guests part of a redundant pair may fail over.

Workaround:
None.

Fix:
TMM no longer crashes on certain vCMP hosts after modifications to VLANs and guests.


780601-4 : SCP file transfer hardening

Solution Article: K03585731


779857-4 : Misleading GUI error when installing a new version in another partition

Component: TMOS

Symptoms:
While installing a new version in another partition, the GUI displays an error for a brief time:

'Install Status':Failed Troubleshooting

Conditions:
Install a new version in another partition.

Impact:
The GUI error is misleading. It is showing the install status as 'Failed Troubleshooting' even though the installation is proceeding normally. The installation process is proceeding normally; only the error is incorrect and does not indicate a problem with the installation.

Workaround:
If you click on the 'Troubleshooting' link on the GUI screen, the GUI indicates that it is actually installing properly without any error.


779177-4 : Apmd logs "client-session-id" when access-policy debug log level is enabled

Solution Article: K37890841


778869-1 : ACLs and other AFM features (e.g., IPI) may not function as designed

Solution Article: K72423000

Component: Advanced Firewall Manager

Symptoms:
Under certain conditions, ACLs, IPI and other AFM features may not function as designed.

Conditions:
AFM provisioned and configured.
TCP mitigations active.

Impact:
AFM features do not function as designed.

Workaround:
None.

Fix:
ACLs and other AFM rules (e.g., IPI) features now function as designed.


778517-2 : Large number of in-TMM monitors results in delayed processing

Solution Article: K91052217

Component: Local Traffic Manager

Symptoms:
A monitor may continue to probe for a while after it has been removed from pool / member / node. Duplicate monitor instances may get created after associating a monitor to a server.

Conditions:
Device has a large number of in-TMM monitors.

Impact:
-- Monitor target may appear down when responding correctly.
-- Monitor may continue to run after removed from pool / member / node.
-- Increased monitoring load on server.

Workaround:
Disable in-tmm monitors:
  tmsh modify sys db bigd.tmm value disable

Fix:
Large numbers of in-TMM monitors are processed in a timely fashion.


778365-1 : dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service

Component: Global Traffic Manager (DNS)

Symptoms:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS. If there is DNS service running on the LDNS, RTT metrics should be collected successfully as expected. However if there is no DNS service on the LDNS, there should not be any RTT metrics collected. But BIG-IP still populates the RTT values giving users a "false positive" results.

Conditions:
DNS-DOT or DNS-REV protocols are used to collect RTT metrics on the LDNS and there is no DNS service running on the LDNS.

Impact:
RTT metrics are collected even though no response from the DNS service is present giving users wrong impression that there is.

Fix:
RTT metrics are collected only when the DNS service is present otherwise zero RTT values are returned.


778077-1 : Virtual to virtual chain can cause TMM to crash

Solution Article: K53183580


778049-6 : Linux Kernel Vulnerability: CVE-2018-13405

Solution Article: K00854051


777737-2 : TMM may consume excessive resources when processing IP traffic

Solution Article: K39225055


777733-1 : DoS profile default values cause config load failure on upgrade

Component: Advanced Firewall Manager

Symptoms:
Upon upgrading from 12.1.x, the config fails to load with an error similar to the following:

01071aa6:3: Dos DNS query data bad actor can not be enabled if per-source detection/limit pps is less than 1% of the Dos vector (a) rate threshold setting for sub-profile (PROFILE_DOS_NETWORK_VS-ADIB-GTM-ID177_53_UDP) of Dos profile (/Common/PROFILE_DOS_NETWORK_VS-ADIB-GTM-ID177_53_UDP).

Conditions:
-- AFM configured.
-- One or more SIP or DNS vectors are configured with the rate_threshold values set to the default in 12.x.
  + For SIP, the rate_threshold value in 12.x is 30000.
  + For DNS, the rate_threshold value in 12.x is 50000.

Impact:
During upgrade, the BIG-IP system fails to convert these thresholds to the new default value of 'infinite'. After upgrade, the configuration fails to load.

Workaround:
Manually edit the profile to disable bad-actor, or change the DNS and SIP default rate_threshold value to 'infinite', then config can be loaded.

For example, in this affected configuration for DNS:

dns-query-vector {
    a {
        allow-advertisement disabled
        ...
        rate-increase 500
        rate-limit 250000
        rate-threshold 50000 <<---
    }


Change it to this:

dns-query-vector {
    a {
        allow-advertisement disabled
        ...
        rate-increase 500
        rate-limit 250000
        rate-threshold infinite
    }

At that point, the configuration should load successfully.

Fix:
DNS and SIP default rate_threshold value of 50000 and 30000 of 12.1.x are now converted to default value of 'infinite' during upgrade, so the configuration loads as expected.


777261-2 : When SNMP cannot locate a file it logs messages repeatedly

Component: TMOS

Symptoms:
When the SNMP daemon experiences an error when it attempts to statfs a file then it logs an error message. If the file is not present then this error is repeatedly logged and can fill up the log file.

Conditions:
When an SNMP request causes the daemon to query a file on disk it is possible that a system error occurs. If the file is not present then the error is logged repeatedly.

Impact:
This can fill up the log with errors.

Fix:
The SNMP daemon has been fixed to log this error once.


777173-4 : Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error

Component: Access Policy Manager

Symptoms:
When administrator runs Citrix vdi iApp in APM standalone deployment (LTM is not licensed), iApp fails with the following error:
01070356:3: HTTP header transformation feature not licensed

This is result of a license check added for HTTP header transformation.

Conditions:
- APM is licensed as stand alone (no LTM license)
- Admin tries to run Citrix vdi iApp

Impact:
Administrator is not able to use the iApp to configure Citrix vdi access

Workaround:
Adding LTM module license will resolve the error.

Fix:
Citrix vdi iApp now can be used to configure Citrix vdi access in an APM standalone deployment.


776229-4 : iRule 'pool' command no longer accepts pool members with ports that have a value of zero

Component: Local Traffic Manager

Symptoms:
Values of 0 (zero) are no longer accepted for pool member ports in iRule 'pool' commands. The system reports an error similar to the following in /var/log/ltm:

err tmm3[12179]: 01220001:3: TCL error: /Common/_user_script_member <CLIENT_ACCEPTED> - bad port in 'pool member <addr> <port>' cmd while executing "pool test_pool member 10.1.30.10 0"

Conditions:
-- Configure an iRule to use the 'pool' command to go to the pool member using a zero port in the CLIENT_ACCEPTED event.
-- Attach the iRule to the virtual server.
-- Run traffic through it.

Impact:
The iRule rejects traffic when the pool member's port number is 0.

Workaround:
Configure any iRule using the 'pool' command to go to apool member using a non-0 port in the CLIENT_ACCEPTED event.

Fix:
No longer blocking access to pool members that use port number 0 (zero) from iRule 'pool' commands.


775621-4 : urldb memory grows past the expected ~3.5GB

Component: Access Policy Manager

Symptoms:
When using the categorization engine (urldb), memory may increase when real-time update databases are downloaded (once every ten minutes, as available).

Conditions:
-- SWG provisioned.
-- Using urldb.
-- Real-time database updates occurring.

Impact:
Memory increases, and if there is not enough room on the BIG-IP system, urldb can core.

Workaround:
None.

Fix:
The system no longer preloads the database into memory, so memory no longer grows past what is expected.


775105-1 : False positive on bot defense logs

Component: Application Security Manager

Symptoms:
Remote log entries suggest that blocking events have occurred although their DoS profile is not set to block any traffic.

Conditions:
DoS profile is not set to block any traffic.

Impact:
False positives where remote log entries which suggest blocking events have occurred.

Workaround:
None.

Fix:
Bot defense remote logging profile attached to virtual servers and some bot signatures is be set to 'Report'.


775013-4 : TIME EXCEEDED alert has insufficient data for analysis

Component: Fraud Protection Services

Symptoms:
The time-exceeded alert does not include sufficient alert details to troubleshoot the process. It is difficult to determine whether or not the alert is valid, or how long past the request time the alert occurred.

Conditions:
Viewing alert logs for time-exceeded messages.

Impact:
Makes troubleshooting and/or analysis difficult.

Workaround:
None.

Fix:
All encryption failures alert now provides additional details to assist in troubleshooting the process.


774481-3 : DNS Virtual Server creation problem with Dependency List

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use the GUI to create virtual servers with dependent virtual server.

Conditions:
This occurs when creating a virtual server that contains a dependent virtual server.

Impact:
Cannot use the GUI to create the virtual server that contains a dependent virtual server in one step.

Workaround:
You can use either of the following workarounds:

-- Use tmsh;
-- Create the virtual server through GUI without dependent virtual server first and then edit the virtual server to add dependency.


774445-3 : BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2

Solution Article: K74921042

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.7 Update 2 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).

Conditions:
-- BIG-IP VE running on VMware ESXi 6.7 Update 2 (build number 13006603) hypervisor.
-- VMXNET 3 NICs.

Impact:
Traffic does not pass through non-mgmt interfaces.

Workaround:
You can use the following workarounds:

-- Until this issue is fixed in a Point-Release for your software branch, you can contact F5 Networks Technical Support to obtain an Engineering Hotfix to address the issue. This workaround allows TMM to continue to use the VMXNET3 driver, which is preferable.

-- On BIG-IP version 14.1.0, you can switch to the 'sock' driver.

-- On BIG-IP versions earlier than 14.1.0, you can switch to the 'unic' driver.

Note: The workarounds that switch driver must be applied individually to devices, as they do not synchronize via ConfigSync.

IMPORTANT: The driver must be configured the same way on all devices in a sync-failover device group.

To switch driver:

1. Add a line to /config/tmm_init.tcl that reads 'device driver vendor_dev 15ad:07b0 DRIVER' (replacing DRIVER with 'unic' or 'sock', as appropriate). For example:

    echo "device driver vendor_dev 15ad:07b0 sock" >> /config/tmm_init.tcl

2. Restart tmm for the changes to take effect (restarting tmm disrupts traffic):

    bigstart restart tmm

3. After tmm restarts, confirm the driver in use by examining the output of:

    tmctl -d blade tmm/device_probed

Fix:
BIG-IP VE now passes traffic on ESXi 6.7 Update 2.


773693-3 : CVE-2020-5892: APM Client Vulnerability

Solution Article: K15838353


773673-4 : HTTP/2 Vulnerability: CVE-2019-9512

Solution Article: K98053339


773649-4 : APM Client Logging

Solution Article: K23876153


773553-4 : ASM JSON parser false positive.

Component: Application Security Manager

Symptoms:
False positive JSON malformed violation.

Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.

Impact:
HTTP request is blocked or an alarm is raised.

Workaround:
There is no workaround other than disabling the JSON profile.

Fix:
JSON parser has been fixed as per RFC8259.


773421-2 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied

Component: Local Traffic Manager

Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.

Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).

-- OneConnect is applied.

-- proxy-mss is enabled (the default value starting in v12.0.0).

Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.

Workaround:
Disable proxy-mss in the configured TCP profile.

Fix:
OneConnect prevents sending ICMP fragmentation needed messages to servers.


773253-2 : The BIG-IP may send VLAN failsafe probes from a disabled blade

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends multicast ping from a disabled blade. tmm core

Conditions:
-- There is one or more blades disabled on the VIPRION platform.
-- VLAN failsafe is enabled on one or more VLANs.
-- the VLAN failsafe-action is set to 'failover'.
-- There is more than one blade installed in the chassis or vCMP guest.

Impact:
The BIG-IP system sends unexpected multicast ping requests from a disabled blade.

Workaround:
To mitigate this issue, restart tmm on the disabled blade. This causes tmm to stop sending the multicast traffic.

Impact of workaround: Traffic disrupted while tmm restarts.


772545-1 : Tmm core in SSLO environment

Component: Local Traffic Manager

Symptoms:
Unexpected SSL events can occur in SSLO configuration, possibly resulting in tmm core.

Conditions:
SSLO environment which can cause serverside ssl to become enabled during clientside handshake causing unexpected events.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Enabling SSL forward proxy verified-handshake setting available in 14.0.


772233-1 : IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.

Component: Global Traffic Manager (DNS)

Symptoms:
When probing DNS Path, the metric round trip time (RTT) is not set correctly if the collection protocols used are NDS_DOT or DNS_REV.

The problem occurs only if the Path involves an IPv6 address; IPv4 address works fine.

Conditions:
-- Path involves IPv6 addresses.
-- Collection protocol used is either DNS_DOT or DNS_REV.

Impact:
RTT metric is not set at all.

Workaround:
Use collection protocols - ICMP instead.

Fix:
The problem for both collection protocols - DNS_DOT and DNS_REV no longer occurs, and the RTT is set correctly.


771873-3 : TMSH Hardening

Solution Article: K40378764


771173-1 : FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.

Component: Advanced Firewall Manager

Symptoms:
The system does not roll forward the FastL4 profile syn-cookie-enable attribute after upgrading from 12.x to 13.x and beyond.

Conditions:
This happens when upgrading from 12.x to 13.x and beyond.

Impact:
If syn cookies are explicitly disabled on a FastL4 profile prior to upgrading, they may be enabled.

Workaround:
You can fix the configuration by modifying it manually after upgrading.

In tmsh:
tmsh modify ltm profile fastl4 <profile_name> syn-cookie-enable <enabled|disabled>


771025-2 : AVR send domain names as an aggregate

Component: Application Visibility and Reporting

Symptoms:
AVR sends domain name as an aggregate of a number of domain names.

Conditions:
-- AVR receives more than the number of domain names it can handle.
-- After AVR gets DNS calls with different domain name, it no longer clears the domain name.
-- When AVR receives the maximum number of total domain names, it start to aggregate all the new domain names.

Impact:
Cannot see the correct domain name.

Workaround:
None.

Fix:
AVR now removes old domain names, so it can add new ones and send the actual domain names it collected.


770989-1 : Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x.

Component: TMOS

Symptoms:
F5optics installation can fail with RPM database corruption on B4450 blades and iSeries platforms when installing 14.1.x.

Conditions:
-- Using B4450 blades or iSeries platforms.

-- Clean install (i.e., a completely new installation) of 14.1.0 from either an external drive or PXE without taking over license:

image2disk --format=volumes --nosaveconfig --nosavelicense BIGIP-14.1.0-0.0.116.iso

Impact:
-- After 14.1.0 boots up, when you check /shared/lib/rpm RPM database (by running the command: /opt/bin/rpm --dbpath /shared/lib/rpm -qa), you see errors if the RPM database has already been corrupted.

   + rpmdb: /shared/lib/rpm/Name: unexpected file type or format.
   + error: cannot open Name index using db3 - Invalid argument (22).

-- No default f5optics package is reported when running the command: tmsh show net f5optics. No f5optics packages is present in the /shared/f5optics/images/ directory (even the /shared/f5optics/images/ directory is not created).

Due to corruption of '/shared/lib/rpm' RPM database, additional component 'f5optics' installation can fail with RPM error. Other components such as geoip or epsec might also be affected due to corrupted '/shared/lib/rpm' RPM database.

Other symptoms may be that the Link Controller linkcost library (Non-US patch) may be unable to install, showing the error message:
DB_VERSION_MISMATCH: Database environment version mismatch.

Workaround:
Remove the RPM database and manually install the f5_optics RPM package.

Steps
=====
1. Remove corrupted RPM database:
   # rm -rf /shared/lib/rpm/

2. Initialize rpm database and update
   # /opt/bin/rpm --root /shared --dbpath /lib/rpm --initdb
   # /opt/bin/rpm --dbpath /shared/lib/rpm -qa

3. For iSeries platform:
   # /usr/bin/f5optics_install

   For VIPRION platform
   # tmsh install net f5optics slot all


770621-1 : [Portal Access] HTTP 308 redirect does not get rewritten

Component: Access Policy Manager

Symptoms:
Requests with URLs that are not rewritten in web application.

Conditions:
HTTP response from the backend with 308 redirect.

Impact:
HTTP Status Code 308 (Permanent Redirect) is not supported. Unexpected web application operation.

Workaround:
Use a custom iRule to rewrite the request.

Fix:
HTTP Status Code 308 (Permanent Redirect) is now supported; Location header is now rewritten.


770477-3 : SSL aborted when client_hello includes both renegotiation info extension and SCSV

Component: Local Traffic Manager

Symptoms:
Client SSL reports an error and terminates handshake.

Conditions:
Initial client_hello message includes both signaling mechanism for secure renegotiation: empty renegotiation_info extension and TLS_EMPTY_RENEGOTIATION_INFO_SCSV.

Impact:
Unable to connect with SSL.

Workaround:
None.

Fix:
Allow both signaling mechanism in client_hello.


769981-3 : bd crashes in a specific scenario

Component: Application Security Manager

Symptoms:
bd crash with a core file.

Conditions:
-- XML profile with schema validation is attached to a security policy.

-- The bd.log shows out-of-memory messages relating to XML.

Impact:
Failover; traffic disruption.

Workaround:
Increase the memory XML uses by using the internal parameters total_xml_memory and/or additional_xml_memory_in_mb. For more information, see K10803: Customizing the amount of memory allocated to the BIG-IP ASM XML processing engine available at https://support.f5.com/csp/article/K10803


769817 : BFD fails to propagate sessions state change during blade restart

Component: TMOS

Symptoms:
BFD fails to propagate sessions state change during blade restart.

Conditions:
-- On a chassis with multiple blades, several routing protocol sessions are established, (e.g., BGP sessions).
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via specific blade and the corresponding BFD session of this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experienced a blade failure.

Impact:
The BFD session remains in the BFD sessions table and remains there until BGP session is timed out by hold the timer (90 seconds, by default). Dynamic routes, which are learnt via affected BGP session, remain in the routing table until the hold time is reached.

Workaround:
Change BGP hold time to reasonable lower value.

Fix:
The affected BFD session is removed from the BFD table after blade reset during the period configured for this BFD session.


769809-2 : The vCMP guests 'INOPERATIVE' after upgrade

Component: TMOS

Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests report as INOPERATIVE.

Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.

Impact:
The vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.

Workaround:
Important: If you upgrade vCMP hosts from an affected version to a version unaffected by this issue (ID 769809), ensure that the upgrade version contains the fix for Bug ID 810593: Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade :: https://cdn.f5.com/product/bugtracker/ID810593.html.

Upon encountering this issue, it may be best to roll back to the previously used, unaffected version on the vCMP host, and then install a version unaffected by this issue (i.e., versions later than 12.1.4.1 or later than 13.1.1.5).

Fix:
The system now handles a guest unit key that has a NULL in it, so vCMP guests are no longer 'INOPERATIVE' after upgrade


769589-4 : CVE-2019-6974: Linux Kernel Vulnerability

Solution Article: K11186236


769581 : Timeout when sending many large iControl Rest requests

Component: TMOS

Symptoms:
After sending hundreds of REST requests, REST requests eventually begins to time out. This is the case for applications such as an AS3, with requests with 700 services.

Conditions:
1. Download and install the AS3 iApp. This adds the /mgmt/shared/appsvcs/ endpoint to the the BIG-IP system.

2. Deploy config with AS3:
curl -X POST \
  https://<$IP_address>/mgmt/shared/appsvcs/declare \
  -H 'Content-Type: application/json' \
  -d //This should be the data from an AS3 body

3. While deployment in step 2 is happening, make a GET to the tasks:
curl -X GET \
  https://<$IP_address>/mgmt/shared/appsvcs/task \
  -H 'Content-Type: application/json'

4. Delete configuration:
curl -X DELETE \
  https://<$IP_address>/mgmt/shared/appsvcs/declare

It may take 3 or 4 times repeating steps 2 through 4 for the issue to show up. When it appears, you will start seeing messages in the AS3 task response like the following:

-- 'message': 'failed to save BIG-IP config (POST http://<$USERNAME>:<$PASSWORD>@<$IP_address>:8100/mgmt/tm/task/sys/config create task save sys config response=400 body={\"code\":400,\"message\":\"remoteSender:Unknown, method:POST \",\"originalRequestBody\":\"{\\\"command\\\":\\\"save\\\"}\",\"referer\":\"Unknown\",\"restOperationId\":6924816,\"kind\":\":resterrorresponse\"})'

Impact:
Saving new configuration data does not work. Any new transaction tasks fail.

Workaround:
1. Restart restjavad and all iControl Rest (icrd_child) instances.
2. Wait longer for large requests to finish before performing additional requests.

Fix:
Changes to handle the new transaction iControl Rest creation process creation properly when the existing process was killed with a timeout operation.


769309-3 : DB monitor reconnects to server on every probe when count = 0

Component: Local Traffic Manager

Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.

Conditions:
This occurs when using one of the LTM mssql, mysql, oracle or postgresql monitor types is configured with the default 'count' value of 0 (zero).

Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.

Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.

Fix:
The LTM database monitor keeps the network connection to the monitored database server open indefinitely when configured with the default 'count' value of 0 (zero).


769193-1 : Added support for faster congestion window increase in slow-start for stretch ACKs

Component: Local Traffic Manager

Symptoms:
When Appropriate Byte Counting is enabled (the default), TCP's congestion window increases slower in slow-start when the data receiver sends stretch ACKs.

Conditions:
-- TCP data sender receives stretch ACKs (ACKs that acknowledges more than 2*MSS bytes of data).
-- Appropriate Byte Counting (ABC) is enabled in slow-start.

Impact:
ABC limits the increase of congestion window by 2*MSS bytes per ACK. TCP's congestion window is increased slower in slow-start, which may lead to longer transfer times.

Workaround:
There is no workaround at this time.

Fix:
A new sys db (TM.TcpABCssLimit) is provided to set TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received. If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.

Behavior Change:
There is a new db variable, TM.TcpABCssLimit for specifying TCP's ABC limit (the default is 2*MSS) on increasing congestion window per ACK. With a larger limit (default is 2*MSS), TCP's congestion window increases faster in slow-start when stretch ACKs are received.

Note: If the data receiver sends regular ACKs/delayed ACKs, this setting has no impact.


769169-1 : BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring

Component: TMOS

Symptoms:
BIG-IQ sends a lot of request to the BIG-IP system to collect the stats it makes the BIG-IP slow and eventually GUI goes unresponsive.

Conditions:
-- BIG-IQ monitoring a large BIG-IP configuration.
-- With a very large number of requests, and with resource-expensive requests.

Impact:
ICRD requests wait longer in the ICRD queue, which can make the BIG-IP system becomes unresponsive. Policy Creation, Device Overview, and stats pages take more time to respond, and eventually, the GUI becomes unresponsive on these three pages.

Lot of process terminated/re-created messages in restjavad logs.

Workaround:
Remove the BIG-IP device from the BIG-IQ and restart the mcpd.

Fix:
The system now handles the queue so that there is time for BIG-IP system to recover and become responsive.


769061-4 : Improved details for learning suggestions to enable violation/sub-violation

Component: Application Security Manager

Symptoms:
The title for the entity in suggestions to enable violation/sub-violation is 'Match violation'/'Matched HTTP Check', though these suggestions are created when there is no match in the observed traffic.

Conditions:
There are learning suggestions to enable violations/sub-violation in the policy

Impact:
Misleading suggestion details.

Workaround:
None.

Fix:
The misleading word 'Matched' was removed from the title.


768981-4 : VCMP Hypervisor Hardening

Solution Article: K05765031


768761-4 : Improved accept action description for suggestions to disable signature/enable metacharacter in policy

Component: Application Security Manager

Symptoms:
It is difficult to understand the description for suggestions to disable signature or enable metacharacter on parameter/URL alternative action (accept for all entities).

Conditions:
There are suggestions to disable signature or enable metacharacter on parameter/URL.

Impact:
Action description can be difficult to understand.

Workaround:
None.

Fix:
'Accept for Any Entity' action has been renamed to 'Accept Globally'. The 'Charset' type is now mentioned in the action description for better understanding of the applied action.


768025-1 : SAML requests/responses fail with "failed to find certificate"

Component: Access Policy Manager

Symptoms:
BIG-IP as SP and BIG-IP as IdP fail to generate signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after the certificate that is used for signing is modified.

Conditions:
The certificate used for signing SAML requests/responses or SAML SLO requests/responses is modified or re-imported.

Impact:
When this issue occurs, SAML services are impacted when BIG-IP is configured as SP or IdP. Subsequent SAML/SAML SLO requests/responses fail with the error 'failed to find certificate'.

-- When BIG-IP is configured as IdP, then SAML Authentication fails and SAML/SAML SLO services do not work.

-- When BIG-IP is configured as SP, resources that need SAML Authentication cannot be accessed. Also, SAML SLO service does not work.

Workaround:
-- When BIG-IP as IdP is affected, configure a different certificate associated with SAML IdP configuration that is used for signing, change it back to the original certificate, and then the apply policy.

-- Similarly, when BIG-IP as SP is affected, configure a different certificate associated with SAML SP configuration that is used for signing, change it back to the original certificate, and then apply the policy.

Fix:
BIG-IP as SP and BIG-IP as IdP works as expected while generating signed SAML requests/responses or SAML Single Logout (SLO) requests/responses after certificate that is used for signing is modified.


767941-2 : Gracefully handle policy builder errors

Component: Application Security Manager

Symptoms:
Policy Builder (pabnagd) restarts when it encounters an error, and logs errors to /var/log/asm:

crit perl[24868]: 01310027:2: ASM subsystem error (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: pabnagd, Failure: Insufficient number of threads (required: 2, found: 0).

Conditions:
This occurs when policy builder encounters an error.

Impact:
Temporary loss of connectivity with ASM and Policy Builder.

Workaround:
None.

Fix:
The system now handles Policy Builder errors gracefully and reduces Policy Builder down time upon connectivity loss with ASM.


767737-3 : Timing issues during startup may make an HA peer stay in the inoperative state

Component: TMOS

Symptoms:
When two BIG-IP systems are paired, it is possible during startup for the network connection to be made too early during the boot sequence. This may leave a peer in the inoperative state.

Conditions:
This is a timing-related issue that might occur during boot up of high availability (HA) peers.

Impact:
An HA peer does not become ACTIVE when it should.

Workaround:
None.


767653-2 : Malformed HTTP request can result in endless loop in an iRule script

Solution Article: K23860356


767613-3 : Restjavad can keep partially downloaded files open indefinitely

Component: Device Management

Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client does not complete the download. Since these files remain open, the total number of available file handles for the process decreases, and the disk space for the files cannot be recovered. Symptoms may include errors like 'Too many open files', low disk space even after deleting the associated files, and items listed with '(deleted)' in lsof output.

Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.

Impact:
Various errors ('Too many open files.'), low disk space, items listed with '(deleted)' when listed using lsof.

Workaround:
To free the file handles, restart restjavad:
tmsh restart sys service restjavad

Files that were deleted now have their space reclaimed.

Fix:
The restjavad process now internally clears the file handles of such partially downloaded files if they remain untouched for two hours.


767373-3 : CVE-2019-8331: Bootstrap Vulnerability

Solution Article: K24383845


767045 : TMM cores while applying policy

Component: Anomaly Detection Services

Symptoms:
TMM core and possible cores of other daemons.

Conditions:
The exact conditions are unknown.

Occurrences have been seen during specialized internal testing and while applying a copied and edited ASM policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


767013-4 : Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch

Component: TMOS

Symptoms:
In a rare scenario, the HSB sends a large amount and continuous pause frames to the Broadcom switch, which indicates that the HSB is in a bad state.

Conditions:
This happens when there is heavy traffic load on VIPRION B2150, B2250, and B4450 blades. This has also been seen on F5 Appliances, such as iSeries platforms. The root cause of that is still under investigation. It happens extreme rarely.

Impact:
Reboot the BIG-IP system.

Workaround:
None.

Fix:
The system now monitors the pause frames and reboots when it detects that the HSB is in this state.


766577-4 : APMD fails to send response to client and it already closed connection.

Component: Access Policy Manager

Symptoms:
APMD fails to send response to client and produces error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer

APMD does most of its action with backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server response is very slow (because of various reasons such as network issues), it might cause slow apmd client response. Sometimes, the client has already closed the connection to the virtual server, so the client connection is no longer valid.

Conditions:
Backend server is slow, causing longer-than-usual response times.

Impact:
This causes the client to close the connection. APMD fails to respond to the client.

The cumulative slowness of the backend server causes delay in response. Most of the time, the client connection is already closed. As a result, the request queue gets full. When apmd starts processing the request from the queue, the client connection is already closed for some of them, and processing those requests still continues, which is unnecessary and causes more delay.

Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.


766405-3 : MRF SIP ALG with SNAT: Fix for potential crash on next-active device

Component: Service Provider

Symptoms:
The next active device may crash with a core when attempting to create media flows.

Conditions:
The names for the LSN pool and router profile are longer than expected.

Impact:
The TMM on the next active device may core. Traffic disrupted while tmm restarts; If the next-active device was not carrying traffic for a traffic group, traffic is not disrupted.

Workaround:
None.

Fix:
Device no longer cores.


766169-3 : Replacing all VLAN interfaces resets VLAN MTU to a default value

Component: Local Traffic Manager

Symptoms:
When the last physical interface is removed from a VLAN, VLAN's MTU is reset to default value of 1500. However when replacing all interfaces belonging to a VLAN with a new ones (e.g., with a command 'tmsh modify net vlan [name] interfaces replace-all-with {...}'), even if it does not look like removing all interfaces, it is actually done by removing all interfaces immediately followed by adding new ones. Because all interfaces are removed first, the VLAN MTU is reset to the default value even if the original value is perfectly valid for newly added interfaces. As it is done automatically inside TMM, it is not reflected in the configuration. TMSH and Configuration Utility continue to report original value.

Conditions:
Issue is visible only when removing or replacing all interfaces in a VLAN which has MTU value different than default 1500. Added interfaces must also have MTU values larger than 1500.

Impact:
VLAN MTU is set to 1500 despite Configuration Utility and TMSH still reporting original value.

Workaround:
There are two workarounds:

-- Reset desired MTU value after each operation of replacing all interfaces in a VLAN.
-- Avoid replace-all-with operation by adding new interfaces before removing unneeded ones.

Fix:
VLAN MTU value is left unchanged after the last interface is removed. It is recalculated upon adding a new interface anyway, so there is no risk it will be too large.


766017-2 : [APM][LocalDB] Local user database instance name length check inconsistencies

Component: Access Policy Manager

Symptoms:
Tmsh accepts long localdb instance names, but ldbutil later refuses to work with names longer than 64 characters.

The GUI limits the instance name length to 64 characters including the partition prefix, but this is not obvious to the admin.

Conditions:
-- Create a 64 character long local user database instance using tmsh.
-- Try to add users to this instance or try to delete the instance from the GUI.

Impact:
A tmsh-created localdb instance with a name length greater than 64 characters can be created but cannot be used.

Workaround:
Delete instance from tmsh and re-create it with a shorter name.

Fix:
Tmsh now enforces the length limit for localdb instance names.


765621-1 : POST request being rejected when using OAuth Resource Server mode

Component: Access Policy Manager

Symptoms:
POST request is rejected.

Conditions:
-- Using OAuth Resource Server access type.
-- Client sends a large POST body.

Impact:
The request is rejected.

Workaround:
Increase the tmm.access.maxrequestbodysize sys db variable to be larger than the POST body size.

Fix:
The system now supports larger POST requests in OAuth Resource Server mode.


765533-4 : Sensitive information logged when DEBUG logging enabled

Solution Article: K58243048

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048

Conditions:
For more information see: https://support.f5.com/csp/article/K58243048

Impact:
For more information see: https://support.f5.com/csp/article/K58243048

Workaround:
For more information see: https://support.f5.com/csp/article/K58243048

Fix:
For more information see: https://support.f5.com/csp/article/K58243048


764873-4 : An accelerated flow transmits packets to a dated, down pool member.

Component: TMOS

Symptoms:
Normally, when a pool member becomes unavailable, the flow is redirected towards another available pool member. However, an accelerated flow can continue to send traffic to the dated pool member rather than the updated one.

Conditions:
A flow changes the pool member it goes to while the flow is accelerated.

Impact:
The traffic continues to target the dated pool member that is not available.

Workaround:
Disable HW acceleration.

Or on BIG-IP v14.1.0 and later, if a pool member goes away, run the following command to flush all accelerated flow to be handled correctly by software:
tmsh modify sys conn flow-accel-type software-only


764665-1 : AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change

Component: Application Visibility and Reporting

Symptoms:
When BIG-IP is registered on BIG-IQ system, sometimes avrd crashes with core.

Conditions:
-- BIG-IP is registered at BIG-IQ.
-- BIG-IQ sends configuration update to BIG-IP.

Impact:
Avrd cores and restarts. Functionality is not impacted, stats data are sent to BIG-IQ.

Workaround:
None.

Fix:
Corrected issue in setting value for internal flag.


764373-1 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths

Component: Application Security Manager

Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.

Conditions:
Server sends enforced cookies with the same name but with different paths.

Impact:
A valid request might be rejected.

Workaround:
None.

Fix:
The system now checks all enforced cookies correctly, so this issue no longer includes.


763349-1 : AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out

Component: Application Visibility and Reporting

Symptoms:
avrd application on BIG-IP crashes; core is generated.

Conditions:
-- The BIG-IP is configured to send data to BIG-IQ DCD node via the HTTPS protocol.

-- Connection to DCD is established but response does not arrive within the timeout interval, so the connection times out.

Impact:
avrd crashes, and a core is generated.

Workaround:
None.

Fix:
avrd now reconnects to BIG-IQ DCD in a different sequence so this issue no longer occurs.


763121-1 : Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.

Component: Advanced Firewall Manager

Symptoms:
TMM crashes and produces a core file. The crash is a SIGFPE accompanied by the following panic string:

Assertion "packet must already have an ethernet header" failed.

Conditions:
This issue occurs when all of the following conditions are met:

- The system is provisioned for AFM.
- A TCP Half Open attack to the system is underway.
- A BIG-IP Administrator attempts to use the AFM Packet Tester tool, and simulates sending a TCP segment with the SYN flag set.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the AFM Packet Tester tool while a TCP Half Open attack is underway.

Fix:
TMM no longer crashes when utilizing the AFM Packet Tester tool.


763093-1 : LRO packets are not taken into account for ifc_stats (VLAN stats)

Component: Local Traffic Manager

Symptoms:
The ifc_stats do not correctly reflect the number of incoming octets/packets. There is a discrepancy between octets/packets in/out in the ifc_stats table, which tracks per-VLAN stats.

Conditions:
LRO is enabled and used for incoming packets.

Impact:
ifc_stats are incorrect for incoming octets and packets.

Workaround:
Disable LRO using the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable

After modifying that variable, you must restart tmm for it to take effect (traffic disrupted while tmm restarts):
bigstart restart tmm


763005-2 : Aggregated Domain Names in DNS statistics are shown as random domain name

Component: Application Visibility and Reporting

Symptoms:
Many DNS queries (e.g., 50000) with different query domain names are sent and AVR aggregates data it shows aggregated names using a random name taken from the first lookup table record.

Conditions:
-- Run 50000 DNS queries, all with different domain names.
-- View Statistics :: Analytics :: DNS, and choose View By : Domain Names.

Impact:
There is one random domain name with a high counter value, other domains are shown with counter 1.

Workaround:
None.


763001-2 : Web-socket enforcement might lead to a false negative

Solution Article: K70312000

Component: Application Security Manager

Symptoms:
A request that should be blocked will be passed to server.

Conditions:
Parse parameters flag in json profile is enabled.
Requests are sent in json websocket.

Impact:
Bad requests may be passed to the server

Workaround:
Disable parse parameters flag in json profile

Fix:
Web-socket enforcement now filters requests as expected.


762453 : Hardware cryptography acceleration may fail

Solution Article: K63558580


762205-1 : IKEv2 rekey fails to recognize VENDOR_ID payload when it appears

Component: TMOS

Symptoms:
Rekey with non BIG-IP systems can fail when a response contains a VENDOR_ID payload.

Conditions:
- IKEv2 Responder sends VENDOR_ID payload in rekey response.
- The ipsec.log misleadingly reports:
  [I] [PROTO_ERR]: unexpected critical payload (type 43)
  Note: This message may be correctly present under other conditions, with different type constants not equal to 43.

Impact:
BIG-IP as the initiator of rekey drops the rekey negotiation without making further progress when the responder included a VENDOR_ID payload in a response. This will result in deleting the SA for good when the hard lifetime expires, causing a tunnel outage.

Workaround:
No workaround is known at this time.

Fix:
Handling of payload types during rekey will now ignore VENDOR_ID when it appears, the same way we ignore VENDOR_ID in other messages during IKE negotiation.


762073-1 : Continuous TMM restarts when HSB drops off the PCI bus

Component: TMOS

Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.

Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.

Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.

Workaround:
Manually reboot the BIG-IP system.

Fix:
TMM no longer gets stuck in a restart loop, as a reboot is now automatic in this scenario.


761993-4 : The nsm process may crash if it detects a nexthop mismatch

Component: TMOS

Symptoms:
If there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop, nsm may crash and restart.

Conditions:
-- Dynamic routing is in use.
-- A mismatch between tmrouted and nsm for the interface index or gateway of a nexthop exists.

Impact:
There is a temporary interruption to dynamic routing while nsm is restarted.

Workaround:
None.

Fix:
Prevented nsm crashing when there is a mismatch between tmrouted and nsm for the interface index or gateway of a nexthop.


761941-3 : ASM does not remove CSRT token query parameter before forwarding a request to the backend server

Component: Application Security Manager

Symptoms:
CSRT query parameter observed in tcpdump on the BIG-IP system's server side.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- CSRF enabled in ASM policy.

Impact:
Backend app gets CSRT parameter, which might impact its business logic.

Workaround:
You can remove a CSRT query parameter using a URI modification iRule on the server side.

Fix:
The system now removes the csrt query parameter before forwarding a request to the backend server


761921-3 : avrd high CPU utilization due to perpetual connection attempts

Component: Application Security Manager

Symptoms:
avrd shows high CPU utilization. Repeated retries on auth token client failed connection attempts.

Conditions:
-- The BIG-IQ system is not available (even though it is configured).
-- Frequent connection retries.

Impact:
avrd consumes a large amount of CPU.

Workaround:
Correct BIG-IQ availability and restart avrd.

Fix:
avrd now waits between connection retries, so this issue does not occur.


761553-4 : Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic

Component: Application Security Manager

Symptoms:
Text for analyzed requests might be misleading for suggestions that are created as result of an absence of violations in traffic:

X requests triggered this suggestion from date:time until date:time.

Actually:
-- 'X requests' did not trigger a violation, and no sampled are requests provided.

-- The format of the time in 'from date:time until date:time' is difficult to parse.

Conditions:
There are suggestions that were created as result of an absence of violations in traffic in the policy.

Impact:
Text might be misleading.

Workaround:
None.

Fix:
Improved text for analyzed requests for suggestions that were created as result of absence of violations in traffic


761549-4 : Traffic Learning: Accept and Stage action is shown only in case entity is not in staging

Component: Application Security Manager

Symptoms:
Accept and Stage action is available, even for entities that are in staging already.

Conditions:
Create suggestion for the entity (e.g., Attack signature on parameter) that is in staging.

Impact:
Action that is not relevant is shown.

Workaround:
None.

Fix:
Accept and Stage action is available only for suggestions on entities that are not in staging


761345-1 : Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode

Component: Advanced Firewall Manager

Symptoms:
When manual config-sync mode is enabled for a HA setup, additional config-sync may be required after firewall blob compilation.

Conditions:
Firewall rule configuration modified on a high availability (HA) setup with manual config-sync mode enabled.

Impact:
Additional config-sync may be required after compilation completion.
A warning may be given: "There is a possible change conflict between <device1> and <device2>.", and full sync may be forced.

Workaround:
Enable auto config-sync instead of manual config-sync.

Fix:
Additional config-sync is not required in these conditions.


761300 : Errors in REST token requests may log sensitive data

Solution Article: K61105950

Component: Device Management

Symptoms:
When requests for REST tokens generate a parsing error the logged message may contain sensitive data present in the request, including passwords.

Conditions:
Error in token request parsing. Typically causes include a typo or other JSON syntax error in the POST body of the REST request.

Impact:
Restlogs record sensitive data. Properly formatted requests do not generate this error logging and do not record sensitive data.

Workaround:
None.

Fix:
Sensitive data is now filtered from logging.


761273-1 : wr_urldbd creates sparse log files by writing from the previous position after logrotate.

Component: Traffic Classification Engine

Symptoms:
After log rotation, the wr_urldbd daemon continues to write at the pre-rotate offset into the file, so the next message is written at offset N, making the file sparse, with all characters prior to position being read as nulls.

Conditions:
System rotates log files.

Impact:
Some automated systems might not be able to read log file.

Workaround:
None.

Fix:
Log file preserves text file type after log rotation.


761231-4 : Bot Defense Search Engines getting blocked after configuring DNS correctly

Solution Article: K79240502

Component: Application Security Manager

Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.

A cache is stored for legal / illegal requests to prevent querying the DNS again.

This cache never expires, so in case of an initial misconfiguration, after fixing the DNS configuration, or routing or networking issue, the Search Engines may still be blocked until TMM is restarted.

Conditions:
-- Initial misconfiguration of DNS or routing or networking issue.
-- Cache stores requests to prevent future queries to DNS.
-- Correct the misconfiguration.

Impact:
Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.

Workaround:
Restart TMM by running the following command:
bigstart restart tmm

Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.


761185-4 : Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic

Solution Article: K50375550

Component: Local Traffic Manager

Symptoms:
For more information please see: https://support.f5.com/csp/article/K50375550

Conditions:
For more information please see: https://support.f5.com/csp/article/K50375550

Impact:
For more information please see: https://support.f5.com/csp/article/K50375550

Workaround:
For more information please see: https://support.f5.com/csp/article/K50375550

Fix:
For more information please see: https://support.f5.com/csp/article/K50375550


761144-6 : Broadcast frames may be dropped

Solution Article: K95117754


761112-5 : TMM may consume excessive resources when processing FastL4 traffic

Solution Article: K76328112


761032-4 : TMSH displays TSIG keys

Solution Article: K36328238

Component: Global Traffic Manager (DNS)

Symptoms:
TSIG key is displayed when related configuration is listed in TMSH.

Conditions:
Authenticated administrative user.
Listing TSIG keys using TMSH.

Impact:
Displaying TSIG keys is a security exposure.

Workaround:
None.

Fix:
TMSH no longer displays TSIG keys when listing configuration.


761030-1 : tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route

Component: Local Traffic Manager

Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not shown using the show net route lookup command.

Conditions:
-- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.
-- Dynamic Routing protocols such as OSPFv3 configured.

Impact:
Cannot see any dynamic routes added while IPv4-mapped IPv6 addresses are configured.

Workaround:
None.

Fix:
The query for IPv4-mapped IPv6 addresses now shows dynamic routes added while IPv4-mapped IPv6 is configured.


761014-4 : TMM may crash while processing local traffic

Solution Article: K11447758


760974-1 : TMM SIGABRT while evaluating access policy

Component: Access Policy Manager

Symptoms:
TMM cores while evaluating access policy.

Conditions:
-- Secure Web Gateway is configured and in use.
-- An access policy is being evaluated.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use an iRule similar to the following:

when ACCESS_POLICY_COMPLETED {
    set res [ACCESS::session data get "session.policy.result"]

    if {[string compare $res "in_progress"] == 0} {
     log local0.notice "rejecting"
      reject
    }
    log local0.notice "result :$res"
}

Fix:
TMM no longer cores under these conditions.


760961 : TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts

Component: Traffic Classification Engine

Symptoms:
Webroot daemon (wr_urldbd) crashes because of a socket handler issue that occurs when sending the URI categorization request to the BrightCloud server.

Wr_urldbd daemon restarts, and during startup, it loads the downloaded database to the shared memory channel. This shared memory channel is being used by the TMM, which has no information about the wr_urldbd restart, so tmm restarts.

Conditions:
-- Wr_urldbd restarts (which occurs due to an issue in socket handler when sending URL categorization requests to the BrightCloud server).

-- During wr_urldbd startup, the daemon starts loading the downloaded webroot database to the shared memory channel set up between the wr_urldbd and TMM.

-- TMM accesses this shared memory channel to perform a URL category lookup (due to traffic).

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes under these conditions.


760878-2 : Incorrect enforcement of explicit global parameters

Component: Application Security Manager

Symptoms:
A false positive or false negative enforcement of explicit global parameter.

Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.

Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.

Workaround:
Make the explicit parameters a wildcard parameter.

Fix:
Explicit parameters are enforced correctly on all parameters.


760771-3 : FastL4-steered traffic might cause SSL resume handshake delay

Component: Local Traffic Manager

Symptoms:
When a FastL4 virtual server steers traffic to another SSL-enabled virtual server, there can be a delay on SSL session resumption because SSL is unable to identify the connection flow.

Additionally, it has been observed that if fallback persistence is configured, the BIG-IP system might fail to start the connection serverside.

Conditions:
-- FastL4 virtual server.
-- iRule is used to steer traffic to another virtual server with client SSL enabled.
-- Multiple tmm's.

Impact:
-- Potential impact to SSL performance.
-- Possible connection failure.

Workaround:
To workaround this issue:
-- Disable FastL4.
-- Enable OneConnect.

Fix:
FastL4-steered traffic no longer causes SSL resume handshake delay.


760683-2 : RST from non-floating self-ip may use floating self-ip source mac-address

Component: Local Traffic Manager

Symptoms:
A RST from non-floating self-ip may use floating self-ip source mac-address when AFM or ASM is enabled.

Conditions:
-- AFM or ASM is enabled.
-- RST generated from non-floating self-ip address.

Impact:
An L2 switch may update the fwd table incorrectly.

Workaround:
None.

Fix:
The system now uses the correct source mac-address under these conditions.


760679 : Memory corruption when using C3D on certain platforms

Component: Local Traffic Manager

Symptoms:
When using Client Certificate Constrained Delegation (C3D), memory corruption can occur, which can eventually lead to a tmm crash.

Conditions:
C3D is enabled on a virtual server.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes under these conditions.


760629-2 : Remove Obsolete APM keys in BigDB

Component: Access Policy Manager

Symptoms:
Several APM/Access BigDB keys are obsolete

Conditions:
This is encountered on BIG-IP software installations.

Impact:
The db keys are obsolete and can be safely ignored.

Workaround:
None

Fix:
The following db keys have been removed from the system:

Log.AccessControl.Level
Log.ApmAcl.Level
Log.SSO.Level
Log.swg.Level
Log.AccessPerRequest.Level
Log.access.syslog
Log.access.db


760622-2 : Allow Device Certificate renewal from BIG-IP Configuration Utility

Component: TMOS

Symptoms:
Unable to renew Device Certificate from System :: Certificate Management : Device Certificate Management : Device Certificate :: server.crt in non-English BIG-IP configurations.

Conditions:
Attempting to renew a device certificate on the System :: Certificate Management : Device Certificate Management : Device Certificate :: using the server.crt-equivalent on a non-English BIG-IP system.

Impact:
Unable to renew Device Certificate from the BIG-IP Configuration Utility.

Workaround:
Use a command of the following syntax, replacing key name, cert name, and # of days with your values:

openssl req -new -x509 -key ../ssl.key/server.key -days <# of days> -out server.crt

For example, to renew the siteserver.key and siteserver.crt for 90 days, use the following command:

openssl req -new -x509 -key ../ssl.key/siteserver.key -days 90 -out siteserver.crt

Fix:
The system now allows Device Certificate renewal from BIG-IP Configuration Utility.


760550-3 : Retransmitted TCP packet has FIN bit set

Component: Local Traffic Manager

Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.

Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.

Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.

Workaround:
Set Nagle to disabled in the TCP profile.

Fix:
The incorrect FIN bit is removed.


760471-4 : GTM iQuery connections may be reset during SSL key renegotiation.

Component: Global Traffic Manager (DNS)

Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.

Conditions:
This occurs occasionally during routine renegotiation. Renegotiation occurs once very 24 hours, per connection, by default (but can be controlled by the db key big3d.renegotiation.interval)

Impact:
The affected iQuery connection is briefly marked down as the connection is marked down before the connection is immediately re-established.

Workaround:
There is no workaround.

Fix:
GTM iQuery renegotiations no longer cause the error that reset the connection.


760439-2 : After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status

Component: TMOS

Symptoms:
After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status (e.g., transitions to standby or active).

Conditions:
Installing UCS that was taken in forced-offline state on clean installed unit.

Impact:
Unit may become active/standby before intended (e.g., during maintenance).

Workaround:
After installing the UCS, ensure that the unit is in forced-offline state as intended. If not in forced-offline state, force the unit offline before proceeding.


760438-1 : PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions

Component: Policy Enforcement Manager

Symptoms:
tmm coredump

Conditions:
-- Using an iRule to apply a referential policy in a rigorous loop.
-- This is a rarely occurring timing issue.

Impact:
Traffic impact due to tmm coredump. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The BIG-IP system now validates session presence before applying the policy.


760408-1 : System Integrity Status: Invalid after BIOS update

Solution Article: K23438711

Component: TMOS

Symptoms:
When BIG-IP system boots, it performs a System Integrity Check. The System Integrity Status may return one of three states: Valid, Unavailable, or Invalid.

This issue causes the System Integrity Status to return a value of 'Invalid'.

Conditions:
-- BIG-IP systems that have been manufactured using a earlier BIOS version.
-- Updating to a newer BIOS version.

Impact:
The System Integrity Status returns a status of Invalid, which may falsely indicate that the system BIOS or OS has been compromised.

Workaround:
Install the new BIOS, which fixes the issue that causes the 'Invalid' status to be reported, and, on systems where the BIOS and OS have not been compromised, returns a status of 'Valid'.

Fix:
The System Integrity Status check now return 'Valid' for systems that have not been compromised.


760363-2 : Update Alias Address field with default placeholder text

Component: TMOS

Symptoms:
Unable to update Alias Address field with the default value under Local Traffic :: Monitors :: [MonitorName] after removing everything from the input field and updating again with the placeholder text.

Conditions:
-- Using a system running software in which the GUI supports Chinese characters.
-- Remove content from the Alias Address field under Local Traffic :: Monitors:: [MonitorName].
-- Enter the default placeholder text.

Impact:
Unable to update the Alias Address input field with default placeholder text after replacing the said field with blank text or a valid value.

Workaround:
Pass empty value or ::

Fix:
Allow monitors to update with default placeholder text for Alias Address


760356-4 : Users with Application Security Administrator role cannot delete Scheduled Reports

Component: Application Visibility and Reporting

Symptoms:
User accounts configured with the Application Security Administrator role cannot delete scheduled reports, while they can create/view/edit them.

Conditions:
-- Logged on with a user account configured as an Application Security Administrator.
-- Attempting to delete a scheduled report.

Impact:
Cannot complete the delete operation. Deleting scheduled reports requires root/admin intervention.

Workaround:
Use root or a user account configured as Administrator to delete scheduled reports.

Fix:
User accounts configured with the Application Security Administrator role can now delete Scheduled Reports


760222-5 : SCP fails unexpected when FIPS mode is enabled

Component: TMOS

Symptoms:
Secure Copy (scp) to some locations fails with the following message:
Path not allowed.

Conditions:
-- FIPS mode is enabled.
-- Copying a file to a restricted location using SCP.

Impact:
Cannot use SCP to copy to restricted locations on the BIG-IP system.

Workaround:
None.

Fix:
This scp issue no longer occurs when FIPS cards are installed.


760130-1 : [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK

Component: Access Policy Manager

Symptoms:
-- Increased overall TMM memory usage, which eventually forces TMM to start closing connections to reduce memory usage.
-- connflow memory usage keeps increasing. Memory usage can be observed with this command:
# tmctl -f /var/tmstat/blade/tmm0 memory_usage_stat -w200

Conditions:
1. Using PingAccess.
2. Errors are being logged in /var/log/paa.

Impact:
-- Memory leak.
-- Eventually TMM starts closing connections randomly.

Workaround:
None.

Fix:
When PingAccess encounters an error after sending traffic data to PingAccess SDK, TMM no longer leaks memory.


760050-4 : "cwnd too low" warning message seen in logs

Component: Local Traffic Manager

Symptoms:
The following benign message appears in the log: "cwnd too low."

The message can be seen in both tmm logs (where it shows as 'notice' severity) and also in the ltm log (where it shows as 'crit' (critical) severity).

Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.

Impact:
None. TCP resets the congestion window to 1 MSS.

Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.


759968 : Distinct vCMP guests are able to cluster with each other.

Component: Local Traffic Manager

Symptoms:
-- Distinct vCMP guests are able to cluster with each other.

-- Guests end up having duplicate rebroad_mac on one or more slots. This can be checked using below command:

clsh tmctl -d blade tmm/vcmp -w 200 -s vcmp_name,tmid,rebroad_mac

Check the 'rebroad_mac' field for duplicate mac addresses.

vcmp_name tmid rebroad_mac
--------- ---- -----------------
default 0 02:01:23:45:01:00
vcmp1 0 00:00:00:00:00:00
vcmp5 0 02:01:23:45:01:04
vcmp6 0 00:00:00:00:00:00
vcmp7 0 02:01:23:45:01:06
vcmp8 0 00:00:00:00:00:00
vcmp9 0 02:01:23:45:01:08
vcmp10 0 02:01:23:45:01:0A <--------------
vcmp11 0 02:01:23:45:01:0A <--------------

Conditions:
-- It is not yet clear under what circumstances the issue occurs.

-- One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate 'rebroad_mac' on one or more slots.

Impact:
Only the vCMP guest acting as primary will be operative.

Workaround:
-- Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:

modify sys db clusterd.communicateovertmmbp value false.

To disable the db variable on the affected guest, log in to the TMOS Shell (tmsh) by entering the following command:

tmsh

Then run the following commands, in sequence:

stop sys service clusterd
modify sys db clusterd.communicateovertmmbp value false
start sys service clusterd
save sys config

Afterwards, the affected guest might still have the wrong management IP address. To resolve that, log into the vCMP Hypervisor and force a management IP update such as changing the netmask and then changing it back.

With the above steps, the duplicated rebroadcaster MAC still shows, but the vguests are in stable states. To fix the duplicated MAC problem, apply the workaround (on all blades) documented in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.

Important: Applying procedure described in K13030 interrupts traffic.

Fix:
The vCMP guests no longer end up having a non-null and duplicate 'rebroad_mac' on one or more slots. Distinct vCMP guests are no longer able to cluster with each other.


759735-1 : OSPF ASE route calculation for new external-LSA delayed

Component: TMOS

Symptoms:
External link-state advertisement (LSA) update does not trigger OSPF ASE route calculation, resulting in delay for route state changes from external LSA.

Conditions:
-- OSPF enabled.
-- More than 20 updated external LSA.
-- No updated router and network LSA.

Impact:
Delay of route update from external LSA.

Workaround:
Manually clear ip ospf process.

Fix:
OSPF ASE route calculation from external LSA are happening as normal.


759721-4 : DNS GUI does not follow best practices

Solution Article: K03332436

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS WebUI does not follow best security practices.

Conditions:
DNS services provisioned, enabled, and configured

Impact:
The DNS WebUI does not follow best security practices.

Workaround:
None.

Fix:
The DNS WebUI now follows best security practices.


759638-1 : APM current active and established session counts out of sync after failover

Component: Access Policy Manager

Symptoms:
The 'tmsh show apm license' command shows that the current established session count is much larger than the current active session count. In the extreme case, current established session count can reach the maximum allowed, and the system reports the ERR_TOOBIG error in the apm log.

err tmm3[12351]: 01490581:3: (null):Common:00000000: Access stats encountered error: SessionDB operation failed (key: tmm.license.global_estab_stats.f26de3c7, ret: ERR_TOOBIG).

Conditions:
This counter out-of-sync period happens right after failover and lasts for five minutes.

Impact:
There is no impact to user sessions. Only the connection counts are impacted.

Workaround:
None.


759596-3 : Tcl errors in iRules 'table' command

Component: TMOS

Symptoms:
The iRules 'table delete' command causes Tcl errors due to improperly handling the return code from SessionDB.

Conditions:
-- iRules 'table delete' command is used.
-- Does not occur consistently, but is more prone to occur when the system is processing more traffic.

Impact:
The 'table delete' command randomly fails and causes disruptions in traffic.

Workaround:
Do not use 'table delete' command

Fix:
Fixed 'table delete' to properly interpret the return code from SessionDB.


759536-4 : Linux kernel vulnerability: CVE-2019-8912

Solution Article: K31739796


759480-2 : HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash

Component: Local Traffic Manager

Symptoms:
When a request is sent to the virtual server which meets the conditions specified, TMM may crash.

Conditions:
When all of the following conditions are met:

-- Virtual server configured with iRule that contains HTTP::respond or HTTP::redirect in an LB_FAILED event.

-- A command in an LB_FAILED event (does not have to be in the same iRule as the previous point, but must be attached to the same virtual server), that parks the iRule (e.g., table, session, persist, after, HSL).

-- A CLIENT_CLOSED event is present.

-- The pool member fails in some manner, triggering LB_FAILED

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Add reject command to LB_FAILED event to force the serverside of the connection closed before response is sent to the client.


759360 : Apply Policy fails due to policy corruption from previously enforced signature

Component: Application Security Manager

Symptoms:
Apply Policy fails due to policy corruption in PLC database from a previously enforced signature.

Conditions:
1. Export a policy containing a signature with an enforced rule.
2. Update ASM Signatures (ASU).
3. Import that previously exported policy.
4. Apply the newly imported policy.

Impact:
Apply policy fails.

Workaround:
As a workaround, run the following SQL, and then apply the policy:

----------------------------------------------------------------------
UPDATE PLC.PL_POLICY_NEGSIG_SIGNATURES SET previous_enforced_rule_md5 = '' WHERE previous_enforced_rule = '' and previous_enforced_rule_md5 != ''
----------------------------------------------------------------------


759192-1 : TMM core during display of PEM session under some specific conditions

Component: Policy Enforcement Manager

Symptoms:
TMM crashes during display of PEM session if the session has multiple IP addresses added under certain conditions.

Conditions:
-- Session has multiple IP addresses added.
-- When the session was created, addition of multiple IP addresses was not allowed.

Impact:
TMM restart. Traffic disrupted while tmm restarts.

Workaround:
Do not change the value of sys db variable tmm.pem.session.ip.addr.max while some sessions are already created.

Fix:
TMM core during display of PEM session no longer occurs.


759135-5 : AVR report limits are locked at 1000 transactions

Component: Application Visibility and Reporting

Symptoms:
AVR reports are limited to 1000 transactions. This is due to a hard-coded limit.

Conditions:
Using AVR reports for more than 1000 transactions.

Impact:
Unable to create reports with more than 1000 rows.

Workaround:
None.

Fix:
A db variable avr.stats.reportrownumberlimit has been added, that can be controlled via TMSH. The variable controls the number of rows in report within the range of 1 to 100000.

For example, for a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:

tmsh modify sys db avr.stats.reportrownumberlimit value 10000

Behavior Change:
There is a new db variable avr.stats.reportrownumberlimit available in TMSH, which controls the number of rows in an AVR report. Valid values are from 1 to 100000.

For example, to create a report with 10000 rows, modify the 'avr.stats.reportrownumberlimit' variable using the following command:

tmsh modify sys db avr.stats.reportrownumberlimit value 10000


759077-4 : MRF SIP filter queue sizes not configurable

Component: Service Provider

Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.

Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes are exceeded, the filter enables its flow control logic.

Impact:
Messages may be dropped.

Workaround:
None.

Fix:
The max-pending-messages and max-pending-bytes values in the SIP router profile will be used as the limits for the SIP filter's queues. If the configured value is less than the existing hard-coded limits (512 bytes or 65535 bytes), the hard-coded limits will be used.


759056-1 : stpd memory leak on secondary blades in a multi-blade system

Component: Local Traffic Manager

Symptoms:
On secondary blades in a multi-blade system, stpd shows continued increased memory usage.

Conditions:
A non passthru STP mode (STP, RSTP or MSTP) is enabled on the system.

Impact:
System performance is degraded due to needless memory usage by stpd.

Workaround:
None.

Fix:
Stpd no longer leaks memory.


758992-1 : The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address

Component: Local Traffic Manager

Symptoms:
tmm may use a combination of the traffic-group MAC address and the per-VLAN MAC address for traffic associated with the traffic-group.

Conditions:
All of the following:
-- The traffic-group has a MAC address set.
-- The sys db variable 'tm.macmasqaddr_per_vlan' is set to true.
-- There are multiple tmm processes running on the BIG-IP system.

Note: BIG-IP Virtual Edition is not affected since there is only one tmm process.

Impact:
Incorrect MAC address used for traffic associated with the traffic-group.

Workaround:
None.

Fix:
tmm uses the proper MAC address when there is a traffic-group mac address defined and 'tm.macmasqaddr_per_vlan' is set to true.


758961 : During brute force attack, the attempted passwords may be logged

Solution Article: K58243048

Component: Application Security Manager

Symptoms:
Request data potentially included passwords is not masked in the ASM local and remote logger.

Conditions:
A brute force attack is in progress and login traffic is blocked from the suspicious IPs.

Impact:
An exposure of potentially sensitive data to the BIG-IP logger.

Workaround:
N/A

Fix:
Potentially sensitive data from brute force blocked requests is no longer logged.


758872-2 : TMM memory leak

Component: Local Traffic Manager

Symptoms:
When a Clustered Multiprocessing (CMP) disabled virtual server enters syncookie mode the flows created on TMM instances other than tmm0 are not removed, resulting in a TMM memory leak.

Note: CMP-disabled virtual servers are not distributed among the available TMM processes, but instead are processed on tmm0.

Conditions:
-- Virtual server is CMP disabled.
-- The same virtual server enters syncookie mode.

Impact:
Elevated memory utilization that may impact performance. In extreme cases, it might lead to out-of-memory crash.

Workaround:
Make sure the virtual server is not CMP disabled, for example, avoid using global variables in iRules.

Fix:
Flows of CMP-disabled virtual servers are now properly removed from all TMM instances.


758781-1 : iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates

Component: TMOS

Symptoms:
The following commands take a long time to complete when there are a large number of certificates:
get_certificate_list()
get_certificate_list_v2()
get_certificate_list_v3()

Conditions:
-- Using the get_certificate_list(), get_certificate_list_v2(), and get_certificate_list_v3() commands to get certificate information.
-- A large number of certificates (typically in the thousands) are installed on the BIG-IP system.

Impact:
Slowness might cause timeouts in applications that are calling these functions.

Workaround:
Use iControl REST API corresponding to sys/file/ssl-cert.


758772-4 : DNS Cache RRSET Evictions Stat not increasing

Component: Global Traffic Manager (DNS)

Symptoms:
In the DNS Cache stats, the 'Resource Record Cache' statistic of 'Evictions' does not increase.

Conditions:
This occurs when the cache is full enough for records to be evicted.

Impact:
The 'Evictions' statistics do not increase when those records are evicted. Incorrect statistics accounting.

Workaround:
None.

Fix:
Fixed an issue preventing the DNS Cache's 'Resource Record Cache' statistic from counting 'Evictions'.


758764-4 : APMD Core when CRLDP Auth fails to download revoked certificate

Component: Access Policy Manager

Symptoms:
Download CRLDP Auth fails to download revoked certificates, so the list of revoked certificate remains empty (NULL). APMD cores while accessing this empty (NULL) list.

Conditions:
Empty revoked-certificate list handling.

Impact:
APMD core. No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso while apmd restarts.

Workaround:
None.

Fix:
The system now checks for empty revoked certificate lists (for NULL) and lets the validation OK (because there is nothing to validate against).


758631-2 : ec_point_formats extension might be included in the server hello even if not specified in the client hello

Component: Local Traffic Manager

Symptoms:
RFC 5246 states that if an extension does not exist in the client hello, it must not exist in the server hello. When an EC cipher suite is selected, the server might send the ec_point_formats extension, even if none exists in the client hello.

Conditions:
-- An EC cipher suite is selected.
-- The client does not send an ec_point_formats extension.

Impact:
Some clients abort the connection in this case.

Workaround:
There is no workaround other than not configuring any EC cipher suites.

Fix:
With this change, the server does not send an unsolicited ec_point_formats extension.


758599-4 : IPv6 Management route is preferred over IPv6 tmm route

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metric than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the mgmt interface.

Conditions:
Create an IPv6 mgmt route and a static IPv6 tmm route on the same BIG-IP system. IPv6 routes from TMM are injected at metric 1024.

Impact:
The incorrect routing table sends the traffic that matches the default route to the mgmt interface.

Workaround:
None.

Fix:
The IPv4 and IPv6 management routes now have a metric value of 4096. Default value of static routes are 1 for IPv4 and 1024 for IPv6. This makes static routes (TMM routes) preferred over management routes, which is correct behavior.


758527-4 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode

Solution Article: K39604784

Component: TMOS

Symptoms:
Under certain conditions BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.

Conditions:
Tagged VLANs in use.
STP pass-through mode enabled.

Impact:
Frames not delivered as expected.

Workaround:
Disable global STP.

Fix:
Frames now delivered as expected.


758437-4 : SYN w/ data disrupts stat collection in Fast L4

Component: Local Traffic Manager

Symptoms:
Fast L4 analytics reports very large integers for goodput.

Conditions:
BIG-IP receives SYNs with attached data.

Impact:
Goodput data is unreliable.

Workaround:
None.

Fix:
Data coupled with the SYN breaks the check for a Fast L4 state change. The connection can still function normally, but statistics collection is reliant on the state change to initialize things properly. The system now ensures the correct state under these conditions, so statistics are measured correctly.


758436-2 : Optimistic ACKs degrade Fast L4 statistics

Component: Local Traffic Manager

Symptoms:
Fast L4 Analytics reports very large integers for goodput.

Conditions:
Endpoints send ACKs for data that has not been sent.

Impact:
Goodput statistics are not usable in certain data sets.

Workaround:
None.

Fix:
Additional checks prevent analytics from trusting optimistic ACKs.


758336-1 : Incorrect recommendation in Online Help of Proactive Bot Defense

Component: Application Security Manager

Symptoms:
The online help of Proactive Bot Defense within the DoS profile shows the following under the 'Cross-Domain Requests' section:

Allow configured domains; validate in bulk: ... We recommend this option if your web site has many cross-domain resources.

Allow configured domains; validate upon request: ... We recommend this option if your web site does not have many cross-domain resources.

The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.

Conditions:
Application has multiple cross-domain resources.

Impact:
Confusing documentation. The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.

Workaround:
For many cross-domain resources, it is better to use 'validate upon request'.

Fix:
The online help of Proactive Bot Defense has been corrected under the 'Cross-Domain Requests' section.


758119-4 : qkview may contain sensitive information

Solution Article: K58243048

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048

Conditions:
For more information see: https://support.f5.com/csp/article/K58243048

Impact:
For more information see: https://support.f5.com/csp/article/K58243048

Workaround:
For more information see: https://support.f5.com/csp/article/K58243048

Fix:
For more information see: https://support.f5.com/csp/article/K58243048


758065-2 : TMM may consume excessive resources while processing FIX traffic

Solution Article: K82781208


758041-4 : Pool Members may not be updated accurately when multiple identical database monitors configured

Component: Local Traffic Manager

Symptoms:
When two or more database monitors (MSSQL, MySQL, PostgreSQL, Oracle) with identical 'send' and 'recv' strings are configured and applied to different pools (with at least one pool member in each), the monitor status of some pool members may not be updated accurately.

Other parameters of the affected monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause pool members using one of the affected monitors to connect to the same database to be marked UP, while pool members using another affected monitor may be marked DOWN.

As a result of this issue, pool members that should be marked UP or DOWN by the configured monitor may instead be marked according to another affected monitor's configuration, resulting in the affected pool members being intermittently marked with an incorrect state.

After the next monitor ping interval, affected pool members members may be marked with the correct state.

Conditions:
This may occur when multiple database monitors (MSSQL, MySQL, PostgreSQL, Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different pools/members.

For example:
ltm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
    recv none
    send "select version();"
...
}

Impact:
Monitored pool members using a database monitor (MSSQL, MySQL, PostgreSQL, Oracle) randomly go offline/online.

Workaround:
To avoid this issue, configure each database monitor with values that make the combined parameters unique by changing either the 'send' or the 'recv' parameters, or both.

For example:
ltm monitor mysql mysql_monitor1 {
...
    recv none
    send "select version();"
...
}
ltm monitor mysql mysql_monitor2 {
...
    recv 5.7
    send "select version();"
...
}

Fix:
The system now correctly updates pool members when multiple identical database monitors are configured.


758018-3 : APD/APMD may consume excessive resources

Solution Article: K61705126


757992-1 : RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup

Component: Access Policy Manager

Symptoms:
RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup

Conditions:
-- Configure Floating IP with route domain.
-- Configure RADIUS accounting server with Pool Setup.
-- Configure the virtual server containing the access policy to use the RADIUS Accounting server.
-- Access the virtual server.

Impact:
-- START message is being sent through proper egress floating IP address.
-- STOP message is not sent, and the system logs the following error message:
-- err tmm1[11193]: 01490586:3: (null):Common:8a505e8c: Processing radius acct stop message failed, connection failure.
-- err tmm1[11193]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_RTE. File: ../modules/hudfilter/access/access_session.c, Function: access_session_final_callback, Line: 4439.

Workaround:
This issue is present only when the floating IP address is configured with a non-default route domain. It works fine with the default route domain. Use of default route domain is recommended.

Fix:
RADIUS Acct STOP message is now sent as expected.


757827-3 : Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution

Component: Local Traffic Manager

Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP reboot operation.

Conditions:
This may occur on affected BIG-IP versions when:
-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.

-- DNS queries to resolve these FQDN names occur almost simultaneously.

-- The BIG-IP version in use contains the fix for ID 726319 :: Bug ID 726319: 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses :: https://cdn.f5.com/product/bugtracker/ID726319.html.

The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.

Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected. As a result, some pools may not have any active pool members, and do not pass traffic.

This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.

Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes ('##' is the desired number of seconds between successive DNS queries to resolve the configure FQDN name):

tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }

Fix:
When using FQDN nodes and pool members, ephemeral pool members are now created as expected following a configuration-load or BIG-IP reboot operation.

However, messages similar to the following may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name:

-- err mcpd[20479]: 01020066:3: The requested Node (****) already exists in partition ****.
-- err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.

These are benign messages that do not affect BIG-IP functionality.


757781-1 : Portal Access: cookie exchange may be broken sometimes

Component: Access Policy Manager

Symptoms:
Portal Access uses special HTTP request with URL '/private/fm/volatile.html' to exchange cookie data between client and BIG-IP. Sometimes the BIG-IP system might send an invalid response to such a request. As a result, no cookie data can be sent from the backend server to the client.

Conditions:
Invalid response to HTTP requests with the following URL:
/private/fm/volatile.html.

Impact:
Portal Access client cannot see cookies set by the backend server. Backend server does not send cookie data to the client.

Workaround:
None.

Fix:
Portal Access now sends correct HTTP responses with backend cookie data to the client.


757722-1 : Unknown notify message types unsupported in IKEv2

Component: TMOS

Symptoms:
IKE negotiation fails when an unrecognized notify payload type is seen in a message processed by IKEv2.

Conditions:
Receiving an IKE message that contains a notify payload whose numeric type value is unrecognized by IKEv2.

Impact:
Negotiation fails with an aborted connection, preventing tunnel creation.

Workaround:
A peer can suppress notification payloads with advisory values that get rejected by IKEv2 within the BIG-IP system.

Fix:
All unknown notify types are now logged and then ignored.


757578-4 : RAM cache is not compatible with verify-accept

Component: Local Traffic Manager

Symptoms:
The TCP profile's verify-accept option is not compatible with the RAM cache feature

Conditions:
A TCP profile is used with the 'verify-accept' option enabled, together with a Web Acceleration via RAM cache.

Impact:
There may be a log message in /var/log/tmm# describing an 'Invalid Proxy Transition'. The RAM cache feature may not handle later pipelined requests due to the proxy shutting down the connection.

Workaround:
Do not use TCP's verify-accept option together with RAM cache.

Fix:
RAM cache now works correctly when the TCP profile enables the verify-accept option.


757464-3 : DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record

Component: Global Traffic Manager (DNS)

Symptoms:
Attempt to delete a DNS Validating Resolver cache record from the 'Key' cache does not remove the record. Also displays a negative TTL for that record.

tmm crash

Conditions:
-- Populate the DNS Validating Resolver Cache.
-- Attempt to delete a record from the 'Key' cache.

Impact:
Undesired behavior due to records not being deleted as instructed. Also negative TTL.

Workaround:
The only workaround is to restart tmm to generate a completely empty DNS cache. Traffic disrupted while tmm restarts.

Fix:
Fixed an issue preventing records from a DNS Validating Resolver's 'Key' sub-cache from being deleted when utilizing the TMSH command:
delete ltm dns cache records key cache


757455-1 : Excessive resource consumption when processing REST requests

Solution Article: K87920510


757442-1 : A missed SYN cookie check causes crash at the standby TMM in HA mirroring system

Component: Local Traffic Manager

Symptoms:
In a high availability (HA) mirroring configuration, an L7 packet SYN cookie check may be skipped on the standby unit and eventually causes TMM to crash.

Conditions:
-- L7 traffic being passed to an HA configuration that is configured for mirroring traffic.
-- Failover occurs.

Impact:
TMM crashes on the standby device. No connections shown on the standby unit even when mirroring isenabled.

Workaround:
Do not use HA mirroring.

Fix:
The system now provides SYN cookie checks for L7 mirrored packets on the standby system.


757441-2 : Specific sequence of packets causes Fast Open to be effectively disabled

Component: Local Traffic Manager

Symptoms:
You see this warning in the logs:

warning tmm[21063]: 01010055:4: Syncookie embryonic connection counter -1 exceeded sys threshold 64000.

Conditions:
-- TCP Fast Open and ECN are both enabled.
-- There are multiple RST segments from the receive window received in SYN_RECEIVED state.

Impact:
TCP Fast open is disabled, as the pre_established_connections becomes very large (greater than a threshold).

Workaround:
TCP ECN option can be disabled.

Fix:
TCP Fast Open is prevented from being disabled when some conditions are met.


757414 : GUI Network Map slow page load with large configuration

Component: TMOS

Symptoms:
Network Map loads very slowly when displaying large configurations.

Conditions:
Open Network Map page with a large configuration, for example, 2500 or more virtual servers, pools, and pool members.

Impact:
The Network Map page loads too slowly to be usable.

Workaround:
None.

Fix:
Network Map no longer loads very slowly when displaying large configurations.


757391-3 : Datagroup iRule command class can lead to memory corruption

Component: Local Traffic Manager

Symptoms:
When using the iRule command to access datagroups within a foreach loop, memory can be corrupted and tmm can crash.

Conditions:
A [class] command used within a foreach loop.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround aside from removing that iRule.

Fix:
tmm no longer crashes under these conditions.


757359-3 : pccd crashes when deleting a nested Address List

Component: Advanced Firewall Manager

Symptoms:
When removing a nested Address List or Port List, the pccd process might crash.

Conditions:
This might occur under the following conditions:
-- Removing a nested Address List or Port List using a tmsh transaction with an incorrect tmsh command order consistently results in this crash.

-- A high availability (HA) setup with config-sync enabled and there are intermittent problems with HA-connections, or out-of-memory system state, might intermittently result in this crash.

Impact:
pccd crashes with core, restarts, and correctly compiles the new configuration. There is a resulting, small delay in applying the new configuration due to the pccd restart.

Workaround:
-- If the crash occurs as a result of incorrect tmsh commands in a transaction, reorder commands to the parent list is modified or deleted before deleting the nested list.

-- If the crash is an intermittent issue due to problems with HA-connections, or an out-of-memory system state, no action is necessary; pccd correctly compiles new configuration after it restarts.

Fix:
pccd no longer crashes under these conditions, and correctly compiles the new configuration.


757357 : TMM may crash while processing traffic

Solution Article: K92002212


757306-2 : SNMP MIBS for AFM NAT do not yet exist

Component: Advanced Firewall Manager

Symptoms:
SNMP MIBS for AFM NAT do not yet exist.

Conditions:
This occurs in normal operation.

Impact:
Unable to read values that do not exist in SNMP, meaning that you cannot access information that you need.

Workaround:
None.


757279 : LDAP authenticated Firewall Manager role cannot edit firewall policies

Component: Advanced Firewall Manager

Symptoms:
The system posts the following message when the LDAP authenticated Firewall Manager role creates/modifies a firewall policy with rules or upgrading existing firewall policy:
User does not have modify access to object (fw_uuid_config).

Conditions:
-- Log in using an account with the Firewall Manager role.
-- Create/modify firewall policy with rules or upgrade existing firewall policy.

Impact:
Firewall modification operations fail with access to object (fw_uuid_config) error.

Workaround:
None.

Fix:
Firewall manager can now edit firewall policies.


757088-3 : TMM clock advances and cluster failover happens during webroot db nightly updates

Component: Traffic Classification Engine

Symptoms:
Webroot database mapping and unmapping takes a very long amount of time on TMM, so you might see clock advances occur. The long interval might result in a failover/state-transition in clustered environment.

Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.

Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.

Workaround:
You can avoid this issue by disabling BrightCloud updates, however, your environments will miss the latest updates as a result.

#vi /etc/wr_urldbd/bcsdk.cfg
  DoBcap=true
  DoRtu=false
  DownloadDatabase=false

Fix:
Mapping/Unmapping the database is done asynchronously and the delay is reduced so that the CDP failover does not happen.


757027-3 : BIND Update

Solution Article: K01713115


757026-3 : BIND Update

Solution Article: K25244852


757025-3 : BIND Update

Solution Article: K00040234


757023-4 : BIND vulnerability CVE-2018-5743

Solution Article: K74009656


756820-1 : Non-UTF8 characters returned from /bin/createmanifest

Component: TMOS

Symptoms:
/bin/createmanifest reads from mcpd values stored for items that are obtained from firmware. These might contain non-UTF8 characters. This program is called in qkview, which then gets updated to iHealth. If any non-UTF8 character is present, the output is omitted (because XML cannot handle non-UTF8 characters).

Conditions:
Data stored in mcpd obtained from firmware contain non-UTF8 characters.

Impact:
The upload to iHealth will not contain any of the manifest data set obtained via createmanifest.

Workaround:
The values can be obtained from the qkview by reading the qkview_run.data, but the convenience of reading these in iHealth is not possible.

Fix:
The corrected program converts any non-UTF8 characters into '%xx', thus outputting compliant UTF8 strings. These do not negatively impact the XML requirement, and the modified string can be uploaded to iHealth (and the non-UTF8 characters can be examined as hexadecimal values).


756774-4 : Aborted DNS queries to a cache may cause a TMM crash

Solution Article: K24401914


756538-1 : Failure to open data channel for active FTP connections mirrored across an high availability (HA) pair.

Solution Article: K15759349


756494-1 : For in-tmm monitoring: multiple instances of the same agent are running on the Standby device

Component: Local Traffic Manager

Symptoms:
The standby device is sending monitor requests at a more frequent interval than what is configured.

Conditions:
-- In-tmm monitoring configured.
-- High availability (HA) configured.

There is no explicit way to reproduce this and it does not occur every time.

Impact:
Multiple instances of in-tmm monitoring may be created and the BIG-IP device may be sending monitoring traffic more frequently than what is configured.

Workaround:
Reboot the BIG-IP system.

Fix:
Fixed an issue causing multiple monitoring instances to be created.


756470-3 : Additional logging added to detect when monitoring operations in the configuration exceeds capabilities.

Component: Global Traffic Manager (DNS)

Symptoms:
GTM logs 'no reply from big3d: timed out' messages when the configuration results in more runtime monitoring operations than can be supported in a given environment, but the same message also appears in the log for other reasons.

Conditions:
The GTM configuration results in more runtime monitoring operations than can be supported in a given environment.

Impact:
It is not possible to detect when there are more runtime monitoring operations than can be supported in a given environment without enabling debug logging and performing a complex analysis of the resulting log files.

Workaround:
Enable debug logging and conduct a detailed analysis to determine if monitor requests are scheduled at the configured intervals.

Fix:
There is now a warning message that provides a much clearer indication of the condition:

The list processing time (14 seconds) exceeded the interval value. There may be too many monitor instances configured with a 7 second interval.


756458-1 : Linux kernel vulnerability: CVE-2018-18559

Solution Article: K28241423


756450-2 : Traffic using route entry that's more specific than existing blackhole route can cause core

Component: Local Traffic Manager

Symptoms:
TMM asserts with 'Attempting to free loopback interface'message.

Conditions:
- Using blackhole routes.
- Have a route entry that is more specific than the existing blackhole route.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use /32 blackhole routes.

Fix:
TMM no longer cores when using blackhole routes that are less specific than non-blackhole routes.


756402-1 : Re-transmitted IPsec packets can have garbled contents

Component: TMOS

Symptoms:
Before re-transmitting a packet, it is discovered to be garbled, mainly in the form of having physical length that no longer matches the logical length recorded inside the packet.

Conditions:
Possibly rare condition that might cause packet freeing while still in use.

Impact:
Likely tunnel outage until re-established.

Workaround:
No workaround is known at this time.

Fix:
This release adds checksums to verify IPsec packets are not altered between first creation and later re-transmission.


756311-1 : High CPU during erroneous deletion

Component: Policy Enforcement Manager

Symptoms:
The utilization of some CPU cores increases and remains high for a long time. Rebooting just one blade can cause the high CPU usage to move to another blade in the chassis.

There might be messages similar to the following in tmm logs:

-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.10.10%0-4a89723e; Instance ID mismatch ERR_OK for subscriber id 310012348494 with 10.1.10.10-0-4a8987ea.

-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.18.10%0-4a8b850c; Look up returned err ERR_OK for subscriber id 3101512411557

Conditions:
The exact conditions under which this occurs are not fully understood, but one way it can be triggered is when a single TMM is crashing on a chassis system.

Impact:
The CPU usage is coming from an erroneous cleanup function, which is only running on a TMM when it's not busy; traffic is not expected to have a significant impact. However, recovering may result in a cluster-wide TMM restart, if the CPU usage does not subside. Traffic disrupted while tmm restarts.

Workaround:
Delete all subscribers from the CLI.


756270-2 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle

Component: Local Traffic Manager

Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.

Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.

Impact:
Handshake failure.

Workaround:
None.

Fix:
This has been fixed to check for the issuer among all certificates that have the same subject name as the CRL issuer.


756205-3 : TMSTAT offbox statistics are not continuous

Component: Application Visibility and Reporting

Symptoms:
When BIG-IP systems are manged by BIG-IQ, the device health statistics have gaps (missing samples).

Conditions:
BIG-IP systems managed by BIG-IQ,

Impact:
Missing data on device health, such as CPU load and memory occupancy.

Workaround:
None.

Fix:
Functionality restored - BIG-IP systems send all the data as expected.


756153-2 : Add diskmonitor support for MySQL /var/lib/mysql

Component: TMOS

Symptoms:
If the disk partition /var/lib/mysql is filled to 100%, diskmonitor does not notify that the partition is nearly exhausted.

Conditions:
The disk partition /var/lib/mysql is filled to 100%.

Impact:
diskmonitor does not notify that disk partition /var/lib/mysql is nearly exhausted.

Workaround:
None.


756102-3 : TMM can crash with core on ABORT signal due to non-responsive AVR code

Component: Application Visibility and Reporting

Symptoms:
ABORT signal is sent to TMM by SOD; TMM aborts with a core.

Conditions:
Non-responsive AVR code. No other special conditions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


756094-3 : DNS express in restart loop, 'Error writing scratch database' in ltm log

Component: Global Traffic Manager (DNS)

Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd

Conditions:
An update to an SOA record (and only an SOA) is received through a incremental zone transfer update (IXFR).

Impact:
Zone updates from the DNS master servers are not processed.

Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, use the following commands, in sequence:

   bigstart stop zxfrd
   rm /shared/zxfrd/*
   bigstart start zxfrd

Note: DNS express will not be able to service DNS responses until the zone transfers have completed. For this reason, this procedure should be carried out on the standby device, if possible.

Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.


756088-1 : The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address

Component: TMOS

Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.

The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.

Conditions:
-- There are multiple virtual servers associated with a virtual address.

-- The virtual-address icmp-echo is set to 'all' or 'any'.

-- The virtual-address route-advertisement is set to 'all' or 'any'.

Impact:
The BIG-IP might respond incorrectly to ICMP echo requests sent to a virtual-address.

-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP may not respond correctly after a virtual-address availability change.

-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.

The BIG-IP might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.

Workaround:
None.

Fix:
The BIG-IP system now responds correctly to ICMP echo requests and correctly adds/removes dynamic routes to a virtual-address, as appropriate.


756071-1 : MCPD crash

Component: TMOS

Symptoms:
mcpd crashes on out of memory.

Conditions:
MCPD experiences a memory leak under one of the following conditions:

- A tmsh command such as the following is run:
    tmsh reset-stats ltm virtual

- The ASM or AVR module is provisioned.


In both circumstances, the 'cur_allocs' for one of MCPD's internal memory allocation types generally increases and becomes very high (e.g., millions):

tmctl -I --select cur_allocs memory_stat program=mcpd name=umem_alloc_40

Impact:
MCPD can run out of memory and crash. Traffic disrupted while mcpd restarts.

Workaround:
None.

Fix:
A memory leak that occurred in the MCPD process has been fixed.


755854-1 : TMM crash due to missing classification category

Component: Traffic Classification Engine

Symptoms:
TMM crashes when 'Thin_Client' category is used. The tmm2 log contains messages:

-- notice panic: ../modules/hudfilter/gpa/gpa_config.c:507: Assertion "Category does not exist" failed.

Conditions:
-- TMM is configured for debug mode (which might occur in cases described in K11490: Configuring the Traffic Management Microkernel to use debug mode :: https://support.f5.com/csp/article/K11490).

-- There is a classification configured with a category that does not exist.

Impact:
TMM restart loop. Traffic disrupted while tmm restarts.

Workaround:
Change the category to something that exists to load tmm.debug.

Fix:
TMM no longer crashes with 'Thin_client' category.


755727-3 : Ephemeral pool members not created after DNS flap and address record changes

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.

Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.

Conditions:
This issue may occur under rare timing conditions when the following factors are present:

-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.

Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.

Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:

1. Restart the dynconfd daemon:
bigstart restart dynconfd

2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }


To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.


755585-3 : mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction

Component: Local Traffic Manager

Symptoms:
On a VIPRION cluster, if a single transaction creates a policy with the name Drafts/NAME, publishes the policy, and attaches the policy to a virtual server, mcpd restarts on the secondary blades.

Conditions:
-- VIPRION chassis with more than one blade.
-- Single mcp transaction that:
  * Creates a policy with 'Drafts/' as part of the policy name.
  * Publishes that policy.
  * Attaches that policy to a virtual server, either in the same transaction or a later transaction.

Impact:
mcpd restarts on all secondary blades of a cluster.

Workaround:
You can use either of the following workarounds:
-- Do not create policies with 'Drafts/' in the name.
-- Do not create and publish a policy in the same transaction.


755507-3 : [App Tunnel] 'URI sanitization' error

Component: Access Policy Manager

Symptoms:
URI sanitization error with app tunnel (application tunnel). The system posts messages similar to the following:
-- APM log: warning tmm[19703]: 01490586:4: /Common/AP-AD:Common:ff776e4a: Invalid Resource Access For RESOURCENAME. RST due to URI sanitization
-- LTM log: err tmm[19703]: 01230140:3: RST sent from 10.0.0.1:80 to 10.0.0.1:228, [0x2263e2c:7382] Unrecognized resource access (RESOURCENAME)

Conditions:
Access Policy that includes a 'Logon Page' and 'Advanced Resource Assign' (full webtop and app tunnel).

Impact:
APM does not send a response after receiving a request to 'GET /vdesk/resource_app_tunnels_info.xml'.

Workaround:
None.


755475-3 : Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync

Component: Access Policy Manager

Symptoms:
After making changes to the logon page agent field, performing config sync to another device and opening the logon agent in VPE on the sync target device encounters an error. Though this problem described to the logon page agent, this is applicable to any agent that is tied to customization group.

Conditions:
1. Form a failover device group with two devices.

2. On one device, create an access policy with logon page agent. Initiate config sync to sync the policy to other devices. Verify everything is correct on target device (specifically: open VPE for the policy, Logon Page is in the policy, click on the agent, and edit box appears without issue).

3. On source device, launch VPE for the policy, click on Logon Page agent, make changes to Agent (e.g., choose 'password' type for field3. Save the change and make a config sync again.

4. Go to target device, open VPE for the policy, and click on Logon Page is in the policy.

Impact:
Config is not synced properly to another device in the device group.

Workaround:
- Workaround 1:

Step1. On Standby (where the problem happens): delete the policy in question.

Step2. On Active: modify the access policy and Sync it.

* Problem with this workaround: sometimes, you cannot properly delete the access policy in question on the standby (as customization is corrupted, some related config deletion fails).


- Workaround 2:
Step 1. On Standby (where the problem happens): try to open up access policy item using VPE. Error will show the exact location of the file that is missing, for example:

"An error 'customization::getMessages: Unable to get xml dom from /config/filestore/files_d/Common_d/customization_group_d/:Common:MyAccessPolicy_act_logon_page_ag_5678_4' has occured on server... Dialogue loading has failed."

Step 2. On Standby: copy the exact file from active unit to standby unit, change the permission (ownership/group, permission flags) of the file so that it looks similar to active.

Fix:
Target device receives identical configuration as source one after config sync after user updates logon page field in logon agent editing dialog.


755197-1 : UCS creation might fail during frequent config save transactions

Component: TMOS

Symptoms:
If 'tmsh save sys config' is run simultaneously with 'tmsh save sys ucs <file>', there is the possibility of a race condition where a file gets scheduled to be added to the UCS file, but gets deleted by the save-config before it actually gets saved.

Conditions:
-- Run 'save sys config' at the same time as 'save sys ucs <file>' in tmsh.
-- Files are getting added by one tmsh command, yet deleted by the other. For example, when deleting a file that has not been saved to the configuration, while the system tried to create a UCS that contains that to-be-deleted file.

Note: There are many operations in which 'save sys config' is performed internally, so running the 'save sys ucs <file>' operation might encounter the timing error any time, even when you are not manually running 'save sys config'.

Impact:
The UCS is not created, and system posts messages similar to the following:
-- config/bigip_base.conf/: Cannot stat: No such file or directory.
-- Exiting with failure status due to previous errors.
-- Operation aborted.

This is a rare, timing-related occurrence. Even though the 'save sys ucs <file>' aborts and logs errors, simply re-running the command is likely to succeed.

Workaround:
Re-run the 'save sys ucs <file>' after it aborts. Nothing else needs to be changed or restored.

Fix:
The race condition is avoided and the 'save sys ucs <file>' now succeeds due to files removed by 'save sys config'.


755018-4 : Egress traffic processing may be stopped on one or more VE trunk interfaces

Component: TMOS

Symptoms:
Trunk interface members might be missing from tmm on BIG-IP Virtual Edition (VE).

Conditions:
-- Using trunks on VE.
-- May happen after a TMM restart, or after interface link states change.

Impact:
No egress traffic processing on one or more interfaces of a VE trunk.

Workaround:
Modify an attribute of the trunk and then return it to its previous value, for example:

    # tmsh modify net trunk <trunk name> link-select-policy maximum-bandwidth
    # tmsh modify net trunk <trunk name> link-select-policy auto

Fix:
Traffic is processed on all trunk interfaces.


755005-3 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations

Component: Application Security Manager

Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.

Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.

Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.

Workaround:
None.

Fix:
Correct templates are now used for Illegal Request Length and Illegal Query String Length violations, so the correct titles show.


754971-1 : OSPF inter-process redistribution might break OSPF route redistribution of various types.

Component: TMOS

Symptoms:
Enabling inter-process OSPF route redistribution might cause overall problems with OSPF route redistribution.

Conditions:
OSPF is configured with inter-process OSPF route redistribution, for example:

 router ospf
          network 0.0.0.0/0 area 0
          redistribute kernel
          redistribute ospf 1234 <--- !

Impact:
Routes might not be redistributed and will not be present in OSPF database. This affects all redistribution types (kernel, static, etc..)

Workaround:
Do not use inter-process OSPF route redistribution.

Fix:
Inter-process OSPF route redistribution is working properly.


754944-3 : AVR reporting UI does not follow best practices

Solution Article: K00432398


754901-3 : Frequent zone update notifications may cause TMM to restart

Component: Global Traffic Manager (DNS)

Symptoms:
When there are frequent zone update notifications, the watchdog for TMM may trip and TMM crash/restarts. There may also be 'clock advanced' messages in /var/log/ltm.

Conditions:
- Using DNS express.
- DNS zone with allow notify.
- Frequent zone NOTIFY messages resulting in zone transfers.

Impact:
TMM restart potentially resulting in failing or impacting services. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Frequent zone update notifications no longer cause TMM to restart.


754855-4 : TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile

Solution Article: K60344652


754658-1 : Improved matching of response messages uses end-to-end ID

Component: Service Provider

Symptoms:
Some responses incorrectly match requests when their hop-by-hop IDs match. This causes the response to be dropped.

Conditions:
Matching hop-by-hop ID.

Impact:
Responses rarely match the wrong request, but when they do, they will be dropped.

Workaround:
None.

Fix:
Responses are now matched to requests using end-to-end ID as well as hop-by-hop ID. There should be no more incorrect matches.


754617-1 : iRule 'DIAMETER::avp read' command does not work with 'source' option

Component: Service Provider

Symptoms:
Configuring a 'source' option with the iRule 'DIAMETER::avp read' command does not work.

The operation posts a TCL error in /var/log/ltm logs:
err tmm3[11998]: 01220001:3: TCL error: /Common/part1 <MR_INGRESS> - Illegal value (line 1) error Illegal value invoked from within "DIAMETER::avp read 444 source [DIAMETER::avp data get 443 grouped]".

Conditions:
Using the 'DIAMETER::avp read' iRule command with a 'source' option.

Impact:
'DIAMETER::avp read' does not work with the 'source' option.

Workaround:
Use 'DIAMETER::avp get data' with the 'source' option, and re-create the header part when needed.


754567 : Child clientSSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file

Component: TMOS

Symptoms:
Child client SSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file used by the profile.

Conditions:
The issue is seen intermittently when all of the following conditions are met.
-- The client SSL profile is a child client SSL profile profile, i.e., it has a parent client SSL profile.
-- The child and the parent profile are using the same certificate.
-- The certificate file is updated, for example, by using a command similar to the following:
tmsh modify sys file ssl-cert child.crt { source-path file:///config/ssl/ssl.crt/default.crt app-service none cert-validation-options { } issuer-cert none }

Impact:
The child client SSL profile may unexpectedly end up using a different cert-key-chain from its parent profile.

Workaround:
The inherit-certkeychain flag can be set only in the GUI location: Local Traffic :: Profiles : SSL : Client :: child_profile.

In the row 'Configuration: \ Certificate Key Chain', uncheck the checkbox on the right side. That sets inherit-certkeychain to true (or does not customize the cert-key-chain for the child profile). Once the box is unchecked, the Certificate Key Chain field appears greyed out and filled with parent profile's cert-key-chain.

Fix:
The child profile's inherit-certkeychain flag is no longer unexpectedly set to false after updating the certificate file.


754542-4 : TMM may crash when using RADIUS Accounting agent

Component: Access Policy Manager

Symptoms:
TMM may crash when using RADIUS Accounting agent in either per-session or per-request policy.

Conditions:
- APM is provisioned and licensed.
- RADIUS Accounting agent is used in either per-session or per-request policy.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when RADIUS Accounting agent is used in the access policy.


754365-3 : Updated flags for countries that changed their flags since 2010

Component: Application Security Manager

Symptoms:
Old flags for countries that changed their flags since 2010.

Conditions:
Requests from one of the following counties:
-- Myanmar
-- Iraq
-- Libya

Impact:
Old flag is shown.

Workaround:
None.

Fix:
The three flags are now updated in ASM.


754349 : FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4

Component: Local Traffic Manager

Symptoms:
FTP uploads that are offloaded on both sides drop after the idle timeout period, even though data is flowing.

Conditions:
-- FTP virtual server set up with a standard profile and FastL4 offloading.
-- Attempt a file upload to the virtual server where both client and server side of the data channel are offloaded.

Impact:
Dropped connections; data loss.

Workaround:
You can do either of the following:
-- Enable Inherit Parent Profile on the FTP profile.
-- Turn off FastL4 offloading.

Fix:
-- FTP connections to virtual servers no longer drop when both sides of data channel are offloaded via FastL4.
-- The output of the following command displays the correct acceleration state: tmsh show sys conn all-properties.


754346-1 : Access policy was not found while creating configuration snapshot.

Component: Access Policy Manager

Symptoms:
APMD fails to create configuration snapshot with the following error:

--err apmd[16675]: 01490000:3: AccessPolicyProcessor/AccessPolicyProcessor.cpp func: "dispatchEvent()" line: 1195 Msg: EXCEPTION AccessPolicyProcessor/ProfileAccess.cpp line:234 function: snapshotConfigVariables - AccessPolicy ("/Common/myPolicy") not found while creating configuration snapshot!!!!

If you attempt to modify the policy in question, the system reports a second error:

-- err apmd[16675]: 01490089:3: 00000000: Configuration change notification received for an unknown access profile: /Common/myPolicy

Conditions:
If TMM restarts and new access policy is added before TMM is fully up and running.

Impact:
Configuration snapshot is not created, and users cannot log on.

Workaround:
Recreate the access profile when TMM is stable.


754345-3 : WebUI does not follow best security practices

Solution Article: K79902360


754330-1 : Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected

Component: Application Visibility and Reporting

Symptoms:
Monpd attempts to load a batch of CSV files that exceed the partition threshold. This might cause Monpd to falsely detect a corrupted database.

Conditions:
-- Monpd is down for a given interval, and needs to load a batch of CSV files.
-- Monpd gets lower priority for CPU and does not manage loading CSV files within a specific timeframe.
-- Some of the reports are more demanding than others, and create CSV files more often, which makes it harder for Monpd to load efficiently.

Impact:
Stats for AVR might not be loaded to the database within an expected interval.

Workaround:
None.

Fix:
Monpd now checks whether a new partition is required after each CSV file load. When needed, it creates one and aggregates data in the database to avoid this issue.


754143-2 : TCP connection may hang after finished

Solution Article: K45456231

Component: Local Traffic Manager

Symptoms:
TCP connections hang. Memory usage increases. TMM restarts.

Numerous hanging connections reported similar to the following:
-- config # tmsh show sys conn protocol tcp
Sys::Connections
10.0.0.1:5854 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5847 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5890 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5855 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none
10.0.0.1:5891 10.0.0.250:80 any6.any any6.any tcp 449 (tmm: 0) none none

Conditions:
Pool member fails to respond with an ACK to BIG-IP system serverside FIN. The BIG-IP system serverside connection eventually times out, and the clientside connection is orphaned.

Impact:
Those connections hang indefinitely (even past the idle timeout). Memory increases, eventually leading to a possible TMM out-of-memory condition, requiring a TMM restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TCP connections no longer hang under these conditions.


754132-3 : A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command

Component: TMOS

Symptoms:
A default route is not propagated in Network Layer Reachability Information (NLRI) by a routing framework on a command: 'clear ip bgp <neighbor router-id> soft out'.

-- Enter to imi(Integrated Management Interface) shell.
[root@hostname:Active:Standalone] config # imish
hostname[0]>

-- Issue a command inside imish. 10.0.0.4 is neighbor BGP router-id.
hostname[0]>clear ip bgp 10.0.0.4 soft out

Conditions:
-- There is a BIG-IP system with the following routing configuration:

imish output:
hostname[0]#sh run
!
no service password-encryption
!
interface lo
!
... <skip other default information, like interfaces.>
!
router bgp 1
 bgp router-id 10.17.0.3
 bgp graceful-restart restart-time 120
 neighbor 10.17.0.4 remote-as 1
!

-- There is a default route, which is advertised by this BGP configuration. Here is one way to check it:

hostname[0]:sh ip ospf database
... <skip less important info>
                AS External Link States

Link ID ADV Router Age Seq# CkSum Route Tag
0.0.0.0 10.17.0.3 273 0x80000002 0x5c4e E2 0.0.0.0/0 0

The 'clear ip bgp 10.17.0.4 soft out' command is issued, and there is no NLRI with a default route generated. You can confirm that by running tcpdump and reading what is in the generated Link-state advertisement (LSA), messages or by watching OSPF debug logs.

Note: The source from which you gather the default route and advertise it to the neighbors does not matter. It might be the usual BGP route learned from another router, a locally created route, or it might be configured by 'neighbor <neighbor router-id> default-originate'.

Impact:
A default-route is not propagated in NLRI by 'soft out' request, even with default-originate configured.

Workaround:
There is no specific workaround for 'clear ip bgp <neighbor router-id> soft out' command, but if you want to make routing protocol propagate a NLRI with a default route, you can do either of the following:

-- Remove the default route from advertised routes. This workaround is configuration-specific, so there there are no common steps.
  + If you have default-originate configured for your neighbor, then delete that part of the configuration and re-add it.
  + If you create a default route as a static route, recreate it.
  + And so on.

The idea is to remove a root of default route generation and then add it back.

-- Run a 'soft in' command from your neighbor. If a neighbor you want to propagate a NLRI is a BIG-IP device, or is capable of running this type of command, you can issue a imish command on the neighbor:

# neighbor-hostname[0]: clear ip bgp <neighbor router-id> soft in

Note: This time, the 'soft in' command requests the NLRIs.

Fix:
A NLRI with default route information is successfully propagated on 'clear ip bgp <neighbor router-id> soft out' command.


754109-3 : ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive

Component: Application Security Manager

Symptoms:
When the backend server sends a content-security-policy header where source-src and default-src directives are missing, ASM will modify the header when it does its own JavaScript injection, which might cause a csp policy violation for inline JavaScript code.

Conditions:
-- ASM provisioned.
-- ASM or Bot-Defense/DoS attached on a virtual server.
-- ASM or Bot/Dos does inline injections, like CSRF/CSHUI.

Impact:
Inline JavaScript does not run. The Browser reports a content-security-policy violation.

Workaround:
You can use either of the following workarounds:

-- Disable csp in ASM by running the following commands:
/usr/share/ts/bin/add_del_internal add csp_enabled 0
bigstart restart asm

-- Disable csp in Bot/DoS using an iRule:
when HTTP_REQUEST {
    set csp 0
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Content-Security-Policy] } {
        set csp "[HTTP::header values Content-Security-Policy]"
    }
}
when HTTP_RESPONSE_RELEASE {
    if { $csp != 0 } {
        HTTP::header replace Content-Security-Policy $csp
    }
    set csp 0
}

Fix:
ASM/Bot/DoSL7 no longer modifies the csp header when both source-src and default-src directives are missing.


754103-2 : iRulesLX NodeJS daemon does not follow best security practices

Solution Article: K75532331


754003-1 : Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate

Solution Article: K73202036

Component: Local Traffic Manager

Symptoms:
For more information please see: https://support.f5.com/csp/article/K73202036

Conditions:
For more information please see: https://support.f5.com/csp/article/K73202036

Impact:
For more information please see: https://support.f5.com/csp/article/K73202036

Workaround:
None.

Fix:
For more information please see: https://support.f5.com/csp/article/K73202036


753975 : TMM may crash while processing HTTP traffic with webacceleration profile

Solution Article: K92411323


753912 : UDP flows m