Applies To:
Show Versions
BIG-IP AAM
- 13.1.5
BIG-IP APM
- 13.1.5
BIG-IP Link Controller
- 13.1.5
BIG-IP Analytics
- 13.1.5
BIG-IP LTM
- 13.1.5
BIG-IP AFM
- 13.1.5
BIG-IP PEM
- 13.1.5
BIG-IP FPS
- 13.1.5
BIG-IP DNS
- 13.1.5
BIG-IP ASM
- 13.1.5
BIG-IP Release Information
Version: 13.1.5
Build: 32.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
| The blue background highlights fixes |
Cumulative fixes from BIG-IP v13.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.6 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release
Known Issues in BIG-IP v13.1.x
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 999933-5 | CVE-2022-23017 | K28042514, BT999933 | TMM may crash while processing DNS traffic on certain platforms | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 989701-3 | CVE-2020-25212 | K42355373, BT989701 | CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 981461-2 | CVE-2021-23032 | K45407662, BT981461 | Unspecified DNS responses cause TMM crash | 13.1.5, 14.1.4.4, 15.1.3.1 |
| 966901-4 | CVE-2020-14364 | K09081535, BT966901 | CVE-2020-14364: Qemu Vulnerability | 13.1.5, 14.1.4.4, 15.1.4.1 |
| 940317-2 | CVE-2020-13692 | K23157312, BT940317 | CVE-2020-13692: PostgreSQL JDBC Driver vulnerability | 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2 |
| 937333-5 | CVE-2022-23013 | K29500533, BT937333 | Incomplete validation of input in unspecified forms | 13.1.5, 14.1.4.4, 15.1.4 |
| 904165-4 | CVE-2020-27716 | K51574311, BT904165 | BIG-IP APM vulnerability CVE-2020-27716 | 13.1.5, 14.1.3.1, 15.1.1 |
| 550928-3 | CVE-2022-23010 | K34360320, BT550928 | TMM may crash when processing HTTP traffic with a FastL4 virtual server | 13.1.5, 14.1.4.4, 15.1.4.1 |
| 1089373-3 | CVE-2022-0778 | K31323265 | OpenSSL Vulnerability: CVE-2022-0778 | 13.1.5 |
| 1089237-2 | CVE-2022-0778 | K31323265 | OpenSSL Vulnerability: CVE-2022-0778 | 13.1.5 |
| 1087201-3 | CVE-2022-0778 | K31323265 | OpenSSL Vulnerability: CVE-2022-0778 | 13.1.5 |
| 1032405-5 | CVE-2021-23037 | K21435974, BT1032405 | TMUI XSS vulnerability CVE-2021-23037 | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1030689-4 | CVE-2022-23019 | K82793463, BT1030689 | TMM may consume excessive resources while processing Diameter traffic | 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2 |
| 1028669-3 | CVE-2019-9948 | K28622040, BT1028669 | Python vulnerability: CVE-2019-9948 | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1028497-3 | CVE-2019-15903 | K05295469, BT1028497 | libexpat vulnerability: CVE-2019-15903 | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1007489-3 | CVE-2022-23018 | K24358905, BT1007489 | TMM may crash while handling specific HTTP requests&start; | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 997193-3 | CVE-2022-23028 | K16101409, BT997193 | TCP connections may fail when AFM global syncookies are in operation. | 13.1.5, 14.1.4.5, 15.1.5 |
| 981693-5 | CVE-2022-23024 | K54892865, BT981693 | TMM may consume excessive resources while processing IPSec ALG traffic | 13.1.5, 14.1.4.2, 15.1.4.1 |
| 981273-4 | CVE-2021-23054 | K41997459, BT981273 | APM webtop hardening | 13.1.5, 15.1.4 |
| 974341-4 | CVE-2022-23026 | K08402414, BT974341 | REST API: File upload | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 974093-2 | CVE-2020-25705 | K09604370 | Linux kernel vulnerability CVE-2020-25705 | 13.1.5 |
| 962069-6 | CVE-2021-23047 | K79428827, BT962069 | Excessive resource consumption while processing OSCP requests via APM | 13.1.5, 14.1.4.4, 15.1.3.1 |
| 941649-5 | CVE-2021-23043 | K63163637, BT941649 | Local File Inclusion Vulnerability | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 940185-4 | CVE-2022-23023 | K11742742, BT940185 | icrd_child may consume excessive resources while processing REST requests | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1 |
| 907201-5 | CVE-2021-23039 | K66782293, BT907201 | TMM may crash when processing IPSec traffic | 13.1.5, 14.1.2.8, 15.1.3, 16.0.1.2 |
| 887965-4 | CVE-2022-23027 | K30573026, BT887965 | Virtual server may stop responding while processing TCP traffic | 13.1.5, 14.1.4.4, 15.1.4 |
| 870273-2 | CVE-2020-5936 | K44020030, BT870273 | TMM may consume excessive resources when processing SSL traffic | 12.1.5.2, 13.1.5, 14.1.2.8, 15.1.1 |
| 803965-4 | CVE-2018-20843 | K51011533, BT803965 | Expat Vulnerability: CVE-2018-20843 | 13.1.5, 14.1.4.5, 15.1.4, 16.1.2 |
| 1013145-4 | CVE-2021-23052 | K32734107 | APM Hardening | 13.1.5, 14.1.4.4 |
| 1009725-5 | CVE-2022-23030 | K53442005, BT1009725 | Excessive resource usage when ixlv drivers are enabled | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1008561-2 | CVE-2022-23025 | K44110411, BT1008561 | In very rare condition, BIG-IP may crash when SIP ALG is deployed | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 1008077-3 | CVE-2022-23029 | K50343028, BT1008077 | TMM may crash while processing TCP traffic with a FastL4 VS | 13.1.5, 14.1.4.4, 15.1.4.1 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 818169-4 | 2-Critical | TMM may consume excessive resources when processing DNS profiles with DNS queing enabled | 13.1.5, 15.1.0.2 | |
| 1050537-4 | 2-Critical | BT1050537 | GTM pool member with none monitor will be part of load balancing decisions. | 13.1.5 |
| 911141-5 | 3-Major | BT911141 | GTP v1 APN is not decoded/encoded properly | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 1046669-4 | 3-Major | BT1046669 | The audit forwarders may prematurely time out waiting for TACACS responses | 13.1.5 |
| 1015133-1 | 3-Major | BT1015133 | Tail loss can cause TCP TLP to retransmit slowly. | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1 |
| 985953-1 | 4-Minor | BT985953 | GRE Transparent Ethernet Bridging inner MAC overwrite | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 982697-3 | 4-Minor | ICMP hardening | 13.1.5 | |
| 1033837-4 | 4-Minor | REST authentication tokens persist on reboot&start; | 13.1.5 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1042993-4 | 1-Blocking | K19272127, BT1042993 | Provisioning high availability (HA) setup wizard fails to load, reports 'No Access' | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 1002109-5 | 1-Blocking | BT1002109 | Xen binaries do not follow security best practices | 13.1.5, 14.1.4.4, 15.1.4 |
| 980325-3 | 2-Critical | BT980325 | Chmand core due to memory leak from dossier requests. | 13.1.5, 14.1.4.4, 15.1.4 |
| 957897-3 | 2-Critical | BT957897 | Unable to modify gateway-ICMP monitor fields in the GUI | 13.1.5 |
| 915981-1 | 2-Critical | BIG-IP SCP hardening | 13.1.5 | |
| 817709-4 | 2-Critical | BT817709 | IPsec: TMM cored with SIGFPE in racoon2 | 13.1.5, 14.1.2.8, 15.1.0.2 |
| 775897-3 | 2-Critical | BT775897 | High Availability failover restarts tmipsecd when tmm connections are closed | 13.1.5, 14.1.2.5 |
| 741676-1 | 2-Critical | BT741676 | Intermittent crash switching between tunnel mode and interface mode | 13.1.5, 14.1.2.8 |
| 1059185-4 | 2-Critical | iControl REST Hardening | 13.1.5 | |
| 1051561-4 | 2-Critical | iControl REST request hardening | 13.1.5 | |
| 1043277-1 | 2-Critical | K06520200, BT1043277 | 'No access' error page displays for APM policy export and apply options. | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 1024325-1 | 2-Critical | BT1024325 | EHF installation is not updating the Linux Kernel | 13.1.5 |
| 1004929-3 | 2-Critical | BT1004929 | During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. | 13.1.5, 14.1.4.5, 15.1.5 |
| 999125-4 | 3-Major | BT999125 | After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. | 13.1.5 |
| 982341-3 | 3-Major | iControl REST endpoint hardening | 13.1.5 | |
| 969105-5 | 3-Major | BT969105 | HA failover connections via the management address do not work on vCMP guests running on VIPRION | 13.1.5, 14.1.4.4, 15.1.4 |
| 958093-1 | 3-Major | BT958093 | IPv6 routes missing after BGP graceful restart | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 956589-4 | 3-Major | BT956589 | The tmrouted daemon restarts and produces a core file | 13.1.5, 15.1.2.1 |
| 947529-3 | 3-Major | BT947529 | Security tab in virtual server menu renders slowly | 13.1.5, 14.1.4.4, 15.1.4.1 |
| 919317-2 | 3-Major | BT919317 | NSM consumes 100% CPU processing nexthops for recursive ECMP routes | 13.1.5 |
| 918409-5 | 3-Major | BT918409 | BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures | 13.1.5 |
| 856953-6 | 3-Major | BT856953 | IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1 | 13.1.5, 14.1.2.8, 15.1.4.1 |
| 809657-4 | 3-Major | BT809657 | HA Group score not computed correctly for an unmonitored pool when mcpd starts | 13.1.5, 14.1.4.4, 15.1.4.1 |
| 760950-2 | 3-Major | BT760950 | Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment | 12.1.5.3, 13.1.5, 14.1.2.7 |
| 755976-1 | 3-Major | BT755976 | ZebOS might miss kernel routes after mcpd deamon restart | 13.1.5 |
| 719555 | 3-Major | BT719555 | Interface listed as 'disable' after SFP insertion and enable | 13.1.5, 14.1.4, 15.1.1 |
| 1066285-2 | 3-Major | BT1066285 | Master Key decrypt failure - decrypt failure. | 13.1.5 |
| 1047169-4 | 3-Major | BT1047169 | GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. | 13.1.5 |
| 1045421-4 | 3-Major | K16107301, BT1045421 | No Access error when performing various actions in the TMOS GUI | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1042009-4 | 3-Major | BT1042009 | Mcpd fails to reply if a request is proxied to another daemon and the connection to that daemon closes | 13.1.5 |
| 1032077 | 3-Major | BT1032077 | TACACS authentication fails with tac_author_read: short author body | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1022637-4 | 3-Major | BT1022637 | A partition other than /Common may fail to save the configuration to disk | 13.1.5, 15.1.5 |
| 1020789-1 | 3-Major | BT1020789 | Cannot deploy a four-core vCMP guest if the remaining cores are in use. | 13.1.5 |
| 1019085-3 | 3-Major | BT1019085 | Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file.&start; | 13.1.5 |
| 1010393-2 | 3-Major | BT1010393 | Unable to relax AS-path attribute in multi-path selection | 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2 |
| 1008269-5 | 3-Major | BT1008269 | Error: out of stack space | 13.1.5 |
| 1003257-2 | 3-Major | BT1003257 | ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 884165-1 | 4-Minor | BT884165 | Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG | 13.1.5, 14.1.4.4, 15.1.4.1 |
| 713614-6 | 4-Minor | BT713614 | Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only) | 13.1.5, 15.1.0.5 |
| 528894-8 | 4-Minor | BT528894 | Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition | 13.1.5, 15.1.5 |
| 1071365-2 | 4-Minor | iControl SOAP WSDL hardening | 13.1.5 | |
| 1051797-4 | 4-Minor | Linux kernel vulnerability: CVE-2018-18281 | 13.1.5 | |
| 1046693-1 | 4-Minor | BT1046693 | TMM with BFD confgured might crash under significant memory pressure | 13.1.5 |
| 1045549-1 | 4-Minor | BT1045549 | BFD sessions remain DOWN after graceful TMM restart | 13.1.5 |
| 1040821-1 | 4-Minor | BT1040821 | Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes | 13.1.5 |
| 1034589-4 | 4-Minor | BT1034589 | No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration. | 13.1.5 |
| 1024621-1 | 4-Minor | BT1024621 | Re-establishing BFD session might take longer than expected. | 13.1.5 |
| 1002809-5 | 4-Minor | BT1002809 | OSPF vertex-threshold should be at least 100 | 13.1.5 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1005433-1 | 1-Blocking | BT1005433 | LTM Pool Members may not be updated accurately when multiple identical database monitors are configured | 13.1.5, 14.1.4.5 |
| 931677-3 | 2-Critical | IPv6 hardening | 13.1.5 | |
| 910213-5 | 2-Critical | BT910213 | LB::down iRule command is ineffective, and can lead to inconsistent pool member status | 13.1.5 |
| 757407-2 | 2-Critical | BT757407 | Error reading RRD file may induce processes to mutually wait for each other forever | 13.1.5 |
| 1064617-4 | 2-Critical | BT1064617 | DBDaemon process may write to monitor log file indefinitely | 13.1.5 |
| 1019081-1 | 2-Critical | K97045220, BT1019081 | HTTP/2 hardening | 13.1.5, 14.1.4.5, 15.1.3.1 |
| 1016657-5 | 2-Critical | TMM may crash while processing LSN traffic | 13.1.5 | |
| 993981-5 | 3-Major | TMM may crash when ePVA is enabled | 13.1.5 | |
| 963705-1 | 3-Major | BT963705 | Proxy ssl server response not forwarded | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 955617-5 | 3-Major | BT955617 | Cannot modify properties of a monitor that is already in use by a pool | 13.1.5 |
| 951257-2 | 3-Major | FTP active data channels are not established | 13.1.5 | |
| 941257-3 | 3-Major | BT941257 | Occasional Nitrox3 ZIP engine hang | 13.1.5, 14.1.4.4, 15.1.4 |
| 912517-5 | 3-Major | BT912517 | Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured | 13.1.5 |
| 904041-5 | 3-Major | BT904041 | Ephemeral pool members may be incorrect when modified via various actions | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 819329-3 | 3-Major | BT819329 | Specific FIPS device errors will not trigger failover | 13.1.5, 14.1.3.1, 15.1.4, 16.0.1.2 |
| 803629-4 | 3-Major | BT803629 | SQL monitor fails with 'Analyze Response failure' message even if recv string is correct | 13.1.5, 14.1.4.5, 15.1.4.1, 16.0.1.1 |
| 793669-4 | 3-Major | BT793669 | FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value. | 13.1.5 |
| 757446-1 | 3-Major | BT757446 | Invoking the HTTP::respond iRule command when the HTTP2 profile is present can cause stalled or malformed responses. | 13.1.5, 14.1.2.7 |
| 672963-4 | 3-Major | BT672963 | MSSQL monitor fails against databases using non-native charset | 13.1.5 |
| 1052929-1 | 3-Major | BT1052929 | MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. | 13.1.5 |
| 1038629-2 | 3-Major | BT1038629 | DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1 |
| 1034365 | 3-Major | BT1034365 | DTLS handshake fails with DTLS1.2 client version | 13.1.5, 14.1.4.5, 15.1.5 |
| 1029897-4 | 3-Major | K63312282, BT1029897 | Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. | 13.1.5 |
| 1023341-4 | 3-Major | HSM hardening | 13.1.5, 16.1.1 | |
| 1018577-1 | 3-Major | BT1018577 | SASP monitor does not mark pool member with same IP Address but different Port from another pool member | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1017513-1 | 3-Major | BT1017513 | Config sync fails with error Invalid monitor rule instance identifier | 13.1.5, 14.1.4.5, 16.1.2.1 |
| 1015161-4 | 3-Major | BT1015161 | Ephemeral pool member may not be created when FQDN resolves to address that matches static node | 13.1.5, 14.1.4.5 |
| 1008017-3 | 3-Major | BT1008017 | Validation failure on Enforce TLS Requirements and TLS Renegotiation | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 936557-4 | 4-Minor | BT936557 | Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled. | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 935593-2 | 4-Minor | BT935593 | Incorrect SYN re-transmission handling with FastL4 timestamp rewrite | 13.1.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 757777-2 | 4-Minor | BT757777 | bigtcp does not issue a RST in all circumstances | 13.1.5, 14.1.2.5 |
| 717806-4 | 4-Minor | BT717806 | In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured | 13.1.5 |
| 1026605-1 | 4-Minor | BT1026605 | When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes | 13.1.5 |
| 1018493-4 | 4-Minor | BT1018493 | Response code 304 from TMM Cache always closes TCP connection. | 13.1.5, 14.1.4.5, 15.1.4, 16.1.2 |
| 898929-1 | 5-Cosmetic | BT898929 | Tmm might crash when ASM, AVR, and pool connection queuing are in use | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1 |
| 873249-4 | 5-Cosmetic | BT873249 | Switching from fast_merge to slow_merge can result in incorrect tmm stats | 13.1.5 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 995853-4 | 2-Critical | BT995853 | Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error. | 13.1.5, 14.1.4.4, 15.1.4 |
| 905557-5 | 2-Critical | BT905557 | Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure | 13.1.5, 14.1.4, 15.1.2 |
| 850509-2 | 2-Critical | BT850509 | Zone Trusted Signature inadequately maintained, following change of master key | 13.1.5, 14.1.4.4, 15.1.2 |
| 741862-2 | 2-Critical | BT741862 | DNS GUI may generate error or display names with special characters incorrectly. | 13.1.5 |
| 1064961-5 | 2-Critical | big3d may consume excessive resources when processing route domains | 13.1.5 | |
| 1062513-1 | 2-Critical | BT1062513 | GUI returns 'no access' error message when modifying a GTM pool property. | 13.1.5 |
| 1035853-5 | 2-Critical | K41415626, BT1035853 | Transparent DNS Cache can consume excessive resources. | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2 |
| 993489-6 | 3-Major | BT993489 | GTM daemon leaks memory when reading GTM link objects | 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1 |
| 847105-4 | 3-Major | BT847105 | The bigip_gtm.conf is reverted to default after rebooting with license expired&start; | 13.1.5, 14.1.4.4, 15.1.4.1 |
| 644192-6 | 3-Major | K23022557, BT644192 | Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN | 11.6.5.3, 13.1.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 1046785-5 | 3-Major | BT1046785 | Missing GTM probes when max synchronous probes are exceeded. | 13.1.5 |
| 1044425-5 | 3-Major | NSEC3 record improvements for NXDOMAIN | 13.1.5 | |
| 1024553-4 | 3-Major | BT1024553 | GTM Pool member set to monitor type "none" results in big3d: timed out | 13.1.5, 14.1.4.5, 15.1.5 |
| 1021417-5 | 3-Major | BT1021417 | Modifying GTM pool members with replace-all-with results in pool members with order 0 | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1021061-1 | 3-Major | BT1021061 | Config fails to load for large config on platform with Platform FIPS license enabled | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1 |
| 1018613-5 | 3-Major | BT1018613 | Modify wideip pools with replace-all-with results pools with same order 0 | 13.1.5 |
| 1011285-5 | 3-Major | BT1011285 | The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects. | 13.1.5, 15.1.5 |
| 816277-3 | 4-Minor | BT816277 | Extremely long nameserver name causes GUI Error | 13.1.5, 14.1.4.4 |
| 753821-1 | 4-Minor | BT753821 | Log messages 'TCP RST from remote system' messages logged if GTM/DNS is licensed but not provisioned | 13.1.5 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 997137-5 | 2-Critical | CSRF token modification may allow WAF bypass on GET requests | 13.1.5, 14.1.4.4, 15.1.4.1 | |
| 993613-3 | 2-Critical | BT993613 | Device fails to request full sync | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1 |
| 970329-5 | 2-Critical | ASM hardening | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 | |
| 965229-4 | 2-Critical | BT965229 | ASM Load hangs after upgrade&start; | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 912149-3 | 2-Critical | BT912149 | ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 879841-2 | 2-Critical | BT879841 | Domain cookie same-site option is missing the "None" as value in GUI and rest | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 723061-1 | 2-Critical | BT723061 | Possible tmm core during high load, or when an ASM policy is enabled by other modules | 13.1.5 |
| 1069449-4 | 2-Critical | ASM attack signatures may not match cookies as expected | 13.1.5 | |
| 1019853-4 | 2-Critical | K30911244, BT1019853 | Some signatures are not matched under specific conditions | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 1011061-5 | 2-Critical | Certain attack signatures may not match in multipart content | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 | |
| 987157 | 3-Major | K05391775 | BIG-IP ASM system may not properly perform attack signature checks | 13.1.5 |
| 984593-4 | 3-Major | BT984593 | BD crash | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1 |
| 964245-4 | 3-Major | BT964245 | ASM reports and enforces username always | 13.1.5, 14.1.4.4, 15.1.4 |
| 962497-5 | 3-Major | BT962497 | BD crash after ICAP response | 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2 |
| 956937 | 3-Major | Duplicate Attack signature sets in policy containing server technologies | 13.1.5 | |
| 946081-4 | 3-Major | BT946081 | Getcrc tool help displays directory structure instead of version | 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2 |
| 932133-4 | 3-Major | BT932133 | Payloads with large number of elements in XML take a lot of time to process | 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2 |
| 926845-3 | 3-Major | BT926845 | Inactive ASM policies are deleted upon upgrade | 13.1.5 |
| 920197-1 | 3-Major | BT920197 | Brute force mitigation can stop mitigating without a notification | 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2 |
| 871905-5 | 3-Major | K02705117, BT871905 | Incorrect masking of parameters in event log | 13.1.5, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 871881-3 | 3-Major | BT871881 | Apply Policy action is not synchronized after making bulk signature changes | 13.1.5 |
| 867825-1 | 3-Major | BT867825 | Export/Import on a parent policy leaves children in an inconsistent state | 13.1.5, 14.1.4.4, 15.1.4 |
| 857633-4 | 3-Major | BT857633 | Attack Type (SSRF) appears incorrectly in REST result | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 842013-5 | 3-Major | BT842013 | ASM Configuration is Lost on License Reactivation&start; | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 818889-4 | 3-Major | BT818889 | False positive malformed json or xml violation. | 13.1.5 |
| 785873-1 | 3-Major | BT785873 | ASM should treat 'Authorization: Negotiate TlR' as NTLM | 13.1.5, 14.1.4.5 |
| 767057-3 | 3-Major | BT767057 | In a sync-only device group, inactive policy is synced to peer, ASM is removed from virtual server | 13.1.5, 14.1.4.4 |
| 753715-3 | 3-Major | BT753715 | False positive JSON max array length violation | 13.1.5, 14.1.4.4, 15.1.4.1 |
| 731168-2 | 3-Major | BT731168 | BIG-IP may attempt to write to an out of bounds memory location, causing the bd daemon to crash. | 13.1.5, 14.1.4.5 |
| 712336-2 | 3-Major | BT712336 | bd daemon restart loop | 12.1.5.3, 13.1.5, 14.1.4.4 |
| 1072197-4 | 3-Major | Issue with input normalization in WebSocket. | 13.1.5 | |
| 1067285-4 | 3-Major | Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' | 13.1.5 | |
| 1060933-4 | 3-Major | Issue with input normalization. | 13.1.5 | |
| 1051213-4 | 3-Major | BT1051213 | Increase default value for violation 'Check maximum number of headers'. | 13.1.5 |
| 1051209-4 | 3-Major | BD may not process certain HTTP payloads as expected | 13.1.5 | |
| 1045101-1 | 3-Major | Bd may crash while processing ASM traffic | 13.1.5, 15.1.5, 16.1.2.1 | |
| 1043385-1 | 3-Major | No Signature detected If Authorization header is missing padding. | 13.1.5 | |
| 1042069-4 | 3-Major | Some signatures are not matched under specific conditions. | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2.1 | |
| 1038733-1 | 3-Major | Attack signature not detected for unsupported authorization types. | 13.1.5 | |
| 1037457-4 | 3-Major | High CPU during specific dos mitigation | 13.1.5 | |
| 1031445 | 3-Major | Intermittent false positive unparseable request violations with unknown authorization | 13.1.5 | |
| 1030853-4 | 3-Major | BT1030853 | Route domain IP exception is being treated as trusted (for learning) after being deleted | 13.1.5 |
| 1023993-1 | 3-Major | Brute Force is not blocking requests, even when auth failure happens multiple times | 13.1.5 | |
| 1022269-4 | 3-Major | BT1022269 | False positive RFC compliant violation | 13.1.5, 14.1.4.4, 15.1.4, 16.1.2 |
| 1011069-5 | 3-Major | Group/User R/W permissions should be changed for .pid and .cfg files. | 13.1.5 | |
| 1004069-3 | 3-Major | BT1004069 | Brute force attack is detected too soon | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2 |
| 944441-4 | 4-Minor | BT944441 | BD_XML logs memory usage at TS_DEBUG level | 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2 |
| 941249-1 | 4-Minor | BT941249 | Improvement to getcrc tool to print cookie names when cookie attributes are involved | 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2 |
| 844045-1 | 4-Minor | ASM Response event logging for "Illegal response" violations. | 13.1.5 | |
| 1055453-1 | 4-Minor | BT1055453 | Blocking page trims the last digit of the Support ID. | 13.1.5 |
| 1050697-1 | 4-Minor | Traffic learning page counts Disabled signatures when they are ready to be enforced | 13.1.5 | |
| 1038741-1 | 4-Minor | BT1038741 | NTLM type-1 message triggers "Unparsable request content" violation. | 13.1.5 |
| 1036521-5 | 4-Minor | BT1036521 | TMM crash in certain cases | 13.1.5 |
| 1034941-4 | 4-Minor | BT1034941 | Exporting and then re-importing "some" XML policy does not load the XML content-profile properly | 13.1.5 |
| 1020717-1 | 4-Minor | Policy versions cleanup process sometimes removes newer versions | 13.1.5 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 932137-3 | 3-Major | BT932137 | AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade | 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2 |
| 926341-4 | 3-Major | BT926341 | RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade&start; | 13.1.5, 14.1.4.4, 15.1.4 |
| 922105-5 | 3-Major | BT922105 | Avrd core when connection to BIG-IQ data collection device is not available | 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2 |
| 909161-5 | 3-Major | BT909161 | A core file is generated upon avrd process restart or stop | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 832805-3 | 3-Major | BT832805 | AVR should make sure file permissions are correct (tmstat_tables.xml) | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 787677-1 | 3-Major | BT787677 | AVRD stays at 100% CPU constantly on some systems | 13.1.5, 14.1.4.5, 15.1.4.1 |
| 1038913-1 | 3-Major | The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category | 13.1.5 | |
| 1035133-1 | 3-Major | BT1035133 | Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
| 948113-5 | 4-Minor | BT948113 | User-defined report scheduling fails | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 579219-1 | 2-Critical | BT579219 | Access keys missing from SessionDB after multi-blade reboot. | 13.1.5, 14.1.2.8, 15.1.1 |
| 992073-5 | 3-Major | APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS | 13.1.5 | |
| 827393-4 | 3-Major | BT827393 | In rare cases tmm crash is observed when using APM as RDG proxy. | 13.1.5, 14.1.4.5, 16.1.2.1 |
| 470346-4 | 3-Major | BT470346 | Some IPv6 client connections get RST when connecting to APM virtual | 13.1.5, 14.1.4.3, 15.1.4 |
| 423519-1 | 3-Major | Bypass disabling the redirection controls configuration of APM RDP Resource. | 13.1.5 | |
| 1007629-3 | 3-Major | BT1007629 | APM policy configured with many ACL policies can create APM memory pressure | 13.1.5, 14.1.4.4, 15.1.4.1 |
| 1002557-4 | 3-Major | BT1002557 | Tcl free object list growth | 13.1.5, 14.1.4.4, 15.1.4.1 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1047053-4 | 2-Critical | TMM may consume excessive resources while processing RTSP traffic | 13.1.5, 15.1.5 | |
| 1012721-3 | 2-Critical | BT1012721 | Tmm may crash with SIP-ALG deployment in a particular race condition | 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.1 |
| 996113-5 | 3-Major | BT996113 | SIP messages with unbalanced escaped quotes in headers are dropped | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 957905-4 | 3-Major | BT957905 | SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP. | 13.1.5 |
| 805821-5 | 3-Major | BT805821 | GTP log message contains no useful information | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 1078721-3 | 3-Major | TMM may consume excessive resources while processing ICAP traffic | 13.1.5 | |
| 919301-5 | 4-Minor | BT919301 | GTP::ie count does not work with -message option | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 913413-5 | 4-Minor | BT913413 | 'GTP::header extension count' iRule command returns 0 | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 913409-5 | 4-Minor | BT913409 | GTP::header extension command may abort connection due to unreasonable TCL error | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
| 913393-5 | 5-Cosmetic | BT913393 | Tmsh help page for GTP iRule contains incorrect and missing information | 13.1.5, 14.1.4.4, 15.1.4, 16.1.1 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1049229-4 | 2-Critical | BT1049229 | When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 756595-2 | 1-Blocking | BT756595 | Traffic redirection to an internal virtual server may fail. | 13.1.5 |
| 946325-4 | 3-Major | PEM subscriber GUI hardening | 13.1.5 |
Carrier-Grade NAT Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 975593-1 | 3-Major | TMM may crash while processing IPSec traffic | 13.1.5, 14.1.4.5 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 873617-4 | 3-Major | BT873617 | DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. | 13.1.5 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1023437-5 | 3-Major | Buffer overflow during attack with large HTTP Headers | 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1 | |
| 1060409-1 | 4-Minor | Behavioral DoS enable checkbox is wrong. | 13.1.5 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 686783-4 | 4-Minor | BT686783 | UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters. | 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2 |
Protocol Inspection Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 965853-5 | 3-Major | IM package file hardening&start; | 13.1.5 |
Guided Configuration Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 982757-7 | 3-Major | APM Access Guided Configuration hardening | 13.1.5 |
In-tmm monitors Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 944121-2 | 3-Major | BT944121 | Missing SNI information when using non-default domain https monitor running in TMM mode. | 13.1.5 |
Cumulative fixes from BIG-IP v13.1.4.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 989009-5 | CVE-2021-23033 | K05314769, BT989009 | BD daemon may crash while processing WebSocket traffic | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
| 980125-5 | CVE-2021-23030 | K42051445, BT980125 | BD Daemon may crash while processing WebSocket traffic | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
| 935433-5 | CVE-2021-23026 | K53854428, BT935433 | iControl SOAP | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
| 794561-4 | CVE-2020-5874 | K46901953, BT794561 | TMM may crash while processing JWT/OpenID traffic. | 13.1.4.1, 14.0.1.1, 14.1.2.5, 15.0.1.3 |
| 968349-4 | CVE-2021-23048 | K19012930, BT968349 | TMM crashes with unspecified message | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
| 965485-1 | CVE-2019-5482 | K41523201 | CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 950017-4 | CVE-2021-23045 | K94941221, BT950017 | TMM may crash while processing SCTP traffic | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 |
| 949889-1 | CVE-2019-3900 | K04107324, BT949889 | CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 942701-4 | CVE-2021-23044 | K35408374, BT942701 | TMM may consume excessive resources while processing HTTP traffic | 13.1.4.1, 14.1.4.2, 15.1.3.1 |
| 937365-5 | CVE-2021-23041 | K42526507, BT937365 | LTM UI does not follow best practices | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
| 907245-4 | CVE-2021-23040 | K94255403, BT907245 | AFM UI Hardening | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
| 906377-5 | CVE-2021-23038 | K61643620, BT906377 | iRulesLX hardening | 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2 |
| 842829-5 | CVE-2018-16300 CVE-2018-14881 CVE-2018-14882 CVE-2018-16230 CVE-2018-16229 CVE-2018-16227 CVE-2019-15166 CVE-2018-16228 CVE-2018-16451 CVE-2018-16452 CVE-2018-10103 CVE-2018-10105 CVE-2018-14468 | K04367730, BT842829 | Multiple tcpdump vulnerabilities | 13.1.4.1, 14.1.3.1, 15.1.3 |
| 803933-4 | CVE-2018-20843 | K51011533, BT803933 | Expat XML parser vulnerability CVE-2018-20843 | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
| 797769-3 | CVE-2019-11599 | K51674118 | Linux vulnerability : CVE-2019-11599 | 13.1.4.1, 15.1.4, 16.0.1.2 |
| 968733-4 | CVE-2018-1120 | K42202505, BT968733 | CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 995629-1 | 2-Critical | BT995629 | Loading UCS files may hang if ASM is provisioned&start; | 13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 990849-4 | 2-Critical | BT990849 | Loading UCS with platform-migrate option hangs and requires exiting from the command&start; | 13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2 |
| 967905-1 | 2-Critical | BT967905 | Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
| 1000973-1 | 2-Critical | BT1000973 | Unanticipated restart of TMM due to heartbeat failure | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
| 994801-5 | 3-Major | SCP file transfer system | 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2 | |
| 756820-1 | 3-Major | BT756820 | Non-UTF8 characters returned from /bin/createmanifest | 13.1.4.1 |
| 713708 | 3-Major | BT713708 | Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI | 13.1.4.1 |
| 819053-4 | 4-Minor | CVE-2019-13232 unzip: overlapping of files in ZIP container | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 | |
| 1004417-2 | 4-Minor | BT1004417 | Provisioning error message during boot up&start; | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 754143-2 | 2-Critical | K45456231, BT754143 | TCP connection may hang after FIN | 13.1.4.1, 14.1.0.2 |
| 760050-4 | 3-Major | BT760050 | "cwnd too low" warning message seen in logs | 13.1.4.1, 14.1.2.7, 15.1.4 |
| 752530-3 | 3-Major | BT752530 | TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput. | 13.1.4.1, 14.1.2.7 |
| 752334-3 | 3-Major | BT752334 | Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation | 13.1.4.1, 14.1.2.7 |
| 962433-2 | 4-Minor | BT962433 | HTTP::retry for a HEAD request fails to create new connection | 13.1.4.1, 14.1.4.3, 15.1.4 |
| 962177-4 | 4-Minor | BT962177 | Results of POLICY::names and POLICY::rules commands may be incorrect | 13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2 |
| 830833-3 | 4-Minor | BT830833 | HTTP PSM blocking resets should have better log messages | 13.1.4.1, 14.1.2.5, 15.0.1.1 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 918597-1 | 2-Critical | BT918597 | Under certain conditions, deleting a topology record can result in a crash. | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 973261-5 | 3-Major | BT973261 | GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 912001-1 | 3-Major | BT912001 | TMM cores on secondary blades of the Chassis system. | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 863917-4 | 3-Major | BT863917 | The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval. | 13.1.4.1, 14.1.4.5, 15.1.3, 16.0.1.2 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 996381-5 | 2-Critical | K41503304, BT996381 | ASM attack signature may not match as expected | 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1 |
| 968421-5 | 2-Critical | K30291321, BT968421 | ASM attack signature doesn't matched | 11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2 |
| 943913-5 | 2-Critical | K30150004, BT943913 | ASM attack signature does not match | 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2 |
| 1017645-4 | 2-Critical | BT1017645 | False positive HTTP compliance violation | 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2 |
| 955017-5 | 3-Major | BT955017 | Excessive CPU consumption by asm_config_event_handler | 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2 |
| 950917-3 | 3-Major | BT950917 | Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 | 13.1.4.1, 14.1.4.2, 15.1.4 |
| 928685-4 | 3-Major | K49549213, BT928685 | ASM Brute Force mitigation not triggered as expected | 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2 |
| 907337-5 | 3-Major | BT907337 | BD crash on specific scenario | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 888289-4 | 3-Major | BT888289 | Add option to skip percent characters during normalization | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1 |
| 830341-4 | 3-Major | BT830341 | False positives Mismatched message key on ASM TS cookie | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2.1 |
| 792341-4 | 3-Major | BT792341 | Google Analytics shows incorrect stats. | 13.1.4.1, 14.1.4.2 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 932485-1 | 3-Major | BT932485 | Incorrect sum(hits_count) value in aggregate tables | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 913085-5 | 3-Major | BT913085 | Avrd core when avrd process is stopped or restarted | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 889497-1 | 2-Critical | BT889497 | Deleting a log profile results in urldb and urldbmgrd CPU utilization increase to over 90% usage | 13.1.4.1 |
| 866109-4 | 3-Major | BT866109 | JWK keys frequency does not support fewer than 60 minutes | 13.1.4.1, 14.1.4.2, 15.1.4 |
| 673748-2 | 3-Major | K19534801, BT673748 | ng_export, ng_import might leave security.configpassword in invalid state | 12.1.3.2, 13.1.4.1 |
| 747234-4 | 4-Minor | BT747234 | Macro policy does not find corresponding access-profile directly | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 685888-1 | 4-Minor | BT685888 | OAuth client stores incorrectly escaped JSON values in session variables | 13.1.4.1 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 868781-3 | 2-Critical | BT868781 | TMM crashes while processing MRF traffic | 13.1.4.1, 14.1.4.2, 15.1.1 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 948573-3 | 3-Major | BT948573 | Wr_urldbd list of valid TLDs needs to be updated | 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2 |
Cumulative fixes from BIG-IP v13.1.4 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 980809-4 | CVE-2021-23031 | K41351250, BT980809 | ASM REST Signature Rule Keywords Tool Hardening | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 962341-3 | CVE-2021-23028 | K00602225, BT962341 | BD crash while processing JSON content | 13.1.4, 14.1.4.2, 15.1.3.1, 16.0.1.2 |
| 882633-5 | CVE-2021-23008 | K51213246, BT882633 | Active Directory authentication does not follow current best practices | 12.1.6, 13.1.4, 14.1.4, 15.1.3 |
| 754855-4 | CVE-2020-27714 | K60344652, BT754855 | TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile | 13.1.4, 14.1.3.1, 15.1.1 |
| 990333-3 | CVE-2021-23016 | K75540265, BT990333 | APM may return unexpected content when processing HTTP requests | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 945109-5 | CVE-2015-9382 | K46641512, BT945109 | Freetype Parser Skip Token Vulnerability CVE-2015-9382 | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 938233-4 | CVE-2021-23042 | K93231374 | An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization | 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
| 932697-1 | CVE-2021-23000 | K34441555, BT932697 | BIG-IP TMM vulnerability CVE-2021-23000 | 12.1.5.3, 13.1.4, 14.1.4 |
| 877109-5 | CVE-2021-23012 | K04234247 | Unspecified input can break intended functionality in iHealth proxy | 13.1.4, 14.1.4, 15.1.3, 16.0.1.1 |
| 718189-2 | CVE-2021-23011 | K10751325, BT718189 | Unspecified IP traffic can cause low-memory conditions | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1 |
| 1003557-5 | CVE-2021-23015 | K74151369, BT1003557 | Not following best practices in Guided Configuration Bundle Install worker | 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2 |
| 1002561-4 | CVE-2021-23007 | K37451543, BT1002561 | TMM vulnerability CVE-2021-23007 | 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 838909-6 | CVE-2020-5893 | K97733133, BT838909 | BIG-IP APM Edge Client vulnerability CVE-2020-5893 | 11.6.5.2, 12.1.5.2, 13.1.4, 14.1.2.4, 15.1.0.2 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 912289-4 | 2-Critical | BT912289 | Cannot roll back after upgrading on certain platforms&start; | 12.1.6, 13.1.4, 14.1.4, 15.1.1 |
| 933777-3 | 3-Major | BT933777 | Context use and syntax changes clarification | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 913829-2 | 3-Major | BT913829 | i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
| 794417-2 | 3-Major | BT794417 | Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not&start; | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
| 719338-4 | 4-Minor | BT719338 | Concurrent management SSH connections are unlimited | 13.1.4, 14.1.4, 15.1.1 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 915305-2 | 2-Critical | BT915305 | Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded | 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 888341-3 | 2-Critical | BT888341 | HA Group failover may fail to complete Active/Standby state transition | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
| 886693-1 | 2-Critical | BT886693 | System might become unresponsive after upgrading.&start; | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
| 785017-4 | 2-Critical | BT785017 | Secondary blades go offline after new primary is elected | 13.1.4, 14.1.4, 15.1.3 |
| 743975-2 | 2-Critical | BT743975 | TMM crash (SIGFPE) when starting on a vCMP guest | 12.1.6, 13.1.4 |
| 967745-4 | 3-Major | BT967745 | Last resort pool error for the modify command for Wide IP | 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 922297-4 | 3-Major | BT922297 | TMM does not start when using more than 11 interfaces with more than 11 vCPUs | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 838901-1 | 3-Major | BT838901 | TMM receives invalid rx descriptor from HSB hardware | 13.1.4, 14.1.4, 15.1.2 |
| 829821-4 | 3-Major | BT829821 | Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 829317-1 | 3-Major | BT829317 | Memory leak in icrd_child due to concurrent REST usage | 13.1.4, 14.1.3, 14.1.3.1, 15.1.0.2 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 922317-1 | 2-Critical | BT922317 | Using the LSN::persistence_entry command in an iRule may cause crashes and/or stalled connections | 12.1.6, 13.1.4 |
| 920265 | 2-Critical | BT920265 | TMM may crash if a virtual server undergoes a series of specific configuration changes involving the transparent-nexthop option. | 13.1.4 |
| 876801-1 | 2-Critical | BT876801 | Tmm crash: invalid route type | 13.1.4, 14.1.4, 15.1.2 |
| 953845-5 | 3-Major | BT953845 | After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart | 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1 |
| 926929-1 | 3-Major | BT926929 | RFC Compliance Enforcement lacks configuration availability | 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.2 |
| 919049 | 3-Major | BT919049 | Guest fails to come up when vCMP guest and host both run BIG-IP v13.1.3.3, assigning FIPS partition | 13.1.4 |
| 889601-5 | 3-Major | K14903688, BT889601 | OCSP revocation not properly checked | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
| 888517-4 | 3-Major | BT888517 | Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.&start; | 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 858701-4 | 3-Major | BT858701 | Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x&start; | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
| 825689-5 | 3-Major | Enhance FIPS crypto-user storage | 12.1.6, 13.1.4, 14.1.4, 15.1.1 | |
| 809597-1 | 3-Major | BT809597 | Memory leak in icrd_child observed during REST usage | 13.1.4, 14.1.3, 15.1.0.2 |
| 784565-4 | 3-Major | BT784565 | VLAN groups are incompatible with fast-forwarded flows | 11.6.5.3, 12.1.5.2, 13.1.4, 15.0.1.1 |
| 763093-1 | 3-Major | BT763093 | LRO packets are not taken into account for ifc_stats (VLAN stats) | 13.1.4 |
| 773253-2 | 4-Minor | BT773253 | The BIG-IP may send VLAN failsafe probes from a disabled blade | 13.1.4, 14.1.4.2, 15.1.2.1 |
| 724746-1 | 4-Minor | BT724746 | Incorrect RST message after 'reject' command | 13.1.4 |
| 693901-4 | 4-Minor | BT693901 | Active FTP data connection may change source port on client-side | 11.6.5.3, 12.1.6, 13.1.4 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 858973-4 | 3-Major | BT858973 | DNS request matches less specific WideIP when adding new wildcard wideips | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
| 712335-1 | 4-Minor | BT712335 | GTMD may intermittently crash under unusual conditions. | 12.1.6, 13.1.4, 14.1.2.7 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 941621-4 | 3-Major | K91414704, BT941621 | Brute Force breaks server's Post-Redirect-Get flow | 13.1.4, 14.1.4, 15.1.3, 16.0.1.1 |
| 929001-5 | 3-Major | K48321015, BT929001 | ASM form handling improvements | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2 |
| 846057-1 | 3-Major | BT846057 | UCS backup archive may include unnecessary files | 13.1.4, 14.1.4, 15.1.3 |
| 673272-5 | 3-Major | BT673272 | Search by "Signature ID is" does not return results for some signature IDs | 13.1.4, 14.1.4.2, 15.1.4, 16.0.1.2 |
| 824093-1 | 4-Minor | BT824093 | Parameters payload parser issue | 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 981385-5 | 3-Major | BT981385 | AVRD does not send HTTP events to BIG-IQ DCD | 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2 |
| 949593-1 | 3-Major | BT949593 | Unable to load config if AVR widgets were created under '[All]' partition&start; | 13.1.4, 14.1.4, 15.1.3, 16.0.1.2 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 628645 | 3-Major | BT628645 | Classification signatures fails to update and there are no errors in the GUI&start; | 13.1.4 |
Cumulative fixes from BIG-IP v13.1.3.6 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 975233-4 | CVE-2021-22992 | K52510511, BT975233 | Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 973333-2 | CVE-2021-22991 | K56715231, BT973333 | TMM buffer-overflow vulnerability CVE-2021-22991 | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 955145-4 | CVE-2021-22986 | K03009991, BT955145 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 954381-4 | CVE-2021-22986 | K03009991, BT954381 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 953677-4 | CVE-2021-22987, CVE-2021-22988 | K18132488 K70031188, BT953677 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 950077-4 | CVE-2021-22987, CVE-2021-22988 | K18132488 K70031188, BT950077 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1 |
| 981169-4 | CVE-2021-22994 | K66851119, BT981169 | F5 TMUI XSS vulnerability CVE-2021-22994 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 959121-1 | CVE-2021-23015 | K74151369, BT959121 | Not following best practices in Guided Configuration Bundle Install worker | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
| 953729-4 | CVE-2021-22989, CVE-2021-22990 | K56142644 K45056101, BT953729 | Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 949933-3 | CVE-2021-22980 | K29282483, BT949933 | BIG-IP APM CTU vulnerability CVE-2021-22980 | 13.1.3.6, 14.1.4, 15.1.4, 16.0.1.1 |
| 941449-5 | CVE-2021-22993 | K55237223, BT941449 | BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 931837-3 | CVE-2020-13817 | K55376430, BT931837 | NTP has predictable timestamps | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 931513-4 | CVE-2021-22977 | K14693346, BT931513 | TMM vulnerability CVE-2021-22977 | 13.1.3.6, 14.1.3.1, 15.1.1, 16.0.1.1 |
| 921337-1 | CVE-2021-22976 | K88230177, BT921337 | BIG-IP ASM WebSocket vulnerability CVE-2021-22976 | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 916821-5 | CVE-2021-22974 | K68652018, BT916821 | iControl REST vulnerability CVE-2021-22974 | 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 834257-5 | CVE-2020-5931 | K25400442, BT834257 | TMM may crash when processing HTTP traffic | 13.1.3.6, 14.1.2.5, 15.1.1 |
| 976925-4 | CVE-2021-23002 | K71891773, BT976925 | BIG-IP APM VPN vulnerability CVE-2021-23002 | 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 948769-3 | CVE-2021-23013 | K05300051, BT948769 | TMM panic with SCTP traffic | 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
| 939845-4 | CVE-2021-23004 | K31025212, BT939845 | BIG-IP MPTCP vulnerability CVE-2021-23004 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 939841-4 | CVE-2021-23003 | K43470422, BT939841 | BIG-IP MPTCP vulnerability CVE-2021-23003 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 937637-5 | CVE-2021-23002 | K71891773, BT937637 | BIG-IP APM VPN vulnerability CVE-2021-23002 | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
| 935401-5 | CVE-2021-23001 | K06440657, BT935401 | BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 832757-4 | CVE-2017-18551 | K48073202, BT832757 | Linux kernel vulnerability CVE-2017-18551 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.3 |
| 743105-6 | CVE-2021-22998 | K31934524, BT743105 | BIG-IP SNAT vulnerability CVE-2021-22998 | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 693360-5 | CVE-2020-27721 | K52035247, BT693360 | A virtual server status changes to yellow while still available | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1 |
| 825413-1 | CVE-2021-23053 | K36942191, BT825413 | ASM may consume excessive resources when matching signatures | 13.1.3.6, 14.1.3.1, 15.1.3 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 742860 | 3-Major | BT742860 | VE: Predictable NIC ordering based on PCI coordinates until ordering is saved. | 13.1.3.6, 14.1.4 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 940021-1 | 2-Critical | BT940021 | Syslog-ng hang may lead to unexpected reboot | 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 769169-1 | 2-Critical | BT769169 | BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring | 13.1.3.6, 14.0.0.5, 14.1.2.5 |
| 737322-4 | 2-Critical | BT737322 | tmm may crash at startup if the configuration load fails | 12.1.5.3, 13.1.3.6 |
| 703039-2 | 2-Critical | BT703039 | Empty results on /tm/sys/config-diff/stats | 13.1.3.6, 14.0.0 |
| 930741-4 | 3-Major | BT930741 | Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot | 13.1.3.6, 14.1.3.1, 15.1.2 |
| 927941-2 | 3-Major | BT927941 | IPv6 static route BFD does not come up after OAMD restart | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
| 913433-4 | 3-Major | BT913433 | On blade failure, some trunked egress traffic is dropped. | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
| 896553-4 | 3-Major | BT896553 | On blade failure, some trunked egress traffic is dropped. | 13.1.3.6, 14.1.4, 15.1.3 |
| 867181-4 | 3-Major | BT867181 | ixlv: double tagging is not working | 13.1.3.6, 14.1.3.1, 15.1.2 |
| 865241-4 | 3-Major | BT865241 | Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0" | 13.1.3.6, 14.1.3.1, 15.1.2 |
| 843597-4 | 3-Major | BT843597 | Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle | 13.1.3.6, 14.1.3.1, 15.1.2 |
| 842189-3 | 3-Major | BT842189 | Tunnels removed when going offline are not restored when going back online | 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.2.1 |
| 829193-5 | 3-Major | BT829193 | REST system unavailable due to disk corruption | 13.1.3.6, 14.1.3.1, 15.1.0.4 |
| 820845-1 | 3-Major | BT820845 | Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use. | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
| 759596-3 | 3-Major | BT759596 | Tcl errors in iRules 'table' command | 12.1.5.3, 13.1.3.6, 14.1.4 |
| 754132-3 | 3-Major | BT754132 | A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command | 13.1.3.6, 14.1.4 |
| 749007-3 | 3-Major | BT749007 | South Sudan, Sint Maarten, and Curacao country missing in GTM region list | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
| 744252-3 | 3-Major | BT744252 | BGP route map community value: either component cannot be set to 65535 | 13.1.3.6, 14.1.4 |
| 933461-2 | 4-Minor | BT933461 | BGP multi-path candidate selection does not work properly in all cases. | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 892677-3 | 4-Minor | BT892677 | Loading config file with imish adds the newline character | 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 800193 | 4-Minor | BT800193 | Update OpenSSH to version 7 or later for disabling of DSA keys | 13.1.3.6 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 726518-4 | 2-Critical | BT726518 | Tmsh show command terminated with CTRL-C can cause TMM to crash. | 13.1.3.6, 14.1.2.8, 15.1.2 |
| 705768-5 | 2-Critical | BT705768 | The dynconfd process may core and restart with multiple DNS name servers configured | 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2 |
| 949145-3 | 3-Major | BT949145 | Improve TCP's response to partial ACKs during loss recovery | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 879413-4 | 3-Major | BT879413 | Statsd fails to start if one or more of its *.info files becomes corrupted | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 860005-4 | 3-Major | BT860005 | Ephemeral nodes/pool members may be created for wrong FQDN name | 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2 |
| 857845-5 | 3-Major | BT857845 | TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule | 13.1.3.6, 14.1.3.1, 15.1.2 |
| 851045-4 | 3-Major | BT851045 | LTM database monitor may hang when monitored DB server goes down | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.1 |
| 814761-3 | 3-Major | BT814761 | PostgreSQL monitor fails on second ping with count != 1 | 12.1.5.3, 13.1.3.6, 14.1.2.3, 15.0.1.3 |
| 805017-3 | 3-Major | BT805017 | DB monitor marks pool member down if no send/recv strings are configured | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.3 |
| 803233-4 | 3-Major | BT803233 | Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable | 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1 |
| 772545-1 | 3-Major | BT772545 | Tmm core in SSLO environment | 13.1.3.6, 14.1.2.3, 15.0.1.1 |
| 759056-1 | 3-Major | BT759056 | stpd memory leak on secondary blades in a multi-blade system | 13.1.3.6, 14.1.3.1 |
| 747077-1 | 3-Major | BT747077 | Potential crash in TMM when updating pool members | 13.1.3.6 |
| 745682-2 | 3-Major | BT745682 | Failed to parse X-Forwarded-For header in HTTP requests | 13.1.3.6, 14.1.3.1 |
| 722707-4 | 3-Major | BT722707 | mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall | 12.1.5.3, 13.1.3.6, 14.1.3.1 |
| 720440-1 | 3-Major | BT720440 | Radius monitor marks pool members down after 6 seconds | 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.0.5 |
| 714642-1 | 3-Major | BT714642 | Ephemeral pool-member state on the standby is down | 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1 |
| 705387 | 3-Major | BT705387 | HTTP/2, ALPN and SSL | 13.1.3.6 |
| 686062-1 | 3-Major | BT686062 | The dynconfd daemon uses UDP ports inefficiently | 13.1.3.6 |
| 608952-4 | 3-Major | BT608952 | MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2 | 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.5 |
| 824365-1 | 4-Minor | BT824365 | Need informative messages for HTTP iRule runtime validation errors | 13.1.3.6, 14.1.2.3, 15.0.1.1, 15.1.0.2 |
| 822025-4 | 4-Minor | BT822025 | HTTP response not forwarded to client during an early response | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.4, 15.1.0.2 |
| 808409-1 | 4-Minor | BT808409 | Unable to specify if giaddr will be modified in DHCP relay chain | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 801705-2 | 4-Minor | BT801705 | When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC | 13.1.3.6, 14.1.3.1 |
| 738032-2 | 4-Minor | BT738032 | BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed. | 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 859717-4 | 5-Cosmetic | BT859717 | ICMP-limit-related warning messages in /var/log/ltm | 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 918169-3 | 2-Critical | BT918169 | The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown. | 13.1.3.6, 14.1.2.7, 15.1.2, 16.0.1.1 |
| 921625-5 | 3-Major | BT921625 | The certs extend function does not work for GTM/DNS sync group | 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1 |
| 921549-7 | 3-Major | BT921549 | The gtmd process does not receive updates from local big3d. | 13.1.3.6 |
| 852101-4 | 3-Major | BT852101 | Monitor fails. | 13.1.3.6, 14.1.3.1, 15.1.2 |
| 853585-5 | 4-Minor | BT853585 | REST Wide IP object presents an inconsistent lastResortPool value | 12.1.6, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 940249-4 | 2-Critical | BT940249 | Sensitive data is not masked after "Maximum Array/Object Elements" is reached | 11.6.5.3, 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 927617-4 | 2-Critical | BT927617 | 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 940897-4 | 3-Major | BT940897 | Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached | 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 918933-4 | 3-Major | K88162221, BT918933 | The BIG-IP ASM system may not properly perform signature checks on cookies | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.2.8, 15.1.2, 16.0.1.1 |
| 904053-5 | 3-Major | BT904053 | Unable to set ASM Main Cookie/Domain Cookie hashing to Never | 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1 |
| 742549-1 | 3-Major | BT742549 | Cannot create non-ASCII entities in non-UTF ASM policy using REST | 13.1.3.6, 14.1.2.7, 15.1.0.5 |
| 767941-2 | 4-Minor | BT767941 | Gracefully handle policy builder errors | 13.1.3.6, 14.1.4 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 743826-3 | 3-Major | BT743826 | Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0) | 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 727031-1 | 1-Blocking | BT727031 | TMM restart in B2250 vCMP systems, and ping/monitor failures in non-B2250 vCMP systems. | 12.1.5.3, 13.1.3.6 |
| 896709-1 | 2-Critical | BT896709 | Add support for Restart Desktop for webtop in VMware VDI | 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1 |
| 976501-4 | 3-Major | BT976501 | Failed to establish VPN connection | 13.1.3.6, 14.1.4, 15.1.3 |
| 924929 | 3-Major | BT924929 | Logging improvements for VDI plugin | 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1 |
| 914649-1 | 3-Major | BT914649 | Support USB redirection through VVC (VMware virtual channel) with BlastX | 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 760629-2 | 3-Major | BT760629 | Remove Obsolete APM keys in BigDB | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1 |
| 739570-2 | 3-Major | BT739570 | Unable to install EPSEC package&start; | 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 554228-7 | 3-Major | BT554228 | OneConnect does not work when WEBSSO is enabled/configured. | 11.6.1, 13.1.3.6 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 939529-4 | 3-Major | BT939529 | Branch parameter not parsed properly when topmost via header received with comma separated values | 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 755854-1 | 3-Major | BT755854 | TMM crash due to missing classification category | 13.1.3.6 |
SSL Orchestrator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 927993-5 | 1-Blocking | K97501254, BT927993 | Built-in SSL Orchestrator RPM installation failure | 12.1.5.3, 13.1.3.6, 14.1.3, 14.1.4, 15.1.2, 16.0.1.1 |
Cumulative fixes from BIG-IP v13.1.3.5 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 943125-4 | CVE-2021-23010 | K18570111, BT943125 | ASM bd may crash while processing WebSocket traffic | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 935721-3 | CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | K82252291, BT935721 | ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.0.1 |
| 933741-5 | CVE-2021-22979 | K63497634, BT933741 | BIG-IP FPS XSS vulnerability CVE-2021-22979 | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 933297 | CVE-2020-5949 | K20984059, BT933297 | FTP virtual server passive data channels do not pass traffic | 13.1.3.5 |
| 932065-4 | CVE-2021-22978 | K87502622, BT932065 | iControl REST vulnerability CVE-2021-22978 | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 917509-1 | CVE-2020-27718 | K58102101, BT917509 | BIG-IP ASM vulnerability CVE-2020-27718 | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 912221-3 | CVE-2020-12662 CVE-2020-12663 |
K37661551, BT912221 | CVE-2020-12662 & CVE-2020-12663 | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5 |
| 911761-5 | CVE-2020-5948 | K42696541, BT911761 | F5 TMUI XSS vulnerability CVE-2020-5948 | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 908673-2 | CVE-2020-27717 | K43850230, BT908673 | TMM may crash while processing DNS traffic | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 891457-5 | CVE-2020-5939 | K75111593, BT891457 | NIC driver may fail while transmitting data | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.4, 16.0.1 |
| 882189-4 | CVE-2020-5897 | K20346072, BT882189 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5897 | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 882185-4 | CVE-2020-5897 | K20346072, BT882185 | BIG-IP Edge Client Windows ActiveX | 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 881317-3 | CVE-2020-5896 | K15478554, BT881317 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 881293-4 | CVE-2020-5896 | K15478554, BT881293 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 879745-5 | CVE-2020-5942 | K82530456 | TMM may crash while processing Diameter traffic | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 879025-6 | CVE-2020-5913 | K72752002, BT879025 | When processing TLS traffic, LTM may not enforce certificate chain restrictions | 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.0.2 |
| 846917-5 | CVE-2019-10744 | K47105354, BT846917 | lodash Vulnerability: CVE-2019-10744 | 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.3, 15.1.0.2 |
| 839453-2 | CVE-2019-10744 | K47105354, BT839453 | lodash library vulnerability CVE-2019-10744 | 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.1.1 |
| 788057-1 | CVE-2020-5921 | K00103216, BT788057 | MCPD may crash while processing syncookies | 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
| 946581 | CVE-2020-27713 | K37960100, BT946581 | TMM vulnerability CVE-2020-27713 | 13.1.3.5, 14.1.4 |
| 928037-4 | CVE-2020-27729 | K15310332, BT928037 | APM Hardening | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 917005-3 | CVE-2020-8619 | K19807532 | ISC BIND Vulnerability: CVE-2020-8619 | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1 |
| 912969-5 | CVE-2020-27727 | K50343630, BT912969 | iAppsLX REST vulnerability CVE-2020-27727 | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 909837-3 | CVE-2020-5950 | K05204103, BT909837 | TMM may consume excessive resources when AFM is provisioned | 13.1.3.5, 14.1.2.7, 15.1.0.5 |
| 905125-4 | CVE-2020-27726 | K30343902, BT905125 | Security hardening for APM Webtop | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 904937-5 | CVE-2020-27725 | K25595031, BT904937 | Excessive resource consumption in zxfrd | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1 |
| 898949-4 | CVE-2020-27724 | K04518313, BT898949 | APM may consume excessive resources while processing VPN traffic | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1 |
| 889557-3 | CVE-2019-11358 | K20455158, BT889557 | jQuery Vulnerability CVE-2019-11358 | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 881445-4 | CVE-2020-5898 | K69154630, BT881445 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 | 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 880361-4 | CVE-2021-22973 | K13323323, BT880361 | iRules LX vulnerability CVE-2021-22973 | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 856961-4 | CVE-2018-12207 | K17269881, BT856961 | INTEL-SA-00201 MCE vulnerability CVE-2018-12207 | 13.1.3.5, 14.1.2.8, 15.0.1.4, 15.1.0.5 |
| 848405-1 | CVE-2020-5933 | K26244025, BT848405 | TMM may consume excessive resources while processing compressed HTTP traffic | 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.1 |
| 842717-3 | CVE-2020-5855 | K55102004, BT842717 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 831777-2 | CVE-2020-27723 | K42933418, BT831777 | Tmm crash in Ping access use case | 13.1.3.5, 14.1.3.1 |
| 816413-4 | CVE-2019-1125 | K31085564, BT816413 | CVE-2019-1125: Spectre SWAPGS Gadget | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
| 811965-3 | CVE-2020-27722 | K73657294, BT811965 | Some VDI use cases can cause excessive resource consumption | 13.1.3.5, 14.1.3.1, 15.0.1.4 |
| 778049-6 | CVE-2018-13405 | K00854051, BT778049 | Linux Kernel Vulnerability: CVE-2018-13405 | 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1 |
| 751036-3 | CVE-2020-27721 | K52035247, BT751036 | Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8 |
| 888493-5 | CVE-2020-5928 | K40843345, BT888493 | ASM GUI Hardening | 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
| 852929-2 | CVE-2020-5920 | K25160703, BT852929 | AFM WebUI Hardening | 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1 |
| 818213-6 | CVE-2019-10639 | K32804955, BT818213 | CVE-2019-10639: KASLR bypass using connectionless protocols | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 818177-1 | CVE-2019-12295 | K06725231, BT818177 | CVE-2019-12295 Wireshark Vulnerability | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1 |
| 773693-3 | CVE-2020-5892 | K15838353, BT773693 | CVE-2020-5892: APM Client Vulnerability | 11.6.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 682352-2 | CVE-2017-3735 | K21462542 | OpenSSL vulnerability CVE-2017-3735 | 13.1.3.5 |
| 834533-4 | CVE-2019-15916 | K57418558, BT834533 | Linux kernel vulnerability CVE-2019-15916 | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 890229-4 | 3-Major | BT890229 | Source port preserve setting is not honored | 13.1.3.5, 14.1.2.8, 15.1.1 |
| 738330-1 | 3-Major | BT738330 | /mgmt/toc endpoint issue after configuring remote authentication | 13.1.3.5, 14.1.2.5, 15.0.1.4 |
| 657912-3 | 3-Major | BT657912 | PIM can be configured to use a floating self IP address | 12.1.5.3, 13.1.3.5 |
| 745465-3 | 4-Minor | BT745465 | The tcpdump file does not provide the correct extension | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 749738-2 | 1-Blocking | BT749738 | After upgrade to 13.1.3.3 or 13.1.3.4, B2250 blades may fail to detect HSB and have restarting chmand&start; | 13.1.3.5, 14.1.2.2 |
| 910201-5 | 2-Critical | BT910201 | OSPF - SPF/IA calculation scheduling might get stuck infinitely | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 896217-5 | 2-Critical | BT896217 | BIG-IP GUI unresponsive | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 860517-4 | 2-Critical | BT860517 | MCPD may crash on startup with many thousands of monitors on a system with many CPUs. | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1 |
| 829677-4 | 2-Critical | BT829677 | .tmp files in /var/config/rest/ may cause /var directory exhaustion | 13.1.3.5, 14.1.2.7, 15.1.2, 16.0.1.1 |
| 812237-3 | 2-Critical | BT812237 | i10000 series appliances with HDVC part number 505-0030 missing name in show sys hardware and on LCD | 12.1.6, 13.1.3.5 |
| 810593-4 | 2-Critical | K10963690, BT810593 | Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade&start; | 13.1.3.5, 14.1.2.7 |
| 796601-6 | 2-Critical | BT796601 | Invalid parameter in errdefsd while processing hostname db_variable | 13.1.3.5, 14.1.3.1, 15.1.2 |
| 770989-1 | 2-Critical | BT770989 | Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x.&start; | 13.1.3.5, 14.1.3.1 |
| 769817 | 2-Critical | BT769817 | BFD fails to propagate sessions state change during blade restart | 11.6.5.1, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.4 |
| 769581 | 2-Critical | BT769581 | Timeout when sending many large iControl Rest requests | 13.1.3.5, 14.0.0.5, 14.1.2.7 |
| 706521-5 | 2-Critical | K21404407, BT706521 | The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 649205-1 | 2-Critical | BT649205 | Failure of mcpd during setup of HA communication | 13.1.3.5 |
| 924493-5 | 3-Major | BT924493 | VMware EULA has been updated | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 915825-5 | 3-Major | BT915825 | Configuration error caused by Drafts folder in a deleted custom partition while upgrading. | 13.1.3.5, 14.1.3.1, 15.1.1 |
| 908021-3 | 3-Major | BT908021 | Management and VLAN MAC addresses are identical | 13.1.3.5, 14.1.3.1, 15.1.3 |
| 898705-2 | 3-Major | BT898705 | IPv6 static BFD configuration is truncated or missing | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 888497-5 | 3-Major | BT888497 | Cacheable HTTP Response | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1 |
| 887089-5 | 3-Major | BT887089 | Upgrade can fail when filenames contain spaces | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5 |
| 871657-3 | 3-Major | BT871657 | Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S | 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
| 867013-5 | 3-Major | BT867013 | Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout | 13.1.3.5, 14.1.2.7, 15.1.1 |
| 858197-4 | 3-Major | BT858197 | Merged crash when memory exhausted | 13.1.3.5, 14.1.2.8, 15.1.2, 16.0.1.1 |
| 846441-4 | 3-Major | BT846441 | Flow-control is reset to default for secondary blade's interface | 13.1.3.5, 14.1.3.1, 15.1.2 |
| 846137-5 | 3-Major | BT846137 | The icrd returns incorrect route names in some cases | 13.1.3.5, 14.1.3.1, 15.1.2 |
| 814585-5 | 3-Major | BT814585 | PPTP profile option not available when creating or modifying virtual servers in GUI | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1 |
| 810821-4 | 3-Major | BT810821 | Management interface flaps after rebooting the device. | 13.1.3.5, 14.1.2.7, 15.1.2 |
| 810381-1 | 3-Major | BT810381 | The SNMP max message size check is being incorrectly applied. | 13.1.3.5, 14.1.2.8, 15.1.0.4 |
| 808281 | 3-Major | BT808281 | OVA/Azure template sets '/var' partition with not enough space | 13.1.3.5 |
| 802685-4 | 3-Major | BT802685 | Unable to configure performance HTTP virtual server via GUI | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
| 802281-4 | 3-Major | BT802281 | Gossip shows active even when devices are missing | 13.1.3.5, 14.1.2.5, 15.1.0.2 |
| 797829-3 | 3-Major | BT797829 | The BIG-IP system may fail to deploy new or reconfigure existing iApps | 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1 |
| 795649-2 | 3-Major | BT795649 | Loading UCS from one iSeries model to another causes FPGA to fail to load | 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.0.3 |
| 788577 | 3-Major | BT788577 | BFD sessions may be reset after CMP state change | 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 783113 | 3-Major | BT783113 | BGP sessions remain down upon new primary slot election | 11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.1 |
| 767737-3 | 3-Major | BT767737 | Timing issues during startup may make an HA peer stay in the inoperative state | 13.1.3.5, 14.1.3.1, 15.1.2.1 |
| 755197-1 | 3-Major | BT755197 | UCS creation might fail during frequent config save transactions | 13.1.3.5, 14.1.3.1, 15.1.2 |
| 754971-1 | 3-Major | BT754971 | OSPF inter-process redistribution might break OSPF route redistribution of various types. | 13.1.3.5, 14.1.3.1 |
| 751021-3 | 3-Major | BT751021 | One or more TMM instances may be left without dynamic routes. | 13.1.3.5, 14.1.4 |
| 750194-2 | 3-Major | Moderate: net-snmp security update | 13.1.3.5, 14.1.4 | |
| 746704-1 | 3-Major | BT746704 | Syslog-ng Memory Leak | 13.1.3.5, 14.1.2.8 |
| 745261-1 | 3-Major | BT745261 | The TMM process may crash in some tunnel cases | 12.1.5.3, 13.1.3.5, 14.1.2.8 |
| 740589-3 | 3-Major | BT740589 | Mcpd crash with core after 'tmsh edit /sys syslog all-properties' | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 737098-3 | 3-Major | BT737098 | ASM Sync does not work when the configsync IP address is an IPv6 address | 13.1.3.5, 14.1.3.1, 15.1.2 |
| 725985-1 | 3-Major | BT725985 | REST API takes more than 20 seconds when 1000+ virtual servers with SNAT-Pool configured | 13.1.3.5 |
| 720569-1 | 3-Major | BT720569 | Disaggregation algorithm distributing traffic unequally across CPU cores on Virtual Edition | 12.1.5.3, 13.1.3.5 |
| 707320-2 | 3-Major | BT707320 | Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs | 13.1.3.5, 14.0.0 |
| 705655-2 | 3-Major | BT705655 | Virtual address not responding to ICMP when ICMP Echo set to Selective | 13.1.3.5 |
| 699091-2 | 3-Major | BT699091 | SELinux denies console access for remote users. | 12.1.5.3, 13.1.3.5 |
| 658716-1 | 3-Major | BT658716 | Failure of mcpd when closing out CMI connection | 13.1.3.5 |
| 658715-1 | 3-Major | BT658715 | Mcpd crash | 13.1.3.5 |
| 615934-3 | 3-Major | BT615934 | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. | 13.1.3.5, 14.1.4, 15.1.3 |
| 605675-2 | 3-Major | BT605675 | Sync requests can be generated faster than they can be handled | 11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.2 |
| 489572-3 | 3-Major | K60934489, BT489572 | Sync fails if file object is created and deleted before sync to peer BIG-IP | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 431503-6 | 3-Major | K14838, BT431503 | TMSH crashes in rare initial tunnel configurations | 13.1.3.5, 14.1.2.8, 15.1.1 |
| 902417-5 | 4-Minor | BT902417 | Configuration error caused by Drafts folder in a deleted custom partition&start; | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1.1 |
| 890277-1 | 4-Minor | BT890277 | Full config sync to a device group operation takes a long time when there are a large number of partitions. | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 864757-1 | 4-Minor | BT864757 | Traps that were disabled are enabled after configuration save | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 831293-2 | 4-Minor | BT831293 | SNMP address-related GET requests slow to respond. | 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.2 |
| 804309-3 | 4-Minor | BT804309 | [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument | 13.1.3.5, 14.1.2.7, 15.1.0.5 |
| 801637-1 | 4-Minor | BT801637 | Cmp_dest on C2200 platform may give incorrect results | 12.1.5.3, 13.1.3.5 |
| 779857-4 | 4-Minor | BT779857 | Misleading GUI error when installing a new version in another partition&start; | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 692165-1 | 4-Minor | BT692165 | A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token | 12.1.5, 13.1.3.5 |
| 591732-3 | 4-Minor | BT591732 | Local password policy not enforced when auth source is set to a remote type. | 12.1.5.1, 13.1.3.5, 14.1.3.1, 15.0.1.4 |
| 583084-10 | 4-Minor | K15101680, BT583084 | iControl produces 404 error while creating records successfully | 13.1.3.5, 14.1.3.1, 15.1.2 |
| 714176-4 | 5-Cosmetic | BT714176 | UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 941089-4 | 2-Critical | BT941089 | TMM core when using Multipath TCP | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2 |
| 851857-4 | 2-Critical | BT851857 | HTTP 100 Continue handling does not work when it arrives in multiple packets | 13.1.3.5, 14.1.3.1, 15.1.1 |
| 687603-2 | 2-Critical | K36243347, BT687603 | tmsh query for dns records may cause tmm to crash | 11.6.5.3, 12.1.3.2, 13.1.3.5 |
| 951033-1 | 3-Major | BT951033 | Virtual server resets all the connections for rstcause 'VIP disabled (administrative)' | 13.1.3.5, 14.1.3.1 |
| 915689-5 | 3-Major | BT915689 | HTTP/2 dynamic header table may fail to identify indexed headers on the response side. | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 915605-4 | 3-Major | K56251674, BT915605 | Image install fails if iRulesLX is provisioned and /usr mounted read-write&start; | 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 915281-6 | 3-Major | BT915281 | Do not rearm TCP Keep Alive timer under certain conditions | 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 909757 | 3-Major | BT909757 | HTTP CONNECT method with a delayed payload can cause a connection to be closed | 13.1.3.5 |
| 892385-3 | 3-Major | BT892385 | HTTP does not process WebSocket payload when received with server HTTP response | 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1 |
| 862597-3 | 3-Major | BT862597 | Improve MPTCP's SYN/ACK retransmission handling | 13.1.3.5, 14.1.3.1, 15.1.0.2 |
| 828601-4 | 3-Major | BT828601 | IPv6 Management route is preferred over IPv6 tmm route | 13.1.3.5, 14.1.2.7, 15.1.0.3 |
| 818853-5 | 3-Major | BT818853 | Duplicate MAC entries in FDB | 13.1.3.5, 14.1.3.1, 15.1.0.2 |
| 810445-3 | 3-Major | BT810445 | PEM: ftp-data not classified or reported | 13.1.3.5, 14.1.2.8 |
| 807821-3 | 3-Major | BT807821 | ICMP echo requests occasionally go unanswered | 12.1.5.3, 13.1.3.5 |
| 790845-1 | 3-Major | BT790845 | An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default | 13.1.3.5, 14.1.4, 15.1.2 |
| 786517-1 | 3-Major | BT786517 | Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address | 13.1.3.5, 14.1.3.1, 15.1.0.5 |
| 783617-4 | 3-Major | BT783617 | Virtual server resets connections when all pool members are marked disabled | 13.1.3.5, 14.1.3.1 |
| 766169-3 | 3-Major | BT766169 | Replacing all VLAN interfaces resets VLAN MTU to a default value | 12.1.5.2, 13.1.3.5, 14.1.2.8 |
| 758631-2 | 3-Major | BT758631 | ec_point_formats extension might be included in the server hello even if not specified in the client hello | 12.1.5, 13.1.3.5, 14.0.1.1, 14.1.2.5 |
| 758599-4 | 3-Major | BT758599 | IPv6 Management route is preferred over IPv6 tmm route | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.3 |
| 758437-4 | 3-Major | BT758437 | SYN w/ data disrupts stat collection in Fast L4 | 13.1.3.5, 14.1.2.8 |
| 758436-2 | 3-Major | BT758436 | Optimistic ACKs degrade Fast L4 statistics | 13.1.3.5, 14.1.2.8 |
| 758041-4 | 3-Major | BT758041 | LTM Pool Members may not be updated accurately when multiple identical database monitors are configured. | 13.1.3.5, 14.1.2.7, 15.1.4.1 |
| 745923-4 | 3-Major | BT745923 | Connection flow collision can cause packets to be sent with source and/or destination port 0 | 13.1.3.5, 14.1.2.5, 15.0.1.4 |
| 745663-2 | 3-Major | BT745663 | During traffic forwarding, nexthop data may be missed at large packet split | 13.1.3.5, 14.1.2.8 |
| 724824-4 | 3-Major | BT724824 | Ephemeral nodes on peer devices report as unknown and unchecked after full config sync | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2 |
| 710930-1 | 3-Major | BT710930 | Enabling BigDB key bigd.tmm may cause SSL monitors to fail | 13.1.3.5, 14.1.3.1 |
| 681814-1 | 3-Major | BT681814 | Changes to a cipher group are not propagated to SSL profiles until the configuration is reloaded | 13.1.3.5 |
| 522241-2 | 3-Major | BT522241 | Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7 |
| 814037-1 | 4-Minor | BT814037 | No virtual server name in Hardware Syncookie activation logs. | 13.1.3.5, 14.1.2.8, 15.1.1 |
| 781225-3 | 4-Minor | BT781225 | HTTP profile Response Size stats incorrect for keep-alive connections | 12.1.5.3, 13.1.3.5, 14.1.3.1 |
| 726983-4 | 4-Minor | BT726983 | Inserting multi-line HTTP header not handled correctly | 12.1.5.3, 13.1.3.5, 14.1.3.1 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 960749-4 | 1-Blocking | BT960749 | TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1 |
| 960437-4 | 2-Critical | BT960437 | The BIG-IP system may initially fail to resolve some DNS queries | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1 |
| 919553-4 | 2-Critical | BT919553 | GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets. | 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
| 783125-4 | 2-Critical | BT783125 | iRule drop command on DNS traffic without Datagram-LB may cause TMM crash | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 781829-4 | 3-Major | BT781829 | GTM TCP monitor does not check the RECV string if server response string not ending with \n | 13.1.3.5, 14.1.3.1 |
| 760471-4 | 3-Major | BT760471 | GTM iQuery connections may be reset during SSL key renegotiation. | 12.1.5.2, 13.1.3.5, 14.1.2.3, 15.0.1.4, 15.1.0.2 |
| 758772-4 | 3-Major | BT758772 | DNS Cache RRSET Evictions Stat not increasing | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7 |
| 757464-3 | 3-Major | BT757464 | DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record | 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7 |
| 708421-2 | 3-Major | K52142743, BT708421 | DNS::question 'set' options are applied to packet, but not to already parsed dns_msg | 12.1.5.2, 13.1.3.5 |
| 700118-1 | 3-Major | BT700118 | rrset statistics unavailable | 11.6.5.3, 12.1.6, 13.1.3.5 |
| 529896-1 | 3-Major | BT529896 | DNS Cache can use cached data from ADDITIONAL sections in answers after RRset cache cleared | 11.6.5.3, 12.1.6, 13.1.3.5 |
| 643455-1 | 4-Minor | BT643455 | Update TTL for equally trusted records only | 11.6.5.3, 12.1.6, 13.1.3.5 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 903453 | 2-Critical | BT903453 | TMM crash following redirect when Proactive Bot Defense is used | 13.1.3.5 |
| 941853-3 | 3-Major | BT941853 | Logging Profiles do not disassociate from virtual server when multiple changes are made | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1 |
| 900797-5 | 3-Major | BT900797 | Brute Force Protection (BFP) hash table entry cleanup | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
| 900793-3 | 3-Major | K32055534, BT900793 | APM Brute Force Protection resources do not scale automatically | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
| 900789-5 | 3-Major | BT900789 | Alert before Brute Force Protection (BFP) hash are fully utilized | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
| 848445-4 | 3-Major | K86285055, BT848445 | Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer&start; | 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5 |
| 833685-1 | 3-Major | BT833685 | Idle async handlers can remain loaded for a long time doing nothing | 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.5 |
| 722337-3 | 3-Major | BT722337 | Always show violations in request log when post request is large | 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1.1 |
| 692279-1 | 3-Major | BT692279 | Request logging is briefly suspended after policy re-assignment | 13.1.3.5 |
| 424588-1 | 3-Major | BT424588 | iRule command [DOSL7::profile] returns empty value | 13.1.3.5 |
| 935293-1 | 4-Minor | BT935293 | 'Detected Violation' Field for event logs not showing | 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1 |
| 882769-5 | 4-Minor | BT882769 | Request Log: wrong filter applied when searching by Response contains or Response does not contain | 13.1.3.5, 14.1.2.7, 15.1.2 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 722392-2 | 2-Critical | BT722392 | AVR: analytics statistics are displayed even if they are disabled | 13.1.3.5 |
| 908065-5 | 3-Major | BT908065 | Logrotation for /var/log/avr blocked by files with .1 suffix | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 902485-1 | 3-Major | BT902485 | Incorrect pool member concurrent connection value | 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1 |
| 838685-1 | 3-Major | BT838685 | DoS report exist in per-widget but not under individual virtual | 13.1.3.5, 14.1.2.7, 15.1.0.5 |
| 721408-4 | 3-Major | BT721408 | Possible to create Analytics overview widgets in '[All]' partition | 13.1.3.5 |
| 866613-2 | 4-Minor | BT866613 | Missing MaxMemory Attribute | 13.1.3.5, 14.1.2.8, 15.1.1 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 833049-3 | 3-Major | BT833049 | Category lookup tool in GUI may not match actual traffic categorization | 13.1.3.5, 14.1.4, 15.1.2 |
| 766017-2 | 4-Minor | BT766017 | [APM][LocalDB] Local user database instance name length check inconsistencies&start; | 12.1.5.3, 13.1.3.5, 14.1.4.2, 15.1.2, 16.0.1.1 |
| 679751-3 | 4-Minor | BT679751 | Authorization header can cause a connection reset | 13.1.3.5, 14.1.2.8, 15.1.1 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 815877-4 | 3-Major | BT815877 | Information Elements with zero-length value are rejected by the GTP parser | 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 845461-1 | 5-Cosmetic | BT845461 | MRF DIAMETER: additional details to log event to assist debugging | 13.1.3.5 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 703165-5 | 3-Major | BT703165 | shared memory leakage | 13.1.3.5, 14.1.2.8 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 783289-3 | 2-Critical | BT783289 | PEM actions not applied in VE bigTCP. | 13.1.3.5, 14.1.3.1 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 943889 | 2-Critical | BT943889 | Reopening the publisher after a failed publishing attempt | 13.1.3.5, 14.1.4 |
| 876581-5 | 3-Major | BT876581 | JavaScript engine file is empty if the original HTML page cached for too long | 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1 |
| 940401-4 | 5-Cosmetic | BT940401 | Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' | 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 913441 | 2-Critical | BT913441 | Tmm cores while doing Hitless Upgrade while there are active flows | 12.1.5.3, 13.1.3.5 |
| 745733-1 | 3-Major | BT745733 | TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup | 13.1.3.5, 14.1.0.2 |
| 689614-1 | 3-Major | BT689614 | If DNS is not configured and management proxy is setup correctly, Webroot database fails to download | 13.1.3.5 |
Device Management Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 767613-3 | 3-Major | BT767613 | Restjavad can keep partially downloaded files open indefinitely | 13.1.3.5, 14.1.3.1 |
Cumulative fixes from BIG-IP v13.1.3.4 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 900757-5 | CVE-2020-5902 | K52145254, BT900757 | TMUI RCE vulnerability CVE-2020-5902 | 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 895525-5 | CVE-2020-5902 | K52145254, BT895525 | TMUI RCE vulnerability CVE-2020-5902 | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 909237-3 | CVE-2020-8617 | K05544642 | CVE-2020-8617: BIND Vulnerability | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 909233-3 | CVE-2020-8616 | K97810133, BT909233 | DNS Hardening | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 905905-4 | CVE-2020-5904 | K31301245, BT905905 | TMUI CSRF vulnerability CVE-2020-5904 | 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 895993-5 | CVE-2020-5902 | K52145254, BT895993 | TMUI RCE vulnerability CVE-2020-5902 | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 895981-5 | CVE-2020-5902 | K52145254, BT895981 | TMUI RCE vulnerability CVE-2020-5902 | 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 895881-4 | CVE-2020-5903 | K43638305, BT895881 | BIG-IP TMUI XSS vulnerability CVE-2020-5903 | 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4 |
| 883717-4 | CVE-2020-5914 | K37466356, BT883717 | BD crash on specific server cookie scenario | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 852445-5 | CVE-2019-6477 | K15840535, BT852445 | Big-IP : CVE-2019-6477 BIND Vulnerability | 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.5 |
| 841577-6 | CVE-2020-5922 | K20606443, BT841577 | iControl REST hardening | 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5 |
| 838677-5 | CVE-2019-10744 | K47105354, BT838677 | lodash library vulnerability CVE-2019-10744 | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 837773-4 | CVE-2020-5912 | K12936322, BT837773 | Restjavad Storage and Configuration Hardening | 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 830401-5 | CVE-2020-5877 | K54200228, BT830401 | TMM may crash while processing TCP traffic with iRules | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
| 819197-6 | CVE-2019-13135 | K20336394, BT819197 | BIGIP: CVE-2019-13135 ImageMagick vulnerability | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 819189-5 | CVE-2019-13136 | K03512441, BT819189 | BIGIP: CVE-2019-13136 ImageMagick vulnerability | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 818709-4 | CVE-2020-5858 | K36814487, BT818709 | TMSH does not follow current best practices | 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.4 |
| 778077-1 | CVE-2019-6680 | K53183580, BT778077 | Virtual to virtual chain can cause TMM to crash | 11.6.5.1, 12.1.5.1, 13.1.3.4, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 767373-3 | CVE-2019-8331 | K24383845, BT767373 | CVE-2019-8331: Bootstrap Vulnerability | 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.4 |
| 750292-4 | CVE-2019-6592 | K54167061, BT750292 | TMM may crash when processing TLS traffic | 12.1.5.3, 13.1.3.4, 14.1.0.2 |
| 886085-1 | CVE-2020-5925 | K45421311, BT886085 | BIG-IP TMM vulnerability CVE-2020-5925 | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
| 872673-4 | CVE-2020-5918 | K26464312, BT872673 | TMM can crash when processing SCTP traffic | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 868349-5 | CVE-2020-5935 | K62830532, BT868349 | TMM may crash while processing iRules with MQTT commands | 13.1.3.4, 14.1.2.5, 15.1.1 |
| 860477-6 | CVE-2020-5906 | K82518062 | SCP hardening | 12.1.5.2, 13.1.3.4 |
| 859089-3 | CVE-2020-5907 | K00091341, BT859089 | TMSH allows SFTP utility access | 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4 |
| 858025-5 | CVE-2021-22984 | K33440533, BT858025 | BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984 | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
| 832885-5 | CVE-2020-5923 | K05975972, BT832885 | Self-IP hardening | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5 |
| 829121-5 | CVE-2020-5886 | K65720640, BT829121 | State mirroring default does not require TLS | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2 |
| 829117-5 | CVE-2020-5885 | K17663061, BT829117 | State mirroring default does not require TLS | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2 |
| 811789-4 | CVE-2020-5915 | K57214921, BT811789 | Device trust UI hardening | 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 789921-4 | CVE-2020-5881 | K03386032, BT789921 | TMM may restart while processing VLAN traffic | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
| 761112-5 | CVE-2019-6683 | K76328112, BT761112 | TMM may consume excessive resources when processing FastL4 traffic | 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.0.1.1, 14.1.2.3, 15.0.1.4 |
| 756458-1 | CVE-2018-18559 | K28241423, BT756458 | Linux kernel vulnerability: CVE-2018-18559 | 13.1.3.4, 14.1.2.1, 15.0.1.4 |
| 745103-4 | CVE-2018-7159 | K27228191, BT745103 | NodeJS Vulnerability: CVE-2018-7159 | 13.1.3.4, 14.1.2.1, 15.0.1.3 |
| 715969-1 | CVE-2017-5703 | K19855851, BT715969 | CVE-2017-5703: Unsafe Opcodes exposed in Intel SPI based products | 13.1.3.4 |
| 823893-4 | CVE-2020-5890 | K03318649, BT823893 | Qkview may fail to completely sanitize LDAP bind credentials | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
| 746091-3 | CVE-2019-19151 | K21711352, BT746091 | TMSH Vulnerability: CVE-2019-19151 | 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 717276-5 | CVE-2020-5930 | K20622530, BT717276 | TMM Route Metrics Hardening | 11.6.5.3, 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.5 |
| 759536-4 | CVE-2019-8912 | K31739796, BT759536 | Linux kernel vulnerability: CVE-2019-8912 | 13.1.3.4, 14.1.2.1, 15.0.1.1 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 819397-3 | 1-Blocking | K50375550, BT819397 | TMM does not enforce RFC compliance when processing HTTP traffic | 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.1 |
| 858229-2 | 3-Major | K22493037, BT858229 | XML with sensitive data gets to the ICAP server | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
| 691499-1 | 3-Major | BT691499 | GTP::ie primitives in iRule to be certified | 13.1.3.4, 14.1.2.7, 15.1.0.5 |
| 617929-4 | 3-Major | BT617929 | Support non-default route domains | 13.1.3.4, 14.1.2.8, 15.0.1.3 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 747099-1 | 1-Blocking | BT747099 | AWS Cloud VE instance cannot connect to the metadata server to obtain licensing details. | 13.1.3.4 |
| 841333-3 | 2-Critical | BT841333 | TMM may crash when tunnel used after returning from offline | 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.2 |
| 792285-3 | 2-Critical | BT792285 | TMM crashes if the queuing message to all HSL pool members fails | 13.1.3.4, 14.1.2.5 |
| 780817 | 2-Critical | BT780817 | TMM can crash on certain vCMP hosts after modifications to VLANs and guests. | 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1 |
| 767013-4 | 2-Critical | BT767013 | Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.4.4 |
| 762205-1 | 2-Critical | BT762205 | IKEv2 rekey fails to recognize VENDOR_ID payload when it appears | 13.1.3.4, 14.1.2.3, 15.0.1.4 |
| 882557-5 | 3-Major | BT882557 | TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher) | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4 |
| 866925-1 | 3-Major | BT866925 | The TMM pages used and available can be viewed in the F5 system stats MIB | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 865225-2 | 3-Major | BT865225 | 100G modules may not work properly in i15000 and i15800 platforms | 13.1.3.4, 15.1.0.2 |
| 842125-2 | 3-Major | BT842125 | Unable to reconnect outgoing SCTP connections that have previously aborted | 13.1.3.4, 14.1.2.5, 15.1.0.5 |
| 812981-2 | 3-Major | BT812981 | MCPD: memory leak on standby BIG-IP device | 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 807005-3 | 3-Major | BT807005 | Save-on-auto-sync is not working as expected with large configuration objects | 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
| 804477-2 | 3-Major | BT804477 | Add HSB register logging when parts of the device becomes unresponsive | 13.1.3.4, 14.1.4.3 |
| 800185-2 | 3-Major | BT800185 | Saving a large encrypted UCS archive may fail and might trigger failover | 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4 |
| 762073-1 | 3-Major | BT762073 | Continuous TMM restarts when HSB drops off the PCI bus | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4 |
| 760439-2 | 3-Major | BT760439 | After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status | 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1 |
| 753860-1 | 3-Major | BT753860 | Virtual server config changes causing incorrect route injection. | 13.1.3.4, 14.1.2.7 |
| 749153-1 | 3-Major | BT749153 | Cannot create LTM policy from GUI using iControl | 12.1.4.1, 13.1.3.4 |
| 742628-5 | 3-Major | BT742628 | A tmsh session initiation adds increased control plane pressure | 12.1.5.3, 13.1.3.4, 14.1.2.6, 14.1.4, 15.0.1.4, 15.1.0.2 |
| 739872-2 | 3-Major | BT739872 | The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover | 12.1.5.3, 13.1.3.4 |
| 738943-5 | 3-Major | BT738943 | imish command hangs when ospfd is enabled | 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1 |
| 738881-2 | 3-Major | BT738881 | Qkview does not collect any data under certain conditions that cause a timeout | 13.1.3.4 |
| 734846-3 | 3-Major | BT734846 | Redirection to logon summary page does not occur after session timeout | 13.1.3.4 |
| 701529-1 | 3-Major | BT701529 | Configuration may not load or not accept vlan or tunnel names as "default" or "all" | 13.1.3.4, 14.1.2.7 |
| 688399-4 | 3-Major | BT688399 | HSB failure results in continuous TMM restarts | 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4 |
| 648621-5 | 3-Major | BT648621 | SCTP: Multihome connections may not expire | 11.6.5.3, 12.1.5.2, 13.1.3.4, 14.1.2.1, 15.0.1.4 |
| 641450-5 | 3-Major | K30053855, BT641450 | A transaction that deletes and recreates a virtual may result in an invalid configuration | 12.1.5.1, 13.1.3.4, 14.1.2.5 |
| 625901-2 | 3-Major | BT625901 | SNAT pools allow members in different partitions to be assigned, but this causes a load failure | 12.1.5.1, 13.1.3.4 |
| 748940-1 | 4-Minor | BT748940 | iControl REST cert creation not working for non-Common folder | 13.1.3.4 |
| 743815-3 | 4-Minor | BT743815 | vCMP guest observes connflow reset when a CMP state change occurs. | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7 |
| 726317-4 | 4-Minor | BT726317 | Improved debugging output for mcpd | 12.1.5, 13.1.3.4, 14.1.0.6 |
| 722230-5 | 4-Minor | BT722230 | Cannot delete FQDN template node if another FQDN node resolves to same IP address | 12.1.5.2, 13.1.3.4, 14.1.3.1, 15.0.1.4, 15.1.0.2 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 816273-4 | 1-Blocking | BT816273 | L7 Policies may execute CONTAINS operands incorrectly. | 13.1.3.4, 14.1.2.3, 15.0.1.1 |
| 715032-5 | 1-Blocking | K73302459, BT715032 | iRulesLX Hardening | 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 853329 | 2-Critical | BT853329 | HTTP explicit proxy can crash TMM when used with classification profile | 11.6.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3 |
| 841469-3 | 2-Critical | BT841469 | Application traffic may fail after an internal interface failure on a VIPRION system. | 13.1.3.4, 15.1.2.1 |
| 831325-3 | 2-Critical | K10701310, BT831325 | HTTP PSM detects more issues with Transfer-Encoding headers | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.1 |
| 826601-3 | 2-Critical | BT826601 | Prevent receive window shrinkage for looped flows that use a SYN cookie | 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.3 |
| 813561-1 | 2-Critical | BT813561 | MCPD crashes when assigning an iRule that uses a proc | 13.1.3.4, 14.1.2.8, 15.0.1.3 |
| 812525-5 | 2-Critical | K27551003, BT812525 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
| 757578-4 | 2-Critical | BT757578 | RAM cache is not compatible with verify-accept | 12.1.5.2, 13.1.3.4, 14.1.2.1, 15.0.1.1 |
| 696908-1 | 2-Critical | BT696908 | Updating iRule causes TMM to crash | 13.1.3.4 |
| 690291-1 | 2-Critical | BT690291 | tmm crash | 13.1.3.4 |
| 858301-4 | 3-Major | K27551003, BT858301 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
| 858297-4 | 3-Major | K27551003, BT858297 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
| 858289-4 | 3-Major | K27551003, BT858289 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
| 858285-4 | 3-Major | K27551003, BT858285 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1 |
| 796993-3 | 3-Major | BT796993 | Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs | 12.1.5.3, 13.1.3.4, 14.1.3.1 |
| 788753-1 | 3-Major | BT788753 | GATEWAY_ICMP monitor marks node down with wrong error code | 13.1.3.4, 14.1.2.8, 15.1.0.5 |
| 778517-2 | 3-Major | K91052217, BT778517 | Large number of in-TMM monitors results in delayed processing | 13.1.3.4, 14.1.2.7 |
| 776229-4 | 3-Major | BT776229 | iRule 'pool' command no longer accepts pool members with ports that have a value of zero | 13.1.3.4, 14.1.3.1 |
| 761185-4 | 3-Major | K50375550, BT761185 | Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic | 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.1 |
| 760679 | 3-Major | BT760679 | Memory corruption when using C3D on certain platforms | 13.1.3.4 |
| 759480-2 | 3-Major | BT759480 | HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash | 12.1.5, 13.1.3.4, 14.1.3.1 |
| 758872-2 | 3-Major | BT758872 | TMM memory leak | 12.1.5, 13.1.3.4, 14.1.2.3 |
| 756494-1 | 3-Major | BT756494 | For in-tmm monitoring: multiple instances of the same agent are running on the Standby device | 13.1.3.4, 14.1.2.7 |
| 753805-1 | 3-Major | BT753805 | BIG-IP system failed to advertise virtual address even after the virtual address was in Available state. | 12.1.5.3, 13.1.3.4, 14.1.3.1 |
| 716167-1 | 3-Major | BT716167 | The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp | 13.1.3.4, 14.1.0.2 |
| 686059-2 | 3-Major | BT686059 | FDB entries for existing VLANs may be flushed when creating a new VLAN. | 12.1.5.3, 13.1.3.4, 14.1.2.7 |
| 751586-5 | 4-Minor | BT751586 | Http2 virtual does not honour translate-address disabled | 12.1.4.1, 13.1.3.4, 14.1.2.1, 15.1.4 |
| 747585-2 | 4-Minor | BT747585 | TCP Analytics supports ANY protocol number | 12.1.5, 13.1.3.4, 14.1.2.1 |
| 594064-5 | 4-Minor | K57004151, BT594064 | tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows. | 11.6.5.3, 12.1.5.2, 13.1.3.4 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 807177-1 | 2-Critical | BT807177 | HTTPS monitoring is not caching SSL sessions correctly | 13.1.3.4, 14.1.2.5 |
| 802961-1 | 3-Major | BT802961 | The 'any-available' prober selection is not as random as in earlier versions | 13.1.3.4, 14.1.2.5 |
| 778365-1 | 3-Major | BT778365 | dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service | 13.1.3.4, 14.1.2.7 |
| 774481-3 | 3-Major | BT774481 | DNS Virtual Server creation problem with Dependency List | 13.1.3.4, 14.1.2.7 |
| 756470-3 | 3-Major | BT756470 | Additional logging added to detect when monitoring operations in the configuration exceeds capabilities. | 13.1.3.4, 14.1.4.5 |
| 746348-1 | 3-Major | BT746348 | On rare occasions, gtmd fails to process probe responses originating from the same system. | 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.2 |
| 704198-3 | 3-Major | K29403988, BT704198 | Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance | 12.1.5.2, 13.1.3.4, 14.1.2.5 |
| 744280-1 | 4-Minor | BT744280 | Enabling or disabling a Distributed Application results in a small memory leak | 13.1.3.4, 14.0.0.5, 14.1.2.5 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 803813-3 | 2-Critical | BT803813 | TMM may experience high latency when processing WebSocket traffic | 13.1.3.4, 14.1.2.7 |
| 754109-3 | 2-Critical | BT754109 | ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive | 13.1.3.4, 14.1.2.3 |
| 854177-2 | 3-Major | BT854177 | ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality | 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.1.0.5 |
| 850673-4 | 3-Major | BT850673 | BD sends bad ACKs to the bd_agent for configuration | 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 846493 | 3-Major | BT846493 | ASM CAPTCHA is not working the first time when a request contains sensitive parameters | 13.1.3.4 |
| 783505 | 3-Major | BT783505 | ASU is very slow on device with hundreds of policies due to table checksums | 12.1.5.1, 13.1.3.4 |
| 697269-1 | 3-Major | BT697269 | Request logging is briefly suspended after policy creation | 13.1.3.4 |
| 689987-3 | 3-Major | BT689987 | Requests are not logged on new virtual servers after UCS load while ASM is running | 13.1.3.4 |
| 681010-2 | 3-Major | K33572148, BT681010 | 'Referer' is not masked when 'Query String' contains sensitive parameter | 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 673522-1 | 3-Major | BT673522 | RST when using Bot Defense profile and surfing to a long URL on related domain | 13.1.3.4 |
| 629628-1 | 3-Major | BT629628 | Request Events Missing Due to Policy Builder Restart | 13.1.3.4 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 838709-2 | 2-Critical | BT838709 | Enabling DoS stats also enables page-load-time | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 828937-4 | 2-Critical | K45725467, BT828937 | Some systems can experience periodic high IO wait due to AVR data aggregation | 13.1.3.4, 14.1.2.5, 15.1.0.5 |
| 870957-2 | 3-Major | "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 | |
| 863161-5 | 3-Major | BT863161 | Scheduled reports are sent via TLS even if configured as non encrypted | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 833113-1 | 3-Major | BT833113 | Avrd core when sending large messages via https | 13.1.3.4, 14.1.4.3, 15.0.1.3, 15.1.4 |
| 830073-5 | 3-Major | BT830073 | AVRD may core when restarting due to data collection device connection timeout | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 700035-5 | 3-Major | BT700035 | /var/log/avr/monpd.disk.provision not rotate | 13.1.3.4 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 885241 | 2-Critical | BT885241 | TMM leaks memory when the 'ACCESS::session remove' iRule command is called in an event other than an ACCESS event. | 13.1.3.4 |
| 871761-2 | 2-Critical | BT871761 | Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS | 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2 |
| 747192-2 | 2-Critical | BT747192 | Small memory leak while creating Access Policy items | 12.1.4.1, 13.1.3.4 |
| 660913-4 | 2-Critical | BT660913 | For ActiveSync client type, browscap info provided is incorrect.&start; | 12.1.4.1, 13.1.3.4, 14.1.4.3 |
| 850277-5 | 3-Major | BT850277 | Memory leak when using OAuth | 13.1.3.4, 14.1.4, 15.0.1.3, 15.1.0.2 |
| 803825 | 3-Major | BT803825 | WebSSO does not support large NTLM target info length | 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2 |
| 744407-5 | 3-Major | BT744407 | While the client has been closed, iRule function should not try to check on a closed session | 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2 |
WebAccelerator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 833213-5 | 3-Major | BT833213 | Conditional requests are served incorrectly with AAM policy in webacceleration profile | 13.1.3.4, 14.1.2.3, 15.0.1.3, 15.1.3 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 814097-4 | 2-Critical | BT814097 | Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event. | 11.6.5.2, 13.1.3.4, 14.1.2.7 |
| 811105-3 | 2-Critical | BT811105 | MRF SIP-ALG drops SIP 183 and 200 OK messages | 13.1.3.4, 14.1.2.5, 15.0.1.4 |
| 766405-3 | 2-Critical | BT766405 | MRF SIP ALG with SNAT: Fix for potential crash on next-active device | 13.1.3.4, 14.1.0.6 |
| 745397-3 | 2-Critical | BT745397 | Virtual server configured with FIX profile can leak memory. | 13.1.3.4 |
| 882273-1 | 3-Major | BT882273 | MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage grow | 13.1.3.4, 14.1.2.5 |
| 866021-4 | 3-Major | BT866021 | Diameter Mirror connection lost on the standby due to "process ingress error" | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 842625-1 | 3-Major | BT842625 | SIP message routing remembers a 'no connection' failure state forever | 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.2 |
| 824149-1 | 3-Major | BT824149 | SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
| 815529-4 | 3-Major | BT815529 | MRF outbound messages are dropped in per-peer mode | 13.1.3.4, 14.1.2.7 |
| 811033-3 | 3-Major | BT811033 | MRF: BiDirectional pesistence does not work in reverse direction if different transport protocols are used | 13.1.3.4, 14.1.2.5 |
| 804313-4 | 3-Major | BT804313 | MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded. | 13.1.3.4, 14.1.2.1, 15.0.1.2 |
| 803809-1 | 3-Major | BT803809 | SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled. | 13.1.3.4, 14.1.2.7, 15.1.0.2 |
| 782353-8 | 3-Major | BT782353 | SIP MRF via header shows TCP Transport when TLS is enabled | 13.1.3.4, 14.1.2.7 |
| 754658-1 | 3-Major | BT754658 | Improved matching of response messages uses end-to-end ID | 13.1.3.4, 14.1.2.7 |
| 754617-1 | 3-Major | BT754617 | iRule 'DIAMETER::avp read' command does not work with 'source' option | 13.1.3.4, 14.1.2.7 |
| 746731-3 | 3-Major | BT746731 | BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set | 13.1.3.4, 14.1.2.7 |
| 744275-3 | 3-Major | BT744275 | BIG-IP system sends Product-Name AVP in CER with Mandatory bit set | 13.1.3.4, 14.1.0.2 |
| 727288-3 | 3-Major | BT727288 | Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC | 13.1.3.4 |
| 696348-2 | 3-Major | BT696348 | "GTP::ie insert" and "GTP::ie append" do not work without "-message" option | 13.1.3.4, 14.1.2.7, 15.1.0.5 |
| 676709-3 | 3-Major | K37604585, BT676709 | Diameter virtual server has different behavior of connection-prime when persistence is on/off | 11.6.5.2, 13.1.3.4 |
| 836357-1 | 4-Minor | BT836357 | SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 | 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2 |
| 793013 | 4-Minor | BT793013 | MRF DIAMETER: Implement sweeper for pending request messages queue | 13.1.3.4 |
| 788513-4 | 4-Minor | BT788513 | Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log | 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5 |
| 786981-1 | 4-Minor | BT786981 | Pending GTP iRule operation maybe aborted when connection is expired | 13.1.3.4, 14.1.2.7 |
| 753790 | 4-Minor | BT753790 | Allow 'DIAMETER::persist reset' command in EGRESS events | 13.1.3.4 |
| 711641-1 | 4-Minor | BT711641 | MRF DIAMETER: Add log events to log when stale messages are removed from pending request queue | 13.1.3.4 |
| 793005-4 | 5-Cosmetic | BT793005 | 'Current Sessions' statistic of MRF/Diameter pool may be incorrect | 13.1.3.4, 14.1.2.7, 15.1.0.5 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 852289-6 | 3-Major | K23278332, BT852289 | DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector | 13.1.3.4, 14.1.2.5, 15.1.1 |
| 751116-3 | 3-Major | BT751116 | DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring | 13.1.3.4, 14.1.4.2 |
Device Management Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 839597-2 | 3-Major | BT839597 | Restjavad fails to start if provision.extramb has a large value | 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5 |
Cumulative fixes from BIG-IP v13.1.3.3 that are included in this release
Functional Change Fixes
None
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 803645-1 | 3-Major | BT803645 | GTMD daemon crashes | 13.1.3.3, 14.1.2.7 |
Cumulative fixes from BIG-IP v13.1.3.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 818429-2 | CVE-2020-5857 | K70275209, BT818429 | TMM may crash while processing HTTP traffic | 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 808301-1 | CVE-2019-6678 | K04897373, BT808301 | TMM may crash while processing IP traffic | 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1 |
| 805837-4 | CVE-2019-6657 | K22441651, BT805837 | REST does not follow current design best practices | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.5, 15.0.1.1 |
| 795437-2 | CVE-2019-6677 | K06747393, BT795437 | Improve handling of TCP traffic for iRules | 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 795197-3 | CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 | K26618426, BT795197 | Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 781377-1 | CVE-2019-6681 | K93417064, BT781377 | tmrouted may crash while processing Multicast Forwarding Cache messages | 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4 |
| 780601-4 | CVE-2020-5873 | K03585731, BT780601 | SCP file transfer hardening | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.1.2.5, 15.0.1.1 |
| 769589-4 | CVE-2019-6974 | K11186236, BT769589 | CVE-2019-6974: Linux Kernel Vulnerability | 13.1.3.2, 14.1.2.5 |
| 762453 | CVE-2020-5872 | K63558580, BT762453 | Hardware cryptography acceleration may fail | 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.5 |
| 757357 | CVE-2019-6676 | K92002212, BT757357 | TMM may crash while processing traffic | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 636400-1 | CVE-2019-6665 | K26462555, BT636400 | CPB (BIG-IP->BIGIQ log node) Hardening | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1, 15.1.0.2 |
| 810537-3 | CVE-2020-5883 | K12234501, BT810537 | TMM may consume excessive resources while processing iRules | 13.1.3.2, 14.0.1.1, 14.1.2.5, 15.0.1.1 |
| 809165-4 | CVE-2020-5854 | K50046200, BT809165 | TMM may crash will processing connector traffic | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4 |
| 808525-4 | CVE-2019-6686 | K55812535, BT808525 | TMM may crash while processing Diameter traffic | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4 |
| 795797-4 | CVE-2019-6658 | K21121741, BT795797 | AFM WebUI Hardening | 12.1.5.1, 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 788773-4 | CVE-2019-9515 | K50233772, BT788773 | HTTP/2 Vulnerability: CVE-2019-9515 | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 788769-4 | CVE-2019-9514 | K01988340, BT788769 | HTTP/2 Vulnerability: CVE-2019-9514 | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 782529-4 | CVE-2019-6685 | K30215839, BT782529 | iRules does not follow current design best practices | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.3 |
| 781449-4 | CVE-2019-6672 | K14703097, BT781449 | Increase efficiency of sPVA DoS protection on wildcard virtual servers | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 777737-2 | CVE-2019-6671 | K39225055, BT777737 | TMM may consume excessive resources when processing IP traffic | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 773673-4 | CVE-2019-9512 | K98053339, BT773673 | HTTP/2 Vulnerability: CVE-2019-9512 | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 768981-4 | CVE-2019-6670 | K05765031, BT768981 | VCMP Hypervisor Hardening | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 761144-6 | CVE-2019-6684 | K95117754, BT761144 | Broadcast frames may be dropped | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.3 |
| 761014-4 | CVE-2019-6669 | K11447758, BT761014 | TMM may crash while processing local traffic | 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 758018-3 | CVE-2019-6661 | K61705126, BT758018 | APD/APMD may consume excessive resources | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1 |
| 725551-4 | CVE-2019-6682 | K40452417, BT725551 | ASM may consume excessive resources | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.4 |
| 636453-9 | CVE-2016-10009 | K31440025 | OpenSSH vulnerability CVE-2016-10009 | 13.1.3.2 |
| 789893-4 | CVE-2019-6679 | K54336216, BT789893 | SCP file transfer hardening | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1 |
| 779177-4 | CVE-2019-19150 | K37890841, BT779177 | Apmd logs "client-session-id" when access-policy debug log level is enabled | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.3 |
| 749324-2 | CVE-2012-6708 | K62532311, BT749324 | jQuery Vulnerability: CVE-2012-6708 | 12.1.5.2, 13.1.3.2, 14.1.2.3 |
| 738236-2 | CVE-2019-6688 | K25607522, BT738236 | UCS does not follow current best practices | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.3 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 724556-2 | 2-Critical | BT724556 | icrd_child spawns more than maximum allowed times (zombie processes) | 12.1.5.3, 13.1.3.2, 14.1.2.7 |
| 769193-1 | 3-Major | BT769193 | Added support for faster congestion window increase in slow-start for stretch ACKs | 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.3 |
| 759135-5 | 3-Major | BT759135 | AVR report limits are locked at 1000 transactions | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 788269-1 | 4-Minor | BT788269 | Adding toggle to disable AVR widgets on device-groups | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.3 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 725950 | 1-Blocking | BT725950 | Regcomp() leaks memory if passed an invalid regex. | 13.1.3.2 |
| 831549 | 2-Critical | BT831549 | Marketing name does not display properly for BIG-IP i10010 (C127) | 13.1.3.2, 14.1.4.4 |
| 765533-4 | 2-Critical | K58243048, BT765533 | Sensitive information logged when DEBUG logging enabled | 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.1 |
| 749388 | 2-Critical | BT749388 | 'table delete' iRule command can cause TMM to crash | 12.1.5.2, 13.1.3.2, 14.1.2.5 |
| 747203-4 | 2-Critical | BT747203 | Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding | 13.1.3.2, 15.0.1.3 |
| 686996-1 | 2-Critical | BT686996 | TMM core under heavy load with PEM | 13.1.3.2 |
| 809205-3 | 3-Major | CVE-2019-3855: libssh2 Vulnerability | 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1, 15.1.3, 16.0.1.2 | |
| 794501-4 | 3-Major | BT794501 | Duplicate if_indexes and OIDs between interfaces and tunnels | 12.1.5.3, 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 793121-1 | 3-Major | BT793121 | Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication | 13.1.3.2, 14.1.2.7, 15.0.1.3, 15.1.0.2 |
| 788557 | 3-Major | BT788557 | BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior | 11.6.5.2, 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 788301-3 | 3-Major | K58243048, BT788301 | SNMPv3 Hardening | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 777261-2 | 3-Major | BT777261 | When SNMP cannot locate a file it logs messages repeatedly | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 764873-4 | 3-Major | BT764873 | An accelerated flow may transmit packets to an unavailable pool member. | 13.1.3.2, 14.1.4.2, 15.0.1.3 |
| 761993-4 | 3-Major | BT761993 | The nsm process may crash if it detects a nexthop mismatch | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 759735-1 | 3-Major | BT759735 | OSPF ASE route calculation for new external-LSA delayed | 13.1.3.2, 14.1.2.5 |
| 758781-1 | 3-Major | BT758781 | iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 758527-4 | 3-Major | K39604784, BT758527 | BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.0.5, 14.1.2.3, 15.0.1.3 |
| 758119-4 | 3-Major | K58243048, BT758119 | qkview may contain sensitive information | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 747592-2 | 3-Major | PHP vulnerability CVE-2018-17082 | 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1 | |
| 745825-3 | 3-Major | BT745825 | The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading | 13.1.3.2, 14.1.0.2 |
| 741902-3 | 3-Major | BT741902 | sod does not validate message length vs. received packet length | 11.6.5.2, 12.1.5.2, 13.1.3.2 |
| 740413-3 | 3-Major | BT740413 | Sod not logging Failover Condition messages | 13.1.3.2 |
| 738445-2 | 3-Major | BT738445 | IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup | 12.1.5, 13.1.3.2, 14.0.1.1 |
| 724109-4 | 3-Major | BT724109 | Manual config-sync fails after pool with FQDN pool members is deleted | 12.1.5.3, 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 700712-1 | 3-Major | BT700712 | MariaDB binary logging takes up disk space | 13.1.3.2 |
| 687115-2 | 3-Major | BT687115 | SNMP performance can be impacted by a long list of allowed-addresses | 12.1.5.3, 13.1.3.2 |
| 683135-2 | 3-Major | BT683135 | Hardware syncookies number for virtual server stats is unrealistically high | 13.1.3.2, 14.1.2.7 |
| 680917-1 | 3-Major | BT680917 | Invalid monitor rule instance identifier | 12.1.5.3, 13.1.3.2, 14.1.2.1 |
| 815425 | 4-Minor | BT815425 | RAID status is shown <undefined> after upgrade from 12.1.3.5 to 13.1.x&start; | 13.1.3.2 |
| 755018-4 | 4-Minor | BT755018 | Egress traffic processing may be stopped on one or more VE trunk interfaces | 13.1.3.2, 14.1.2.7, 15.0.1.1 |
| 484683-3 | 4-Minor | BT484683 | Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer. | 13.1.3.2, 14.1.2.7 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 800305-4 | 2-Critical | BT800305 | VDI::cmp_redirect generates flow with random client port | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 787825-3 | 2-Critical | K58243048, BT787825 | Database monitors debug logs have plaintext password printed in the log file | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 739927-3 | 2-Critical | BT739927 | Bigd crashes after a specific combination of logging operations | 11.5.9, 11.6.4, 12.1.4, 13.1.3.2 |
| 693491-1 | 2-Critical | BT693491 | ASM with Web Acceleration Profile can rarely cause TMM to core | 13.1.3.2 |
| 813673-1 | 3-Major | BT813673 | The HTTP Explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT to IPv4 targets. | 13.1.3.2 |
| 788325-4 | 3-Major | K39794285, BT788325 | Header continuation rule is applied to request/response line | 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 781753-1 | 3-Major | BT781753 | WebSocket traffic is transmitted with unknown opcodes | 13.1.3.2, 14.1.2.8 |
| 773421-2 | 3-Major | BT773421 | Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied | 12.1.5.1, 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 770477-3 | 3-Major | BT770477 | SSL aborted when client_hello includes both renegotiation info extension and SCSV | 12.1.5.3, 13.1.3.2, 14.1.2.5 |
| 761030-1 | 3-Major | BT761030 | tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route | 13.1.3.2, 14.1.2.5 |
| 758992-1 | 3-Major | BT758992 | The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address | 13.1.3.2, 14.1.2.3, 15.0.1.3 |
| 757827-3 | 3-Major | BT757827 | Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution | 13.1.3.2, 14.1.2.5, 15.0.1.3 |
| 755727-3 | 3-Major | BT755727 | Ephemeral pool members not created after DNS flap and address record changes | 12.1.5.2, 13.1.3.2, 14.1.2.5, 15.0.1.3 |
| 749294-2 | 3-Major | BT749294 | TMM cores when query session index is out of boundary | 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.0.2 |
| 747907-1 | 3-Major | BT747907 | Persistence records leak while the high availability (HA) mirror connection is down | 13.1.3.2, 14.1.0.6 |
| 743257-1 | 3-Major | BT743257 | Fix block size insecurity init and assign | 13.1.3.2, 14.0.0.5, 14.1.2.5 |
| 742237-2 | 3-Major | BT742237 | CPU spikes appear wider than actual in graphs | 12.1.5, 13.1.3.2, 14.1.2.1 |
| 739638-2 | 3-Major | BT739638 | BGP failed to connect with neighbor when pool route is used | 12.1.4.1, 13.1.3.2, 14.0.1.1 |
| 726734-1 | 3-Major | BT726734 | DAGv2 port lookup stringent may fail | 13.1.3.2, 14.1.2.8 |
| 726176-4 | 3-Major | BT726176 | Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 716952-2 | 3-Major | BT716952 | With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process complete. | 13.1.3.2 |
| 704450-3 | 3-Major | BT704450 | bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration | 12.1.5.2, 13.1.3.2, 14.1.0.2 |
| 693582-1 | 3-Major | BT693582 | Monitor node log not rotated for certain monitor types | 12.1.4, 13.1.3.2 |
| 689361-1 | 3-Major | BT689361 | Configsync can change the status of a monitored pool member | 12.1.5.2, 13.1.3.2, 14.1.2.1 |
| 687887-1 | 3-Major | BT687887 | Unexpected result from multiple changes to a monitor-related object in a single transaction | 12.1.5.3, 13.1.3.2, 14.1.2.3 |
| 676990-2 | 3-Major | BT676990 | No way to enable SNAT of host traffic | 13.1.3.2 |
| 676557-1 | 3-Major | BT676557 | Binary data marshalled to TCL may be converted to UTF8 | 13.1.3.2 |
| 636842-3 | 3-Major | K51472519, BT636842 | A FastL4 virtual server may drop a FIN packet when mirroring is enabled | 12.1.5.1, 13.1.3.2, 14.1.2.5 |
| 601189-3 | 3-Major | BT601189 | The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode | 12.1.5.1, 13.1.3.2, 14.1.2.5 |
| 769309-3 | 4-Minor | BT769309 | DB monitor reconnects to server on every probe when count = 0 | 12.1.5.3, 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 760683-2 | 4-Minor | BT760683 | RST from non-floating self-ip may use floating self-ip source mac-address | 13.1.3.2, 14.1.2.5 |
| 754003-1 | 4-Minor | K73202036, BT754003 | Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate | 13.1.3.2, 14.1.2.3, 15.0.1.3 |
| 747628-3 | 4-Minor | BT747628 | BIG-IP sends spurious ICMP PMTU message to server | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 744210-1 | 4-Minor | BT744210 | DHCPv6 does not have the ability to override the hop limit from the client. | 13.1.3.2, 14.1.2.3 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 772233-1 | 3-Major | BT772233 | IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV. | 13.1.3.2, 14.1.2.5, 15.0.1.3 |
| 761032-4 | 3-Major | K36328238, BT761032 | TMSH displays TSIG keys | 13.1.3.2, 14.0.1.1, 14.1.2.3 |
| 699512-1 | 3-Major | BT699512 | UDP packet may be dropped when queued in parallel with another packet | 13.1.3.2 |
| 672491-5 | 3-Major | K10990182, BT672491 | net resolver uses internal IP as source if matching wildcard forwarding virtual server | 11.6.5.3, 12.1.3.6, 13.1.3.2 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 813945-1 | 2-Critical | BT813945 | PB core dump while processing many entities | 13.1.3.2, 14.1.2.3 |
| 775105-1 | 2-Critical | BT775105 | False positive on bot defense logs | 13.1.3.2, 14.0.1.1 |
| 812341-1 | 3-Major | BT812341 | Patch or Delete commands take a long time to complete when modifying an ASM signature set. | 13.1.3.2, 14.1.2.3 |
| 800453-1 | 3-Major | K72252057, BT800453 | False positive virus violations | 13.1.3.2, 14.1.2.3, 15.0.1.3 |
| 783513-1 | 3-Major | BT783513 | ASU is very slow on device with hundreds of policies due to logging profile handling | 13.1.3.2, 14.1.2.3 |
| 739618-1 | 3-Major | BT739618 | When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy | 13.1.3.2, 14.1.2.3, 15.1.0.2 |
| 727107-2 | 3-Major | BT727107 | Request Logs are not stored locally due to shmem pipe blockage | 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 756102-3 | 2-Critical | BT756102 | TMM can crash with core on ABORT signal due to non-responsive AVR code | 13.1.3.2, 14.1.0.6, 15.0.1.1 |
| 797785-3 | 3-Major | BT797785 | AVR reports no ASM-Anomalies data. | 13.1.3.2, 14.1.2.1, 15.0.1.3 |
| 792265-1 | 3-Major | BT792265 | Traffic logs does not include the BIG-IQ tags | 13.1.3.2, 14.1.2.1, 15.0.1.3 |
| 781581-4 | 3-Major | BT781581 | Monpd uses excessive memory on requests for network_log data | 13.1.3.2, 14.1.2.3, 15.0.1.3 |
| 703196-5 | 3-Major | BT703196 | Reports for AVR are missing data | 13.1.3.2 |
| 696191-1 | 3-Major | BT696191 | AVR-related disk partitions can get full during upgrade&start; | 13.1.3.2 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 811145-4 | 2-Critical | BT811145 | VMware View resources with SAML SSO are not working | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 784989-4 | 2-Critical | BT784989 | TMM may crash with panic message: Assertion 'cookie name exists' failed | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 777173-4 | 2-Critical | BT777173 | Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 725505-2 | 2-Critical | BT725505 | SNAT settings in network resource are not applied after FastL4 profile is updated | 13.1.3.2 |
| 618641-1 | 2-Critical | BT618641 | In rare cases VDI plugin might leak memory or crash while processing client connections | 13.1.3.2 |
| 815753-4 | 3-Major | BT815753 | TMM leaks memory when explicit SWG is configured with Kerberos authentication | 13.1.3.2, 14.0.1.1, 15.0.1.1 |
| 799149 | 3-Major | BT799149 | Authentication fails with empty password | 13.1.3.2, 14.1.2.7 |
| 798261-4 | 3-Major | BT798261 | APMD fails to create session variables if spanning is enabled on SWG transparent virtual server | 13.1.3.2, 14.1.2.5, 15.0.1.3 |
| 788417-3 | 3-Major | BT788417 | Remote Desktop client on macOS may show resource auth token on credentials prompt | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 787477-1 | 3-Major | BT787477 | Export fails from partitions with '-' as second character | 13.1.3.2, 14.1.2.1 |
| 768025-1 | 3-Major | BT768025 | SAML requests/responses fail with "failed to find certificate" | 13.1.3.2, 14.1.2.5, 15.0.1.3 |
| 766577-4 | 3-Major | BT766577 | APMD fails to send response to client and it already closed connection. | 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1 |
| 725040-3 | 3-Major | BT725040 | Auto-update fails for F5 Helper Applications on Linux | 13.1.3.2 |
| 723278-1 | 3-Major | BT723278 | Radius Accounting-Request (STOP) always includes AVP Framed-IP-Address=0.16.0.0 when Network Access rescource configured with IPv4 & IPv6 | 13.1.3.2 |
| 697590-4 | 3-Major | BT697590 | APM iRule ACCESS::session remove fails outside of Access events | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 653210-1 | 3-Major | BT653210 | Rare resets during the login process | 13.1.3.2, 14.1.2.4 |
| 643935-2 | 3-Major | BT643935 | Rewriting may cause an infinite loop while processing some objects | 13.1.3.2, 14.0.1.1, 14.1.2.3 |
| 719589-3 | 4-Minor | BT719589 | GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic | 13.1.3.2, 14.1.2.7 |
| 684414-2 | 4-Minor | BT684414 | Retrieving too many groups is causing out of memory errors in TMUI and VPE | 12.1.3.2, 13.1.3.2 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 813657 | 3-Major | BT813657 | MRF SIP ALG with SNAT incorrectly detects ingress queue full | 13.1.3.2 |
| 811745-4 | 3-Major | BT811745 | Failover between clustered DIAMETER devices can cause mirror connections to be disconnected | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 787901 | 2-Critical | BT787901 | While deleting a DoS profile, tmm might core in sPVA | 13.1.3.2 |
| 778869-1 | 2-Critical | K72423000, BT778869 | ACLs and other AFM features (e.g., IPI) may not function as designed | 13.1.3.2, 14.0.1.1, 14.1.2.5 |
| 747922-2 | 2-Critical | BT747922 | With AFM enabled, during bootup, there is a small possibility of a tmm crash | 13.1.3.2, 14.1.0.2 |
| 761345-1 | 3-Major | BT761345 | Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode | 13.1.3.2, 14.1.2.3 |
| 738284-4 | 3-Major | BT738284 | Creating or deleting rule list results in warning message: Schema object encode failed | 13.1.3.2, 14.1.2.3, 15.0.1.1 |
| 679722-1 | 3-Major | BT679722 | Configuration sync failure involving self IP references | 13.1.3.2 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 753014-1 | 3-Major | BT753014 | PEM iRule action with RULE_INIT event fails to attach to PEM policy | 12.1.5.3, 13.1.3.2, 14.1.2.7 |
| 747065-3 | 3-Major | BT747065 | PEM iRule burst of session ADDs leads to missing sessions | 13.1.3.2 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 804185-3 | 3-Major | BT804185 | Some WebSafe request signatures may not work as expected | 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 803477-1 | 3-Major | BT803477 | BaDoS State file load failure when signature protection is off | 13.1.3.2, 14.1.2.1, 15.0.1.1 |
| 767045 | 4-Minor | BT767045 | TMM cores while applying policy | 13.1.3.2, 14.1.2.3 |
| 711708-1 | 4-Minor | BT711708 | Default disabled DoS profile cannot be attached to virtual server because of BADOS '2 virtual servers limitation' | 13.1.3.2 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 674795-2 | 4-Minor | BT674795 | tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds, when it should be hours. | 12.1.5.3, 13.1.3.2 |
Cumulative fixes from BIG-IP v13.1.3.1 that are included in this release
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 688627-1 | 3-Major | BT688627 | OPT-0043 40G optical transceiver cannot be unbundled into 4x10G | 13.1.3.1 |
Cumulative fixes from BIG-IP v13.1.3 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 809377-4 | CVE-2019-6649 | K05123525 | AFM ConfigSync Hardening | 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
| 771873-3 | CVE-2019-6642 | K40378764, BT771873 | TMSH Hardening | 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 767653-2 | CVE-2019-6660 | K23860356, BT767653 | Malformed HTTP request can result in endless loop in an iRule script | 13.1.3, 14.0.1.1, 14.1.2.1 |
| 758065-2 | CVE-2019-6667 | K82781208, BT758065 | TMM may consume excessive resources while processing FIX traffic | 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
| 757023-4 | CVE-2018-5743 | K74009656, BT757023 | BIND vulnerability CVE-2018-5743 | 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
| 756538-1 | CVE-2019-6645 | K15759349, BT756538 | Failure to open data channel for active FTP connections mirrored across an high availability (HA) pair. | 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6 |
| 754103-2 | CVE-2019-6644 | K75532331, BT754103 | iRulesLX NodeJS daemon does not follow best security practices | 12.1.4.1, 13.1.3, 14.0.0.5, 14.1.0.6 |
| 739971-2 | CVE-2018-5391 | K74374841, BT739971 | Linux kernel vulnerability: CVE-2018-5391 | 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.5 |
| 726393-4 | CVE-2019-6643 | K36228121, BT726393 | DHCPRELAY6 can lead to a tmm crash | 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6 |
| 715923-1 | CVE-2018-15317 | K43625118, BT715923 | When processing TLS traffic TMM may terminate connections unexpectedly | 11.6.3.3, 12.1.5, 13.1.3, 14.0.0.3 |
| 757455-1 | CVE-2019-6647 | K87920510, BT757455 | Excessive resource consumption when processing REST requests | 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6 |
| 773649-4 | CVE-2019-6656 | K23876153, BT773649 | APM Client Logging | 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.2, 15.0.1.1 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 749704-3 | 4-Minor | BT749704 | GTPv2 Serving-Network field with mixed MNC digits | 13.1.3, 14.0.1.1, 14.1.0.6 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 774445-3 | 1-Blocking | K74921042, BT774445 | BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2 | 13.1.3, 14.0.0.5, 14.1.0.6 |
| 769809-2 | 2-Critical | BT769809 | The vCMP guests 'INOPERATIVE' after upgrade | 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6 |
| 760408-1 | 2-Critical | BT760408 | System Integrity Status: Invalid after BIOS update&start; | 13.1.3, 14.0.0.5, 14.1.0.6 |
| 757722-1 | 2-Critical | BT757722 | Unknown notify message types unsupported in IKEv2 | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 756402-1 | 2-Critical | BT756402 | Re-transmitted IPsec packets can have garbled contents | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 756071-1 | 2-Critical | BT756071 | MCPD crash | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 753650 | 2-Critical | BT753650 | The BIG-IP system reports frequent kernel page allocation failures. | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 748205-1 | 2-Critical | BT748205 | SSD bay identification incorrect for RAID drive replacement&start; | 12.1.5, 13.1.3, 14.1.2.5 |
| 734539-3 | 2-Critical | BT734539 | The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads | 12.1.5, 13.1.3, 14.0.1.1 |
| 708968-2 | 2-Critical | BT708968 | OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address | 13.1.3, 14.0.1.1 |
| 671741-3 | 2-Critical | BT671741 | LCD on iSeries devices can lock at red 'loading' screen. | 12.1.5, 13.1.3 |
| 648270-3 | 2-Critical | BT648270 | mcpd can crash if viewing a fast-growing log file through the GUI | 11.6.5.2, 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.0.6 |
| 756153-2 | 3-Major | BT756153 | Add diskmonitor support for MySQL /var/lib/mysql | 12.1.4.1, 13.1.3, 14.1.2.7 |
| 749785-1 | 3-Major | BT749785 | nsm can become unresponsive when processing recursive routes | 12.1.5.3, 13.1.3, 14.1.2.5 |
| 746266-1 | 3-Major | BT746266 | A vCMP guest VLAN MAC mismatch across blades. | 12.1.5, 13.1.3, 14.1.2.3 |
| 735565-1 | 3-Major | BT735565 | BGP neighbor peer-group config element not persisting | 12.1.4.1, 13.1.3, 14.0.1.1 |
| 723553-1 | 3-Major | BT723553 | BIG-IP installations on RAID systems (old style) may not boot&start; | 13.1.3 |
| 720610 | 3-Major | BT720610 | Automatic Update Check logs false 'Update Server unavailable' message on every run | 13.1.3, 14.1.2.7 |
| 716166-4 | 3-Major | BT716166 | Dynamic routing not added when conflicting self IPs exist | 11.6.5.1, 12.1.4.1, 13.1.3 |
| 709544-2 | 3-Major | BT709544 | VCMP guests in HA configuration become Active/Active during upgrade&start; | 12.1.4.1, 13.1.3, 14.0.0 |
| 705037-2 | 3-Major | K32332000, BT705037 | System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart | 12.1.4, 13.1.3, 14.0.1.1, 14.1.2.3 |
| 702310-1 | 3-Major | BT702310 | The ':l' and ':h' options are not available on the tmm interface in tcpdump | 13.1.3 |
| 693388-2 | 3-Major | BT693388 | Log additional HSB registers when device becomes unresponsive | 12.1.4.1, 13.1.3 |
| 667618-1 | 3-Major | BT667618 | Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts | 13.1.3 |
| 620954-5 | 3-Major | BT620954 | Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable | 12.1.5.1, 13.1.3 |
| 721526-2 | 4-Minor | BT721526 | tcpdump fails to write verbose packet data to file | 12.1.5.3, 13.1.3 |
| 691171-1 | 4-Minor | BT691171 | static and dynamically learned blackhole route from ZebOS cannot be deleted | 13.1.3, 14.0.0 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 759968 | 1-Blocking | BT759968 | Distinct vCMP guests are able to cluster with each other. | 12.1.5, 13.1.3, 14.1.2.1, 15.0.1.1 |
| 757441-2 | 2-Critical | BT757441 | Specific sequence of packets causes Fast Open to be effectively disabled | 13.1.3, 14.0.1.1, 14.1.2.1 |
| 757391-3 | 2-Critical | BT757391 | Datagroup iRule command class can lead to memory corruption | 12.1.5, 13.1.3, 14.1.2.5 |
| 756450-2 | 2-Critical | BT756450 | Traffic using route entry that's more specific than existing blackhole route can cause core | 11.6.5.1, 12.1.5, 13.1.3, 14.1.2.3 |
| 755585-3 | 2-Critical | BT755585 | mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction | 13.1.3, 14.1.2.1 |
| 746710-2 | 2-Critical | BT746710 | Use of HTTP::cookie after HTTP:disable causes TMM core | 13.1.3, 14.1.2.1 |
| 742184-1 | 2-Critical | BT742184 | TMM memory leak | 13.1.3, 14.1.0.2 |
| 740228-1 | 2-Critical | BT740228 | TMM crash while sending a DHCP Lease Query to a DHCP server | 12.1.5.3, 13.1.3, 14.0.0.5 |
| 724214-3 | 2-Critical | BT724214 | TMM core when using Multipath TCP | 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5 |
| 667779-1 | 2-Critical | BT667779 | iRule commands may cause the TMM to crash in very rare situations. | 11.6.5.2, 12.1.5, 13.1.3 |
| 794493 | 3-Major | BT794493 | Creating Client SSL profile via tmsh or iControl REST and specifying 'cert' and 'key' incorrectly leaves inherit-certkeychain as true | 13.1.3 |
| 790205-2 | 3-Major | BT790205 | Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core | 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.2.7, 15.0.1.1 |
| 760771-3 | 3-Major | BT760771 | FastL4-steered traffic might cause SSL resume handshake delay | 13.1.3, 14.1.2.3 |
| 760550-3 | 3-Major | BT760550 | Retransmitted TCP packet has FIN bit set | 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6 |
| 757442-1 | 3-Major | BT757442 | A missed SYN cookie check causes crash at the standby TMM in HA mirroring system | 13.1.3, 14.1.4 |
| 754349 | 3-Major | BT754349 | FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4 | 13.1.3, 14.0.1.1 |
| 753594-3 | 3-Major | BT753594 | In-TMM monitors may have duplicate instances or stop monitoring | 13.1.3, 14.1.3.1 |
| 753514-1 | 3-Major | BT753514 | Large configurations containing LTM Policies load slowly | 13.1.3, 14.0.1.1, 14.1.2.3 |
| 749414-2 | 3-Major | BT749414 | Invalid monitor rule instance identifier error | 11.6.5.2, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6 |
| 746922-4 | 3-Major | BT746922 | When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain. | 12.1.4.1, 13.1.3, 14.0.1.1, 14.1.2.7 |
| 726001-1 | 3-Major | BT726001 | Rapid datagroup updates can cause type corruption | 13.1.3 |
| 720219 | 3-Major | K13109068, BT720219 | HSL::log command can fail to pick new pool member if last picked member is 'checking' | 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.2 |
| 719304-2 | 3-Major | BT719304 | Inconsistent node ICMP monitor operation for IPv6 nodes | 13.1.3, 14.1.4 |
| 712919-1 | 3-Major | K54802336, BT712919 | Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server. | 13.1.3, 14.0.1.1, 14.1.2.3 |
| 705112-2 | 3-Major | BT705112 | DHCP server flows are not re-established after expiration | 11.5.9, 12.1.4.1, 13.1.3, 14.1.2.5, 15.1.0.2 |
| 675367-2 | 3-Major | K95393925, BT675367 | The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication | 13.1.3 |
| 604811-2 | 3-Major | BT604811 | Under certain conditions TMM may crash while processing OneConnect traffic | 11.6.3.2, 12.1.5.3, 13.1.3 |
| 273104-1 | 3-Major | Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps | 12.1.4.1, 13.1.3 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 759721-4 | 3-Major | K03332436, BT759721 | DNS GUI does not follow best practices | 13.1.3, 14.0.0.5, 14.1.0.6 |
| 754901-3 | 3-Major | BT754901 | Frequent zone update notifications may cause TMM to restart | 13.1.3, 14.1.2.5 |
| 750213-2 | 3-Major | K25351434, BT750213 | DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records. | 12.1.5, 13.1.3, 14.1.2.5 |
| 726412-2 | 4-Minor | BT726412 | Virtual server drop down missing objects on pool creation | 12.1.4.1, 13.1.3 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 781637-4 | 3-Major | BT781637 | ASM brute force counts unnecessary failed logins for NTLM | 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 781605-1 | 3-Major | BT781605 | Fix RFC issue with the multipart parser | 11.6.5.3, 12.1.6, 13.1.3, 14.1.2.1, 15.0.1.1 |
| 781069-4 | 3-Major | BT781069 | Bot Defense challenge blocks requests with long Referer headers | 13.1.3, 14.1.2.1, 15.0.1.1 |
| 773553-4 | 3-Major | BT773553 | ASM JSON parser false positive. | 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 769981-3 | 3-Major | BT769981 | bd crashes in a specific scenario | 13.1.3, 14.1.2.1, 15.0.1.1 |
| 764373-1 | 3-Major | BT764373 | 'Modified domain cookie' violation with multiple enforced domain cookies with different paths | 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 763001-2 | 3-Major | K70312000, BT763001 | Web-socket enforcement might lead to a false negative | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 761941-3 | 3-Major | BT761941 | ASM does not remove CSRT token query parameter before forwarding a request to the backend server | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 761231-4 | 3-Major | K79240502, BT761231 | Bot Defense Search Engines getting blocked after configuring DNS correctly | 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
| 739900-1 | 3-Major | BT739900 | All Policies are created with 3 new Signature Sets After Creation of a Policy using Application Ready Templates | 13.1.3 |
| 713051 | 3-Major | BT713051 | PB generates a suggestion to add a disallowed filtetype with empty name. | 13.1.3 |
| 686763-1 | 3-Major | BT686763 | asm_start is consuming too much memory | 12.1.5.3, 13.1.3 |
| 686500-1 | 3-Major | BT686500 | Adding user defined signature on device with many policies is very slow | 13.1.3, 14.0.0 |
| 675673-1 | 3-Major | BT675673 | Policy history files should be limited by settings in a configuration file. | 13.1.3 |
| 768761-4 | 4-Minor | BT768761 | Improved accept action description for suggestions to disable signature/enable metacharacter in policy | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 761553-4 | 4-Minor | BT761553 | Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 761549-4 | 4-Minor | BT761549 | Traffic Learning: Accept and Stage action is shown only in case entity is not in staging | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 750689-1 | 4-Minor | BT750689 | Request Log: Accept Request button available when not needed | 13.1.3, 14.0.1.1, 14.1.0.6 |
| 749184-4 | 4-Minor | BT749184 | Added description of subviolation for the suggestions that enabled/disabled them | 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.3 |
| 747560-3 | 4-Minor | BT747560 | ASM REST: Unable to download Whitehat vulnerabilities | 12.1.5.1, 13.1.3, 14.1.0.6 |
| 695878-4 | 4-Minor | BT695878 | Signature enforcement issue on specific requests | 11.5.6, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1 |
| 613728-2 | 4-Minor | BT613728 | Import/Activate Security policy with 'Replace policy associated with virtual server' option fails | 12.1.4, 13.1.3 |
| 769061-4 | 5-Cosmetic | BT769061 | Improved details for learning suggestions to enable violation/sub-violation | 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.1 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 753485-2 | 2-Critical | K50285521, BT753485 | AVR global settings are being overridden by high availability (HA) peers | 13.1.3, 14.1.2, 15.0.1 |
| 771025-2 | 3-Major | BT771025 | AVR send domain names as an aggregate | 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.3 |
| 688544-1 | 3-Major | BT688544 | SWG reports on BIG-IQ show same series as 'Allowed' and 'Blocked' at the same time | 13.1.3 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 760130-1 | 2-Critical | BT760130 | [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK | 13.1.3, 14.1.3.1 |
| 753370-1 | 2-Critical | BT753370 | RADIUS auth might not be working as configured when there is change in RADIUS auth config name. | 13.1.3, 14.0.0.5, 14.1.0.6 |
| 745600-3 | 2-Critical | BT745600 | Tmm crash and core using iRule | 13.1.3 |
| 741535-1 | 2-Critical | BT741535 | Memory leak when using SAML or Form-based Client-initiated SSO | 13.1.3 |
| 723402-2 | 2-Critical | BT723402 | Apmd crashes running command: tmsh restart sys service all | 13.1.3 |
| 686282-2 | 2-Critical | BT686282 | APMD intermittently crash when processing access policies | 12.1.3.2, 13.1.3 |
| 783817-4 | 3-Major | BT783817 | UI becomes unresponsive when accessing Access active session information | 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1 |
| 775621-4 | 3-Major | BT775621 | urldb memory grows past the expected ~3.5GB | 13.1.3, 14.1.2.1, 15.0.1.3 |
| 765621-1 | 3-Major | BT765621 | POST request being rejected when using OAuth Resource Server mode | 13.1.3 |
| 760974-1 | 3-Major | BT760974 | TMM SIGABRT while evaluating access policy | 13.1.3 |
| 759638-1 | 3-Major | BT759638 | APM current active and established session counts out of sync after failover | 13.1.3 |
| 754542-4 | 3-Major | BT754542 | TMM may crash when using RADIUS Accounting agent | 13.1.3, 14.1.0.6 |
| 750823-3 | 3-Major | BT750823 | Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD | 13.1.3, 14.1.2.1 |
| 750631-1 | 3-Major | BT750631 | There may be a latency between session termination and deletion of its associated IP address mapping | 13.1.3, 14.1.2.7 |
| 750170-1 | 3-Major | BT750170 | SP Connector config changes causes BIG-IP tmm core sometimes during handling of SAML SLO request | 13.1.3 |
| 749161-1 | 3-Major | Problem sync policy contains non-ASCII characters | 13.1.3, 14.1.2.1 | |
| 747725-2 | 3-Major | BT747725 | Kerberos Auth agent may override settings that manually made to krb5.conf | 12.1.4.1, 13.1.3, 14.1.2.5 |
| 744532-2 | 3-Major | BT744532 | Websso fails to decrypt secured session variables | 13.1.3 |
| 600985-3 | 3-Major | BT600985 | Network access tunnel data stalls | 13.1.3, 14.1.2.7 |
| 770621-1 | 4-Minor | BT770621 | [Portal Access] HTTP 308 redirect does not get rewritten | 13.1.3 |
| 737603-1 | 4-Minor | BT737603 | Apmd leaks memory when executing per-session policy via iRule | 13.1.3, 14.0.1.1 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 759077-4 | 3-Major | BT759077 | MRF SIP filter queue sizes not configurable | 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.4 |
| 748253-3 | 3-Major | BT748253 | Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection | 13.1.3, 14.1.2.1 |
| 745628-3 | 3-Major | BT745628 | MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message | 13.1.3, 14.0.1.1, 14.1.0.2 |
| 745514-3 | 3-Major | BT745514 | MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message | 13.1.3, 14.0.1.1, 14.1.0.2 |
| 745404-2 | 3-Major | BT745404 | MRF SIP ALG does not reparse SDP payload if replaced | 12.1.5.2, 13.1.3, 14.0.1.1, 14.1.0.2 |
| 701680-2 | 3-Major | BT701680 | MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds | 12.1.4.1, 13.1.3 |
| 747909-3 | 4-Minor | BT747909 | GTPv2 MEI and Serving-Network fields decoded incorrectly | 11.6.5.1, 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.0.6 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 763121-1 | 2-Critical | BT763121 | Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM. | 13.1.3, 14.1.2.8 |
| 757359-3 | 2-Critical | BT757359 | pccd crashes when deleting a nested Address List | 13.1.3, 14.1.0.6 |
| 752363 | 2-Critical | BT752363 | Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled | 13.1.3, 14.1.0.2 |
| 777733-1 | 3-Major | BT777733 | DoS profile default values cause config load failure on upgrade | 13.1.3 |
| 771173-1 | 3-Major | BT771173 | FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.&start; | 13.1.3, 14.1.2.5, 15.0.1.3 |
| 757306-2 | 3-Major | BT757306 | SNMP MIBS for AFM NAT do not yet exist | 13.1.3, 14.1.2, 15.0.1 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 726665-2 | 2-Critical | BT726665 | tmm core dump due to SEGFAULT | 13.1.3, 14.0.1.1 |
| 760438-1 | 3-Major | BT760438 | PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions | 13.1.3, 14.1.2.1 |
| 759192-1 | 3-Major | BT759192 | TMM core during display of PEM session under some specific conditions | 13.1.3, 14.0.1.1, 14.1.2.1 |
| 756311-1 | 3-Major | BT756311 | High CPU during erroneous deletion | 13.1.3, 14.0.1.1, 14.1.2.1 |
| 753163-2 | 3-Major | BT753163 | PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days | 13.1.3, 14.1.2.1 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 775013-4 | 3-Major | BT775013 | TIME EXCEEDED alert has insufficient data for analysis | 13.1.3, 14.1.2.1, 15.0.1.1 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 752803-2 | 2-Critical | BT752803 | CLASSIFICATION_DETECTED running reject can lead to a tmm core | 13.1.3, 14.1.0.6 |
Cumulative fixes from BIG-IP v13.1.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 807477-9 | CVE-2019-6650 | K04280042, BT807477 | ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
| 797885-4 | CVE-2019-6649 | K05123525, BT797885 | ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
| 796469-2 | CVE-2019-6649 | K05123525, BT796469 | ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
| 810557-9 | CVE-2019-6649 | K05123525, BT810557 | ASM ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
| 799617-4 | CVE-2019-6649 | K05123525, BT799617 | ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
| 799589-4 | CVE-2019-6649 | K05123525, BT799589 | ConfigSync Hardening | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
| 794389-9 | CVE-2019-6651 | K89509323, BT794389 | iControl REST endpoint response inconsistency | 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
| 794413-9 | CVE-2019-6471 | K10092301, BT794413 | BIND vulnerability CVE-2019-6471 | 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 744937-9 | 3-Major | K00724442, BT744937 | BIG-IP DNS and GTM DNSSEC security exposure | 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 760622-2 | 3-Major | BT760622 | Allow Device Certificate renewal from BIG-IP Configuration Utility | 15.1.0.5 |
| 760363-2 | 3-Major | BT760363 | Update Alias Address field with default placeholder text | 13.1.3.2 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 807445 | 3-Major | BT807445 | Replaced ISC_TRUE and ISC_FALSE with true and false |
Cumulative fixes from BIG-IP v13.1.1.5 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 757025-3 | CVE-2018-5744 | K00040234, BT757025 | BIND Update | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 756774-4 | CVE-2019-6612 | K24401914, BT756774 | Aborted DNS queries to a cache may cause a TMM crash | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 754944-3 | CVE-2019-6626 | K00432398, BT754944 | AVR reporting UI does not follow best practices | 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 754345-3 | CVE-2019-6625 | K79902360, BT754345 | WebUI does not follow best security practices | 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 753975 | CVE-2019-6666 | K92411323, BT753975 | TMM may crash while processing HTTP traffic with webacceleration profile | 13.1.1.5, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
| 753776-1 | CVE-2019-6624 | K07127032, BT753776 | TMM may consume excessive resources when processing UDP traffic | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 749879-4 | CVE-2019-6611 | K47527163, BT749879 | Possible interruption while processing VPN traffic | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 748502-3 | CVE-2019-6623 | K72335002, BT748502 | TMM may crash when processing iSession traffic | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 737731-2 | CVE-2019-6622 | K44885536, BT737731 | iControl REST input sanitization | 12.1.5.1, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
| 737574-2 | CVE-2019-6621 | K20541896, BT737574 | iControl REST input sanitization&start; | 11.5.9, 11.6.4, 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 737565-2 | CVE-2019-6620 | K20445457, BT737565 | iControl REST input sanitization | 11.6.5.1, 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
| 726327-2 | CVE-2018-12120 | K37111863, BT726327 | NodeJS debugger accepts connections from any host | 13.1.1.5, 14.1.0.6 |
| 791369-4 | CVE-2019-6662 | K01049383 | The REST framework may reflect client data in error logs | 13.1.1.5 |
| 757027-3 | CVE-2019-6465 | K01713115, BT757027 | BIND Update | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 757026-3 | CVE-2018-5745 | K25244852, BT757026 | BIND Update | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 753796-2 | CVE-2019-6640 | K40443301 | SNMP does not follow best security practices | 11.5.9, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 750460-3 | CVE-2019-6639 | K61002104, BT750460 | Subscriber management configuration GUI | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 750187-3 | CVE-2019-6637 | K29149494, BT750187 | ASM REST may consume excessive resources | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 745713-1 | CVE-2019-6619 | K94563344, BT745713 | TMM may crash when processing HTTP/2 traffic | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 745387-3 | CVE-2019-6618 | K07702240, BT745387 | Resource-admin user roles can no longer get bash access | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 745371-2 | CVE-2019-6636 | K68151373, BT745371 | AFM GUI does not follow best security practices | 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 745257-3 | CVE-2018-14634 | K20934447, BT745257 | Linux kernel vulnerability: CVE-2018-14634 | 11.6.4, 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
| 745165-3 | CVE-2019-6617 | K38941195, BT745165 | Users without Advanced Shell Access are not allowed SFTP access | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 742226-2 | CVE-2019-6635 | K11330536, BT742226 | TMSH platform_check utility does not follow best security practices | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 710857-2 | CVE-2019-6634 | K64855220 | iControl requests may cause excessive resource usage | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 703835-2 | CVE-2019-6616 | K82814400, BT703835 | When using SCP into BIG-IP systems, you must specify the target filename | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 702472-3 | CVE-2019-6615 | K87659521, BT702472 | Appliance Mode Security Hardening | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 702469-3 | CVE-2019-6633 | K73522927, BT702469 | Appliance mode hardening in scp | 11.6.5.1, 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 698376-3 | CVE-2019-6614 | K46524395, BT698376 | Non-admin users have limited bash commands and can only write to certain directories | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 673842-4 | CVE-2019-6632 | K01413496, BT673842 | VCMP does not follow best security practices | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 752835-3 | 2-Critical | K46971044, BT752835 | Mitigate mcpd out of memory error with auto-sync enabled. | 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 750586-1 | 2-Critical | BT750586 | HSL may incorrectly handle pending TCP connections with elongated handshake time. | 12.1.5, 13.1.1.5, 14.1.0.6 |
| 707013 | 2-Critical | BT707013 | vCMP host secondary member's cluster.conf file may replaced by that of vCMP guest | 13.1.1.5, 14.0.1.1, 14.1.0.2 |
| 699515-1 | 2-Critical | nsm cores during update of nexthop for ECMP recursive route | 13.1.1.5, 14.1.2.5 | |
| 621260-4 | 2-Critical | BT621260 | mcpd core on iControl REST reference to non-existing pool | 11.6.5.1, 12.1.5.1, 13.1.1.5, 14.0.1.1, 14.1.0.2 |
| 760222-5 | 3-Major | BT760222 | SCP fails unexpected when FIPS mode is enabled | 13.1.1.5, 14.0.0.5, 14.1.0.3 |
| 757414 | 3-Major | BT757414 | GUI Network Map slow page load with large configuration | 13.1.1.5 |
| 756088-1 | 3-Major | BT756088 | The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address | 13.1.1.5 |
| 754567 | 3-Major | BT754567 | Child clientSSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file | 13.1.1.5 |
| 751011-1 | 3-Major | BT751011 | ihealth.sh script and qkview locking mechanism not working | 13.1.1.5, 14.1.0.2 |
| 750447-1 | 3-Major | BT750447 | GUI VLAN list page loading slowly with 50 records per screen | 13.1.1.5, 14.1.0.2 |
| 750318-1 | 3-Major | BT750318 | HTTPS monitor does not appear to be using cert from server-ssl profile | 13.1.1.5, 14.1.2.3 |
| 748187-2 | 3-Major | BT748187 | 'Transaction Not Found' Error on PATCH after Transaction has been Created | 12.1.4, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
| 740345-1 | 3-Major | BT740345 | TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled. | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 725791-4 | 3-Major | K44895409, BT725791 | Potential HW/HSB issue detected | 11.6.5.2, 12.1.5.2, 13.1.1.5, 14.1.0.6 |
| 723794-3 | 3-Major | BT723794 | PTI (Meltdown) mitigation should be disabled on AMD-based platforms | 11.6.5.1, 12.1.4.1, 13.1.1.5 |
| 722380-2 | 3-Major | BT722380 | The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core. | 12.1.5.2, 13.1.1.5 |
| 721805 | 3-Major | BT721805 | Traffic Policy edit to datagroup errors on adding ASM disable action | 13.1.1.5 |
| 720819-2 | 3-Major | BT720819 | Certain platforms may take longer than expected to detect and recover from HSB lock-ups | 12.1.4.1, 13.1.1.5 |
| 720269-2 | 3-Major | BT720269 | TACACS audit logging may append garbage characters to the end of log strings | 12.1.4.1, 13.1.1.5, 14.0.1.1 |
| 714626-2 | 3-Major | BT714626 | When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect. | 13.1.1.5, 14.0.0 |
| 701898-1 | 3-Major | BT701898 | Certain virtual address route-advertisement settings break upgrades from 13.0.0 hotfix rollups | 13.1.1.5, 14.0.0 |
| 698619-2 | 3-Major | BT698619 | Disable port bridging on HSB ports for non-vCMP systems | 12.1.4, 13.1.1.5 |
| 681009-1 | 3-Major | BT681009 | Large configurations can cause memory exhaustion during live-install&start; | 13.1.1.5 |
| 581921-3 | 3-Major | K22327083, BT581921 | Required files under /etc/ssh are not moved during a UCS restore | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
| 697766-1 | 4-Minor | BT697766 | Cisco IOS XR ISIS routers may report 'Authentication TLV not found' | 13.1.1.5 |
| 687368-1 | 4-Minor | BT687368 | The Configuration utility may calculate and display an incorrect HA Group Score | 13.1.1.5 |
| 686111-1 | 4-Minor | K89363245, BT686111 | Searching and Reseting Audit Logs not working as expected | 13.1.1.5 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 753912 | 2-Critical | K44385170, BT753912 | UDP flows may not be swept | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 752930-1 | 2-Critical | BT752930 | Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state | 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6 |
| 745533-4 | 2-Critical | NodeJS Vulnerability: CVE-2016-5325 | 13.1.1.5, 14.0.0.5, 14.1.0.6 | |
| 680564-1 | 2-Critical | BT680564 | "MCP Message:" seen on boot up with Best License | 13.1.1.5 |
| 756270-2 | 3-Major | BT756270 | SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle | 11.5.9, 11.6.4, 12.1.5, 13.1.1.5, 14.1.0.6 |
| 750843-1 | 3-Major | BT750843 | HTTP data re-ordering when receiving data while iRule parked | 13.1.1.5, 14.0.0.5 |
| 750200-1 | 3-Major | BT750200 | DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode | 13.1.1.5, 14.0.1.1, 14.1.0.2 |
| 749689-1 | 3-Major | BT749689 | HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart | 13.1.1.5, 14.1.2.3 |
| 747968-2 | 3-Major | BT747968 | DNS64 stats not increasing when requests go through DNS cache resolver | 11.6.5.3, 12.1.4.1, 13.1.1.5, 14.1.0.6 |
| 747617-1 | 3-Major | BT747617 | TMM core when processing invalid timer | 12.1.5.2, 13.1.1.5, 14.0.1.1, 14.1.0.2 |
| 742078-2 | 3-Major | BT742078 | Incoming SYNs are dropped and the connection does not time out. | 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 738523-2 | 3-Major | BT738523 | SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages | 12.1.4.1, 13.1.1.5, 14.0.1.1 |
| 727292-1 | 3-Major | BT727292 | SSL in proxy shutdown case does not deliver server TCP FIN | 12.1.5, 13.1.1.5 |
| 712664-2 | 3-Major | BT712664 | IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address | 12.1.3.7, 13.1.1.5, 14.0.0.3 |
| 710564 | 3-Major | BT710564 | DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0 | 12.1.4.1, 13.1.1.5 |
| 709952-1 | 3-Major | BT709952 | Disallow DHCP relay traffic to traverse between route domains | 13.1.1.5 |
| 699979-2 | 3-Major | BT699979 | Support for Safenet Client Software v7.x | 13.1.1.5 |
| 698437-1 | 3-Major | BT698437 | Internal capacity increase | 13.1.1.5 |
| 688553-3 | 3-Major | BT688553 | SASP GWM monitor may not mark member UP as expected | 12.1.3.6, 13.1.1.5, 14.0.0.5 |
| 599567-3 | 3-Major | BT599567 | APM assumes SNAT automap, does not use SNAT pool | 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.2.5 |
| 746077-1 | 4-Minor | BT746077 | If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified | 12.1.5.3, 13.1.1.5, 14.1.2.5 |
| 664618-1 | 4-Minor | BT664618 | Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block' | 12.1.4.1, 13.1.1.5, 14.0.0.5 |
| 658382-2 | 5-Cosmetic | BT658382 | Large numbers of ERR_UNKNOWN appearing in the logs | 12.1.4.1, 13.1.1.5 |
Performance Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 735832-1 | 2-Critical | BT735832 | RAM Cache traffic fails on B2150 | 12.1.5, 13.1.1.5 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 756094-3 | 2-Critical | BT756094 | DNS express in restart loop, 'Error writing scratch database' in ltm log | 12.1.4.1, 13.1.1.5, 14.1.0.2 |
| 749508-3 | 3-Major | BT749508 | LDNS and DNSSEC: Various OOM conditions need to be handled properly | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 749222-3 | 3-Major | BT749222 | dname compression offset overflow causes bad compression pointer | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 748902-7 | 3-Major | BT748902 | Incorrect handling of memory allocations while processing DNSSEC queries | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 746877-3 | 3-Major | BT746877 | Omitted check for success of memory allocation for DNSSEC resource record | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 737332-3 | 3-Major | BT737332 | It is possible for DNSX to serve partial zone information for a short period of time | 12.1.4, 13.1.1.5 |
| 748177-3 | 4-Minor | BT748177 | Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character | 12.1.4.1, 13.1.1.5, 14.1.0.6 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 759360 | 2-Critical | BT759360 | Apply Policy fails due to policy corruption from previously enforced signature | 13.1.1.5, 14.1.0.6 |
| 758961 | 2-Critical | K58243048 | During brute force attack, the attempted passwords may be logged | 13.1.1.5 |
| 723790-1 | 2-Critical | BT723790 | Idle asm_config_server handlers consumes a lot of memory | 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 760878-2 | 3-Major | BT760878 | Incorrect enforcement of explicit global parameters | 12.1.5, 13.1.1.5, 14.1.0.6 |
| 755005-3 | 3-Major | BT755005 | Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations | 12.1.5.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 754365-3 | 3-Major | BT754365 | Updated flags for countries that changed their flags since 2010 | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 751710-2 | 3-Major | BT751710 | False positive cookie hijacking violation | 13.1.1.5, 14.0.0.5, 14.1.2.1 |
| 749109-1 | 3-Major | BT749109 | CSRF situation on BIGIP-ASM GUI | 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 746146-2 | 3-Major | BT746146 | AVRD can crash with core when disconnecting/reconnecting on HTTPS connection | 13.1.1.5 |
| 739945-2 | 3-Major | BT739945 | JavaScript challenge on POST with 307 breaks application | 12.1.4, 13.1.1.5, 14.0.1.1, 14.1.0.2 |
| 738647-2 | 3-Major | BT738647 | Add the login detection criteria of 'status code is not X' | 12.1.4, 13.1.1.5, 14.0.0.5 |
| 721399-2 | 3-Major | BT721399 | Signature Set cannot be modified to Accuracy = 'All' after another value | 12.1.5, 13.1.1.5 |
| 717525-1 | 3-Major | BT717525 | Behavior for classification in manual learning mode | 13.1.1.5, 14.0.0.5 |
| 691945-1 | 3-Major | BT691945 | Security Policy Configuration Changes When Disabling Learning | 12.1.4.1, 13.1.1.5 |
| 761921-3 | 4-Minor | BT761921 | avrd high CPU utilization due to perpetual connection attempts | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 758336-1 | 4-Minor | BT758336 | Incorrect recommendation in Online Help of Proactive Bot Defense | 12.1.5, 13.1.1.5, 14.1.4, 15.1.2.1 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 763349-1 | 2-Critical | BT763349 | AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 756205-3 | 2-Critical | BT756205 | TMSTAT offbox statistics are not continuous | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 764665-1 | 3-Major | BT764665 | AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 763005-2 | 3-Major | BT763005 | Aggregated Domain Names in DNS statistics are shown as random domain name | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 760356-4 | 3-Major | BT760356 | Users with Application Security Administrator role cannot delete Scheduled Reports | 13.1.1.5, 14.0.0.5, 14.1.0.6, 15.0.1.1 |
| 753446-1 | 3-Major | BT753446 | avrd process crash during shutdown if connected to BIG-IQ | 13.1.1.5, 14.0.0.5, 14.1.0.2 |
| 738614-2 | 3-Major | BT738614 | 'Internal error' appears on Goodput GUI page | 13.1.1.5, 14.0.0.5 |
| 738197-2 | 3-Major | BT738197 | IP address from XFF header is not taken into account when there are trailing spaces after IP address | 13.1.1.5 |
| 737863-1 | 3-Major | BT737863 | Advanced Filters for Captured Transactions not working on Multi-Blade Platforms | 13.1.1.5, 14.0.0.5 |
| 718655 | 3-Major | BT718655 | DNS profile measurement unit name is incorrect. | 13.1.1.5 |
| 700322-2 | 3-Major | BT700322 | Upgrade may fail on a multi blade system when there are scheduled reports in configuration&start; | 13.1.1.5 |
| 754330-1 | 4-Minor | BT754330 | Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected | 13.1.1.5 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 752592-2 | 2-Critical | BT752592 | VMware Horizon PCoIP clients may fail to connect shortly after logout | 13.1.1.5, 14.1.0.2 |
| 704587-2 | 2-Critical | BT704587 | Authentication with UTF-8 chars in password or handling of IP addresses fail due to byte-array processing in iRules | 13.1.1.5, 14.0.0.5 |
| 660826-3 | 2-Critical | BT660826 | BIG-IQ Deployment fails with customization-templates | 13.1.1.5, 14.0.0 |
| 758764-4 | 3-Major | BT758764 | APMD Core when CRLDP Auth fails to download revoked certificate | 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 757992-1 | 3-Major | BT757992 | RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 757781-1 | 3-Major | BT757781 | Portal Access: cookie exchange may be broken sometimes | 13.1.1.5, 14.0.0.5, 14.1.4.2, 15.0.1.1 |
| 755507-3 | 3-Major | BT755507 | [App Tunnel] 'URI sanitization' error | 12.1.5, 13.1.1.5, 14.0.0.5 |
| 755475-3 | 3-Major | BT755475 | Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 749057-3 | 3-Major | BT749057 | VMware Horizon idle timeout is ignored when connecting via APM | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 738430-1 | 3-Major | BT738430 | APM is not able to do compliance check on iOS devices running F5 Access VPN client | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 734291-2 | 3-Major | BT734291 | Logon page modification fails to sync to standby | 13.1.1.5, 14.1.0.6 |
| 696835-1 | 3-Major | BT696835 | Secondary Authentication or SSO fail after changing AD or LDAP password | 13.1.1.5 |
| 695985-2 | 3-Major | BT695985 | Access HUD filter has URL length limit (4096 bytes) | 13.1.1.5, 14.0.0.5, 14.1.0.6 |
| 656784-1 | 3-Major | K98510679, BT656784 | Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM | 12.1.4.1, 13.1.1.5, 14.0.0 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 704555-2 | 2-Critical | BT704555 | Core occurs if DIAMETER::persist reset is called if no persistence key is set. | 13.1.1.5, 14.0.0.5 |
| 752822-3 | 3-Major | BT752822 | SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type | 13.1.1.5, 14.0.1.1, 14.1.0.6 |
| 751179-3 | 3-Major | BT751179 | MRF: Race condition may create to many outgoing connections to a peer | 11.6.5.2, 13.1.1.5, 14.1.0.6 |
| 749603-3 | 3-Major | BT749603 | MRF SIP ALG: Potential to end wrong call when BYE received | 13.1.1.5, 14.0.1.1, 14.1.0.2 |
| 748043-3 | 3-Major | BT748043 | MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP | 13.1.1.5, 14.0.1.1, 14.1.0.2 |
| 747187-3 | 3-Major | BT747187 | SIP falsely detects media flow collision when SDP is in both 183 and 200 response | 12.1.5.2, 13.1.1.5, 14.0.1.1, 14.1.0.2 |
| 744949-3 | 3-Major | BT744949 | MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix | 13.1.1.5, 14.0.1.1, 14.1.0.2 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 751869 | 2-Critical | BT751869 | Possible tmm crash when using manual mode mitigation in DoS Profile | 13.1.1.5, 14.1.0.5 |
| 757279 | 3-Major | BT757279 | LDAP authenticated Firewall Manager role cannot edit firewall policies | 13.1.1.5, 14.1.2.8, 15.1.0.5 |
| 753893-1 | 3-Major | BT753893 | Inconsistent validation for firewall address-list's nested address-list causes load failure | 13.1.1.5 |
| 748081-2 | 3-Major | BT748081 | Memory leak in Behavioral DoS module | 13.1.1.5, 14.1.0.2 |
| 710262-1 | 3-Major | BT710262 | Firewall is not updated when adding new rules | 13.1.1.5 |
Carrier-Grade NAT Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 739272-1 | 3-Major | BT739272 | Incorrect zombie counts in PBA stats with long PBA block-lifetimes | 13.1.1.5 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 752782-3 | 3-Major | BT752782 | 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe' | 13.1.1.5, 14.0.0.5, 14.1.0.2 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 760961 | 2-Critical | BT760961 | TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts | 13.1.1.5, 14.1.4.4 |
| 757088-3 | 2-Critical | BT757088 | TMM clock advances and cluster failover happens during webroot db nightly updates | 12.1.5, 13.1.1.5, 14.1.0.5 |
| 752047-2 | 2-Critical | BT752047 | iRule running reject in CLASSIFICATION_DETECTED event can cause core | 13.1.1.5, 14.1.0.6 |
| 761273-1 | 3-Major | BT761273 | wr_urldbd creates sparse log files by writing from the previous position after logrotate. | 13.1.1.5, 14.1.2.8 |
Device Management Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 761300 | 3-Major | K61105950, BT761300 | Errors in REST token requests may log sensitive data | 13.1.1.5 |
SSL Orchestrator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 717654-2 | 2-Critical | BT717654 | TMM may crash when flooded to the Virtual Servers with SSL Forward Proxy | 13.1.1.5, 14.0.0 |
Cumulative fixes from BIG-IP v13.1.1.4 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 744035-4 | CVE-2018-15332 | K12130880, BT744035 | APM Client Vulnerability: CVE-2018-15332 | 11.6.5.1, 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 739970-2 | CVE-2018-5390 | K95343321, BT739970 | Linux kernel vulnerability: CVE-2018-5390 | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.4, 14.0.1.1 |
| 738119-2 | CVE-2019-6589 | K23566124, BT738119 | SIP routing UI does not follow best practices | 11.6.3.3, 12.1.4, 13.1.1.4, 14.0.0.3 |
| 745358-3 | CVE-2019-6607 | K14812883, BT745358 | ASM GUI does not follow best practices | 11.5.9, 11.6.4, 12.1.4, 13.1.1.4, 14.0.0.3 |
| 737910-2 | CVE-2019-6609 | K18535734, BT737910 | Security hardening on the following platforms | 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 737442-2 | CVE-2019-6591 | K32840424, BT737442 | Error in APM Hosted Content when set to public access | 12.1.4, 13.1.1.4, 14.0.0.5 |
| 658557-3 | CVE-2019-6606 | K35209601, BT658557 | The snmpd daemon may leak memory when processing requests. | 11.6.4, 12.1.4, 13.1.1.4, 14.0.0.3 |
| 530775-3 | CVE-2019-6600 | K23734425 | Login page may generate unexpected HTML output | 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.4, 14.0.0.3 |
| 701785-2 | CVE-2017-18017 | K18352029, BT701785 | Linux kernel vulnerability: CVE-2017-18017 | 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.4, 14.0.0.3 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 744685-1 | 2-Critical | BT744685 | BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 744188 | 2-Critical | BT744188 | First successful auth iControl REST requests will now be logged in audit and secure log files | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 748851-1 | 3-Major | BT748851 | Bot Detection injection include tags which may cause faulty display of application | 13.1.1.4 |
| 725878-2 | 3-Major | BT725878 | AVR does not collect all of APM TMStats | 13.1.1.4, 14.0.1.1 |
| 700827-4 | 3-Major | BT700827 | B2250 blades may lose efficiency when source ports form an arithmetic sequence. | 12.1.4, 13.1.1.4, 14.0.0.5 |
| 667257-4 | 3-Major | BT667257 | CPU Usage Reaches 100% With High FastL4 Traffic | 11.6.4, 12.1.4.1, 13.1.1.4 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 682837-2 | 1-Blocking | BT682837 | Compression watchdog period too brief. | 12.1.3.1, 13.1.1.4 |
| 744331 | 2-Critical | OpenSSH hardening | 12.1.5, 13.1.1.4, 14.0.0.5 | |
| 743790-3 | 2-Critical | BT743790 | BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus | 12.1.5, 13.1.1.4 |
| 741423-2 | 2-Critical | BT741423 | Secondary blade goes offline when provisioning ASM/FPS on already established config-sync | 12.1.4, 13.1.1.4, 14.0.0.5 |
| 738887-3 | 2-Critical | BIG-IP SNMPD vulnerability CVE-2019-6608 | 11.6.4, 12.1.4, 13.1.1.4, 14.0.0.3 | |
| 726487-2 | 2-Critical | BT726487 | MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change. | 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.6 |
| 723298-2 | 2-Critical | BT723298 | BIND upgrade to version 9.11.4 | 12.1.4, 13.1.1.4, 14.0.0.3 |
| 713380 | 2-Critical | K23331143, BT713380 | Multiple B4450 blades in the same chassis run into inconsistent DAG state | 13.1.1.4 |
| 712738-1 | 2-Critical | BT712738 | fpdd may core dump when the system is going down | 13.1.1.4 |
| 710277-1 | 2-Critical | BT710277 | IKEv2 further child_sa validity checks | 12.1.5, 13.1.1.4, 14.0.0.5 |
| 697424-1 | 2-Critical | BT697424 | iControl-REST crashes on /example for firewall address-lists | 12.1.4, 13.1.1.4 |
| 688148-3 | 2-Critical | BT688148 | IKEv1 racoon daemon SEGV during phase-two SA list iteration | 12.1.3.7, 13.1.1.4 |
| 680556-1 | 2-Critical | BT680556 | Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted | 13.1.1.4 |
| 677937-3 | 2-Critical | K41517253, BT677937 | APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets | 12.1.3.4, 13.1.1.4 |
| 668041-2 | 2-Critical | K27535157, BT668041 | Config load fails when an iRule comment ends with backslash in a config where there is also a policy.&start; | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 751009-1 | 3-Major | BT751009 | Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 748206 | 3-Major | BT748206 | Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position | 13.1.1.4, 14.1.0.6 |
| 745809 | 3-Major | BT745809 | The /var partition may become 100% full, requiring manual intervention to clear space | 13.1.1.4, 14.0.0.5, 14.1.0.6 |
| 743803-2 | 3-Major | BT743803 | IKEv2 potential double free of object when async request queueing fails | 12.1.5, 13.1.1.4, 14.0.0.3, 14.1.0.6 |
| 737536-1 | 3-Major | BT737536 | Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others. | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 737437-2 | 3-Major | BT737437 | IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages | 12.1.5, 13.1.1.4, 14.0.1.1 |
| 737397-3 | 3-Major | BT737397 | User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP | 13.1.1.4, 14.0.0.5 |
| 724143-1 | 3-Major | BT724143 | IKEv2 connflow expiration upon ike-peer change | 13.1.1.4, 14.0.0.5 |
| 723579-4 | 3-Major | BT723579 | OSPF routes missing | 13.1.1.4 |
| 722691 | 3-Major | BT722691 | Available datagroup list does not contain datagroups with the correct type. | 13.1.1.4 |
| 721016 | 3-Major | BT721016 | vcmpd fails updating VLAN information on vcmp guest | 13.1.1.4 |
| 720110-2 | 3-Major | BT720110 | 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session. | 12.1.4.1, 13.1.1.4 |
| 718817-2 | 3-Major | BT718817 | Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail. | 13.1.1.4, 14.0.0.3 |
| 718405-1 | 3-Major | BT718405 | RSA signature PAYLOAD_AUTH mismatch with certificates | 13.1.1.4, 14.1.0.6 |
| 718397-1 | 3-Major | BT718397 | IKEv2: racoon2 appends spurious trailing null byte to ID payloads | 13.1.1.4, 14.0.0.5 |
| 710666-1 | 3-Major | BT710666 | VE with interface(s) marked down may report high cpu usage | 13.1.1.4 |
| 706104-3 | 3-Major | BT706104 | Dynamically advertised route may flap | 12.1.4, 13.1.1.4 |
| 705442-1 | 3-Major | BT705442 | GUI Network Map objects search on Virtual Server IP Address and Port does not work | 13.1.1.4 |
| 698947-2 | 3-Major | BT698947 | BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled. | 12.1.3.6, 13.1.1.4 |
| 693884-1 | 3-Major | BT693884 | ospfd core on secondary blade during network unstability | 12.1.4, 13.1.1.4 |
| 693106-1 | 3-Major | BT693106 | IKEv1 newest established phase-one SAs should be found first in a search | 12.1.3.6, 13.1.1.4 |
| 686926-2 | 3-Major | BT686926 | IPsec: responder N(cookie) in SA_INIT response handled incorrectly | 12.1.3.6, 13.1.1.4 |
| 686124-1 | 3-Major | K83576240, BT686124 | IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs | 12.1.3.7, 13.1.1.4 |
| 680838-2 | 3-Major | BT680838 | IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator | 12.1.3.6, 13.1.1.4 |
| 678925-1 | 3-Major | BT678925 | Using a multicast VXLAN tunnel without a proper route may cause a TMM crash. | 12.1.3.6, 13.1.1.4 |
| 678380-2 | 3-Major | K26023811, BT678380 | Deleting an IKEv1 peer in current use could SEGV on race conditions. | 12.1.3.7, 13.1.1.4 |
| 676897-3 | 3-Major | K25082113, BT676897 | IPsec keeps failing to reconnect | 12.1.3.6, 13.1.1.4 |
| 676092-3 | 3-Major | BT676092 | IPsec keeps failing to reconnect | 12.1.3.6, 13.1.1.4 |
| 674145-1 | 3-Major | BT674145 | chmand error log message missing data | 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.4 |
| 670197-1 | 3-Major | BT670197 | IPsec: ASSERT 'BIG-IP_conn tag' failed | 13.1.1.4 |
| 652502-2 | 3-Major | BT652502 | SNMP queries return 'No Such Object available' error for LTM OIDs | 13.1.1.4, 14.1.3.1 |
| 639619-5 | 3-Major | BT639619 | UCS may fail to load due to Master key decryption failure on EEPROM-less systems&start; | 11.6.4, 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 598085-1 | 3-Major | BT598085 | Expected telemetry is not transmitted by sFlow on the standby-mode unit. | 12.1.4, 13.1.1.4 |
| 491560-2 | 3-Major | BT491560 | Using proxy for IP intelligence updates | 12.1.4, 13.1.1.4 |
| 738985-2 | 4-Minor | BIND vulnerability: CVE-2018-5740 | 13.1.1.4, 14.0.0.3 | |
| 689491 | 4-Minor | BT689491 | cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled | 13.1.1.4 |
| 689211-3 | 4-Minor | BT689211 | IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 } | 12.1.3.7, 13.1.1.4 |
| 680856-2 | 4-Minor | BT680856 | IPsec config via REST scripts may require post-definition touch of both policy and traffic selector | 12.1.3.6, 13.1.1.4 |
| 713491-2 | 5-Cosmetic | BT713491 | IKEv1 logging shows spi of deleted SA with opposite endianess | 12.1.3.6, 13.1.1.4, 14.0.0.3 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 744269-2 | 2-Critical | BT744269 | dynconfd restarts if FQDN template node deleted while IP address change in progress | 12.1.4.1, 13.1.1.4, 14.0.0.5 |
| 744117-5 | 2-Critical | K18263026, BT744117 | The HTTP URI is not always parsed correctly | 12.1.4, 13.1.1.4, 14.0.0.5 |
| 743857 | 2-Critical | K21942600, BT743857 | Clientssl accepts non-SSL traffic when cipher-group is configured | 13.1.1.4 |
| 742627-2 | 2-Critical | BT742627 | SSL session mirroring may cause memory leakage if HA channel is down | 13.1.1.4, 14.0.0.5 |
| 741919 | 2-Critical | BT741919 | HTTP response may be dropped following a 100 continue message. | 12.1.4.1, 13.1.1.4, 14.0.0.5 |
| 740963-2 | 2-Critical | BT740963 | VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart | 12.1.5, 13.1.1.4, 14.0.0.5 |
| 740490-1 | 2-Critical | BT740490 | Configuration changes involving HTTP2 or SPDY may leak memory | 12.1.4, 13.1.1.4, 14.0.0.5 |
| 739003-1 | 2-Critical | BT739003 | TMM may crash when FastL4 is used on ePVA-capable BIG-IP platforms | 13.1.1.4 |
| 738945-2 | 2-Critical | BT738945 | SSL persistence does not work when there are multiple handshakes present in a single record | 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 738046-2 | 2-Critical | BT738046 | SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby | 12.1.5, 13.1.1.4 |
| 737758-2 | 2-Critical | BT737758 | MPTCP Passthrough and VIP-on-VIP can lead to TMM core | 12.1.4, 13.1.1.4, 14.0.0.3 |
| 734276-2 | 2-Critical | BT734276 | TMM may leak memory when SSL certificates with VDI or EAM in use | 13.1.1.4 |
| 727206 | 2-Critical | BT727206 | Memory corruption when using SSL Forward Proxy on certain platforms | 12.1.4.1, 13.1.1.4, 14.0.0.5 |
| 720136-1 | 2-Critical | BT720136 | Upgrade may fail on mcpd when external netHSM is used | 13.1.1.4 |
| 718210-2 | 2-Critical | BT718210 | Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused | 12.1.4.1, 13.1.1.4, 14.0.0.5 |
| 716714-1 | 2-Critical | BT716714 | OCSP should be configured to avoid TMM crash. | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 702792-1 | 2-Critical | K82327396, BT702792 | Upgrade creates Server SSL profiles with invalid cipher strings&start; | 13.1.1.4, 14.0.0 |
| 685254-2 | 2-Critical | K14013100, BT685254 | RAM Cache Exceeding Watchdog Timeout in Header Field Search | 12.1.3.4, 13.1.1.4 |
| 513310-5 | 2-Critical | BT513310 | TMM might core when a profile is changed. | 11.5.9, 11.6.4, 12.1.3.7, 13.1.1.4, 14.0.0.5 |
| 849861 | 3-Major | BT849861 | TMM may crash with FastL4 and HTTP profile using fallback host and iRule command | 13.1.1.4 |
| 752078 | 3-Major | BT752078 | Header Field Value String Corruption | 13.1.1.4, 14.1.0.6 |
| 739963-2 | 3-Major | BT739963 | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup | 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 739379-2 | 3-Major | BT739379 | Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error | 13.1.1.4, 14.0.0.5 |
| 739349-1 | 3-Major | BT739349 | LRO segments might be erroneously VLAN-tagged. | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 738521-1 | 3-Major | BT738521 | i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag. | 12.1.4, 13.1.1.4, 14.0.0.5 |
| 726319-2 | 3-Major | BT726319 | 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses | 13.1.1.4, 14.0.0.3 |
| 724564-1 | 3-Major | BT724564 | A FastL4 connection can fail with loose-init and hash persistence enabled | 13.1.1.4 |
| 724327-1 | 3-Major | BT724327 | Changes to a cipher rule do not immediately have an effect | 13.1.1.4, 14.1.0.2 |
| 721621-1 | 3-Major | BT721621 | Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node | 12.1.4.1, 13.1.1.4, 14.0.0.3 |
| 720799-2 | 3-Major | BT720799 | Virtual Server/VIP flaps with FQDN pool members when all IP addresses change | 12.1.4.1, 13.1.1.4, 14.0.0.3 |
| 717896-2 | 3-Major | BT717896 | Monitor instances deleted in peer unit after sync | 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 717100-3 | 3-Major | BT717100 | FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member | 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 716716-2 | 3-Major | BT716716 | Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core | 12.1.4.1, 13.1.1.4, 14.0.0.3 |
| 714559-2 | 3-Major | BT714559 | Removal of HTTP hash persistence cookie when a pool member goes down. | 12.1.4, 13.1.1.4 |
| 713690-3 | 3-Major | BT713690 | IPv6 cache route metrics are locked | 12.1.3.7, 13.1.1.4, 14.0.0.5 |
| 711981-5 | 3-Major | BT711981 | BIG-IP system accepts larger-than-egress MTU, PMTU update | 11.6.5.3, 12.1.3.7, 13.1.1.4, 14.0.0.5 |
| 710028-2 | 3-Major | BT710028 | LTM SQL monitors may stop monitoring if multiple monitors querying same database | 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.4, 14.0.0.5 |
| 708068-2 | 3-Major | BT708068 | Tcl commands like "HTTP::path -normalize" do not return normalized path. | 12.1.4, 13.1.1.4, 14.0.0.5 |
| 707691-4 | 3-Major | BT707691 | BIG-IP handles some pathmtu messages incorrectly | 13.1.1.4, 14.0.0.5 |
| 706102-2 | 3-Major | BT706102 | SMTP monitor does not handle all multi-line banner use cases | 12.1.4, 13.1.1.4, 14.0.0.5 |
| 701678-2 | 3-Major | BT701678 | Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded | 12.1.4, 13.1.1.4, 14.0.0 |
| 685519-1 | 3-Major | BT685519 | Mirrored connections ignore the handshake timeout | 11.6.4, 12.1.4.1, 13.1.1.4 |
| 683697-1 | 3-Major | K00647240, BT683697 | SASP monitor may use the same UID for multiple HA device group members | 12.1.3.4, 13.1.1.4 |
| 674591-3 | 3-Major | K37975308, BT674591 | Packets with payload smaller than MSS are being marked to be TSOed | 11.6.5.2, 12.1.4, 13.1.1.4 |
| 504522-1 | 3-Major | BT504522 | Trailing space present after 'tmsh ltm pool members monitor' attribute value | 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.6 |
| 719247-2 | 4-Minor | K10845686, BT719247 | HTTP::path and HTTP::query iRule functions cannot be set to a blank string | 13.1.1.4, 14.0.0.5 |
| 618884-6 | 4-Minor | BT618884 | Behavior when using VLAN-Group and STP | 12.1.4, 13.1.1.4 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 739846-3 | 2-Critical | BT739846 | Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.4, 14.0.0.3 |
| 749774-3 | 3-Major | BT749774 | EDNS0 client subnet behavior inconsistent when DNS Caching is enabled | 11.5.8, 11.6.3.4, 12.1.4, 13.1.1.4, 14.0.0.4, 14.1.0.1 |
| 749675-3 | 3-Major | BT749675 | DNS cache resolver may return a malformed truncated response with multiple OPT records | 11.5.8, 11.6.3.4, 12.1.4, 13.1.1.4, 14.0.0.4, 14.1.0.1 |
| 744707-4 | 3-Major | BT744707 | Crash related to DNSSEC key rollover | 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.6 |
| 726255-2 | 3-Major | BT726255 | dns_path lingering in memory with last_access 0 causing high memory usage | 11.5.9, 11.6.5.1, 12.1.3.7, 13.1.1.4, 14.0.0.3 |
| 723288-2 | 3-Major | BT723288 | DNS cache replication between TMMs does not always work for net dns-resolver | 11.6.5.3, 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.6 |
| 710246-2 | 3-Major | BT710246 | DNS-Express was not sending out NOTIFY messages on VE | 12.1.3.7, 13.1.1.4, 14.0.0.3 |
| 702457-2 | 3-Major | BT702457 | DNS Cache connections remain open indefinitely | 12.1.5.3, 13.1.1.4, 14.0.0.5 |
| 717113-2 | 4-Minor | BT717113 | It is possible to add the same GSLB Pool monitor multiple times | 13.1.1.4 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 750922-3 | 2-Critical | BT750922 | BD crash when content profile used for login page has no parse parameters set | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 726537-1 | 2-Critical | BT726537 | Rare TMM crash when Single Page Application is enabled on DoSL7 | 13.1.1.4, 14.0.0 |
| 576123-4 | 2-Critical | K23221623, BT576123 | ASM policies are created as inactive policies on the peer device | 11.5.9, 11.6.3.2, 12.1.3.2, 13.1.1.4 |
| 750356-3 | 3-Major | BT750356 | Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 747777-1 | 3-Major | BT747777 | Extractions are learned in manual learning mode | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 747550-1 | 3-Major | BT747550 | Error 'This Logout URL already exists!' when updating logout page via GUI | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 745802-3 | 3-Major | BT745802 | Brute Force CAPTCHA response page truncates last digit in the support id | 13.1.1.4, 14.0.0.5, 14.1.2.1 |
| 744347-2 | 3-Major | BT744347 | Protocol Security logging profiles cause slow ASM upgrade and apply policy | 12.1.4, 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 743961-3 | 3-Major | BT743961 | Signature Overrides for Content Profiles do not work after signature update | 13.1.1.4, 14.0.0.5 |
| 738864-1 | 3-Major | BT738864 | javascript functions in href are learned from response as new URLs | 13.1.1.4, 14.0.0.5 |
| 738211-3 | 3-Major | BT738211 | pabnagd core when centralized learning is turned on | 13.1.1.4, 14.0.0.5 |
| 734228-1 | 3-Major | BT734228 | False-positive illegal-length violation can appear | 13.1.1.4, 14.0.1.1, 14.1.2.3 |
| 726377-1 | 3-Major | BT726377 | False-positive cookie hijacking violation | 13.1.1.4 |
| 721752-2 | 3-Major | BT721752 | Null char returned in REST for Suggestion with more than MAX_INT occurrences | 12.1.3.7, 13.1.1.4, 14.0.0.5 |
| 705925-1 | 3-Major | BT705925 | Websocket Message Type not displayed in Request Log | 13.1.1.4, 14.0.0 |
| 701792-2 | 3-Major | BT701792 | JS Injection into cached HTML response causes TCP RST on the fictive URLs | 13.1.1.4 |
| 696333-1 | 3-Major | BT696333 | Threat campaign filter does not return campaign if filter contains quotation marks | 13.1.1.4 |
| 690215-2 | 3-Major | BT690215 | Missing requests in request log | 12.1.4.1, 13.1.1.4 |
| 676416-4 | 3-Major | BT676416 | BD restart when switching FTP profiles | 11.6.3.2, 12.1.3.2, 13.1.1.4 |
| 676223-4 | 3-Major | BT676223 | Internal parameter in order not to sign allowed cookies | 12.1.3.7, 13.1.1.4 |
| 663535-2 | 3-Major | BT663535 | Sending ASM cookies with "secure" attribute even without client-ssl profile | 12.1.3.2, 13.1.1.4 |
| 605649-2 | 3-Major | K28782793, BT605649 | The cbrd daemon runs at 100% CPU utilization | 12.1.5, 13.1.1.4 |
| 748999-1 | 4-Minor | BT748999 | invalid inactivity timeout suggestion for cookies | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 747905-1 | 4-Minor | BT747905 | 'Illegal Query String Length' violation displays wrong length | 13.1.1.4, 14.0.1.1 |
| 745531-1 | 4-Minor | BT745531 | Puffin Browser gets blocked by Bot Defense | 13.1.1.4, 14.1.0.2 |
| 739345 | 4-Minor | BT739345 | Reporting invalid signature id after specific signature upgrade | 13.1.1.4 |
| 685743-5 | 4-Minor | BT685743 | When changing internal parameter 'request_buffer_size' in large request violations might not be reported | 12.1.3.2, 13.1.1.4 |
| 665470-3 | 4-Minor | BT665470 | Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised | 12.1.3.6, 13.1.1.4 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 746941 | 2-Critical | BT746941 | Memory leak in avrd when BIG-IQ fails to receive stats information | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 739446-2 | 2-Critical | BT739446 | Resetting SSL-socket correctly for AVR connection | 13.1.1.4 |
| 737813-1 | 2-Critical | BT737813 | BIG-IP is unable to send statistics to BIG-IQ DCD node using IPv6 address | 13.1.1.4, 14.0.0.5 |
| 749464 | 3-Major | BT749464 | Race condition while BIG-IQ updates common file | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 749461 | 3-Major | BT749461 | Race condition while modifying analytics global-settings | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 746823 | 3-Major | BT746823 | AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members | 13.1.1.4, 14.0.0.5 |
| 745027 | 3-Major | BT745027 | AVR is doing extra activity of DNS data collection even when it should not | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 744595-1 | 3-Major | BT744595 | DoS-related reports might not contain some of the activity that took place | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 744589-1 | 3-Major | BT744589 | Missing data for Firewall Events Statistics | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 741767-2 | 3-Major | BT741767 | ASM Resource :: CPU Utilization statistics are in wrong scale | 13.1.1.4, 14.0.1.1 |
| 740086 | 3-Major | BT740086 | AVR report ignore partitions for Admin users | 13.1.1.4, 14.0.0.5 |
| 716782-2 | 3-Major | BT716782 | AVR should add new field to the events it sends: Microtimestamp | 13.1.1.4, 14.0.0 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 753368 | 1-Blocking | BT753368 | Unable to import access policy with pool | 13.1.1.4 |
| 747621-2 | 2-Critical | BT747621 | Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used | 13.1.1.4, 14.0.0.5 |
| 744556-1 | 2-Critical | K01226413, BT744556 | Upgrade PingAccess SDK used by BIG-IP APM to v1.1.3 | 13.1.1.4 |
| 714716-2 | 2-Critical | K10248311, BT714716 | Apmd logs password for acp messages when in debug mode | 11.6.3.2, 12.1.4.1, 13.1.1.4, 14.0.0 |
| 754346-1 | 3-Major | BT754346 | Access policy was not found while creating configuration snapshot. | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 750496-1 | 3-Major | BT750496 | TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP | 13.1.1.4, 14.0.0.5 |
| 746771-1 | 3-Major | BT746771 | APMD recreates config snapshots for all access profiles every minute | 13.1.1.4, 14.1.0.2 |
| 746768-1 | 3-Major | BT746768 | APMD leaks memory if access policy policy contains variable/resource assign policy items | 12.1.4.1, 13.1.1.4, 14.1.2.1 |
| 745654-2 | 3-Major | BT745654 | Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server | 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 745574-3 | 3-Major | BT745574 | URL is not removed from custom category when deleted | 12.1.4, 13.1.1.4, 14.0.0.5, 14.1.0.6 |
| 743437-1 | 3-Major | BT743437 | Portal Access: Issue with long 'data:' URL | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 743150-1 | 3-Major | BT743150 | Increase the limit of the maximum allowed timestamp for OAuth token processing for OAuth Client | 13.1.1.4 |
| 739744-1 | 3-Major | BT739744 | Import of Policy using Pool with members is failing | 12.1.4, 13.1.1.4 |
| 719079-1 | 3-Major | BT719079 | Portal Access: same-origin AJAX request may fail under some conditions. | 13.1.1.4 |
| 718136-2 | 3-Major | BT718136 | 32-bit F5 VPN and Endpoint Inspector apps are discontinued on Linux | 13.1.1.4, 14.0.0 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 742829-3 | 3-Major | BT742829 | SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0 | 13.1.1.4, 14.0.1.1, 14.1.0.2 |
| 741951-2 | 3-Major | BT741951 | Multiple extensions in SIP NOTIFY request cause message to be dropped. | 11.6.5.2, 12.1.5.2, 13.1.1.4, 14.0.0.5 |
| 699431-3 | 3-Major | BT699431 | Possible memory leak in MRF under low memory | 12.1.3.2, 13.1.1.4 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 747104-3 | 1-Blocking | K52868493, BT747104 | LibSSH: CVE-2018-10933 | 12.1.4.1, 13.1.1.4, 14.1.0.2 |
| 753028-1 | 3-Major | BT753028 | AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule | 13.1.1.4, 14.1.0.6 |
| 747926 | 3-Major | BT747926 | Rare TMM restart due to NULL pointer access during AFM ACL logging | 13.1.1.4, 14.1.0.2 |
Carrier-Grade NAT Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 744516-1 | 2-Critical | BT744516 | TMM panics after a large number of LSN remote picks | 12.1.4, 13.1.1.4, 14.1.0.6 |
| 744959-1 | 3-Major | BT744959 | SNMP OID for sysLsnPoolStatTotal not incremented in stats | 12.1.4.1, 13.1.1.4 |
| 727212-1 | 3-Major | BT727212 | Subscriber-id query using full length IPv6 address fails. | 13.1.1.4, 14.0.0.5 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 748976 | 3-Major | BT748976 | DataSafe Logging Settings page is missing when DataSafe license is active | 13.1.1.4 |
| 742037-3 | 3-Major | BT742037 | FPS live updates do not install when minor version is different | 13.1.1.4, 14.0.0.5 |
| 741449-1 | 4-Minor | BT741449 | alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts | 13.1.1.4, 14.0.0.5, 14.1.0.2 |
| 726039 | 5-Cosmetic | BT726039 | Information is not updated after installing FPS live update via GUI | 13.1.1.4 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 748813-1 | 2-Critical | BT748813 | tmm cores under stress test on virtual server with DoS profile with admd enabled | 13.1.1.4, 14.0.0.5, 14.1.2.3 |
| 748121-1 | 2-Critical | BT748121 | admd livelock under CPU starvation | 13.1.1.4, 14.0.0.5, 14.1.0.6 |
| 741761-1 | 2-Critical | BT741761 | admd might fail the heartbeat, resulting in a core | 13.1.1.4, 14.0.0.5 |
| 704236-1 | 2-Critical | BT704236 | TMM crash when attaching FastL4 profile | 13.1.1.4, 14.0.0 |
| 702936-1 | 2-Critical | BT702936 | TMM SIGSEGV under specific conditions. | 13.1.1.4 |
| 653573-4 | 2-Critical | BT653573 | ADMd not cleaning up child rsync processes | 13.1.1.4, 14.0.0.5, 14.1.0.6, 14.1.2.3 |
| 741993-1 | 3-Major | BT741993 | The BIG-IP system does not answer the request matching L7 policy that disabled DOSL7 when BADOS configured. | 13.1.1.4, 14.0.0.5 |
| 741752-1 | 3-Major | BT741752 | [BADOS] state file is not saved when virtual server reuses a self IP of the device | 13.1.1.4 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 724847 | 3-Major | K95010813, BT724847 | DNS traffic does not get classified for AFM port misuse case | 13.1.1.4, 14.0.0 |
SSL Orchestrator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 740969-1 | 1-Blocking | K65151021, BT740969 | Menu visibility issue with newly activated license.&start; | 12.1.4.1, 13.1.1.4 |
| 706339-1 | 2-Critical | K30392060, BT706339 | TMM crashes due to memory leaking while processing SSL forward proxy traffic | 13.1.1.4, 14.0.0 |
Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 745783-3 | 3-Major | BT745783 | Anti-fraud: remote logging of login attempts | 13.1.1.3, 14.1.0.3 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 684370-1 | 3-Major | BT684370 | APM now supports VMware Workspace ONE integration with VIDM as ID Provider | 13.1.1.3, 14.0.0 |
| 683741-1 | 3-Major | BT683741 | APM now supports VMware Workspace ONE integration with vIDM as ID Provider | 13.1.1.3, 14.0.0 |
| 635509-1 | 3-Major | BT635509 | APM does not support Vmware'e Blast UDP | 13.1.1.3 |
Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 739947-1 | CVE-2019-6610 | K42465020, BT739947 | TMM may crash while processing APM traffic | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.2, 14.0.0.5 |
| 737443-5 | CVE-2018-5546 | K54431371, BT737443 | BIG-IP APM client for Linux and macOS vulnerability CVE-2018-5546 | 13.1.1.2, 14.0.0.5 |
| 737441-5 | CVE-2018-5546 | K54431371, BT737441 | Disallow hard links to svpn log files | 11.5.9, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.5 |
| 726089-2 | CVE-2018-15312 | K44462254, BT726089 | Modifications to AVR metrics page | 12.1.3.7, 13.1.1.2, 14.0.0 |
| 725815-1 | CVE-2018-15320 | K72442354, BT725815 | vlangroup usage may cause a excessive resource consumption | 13.1.1.2, 14.0.0.3 |
| 724339-1 | CVE-2018-15314 | K04524282, BT724339 | Unexpected TMUI output in AFM | 12.1.3.7, 13.1.1.2, 14.0.0 |
| 724335-1 | CVE-2018-15313 | K21042153, BT724335 | Unexpected TMUI output in AFM | 12.1.3.7, 13.1.1.2, 14.0.0 |
| 722677-4 | CVE-2019-6604 | K26455071, BT722677 | BIG-IP HSB vulnerability CVE-2019-6604 | 11.5.9, 11.6.4, 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 722387-3 | CVE-2019-6596 | K97241515, BT722387 | TMM may crash when processing APM DTLS traffic | 11.5.9, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 722091-3 | CVE-2018-15319 | K64208870, BT722091 | TMM may crash while processing HTTP traffic | 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 717888 | CVE-2018-15323 | K26583415, BT717888 | TMM may leak memory when a virtual server uses the MQTT profile. | 13.1.1.2, 14.0.0.3 |
| 717742-5 | CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 | K44923228, BT717742 | Oracle Java SE vulnerability CVE-2018-2783 | 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 707990-2 | CVE-2018-15315 | K41704442, BT707990 | Unexpected TMUI output in SSL Certificate Instance page | 12.1.3.7, 13.1.1.2, 14.0.0 |
| 704184-6 | CVE-2018-5529 | K52171282, BT704184 | APM MAC Client create files with owner only read write permissions | 11.5.9, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.5 |
| 701253-5 | CVE-2018-15318 | K16248201, BT701253 | TMM core when using MPTCP | 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 693810-6 | CVE-2018-5529 | K52171282, BT693810 | CVE-2018-5529: APM Linux Client Vulnerability | 11.5.9, 11.6.3.3, 13.1.1.2, 14.0.0.5 |
| 741858-1 | CVE-2018-15324 | K52206731, BT741858 | TMM may crash while processing Portal Access requests | 13.1.1.2, 14.0.0.5 |
| 734822-3 | CVE-2018-15325 | K77313277, BT734822 | TMSH improvements | 13.1.1.2, 14.0.0.3 |
| 725801-4 | CVE-2017-7889 | K80440915, BT725801 | CVE-2017-7889: Kernel Vulnerability | 13.1.1.2, 14.0.0.3 |
| 725635-2 | CVE-2018-3665 | K21344224, BT725635 | CVE-2018-3665: Intel Lazy FPU Vulnerability | 13.1.1.2, 14.0.0.3 |
| 724680-4 | CVE-2018-0732 | K21665601, BT724680 | OpenSSL Vulnerability: CVE-2018-0732 | 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.2, 14.0.1.1, 14.1.0.2 |
| 721924-2 | CVE-2018-17539 | K17264695, BT721924 | BIG-IP ARM BGP vulnerability CVE-2018-17539 | 11.5.9, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 719554-2 | CVE-2018-8897 | K17403481, BT719554 | Linux Kernel Vulnerability: CVE-2018-8897 | 11.5.9, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 716900-2 | CVE-2019-6594 | K91026261, BT716900 | TMM core when using MPTCP | 11.6.3.3, 12.1.4, 13.1.1.2, 14.0.0.3 |
| 710705-2 | CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 | K34035645, BT710705 | Multiple Wireshark vulnerabilities | 12.1.3.6, 13.1.1.2, 14.0.0.3 |
| 705799-2 | CVE-2018-15325 | K77313277, BT705799 | TMSH improvements | 13.1.1.2, 14.0.0 |
| 699453-4 | CVE-2018-15327 | K20222812, BT699453 | Web UI does not follow current best coding practices | 13.1.1.2, 14.0.0.3 |
| 699452-4 | CVE-2019-6597 | K29280193 | Web UI does not follow current best coding practices | 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.2 |
| 712876-2 | CVE-2017-8824 | K15526101, BT712876 | CVE-2017-8824: Kernel Vulnerability | 11.6.5.1, 12.1.5.1, 13.1.1.2, 14.0.1.1 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 734527-1 | 3-Major | BT734527 | BGP 'capability graceful-restart' for peer-group not properly advertised when configured | 11.6.5.1, 12.1.4, 13.1.1.2, 14.0.0.3 |
| 715750-2 | 3-Major | K41515225, BT715750 | The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection. | 11.6.5.1, 12.1.3.7, 13.1.1.2, 14.0.0.3 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 693611-3 | 1-Blocking | K76313256, BT693611 | IKEv2 ike-peer might crash on stats object during peer modification update | 13.1.1.2 |
| 743810-1 | 2-Critical | BT743810 | AWS: Disk resizing in m5/c5 instances fails silently. | 13.1.1.2 |
| 743082-1 | 2-Critical | BT743082 | Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members&start; | 12.1.5.2, 13.1.1.2, 14.0.0.3 |
| 739507 | 2-Critical | BT739507 | Improved recovery method for BIG-IP system that has halted from a failed FIPS integrity check | 13.1.1.2, 14.1.4, 15.1.0.5 |
| 739505 | 2-Critical | BT739505 | Automatic ISO digital signature checking not required when FIPS license active&start; | 13.1.1.2, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 739285-1 | 2-Critical | BT739285 | GUI partially missing when VCMP is provisioned | 13.1.1.2 |
| 725696-1 | 2-Critical | BT725696 | A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted | 13.1.1.2, 14.0.0.3 |
| 723722-2 | 2-Critical | BT723722 | MCPD crashes if several thousand files are created between config syncs. | 12.1.4, 13.1.1.2, 14.0.0.3 |
| 721350-2 | 2-Critical | BT721350 | The size of the icrd_child process is steadily growing | 13.1.1.2 |
| 717785-1 | 2-Critical | BT717785 | Interface-cos shows no egress stats for CoS configurations | 13.1.1.2 |
| 716391-2 | 2-Critical | K76031538, BT716391 | High priority for MySQL on 2 core vCMP may lead to control plane process starvation | 11.5.9, 11.6.4, 12.1.3.7, 13.1.1.2, 14.0.0.5 |
| 711683-2 | 2-Critical | BT711683 | bcm56xxd crash with empty trunk in QinQ VLAN | 13.1.1.2 |
| 707003-3 | 2-Critical | BT707003 | Unexpected syntax error in TMSH AVR | 12.1.3.6, 13.1.1.2, 14.0.0 |
| 706423-1 | 2-Critical | BT706423 | tmm may restart if an IKEv2 child SA expires during an async encryption or decryption | 12.1.3.6, 13.1.1.2, 14.0.0.3 |
| 703669-2 | 2-Critical | BT703669 | Eventd restarts on NULL pointer access | 13.1.1.2, 14.0.0.3 |
| 703045-1 | 2-Critical | BT703045 | If using TMSH commands with deprecated attributes in iApp, the upgrade will fail. | 13.1.1.2, 14.0.0.3 |
| 700386-2 | 2-Critical | BT700386 | mcpd may dump core on startup | 12.1.4, 13.1.1.2 |
| 693996-5 | 2-Critical | K42285625, BT693996 | MCPD sync errors and restart after multiple modifications to file object in chassis | 11.5.9, 11.6.5.1, 12.1.5, 13.1.1.2 |
| 692158-1 | 2-Critical | BT692158 | iCall and CLI script memory leak when saving configuration | 12.1.3.6, 13.1.1.2, 14.0.0 |
| 691589-4 | 2-Critical | BT691589 | When using LDAP client auth, tamd may become stuck | 12.1.4, 13.1.1.2 |
| 690819-1 | 2-Critical | BT690819 | Using an iRule module after a 'session lookup' may result in crash | 11.6.3.3, 12.1.3.6, 13.1.1.2 |
| 689437-1 | 2-Critical | K49554067, BT689437 | icrd_child cores due to infinite recursion caused by incorrect group name handling | 11.5.9, 11.6.4, 12.1.4, 13.1.1.2 |
| 689002-3 | 2-Critical | BT689002 | Stackoverflow when JSON is deeply nested | 12.1.4, 13.1.1.2 |
| 658410-2 | 2-Critical | BT658410 | icrd_child generates a core when calling PUT on ltm/data-group/internal/ | 13.1.1.2 |
| 652877-5 | 2-Critical | BT652877 | Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades | 11.5.9, 11.6.4, 12.1.4, 13.1.1.2 |
| 638091-6 | 2-Critical | BT638091 | Config sync after changing named pool members can cause mcpd on secondary blades to restart | 12.1.4, 13.1.1.2 |
| 739126 | 3-Major | BT739126 | Multiple VE installations may have different sized volumes | 13.1.1.2 |
| 733585-3 | 3-Major | BT733585 | Merged can use %100 of CPU if all stats snapshot files are in the future | 13.1.1.2 |
| 727467-1 | 3-Major | BT727467 | Some iSeries appliances can experience traffic disruption when the high availability (HA) peer is upgraded from 12.1.3 and earlier to 13.1.0 or later. | 13.1.1.2, 14.0.0.5 |
| 726409-4 | 3-Major | Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.2, 14.0.0.3 | |
| 722682-2 | 3-Major | BT722682 | Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load&start; | 12.1.4.1, 13.1.1.2, 14.0.0.3 |
| 721740-2 | 3-Major | BT721740 | CPU stats are not correctly recorded when snapshot files have timestamps in the future | 13.1.1.2 |
| 720713-2 | 3-Major | BT720713 | TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail | 12.1.4, 13.1.1.2, 14.0.0.3 |
| 720461-2 | 3-Major | BT720461 | qkview prompts for password on chassis | 12.1.4, 13.1.1.2 |
| 718525-1 | 3-Major | BT718525 | PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting | 13.1.1.2, 14.0.0.3 |
| 714974-2 | 3-Major | BT714974 | Platform-migrate of UCS containing QinQ fails on VE&start; | 13.1.1.2 |
| 714903-2 | 3-Major | BT714903 | Errors in chmand | 12.1.4.1, 13.1.1.2, 14.0.0.5 |
| 714654-2 | 3-Major | BT714654 | Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM | 12.1.4.1, 13.1.1.2 |
| 713813-2 | 3-Major | BT713813 | Node monitor instances not showing up in GUI | 13.1.1.2 |
| 712102-2 | 3-Major | K11430165, BT712102 | customizing or changing the HTTP Profile's IPv6 field hides the field or the row | 13.1.1.2 |
| 710232-2 | 3-Major | BT710232 | platform-migrate fails when LACP trunks are in use | 13.1.1.2, 14.0.0.3 |
| 709444-2 | 3-Major | BT709444 | "NTP not configured on device" warning seen when NTP symmetric key authentication is configured | 13.1.1.2 |
| 709192-1 | 3-Major | BT709192 | GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart | 13.1.1.2, 14.0.0.3 |
| 707740-4 | 3-Major | BT707740 | Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination | 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.2, 14.0.0.5 |
| 707509-1 | 3-Major | BT707509 | Initial vCMP guest creations can fail if certain hotfixes are used | 12.1.5, 13.1.1.2 |
| 707391-2 | 3-Major | BT707391 | BGP may keep announcing routes after disabling route health injection | 12.1.4, 13.1.1.2, 14.0.0.3 |
| 706804-1 | 3-Major | BT706804 | SNMP trap destination configuration of network option is missing "default" keyword | 13.1.1.2 |
| 706354-2 | 3-Major | BT706354 | OPT-0045 optic unable to link | 12.1.4, 13.1.1.2, 14.0.0 |
| 706169-3 | 3-Major | BT706169 | tmsh memory leak | 13.1.1.2, 14.0.0.3 |
| 705456-1 | 3-Major | BT705456 | Enabling HTTP-to-HTTPS redirection in a vCMP guest can prevent some Host-Guest Management features from working | 13.1.1.2, 14.0.0 |
| 704755-1 | 3-Major | BT704755 | EUD_M package could not be installed on 800 platforms | 13.1.1.2, 14.0.0.3 |
| 704512-1 | 3-Major | BT704512 | Automated upload of qkview to iHealth can time out resulting in error | 13.1.1.2, 14.0.0 |
| 704336-1 | 3-Major | BT704336 | Updating 3rd party device cert not copied correctly to trusted certificate store | 12.1.3.6, 13.1.1.2 |
| 702227-3 | 3-Major | BT702227 | Memory leak in TMSH load sys config | 13.1.1.2, 14.0.0.3 |
| 700757-1 | 3-Major | BT700757 | vcmpd may crash when it is exiting | 11.6.4, 12.1.4, 13.1.1.2 |
| 700576-1 | 3-Major | BT700576 | GUI - Server SSL Profile shows irrelevant options when "Server Certificate" is set to "Ignore" | 13.1.1.2, 14.0.0 |
| 700426 | 3-Major | K58033284, BT700426 | Switching partitions while viewing objects in GUI can result in empty list | 13.1.1.2 |
| 700250-3 | 3-Major | K59327012, BT700250 | qkviews for secondary blade appear to be corrupt | 13.1.1.2 |
| 698875-1 | 3-Major | Qkview Security Hardening | 13.1.1.2 | |
| 698084-3 | 3-Major | K03776801, BT698084 | IPsec log messages in /var/log/ltm missing module ID to reach bigiq logs | 13.1.1.2 |
| 696731-3 | 3-Major | K94062594, BT696731 | The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled | 13.1.1.2 |
| 693578-2 | 3-Major | BT693578 | switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0 | 13.1.1.2 |
| 692189-1 | 3-Major | BT692189 | errdefsd fails to generate a core file on request. | 12.1.4, 13.1.1.2 |
| 692179-1 | 3-Major | BT692179 | Potential high memory usage from errdefsd. | 12.1.3.6, 13.1.1.2 |
| 691609-1 | 3-Major | BT691609 | 1NIC: Configuration error: Clearing IP on interface mgmt failed - Cannot assign requested address&start; | 13.1.1.2 |
| 690890-1 | 3-Major | BT690890 | Running sod manually can cause issues/failover | 13.1.1.2 |
| 689375-1 | 3-Major | K01512833, BT689375 | Unable configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled | 13.1.1.2 |
| 688406-1 | 3-Major | K14513346, BT688406 | HA-Group Score showing 0 | 13.1.1.2 |
| 687905-2 | 3-Major | K72040312, BT687905 | OneConnect profile causes CMP redirected connections on the HA standby | 12.1.3.6, 13.1.1.2 |
| 687534-1 | 3-Major | BT687534 | If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page | 12.1.3.6, 13.1.1.2 |
| 684391-3 | 3-Major | BT684391 | Existing IPsec tunnels reload. tmipsecd creates a core file. | 12.1.3.6, 13.1.1.2 |
| 684218-1 | 3-Major | BT684218 | vADC 'live-install' Downgrade from v13.1.0 is not possible | 13.1.1.2 |
| 681782-6 | 3-Major | BT681782 | Unicast IP address can be configured in a failover multicast configuration | 13.1.1.2 |
| 679347-2 | 3-Major | K44117473, BT679347 | ECP does not work for PFS in IKEv2 child SAs | 12.1.3.6, 13.1.1.2, 14.0.0 |
| 678488-1 | 3-Major | K59332320, BT678488 | BGP default-originate not announced to peers if several are peering over different VLANs | 12.1.4.1, 13.1.1.2 |
| 677485-1 | 3-Major | BT677485 | Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error | 13.1.1.2 |
| 671712-2 | 3-Major | BT671712 | The values returned for the ltmUserStatProfileStat table are incorrect. | 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 670528-4 | 3-Major | K20251354, BT670528 | Warnings during vCMP host upgrade. | 11.6.5.2, 12.1.3.7, 13.1.1.2 |
| 651413-4 | 3-Major | K34042229, BT651413 | tmsh list ltm node does not return an error when node does not exist | 12.1.3.4, 13.1.1.2 |
| 642923-6 | 3-Major | BT642923 | MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system | 12.1.4, 13.1.1.2 |
| 617643-2 | 3-Major | BT617643 | iControl.ForceSessions enabled results in GUI error on certain pages | 13.1.1.2 |
| 551925-4 | 3-Major | BT551925 | Misdirected UDP traffic with hardware acceleration | 11.6.4, 12.1.3.7, 13.1.1.2 |
| 464650-6 | 3-Major | BT464650 | Failure of mcpd with invalid authentication context. | 11.5.7, 11.6.3.3, 12.1.3.7, 13.1.1.2 |
| 727297-3 | 4-Minor | BT727297 | GUI TACACS+ remote server list should accept hostname | 13.1.1.2 |
| 725612-1 | 4-Minor | BT725612 | syslog-ng does not send any messages to the remote servers after reconfiguration | 13.1.1.2, 14.0.0.3 |
| 719770-2 | 4-Minor | BT719770 | tmctl -H -V and -l options without values crashed | 13.1.1.2, 14.0.0.5 |
| 714749-2 | 4-Minor | cURL Vulnerability: CVE-2018-1000120 | 13.1.1.2, 14.0.0.3 | |
| 713947-1 | 4-Minor | BT713947 | stpd repeatedly logs "hal sendMessage failed" | 13.1.1.2 |
| 713932-1 | 4-Minor | BT713932 | Commands are replicated to PostgreSQL even when not in use. | 13.1.1.2, 14.0.0.3 |
| 707631-2 | 4-Minor | BT707631 | The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI | 13.1.1.2 |
| 707267 | 4-Minor | BT707267 | REST Framework HTTP header limit size increased to 8 KB | 13.1.1.2, 14.0.0.3 |
| 701826 | 4-Minor | BT701826 | qkview upload to ihealth fails or unable to untar qkview file | 13.1.1.2 |
| 691491-5 | 4-Minor | K13841403, BT691491 | 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces | 13.1.1.2 |
| 685582-7 | 4-Minor | BT685582 | Incorrect output of b64 unit key hash by command f5mku -f | 12.1.5.3, 13.1.1.2 |
| 683029-1 | 4-Minor | BT683029 | Sync of virtual address and self IP traffic groups only happens in one direction | 13.1.1.2 |
| 679135-2 | 4-Minor | BT679135 | IKEv1 and IKEv2 cannot share common local address in tunnels | 12.1.3.6, 13.1.1.2 |
| 678388-1 | 4-Minor | K00050055, BT678388 | IKEv1 racoon daemon is not restarted when killed multiple times | 12.1.3.6, 13.1.1.2 |
| 550526-2 | 4-Minor | K84370515, BT550526 | Some time zones prevent configuring trust with a peer device using the GUI. | 12.1.3.7, 13.1.1.2 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 722594-2 | 1-Blocking | BT722594 | TCP flow may not work as expected if double tagging is used | 13.1.1.2, 14.0.0 |
| 737445-2 | 2-Critical | BT737445 | Use of TCP Verified Accept can disable server-side flow control | 13.1.1.2, 14.0.0.3 |
| 727044-2 | 2-Critical | TMM may crash while processing compressed data | 12.1.4, 13.1.1.2, 14.0.0.3 | |
| 726239-4 | 2-Critical | BT726239 | interruption of traffic handling as sod daemon restarts TMM | 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.2, 14.0.0.3 |
| 725545-1 | 2-Critical | BT725545 | Ephemeral listener might not be set up correctly | 13.1.1.2, 14.0.0 |
| 724906-1 | 2-Critical | BT724906 | sasp_gwm monitor leaks memory over time | 13.1.1.2, 14.0.0.3 |
| 724868-1 | 2-Critical | BT724868 | dynconfd memory usage increases over time | 12.1.4, 13.1.1.2, 14.0.0.3 |
| 724213-1 | 2-Critical | K74431483, BT724213 | Modified ssl_profile monitor param not synced correctly | 13.1.1.2, 14.0.0.3 |
| 722893-1 | 2-Critical | K30764018, BT722893 | TMM can restart without a stack trace or core file after becoming disconnected from MCPD. | 13.1.1.2, 14.0.0 |
| 716213-1 | 2-Critical | BT716213 | BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic | 12.1.3.7, 13.1.1.2, 14.0.0.5 |
| 713612-1 | 2-Critical | BT713612 | tmm might restart if the HTTP passthrough on pipeline option is used | 13.1.1.2 |
| 710221-2 | 2-Critical | K67352313, BT710221 | Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled | 13.1.1.2, 14.0.0.3 |
| 673664-1 | 2-Critical | BT673664 | TMM crashes when sys db Crypto.HwAcceleration is disabled.&start; | 13.1.1.2 |
| 635191-2 | 2-Critical | BT635191 | Under rare circumstances TMM may crash | 12.1.3.7, 13.1.1.2, 14.0.0 |
| 727222-1 | 3-Major | BT727222 | 206 Partial Content responses from ramcache have malformed Content-Range header | 13.1.1.2 |
| 723300-2 | 3-Major | BT723300 | TMM may crash when tracing iRules containing nameless listeners on internal virtual servers | 13.1.1.2, 14.0.0 |
| 722363-2 | 3-Major | BT722363 | Client fails to connect to server when using PVA offload at Established | 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 721261-1 | 3-Major | BT721261 | v12.x Policy rule names containing slashes are not migrated properly | 13.1.1.2, 14.0.0.5 |
| 720293-3 | 3-Major | BT720293 | HTTP2 IPv4 to IPv6 fails | 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 719600-2 | 3-Major | BT719600 | TCP::collect iRule with L7 policy present may result in connection reset | 13.1.1.2, 14.0.0.3 |
| 717346-2 | 3-Major | K13040347, BT717346 | [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total | 13.1.1.2, 14.0.0.3, 16.0.1.1 |
| 715883 | 3-Major | BT715883 | Tmm crash due to invalid cookie attribute | 13.1.1.2, 14.0.0.3 |
| 715785-2 | 3-Major | BT715785 | Incorrect encryption error for monitors during sync or upgrade | 13.1.1.2, 14.0.0.5 |
| 715756-2 | 3-Major | BT715756 | Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only | 13.1.1.2 |
| 715467-2 | 3-Major | BT715467 | Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY | 12.1.5, 13.1.1.2, 14.0.0.3 |
| 714384-3 | 3-Major | BT714384 | DHCP traffic may not be forwarded when BWC is configured | 13.1.1.2, 14.0.0.3 |
| 707951-2 | 3-Major | BT707951 | Stalled mirrored flows on HA next-active when OneConnect is used. | 12.1.3.6, 13.1.1.2, 14.0.0.3 |
| 704764-3 | 3-Major | BT704764 | SASP monitor marks members down with non-default route domains | 13.1.1.2, 14.0.0.3 |
| 703580-1 | 3-Major | BT703580 | TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host. | 12.1.3.6, 13.1.1.2 |
| 703266-2 | 3-Major | BT703266 | Potential MCP memory leak in LTM policy compile code | 13.1.1.2 |
| 702450-1 | 3-Major | BT702450 | The validation error message generated by deleting certain object types referenced by a policy action is incorrect | 11.6.4, 12.1.5, 13.1.1.2, 14.0.0.5 |
| 701690-1 | 3-Major | K53819652, BT701690 | Fragmented ICMP forwarded with incorrect icmp checksum | 13.1.1.2 |
| 700696-1 | 3-Major | BT700696 | SSID does not cache fragmented Client Certificates correctly via iRule | 12.1.3.7, 13.1.1.2 |
| 699273-1 | 3-Major | BT699273 | TMM Core During FTP Monitor Use | 13.1.1.2 |
| 695925-1 | 3-Major | BT695925 | Tmm crash when showing connections for a CMP disabled virtual server | 11.6.4, 12.1.4, 13.1.1.2 |
| 691785-1 | 3-Major | BT691785 | The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes | 13.1.1.2 |
| 691224-3 | 3-Major | K59327001, BT691224 | Fragmented SSL Client Hello message do not get properly reassembled when SSL Persistence is enabled | 12.1.3.7, 13.1.1.2 |
| 690778-1 | 3-Major | K53531153, BT690778 | Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule | 13.1.1.2 |
| 688629-1 | 3-Major | K52334096, BT688629 | Deleting data-group in use by iRule does not trigger validation error | 12.1.5, 13.1.1.2 |
| 685110-1 | 3-Major | K05430133, BT685110 | With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members. | 12.1.3.2, 13.1.1.2 |
| 681757-3 | 3-Major | K32521651, BT681757 | Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member' | 12.1.3.6, 13.1.1.2 |
| 681673-4 | 3-Major | BT681673 | tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results | 13.1.1.2 |
| 679613-1 | 3-Major | K23531420, BT679613 | i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1' | 13.1.1.2 |
| 672312-3 | 3-Major | BT672312 | IP ToS may not be forwarded to serverside with syncookie activated | 12.1.4, 13.1.1.2, 14.0.0.5 |
| 602708-4 | 3-Major | K84837413, BT602708 | Traffic may not passthrough CoS by default | 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 716922-2 | 4-Minor | BT716922 | Reduction in PUSH flags when Nagle Enabled | 11.5.7, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3 |
| 712637-2 | 4-Minor | BT712637 | Host header persistence not implemented | 13.1.1.2, 14.0.0.3 |
| 700433-1 | 4-Minor | K10870739, BT700433 | Memory leak when attaching an LTM policy to a virtual server | 11.6.4, 12.1.3.6, 13.1.1.2 |
| 697988-3 | 4-Minor | K34554754, BT697988 | During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100% | 13.1.1.2 |
| 693966-1 | 4-Minor | BT693966 | TCP sndpack not reset along with other tcp profile stats | 13.1.1.2 |
| 688557-1 | 4-Minor | K50462482, BT688557 | Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull' | 13.1.1.2 |
| 495242-4 | 4-Minor | BT495242 | mcpd log messages: Failed to unpublish LOIPC object | 11.5.6, 11.6.4, 12.1.3.6, 13.1.1.2 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 718885-3 | 2-Critical | K25348242, BT718885 | Under certain conditions, monitor probes may not be sent at the configured interval | 12.1.3.7, 13.1.1.2, 14.0.0 |
| 723792-2 | 3-Major | BT723792 | GTM regex handling of some escape characters renders it invalid | 12.1.4, 13.1.1.2, 14.0.0.3 |
| 719644-2 | 3-Major | BT719644 | If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions&start; | 12.1.3.7, 13.1.1.2, 14.0.0.3 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 737500-2 | 2-Critical | BT737500 | Apply Policy and Upgrade time degradation when there are previous enforced rules | 13.1.1.2, 14.0.0.5 |
| 726090-1 | 2-Critical | BT726090 | No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense | 13.1.1.2, 14.0.0.5 |
| 724414-2 | 2-Critical | BT724414 | ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled | 13.1.1.2, 14.0.0.5 |
| 724032-1 | 2-Critical | BT724032 | Searching Request Log for value containing backslash does not return expected result | 13.1.1.2, 14.0.0.5 |
| 721741-3 | 2-Critical | BT721741 | BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative | 12.1.3.7, 13.1.1.2, 14.1.0.2 |
| 704143-1 | 2-Critical | BT704143 | BD memory leak | 12.1.3.6, 13.1.1.2, 14.0.0 |
| 701856-1 | 2-Critical | BT701856 | Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart | 12.1.3.7, 13.1.1.2 |
| 740719-2 | 3-Major | BT740719 | ASM CSP header parser does not honor unsafe-inline attribute within script-src directive | 13.1.1.2, 14.0.0.5 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 737867-1 | 3-Major | BT737867 | Scheduled reports are being incorrectly displayed in different partitions | 13.1.1.2, 14.0.1.1 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 739716-2 | 1-Blocking | BT739716 | APM Subroutine loops without finishing | 13.1.1.2, 14.0.0.5 |
| 740777-1 | 2-Critical | BT740777 | Secondary blades mcp daemon restart when subroutine properties are configured | 12.1.4, 13.1.1.2 |
| 739674-1 | 2-Critical | BT739674 | TMM might core in SWG scenario with per-request policy. | 13.1.1.2 |
| 722013 | 2-Critical | BT722013 | MCPD restarts on all secondary blades post config-sync involving APM customization group | 12.1.3.7, 13.1.1.2, 14.0.0.5 |
| 713820-1 | 2-Critical | BT713820 | Pass in IP address to urldb categorization engine | 13.1.1.2 |
| 739939-1 | 3-Major | BT739939 | Ping Access Agent Module leaks memory in TMM. | 13.1.1.2, 14.0.0.5 |
| 739190 | 3-Major | BT739190 | Policies could be exported with not patched /Common partition | 13.1.1.2 |
| 738582-1 | 3-Major | BT738582 | Ping Access Agent Module leaks memory in TMM. | 13.1.1.2, 14.0.0.5 |
| 738397-1 | 3-Major | BT738397 | SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails. | 12.1.3.7, 13.1.1.2, 14.0.0.5 |
| 737355-1 | 3-Major | BT737355 | HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files | 13.1.1.2 |
| 737064-2 | 3-Major | BT737064 | ACCESS::session iRule commands may not work in serverside events | 13.1.1.2 |
| 726895 | 3-Major | K02205915, BT726895 | VPE cannot modify subroutine settings | 12.1.3.7, 13.1.1.2 |
| 726616-1 | 3-Major | BT726616 | TMM crashes when a session is terminated | 13.1.1.2, 14.0.0.5 |
| 726592-1 | 3-Major | BT726592 | Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop | 12.1.4, 13.1.1.2 |
| 725867-2 | 3-Major | BT725867 | ADFS proxy does not fetch configuration for non-floating virtual servers | 13.1.1.2, 14.0.0.5 |
| 725412-1 | 3-Major | APM does not follow current best practices for HTTP headers | 13.1.1.2, 14.0.0 | |
| 724571-1 | 3-Major | BT724571 | Importing access profile takes a long time | 13.1.1.2 |
| 722969-2 | 3-Major | BT722969 | Access Policy import with 'reuse' enabled instead rewrites shared objects | 12.1.4.1, 13.1.1.2, 14.0.0 |
| 722423-1 | 3-Major | BT722423 | Analytics agent always resets when Category Lookup is of type custom only | 13.1.1.2, 14.0.0.5 |
| 720757-1 | 3-Major | BT720757 | Without proper licenses Category Lookup always fails with license error in Allow Ending | 13.1.1.2, 14.0.0.5 |
| 713655-2 | 3-Major | BT713655 | RouteDomainSelectionAgent might fail under heavy control plane traffic/activities | 12.1.3.7, 13.1.1.2, 14.0.0.5 |
| 711427-2 | 3-Major | BT711427 | Edge Browser does not launch F5 VPN App | 13.1.1.2, 14.0.0 |
| 710884-1 | 3-Major | BT710884 | Portal Access might omit some valid cookies when rewriting HTTP request. | 13.1.1.2, 14.0.0.5 |
| 701800-2 | 3-Major | K29064506, BT701800 | SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x | 13.1.1.2, 14.0.0.5 |
| 701056-1 | 3-Major | BT701056 | User is not able to reset their Active Directory password | 13.1.1.2 |
| 698984-1 | 3-Major | BT698984 | Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned | 13.1.1.2 |
| 696669-1 | 3-Major | BT696669 | Users cannot change or reset RSA PIN | 13.1.1.2 |
| 696544-1 | 3-Major | BT696544 | APM end users can not change/reset password when auth agents are included in per-req policy | 13.1.1.2 |
| 671323-1 | 3-Major | BT671323 | Reset PIN Fail if Token input field is not 'password' field | 13.1.1.2 |
| 734595-2 | 4-Minor | BT734595 | sp-connector is not being deleted together with profile | 13.1.1.2 |
| 721375-1 | 4-Minor | BT721375 | Export then import of config with RSA server in it might fail | 12.1.3.7, 13.1.1.2 |
WebAccelerator Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 706642-2 | 2-Critical | BT706642 | wamd may leak memory during configuration changes and cluster events | 11.5.9, 11.6.4, 12.1.4, 13.1.1.2, 14.0.0.3 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 709383-2 | 3-Major | BT709383 | DIAMETER::persist reset non-functional | 13.1.1.2 |
| 706750-1 | 3-Major | BT706750 | Changing CGNAT SIP ALG profile log settings while handling traffic may cause tmm crash. | 13.1.1.2, 14.0.0 |
| 691048-1 | 3-Major | K34553736, BT691048 | Support DIAMETER Experimental-Result AVP response | 13.1.1.2 |
| 688942-5 | 3-Major | BT688942 | ICAP: Chunk parser performs poorly with very large chunk | 12.1.3.6, 13.1.1.2 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 724532-2 | 2-Critical | BT724532 | SIG SEGV during IP intelligence category match in TMM | 12.1.4, 13.1.1.2 |
| 720045-1 | 2-Critical | BT720045 | IP fragmented UDP DNS request and response packets dropped as DNS Malformed | 13.1.1.2, 14.0.0 |
| 710755-1 | 2-Critical | BT710755 | TMM crash when route information becomes stale and the system accesses stale information. | 12.1.4, 13.1.1.2, 14.0.0 |
| 698333-1 | 2-Critical | K43392052, BT698333 | TMM core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families) | 13.1.1.2, 14.0.0 |
| 694849-1 | 2-Critical | BT694849 | TMM crash when packet sampling is turned for DNS BDOS signatures. | 13.1.1.2 |
| 672514-1 | 2-Critical | BT672514 | Local Traffic/Virtual Server/Security page crashed | 13.1.1.2 |
| 630137-2 | 2-Critical | BT630137 | Dynamic Signatures feature can fill up /config partition impacting system stability | 13.1.1.2, 14.0.0 |
| 726154-2 | 3-Major | BT726154 | TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies | 12.1.5.3, 13.1.1.2 |
| 704528-2 | 3-Major | BT704528 | tmm may run out of memory during IP shunning | 13.1.1.2, 14.0.0 |
| 704369-2 | 3-Major | BT704369 | TMM on BIG-IP restarts if a dos profile is attached to a virtual with sip-routing enabled | 13.1.1.2, 14.0.0 |
| 696201-1 | 3-Major | BT696201 | Anomaly threshold floor calculation (for bins with very low learnt threshold) during signature generation | 13.1.1.2 |
| 686376-2 | 3-Major | BT686376 | Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon | 12.1.4.1, 13.1.1.2 |
| 707054-1 | 4-Minor | BT707054 | SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162 | 13.1.1.2 |
| 699454-4 | 4-Minor | Web UI does not follow current best coding practices | 12.1.4, 13.1.1.2, 14.0.0.3 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 726647-3 | 3-Major | BT726647 | PEM content insertion in a compressed response may truncate some data | 12.1.4.1, 13.1.1.2, 14.0.0.3, 14.1.0.2 |
| 721704-1 | 3-Major | BT721704 | UDP flows are not deleted after subscriber deletion | 13.1.1.2 |
| 709670-2 | 3-Major | BT709670 | iRule triggered from RADIUS occasionally fails to create subscribers. | 12.1.5, 13.1.1.2, 14.0.0.5 |
Carrier-Grade NAT Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 721570-1 | 1-Blocking | K20285019, BT721570 | TMM core when trying to log an unknown subscriber | 13.1.1.2, 14.0.0 |
| 734446-2 | 2-Critical | BT734446 | TMM crash after changing LSN pool mode from PBA to NAPT | 11.6.4, 12.1.4, 13.1.1.2, 14.0.0.3 |
| 688246-1 | 2-Critical | BT688246 | An invalid mode in the LSN::persistence command causes TMM crash | 13.1.1.2 |
| 708830-2 | 3-Major | BT708830 | Inbound or hairpin connections may get stuck consuming memory. | 12.1.4.1, 13.1.1.2, 14.0.0 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 738669-2 | 3-Major | BT738669 | Login validation may fail for a large request with early server response | 12.1.3.7, 13.1.1.2 |
| 737368-1 | 3-Major | BT737368 | Fingerprint cookie large value may result in tmm core. | 13.1.1.2, 14.0.1.1 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 739277 | 2-Critical | BT739277 | TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode | 13.1.1.2, 14.0.0.5 |
| 720585-1 | 3-Major | BT720585 | Signatures generated by Behavioral DOS algorithm can create false-positive signatures | 13.1.1.2, 14.0.0.5 |
| 689540-1 | 3-Major | BT689540 | The same DOS attack generates new signatures even if there are signatures generated during previous attacks. | 13.1.1.2 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 726303-1 | 3-Major | BT726303 | Unlock 10 million custom db entry limit | 12.1.3.7, 13.1.1.2 |
iApp Technology Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 726872-2 | 3-Major | BT726872 | iApp LX directory disappears after upgrade or restoring from UCS&start; | 13.1.1.2, 14.0.1.1 |
Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release
Functional Change Fixes
None
Cumulative fixes from BIG-IP v13.1.1 that are included in this release
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 693359-1 | 1-Blocking | BT693359 | AWS M5 and C5 instance families are supported | 13.1.1, 14.0.0.1 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 721364 | 1-Blocking | BT721364 | BIG-IP per-application VE BYOL license does not support three wildcard virtual servers | 13.1.1, 14.0.0.1 |
| 716469 | 1-Blocking | BT716469 | OpenSSL 1.0.1l fails with 512 bit DSA keys | 13.1.1 |
| 697615-1 | 1-Blocking | K65013424, BT697615 | Neurond may restart indefinitely after boot, with neurond_i2c_config message | 13.1.1 |
| 675921-2 | 1-Blocking | BT675921 | Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running | 12.1.3.1, 13.1.1 |
| 723130-1 | 2-Critical | K13996, BT723130 | Invalid-certificate warning displayed when deploying BIG-IP VE OVA file | 11.5.8, 11.6.3.3, 12.1.3.6, 13.1.1, 14.0.0 |
| 700086-1 | 2-Critical | BT700086 | AWS C5/M5 Instances do not support BIG-IP VE | 13.1.1, 14.0.0.1 |
| 696732-3 | 2-Critical | K54431534, BT696732 | tmm may crash in a compression provider | 12.1.3.5, 13.1.1 |
| 721985 | 3-Major | BT721985 | PAYG License remains inactive as dossier verification fails. | 13.1.1, 14.0.0.1 |
| 721512 | 3-Major | BT721512 | Config tool fails to configure management-ip when default routes exist for both IPv4 and IPv6. | 13.1.1 |
| 721342 | 3-Major | BT721342 | No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments. | 13.1.1, 14.0.0.1 |
| 720961-1 | 3-Major | BT720961 | Upgrading in Intelligence Community AWS environment may fail | 13.1.1, 14.0.0.1 |
| 720756-1 | 3-Major | BT720756 | SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS | 12.1.3.6, 13.1.1 |
| 720651-2 | 3-Major | BT720651 | Running Guest Changed to Provisioned Never Stops | 12.1.4, 13.1.1, 14.0.0.3 |
| 720104-1 | 3-Major | BT720104 | BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware' | 12.1.3.6, 13.1.1, 14.0.0.3 |
| 719396-1 | 3-Major | K34339214, BT719396 | DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot. | 13.1.1, 14.0.0.1 |
| 717832 | 3-Major | BT717832 | Remove unneeded files from UCS backup directories | 13.1.1 |
| 714303-1 | 3-Major | K25057050, BT714303 | X520 virtual functions do not support MAC masquerading | 13.1.1, 14.0.0.1 |
| 712266-1 | 3-Major | BT712266 | Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware | 13.1.1 |
| 697616-2 | 3-Major | BT697616 | Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests | 12.1.3.5, 13.1.1 |
| 680086 | 3-Major | BT680086 | BMC firmware fails md5sum check | 13.1.1 |
| 673996-2 | 3-Major | BT673996 | Unable to set 'media-fixed' on management port on BIG-IP i15000 platforms | 13.1.1, 14.0.0 |
| 680388-1 | 4-Minor | BT680388 | f5optics should not show function name in non-debug log messages | 12.1.3.5, 13.1.1 |
| 653759-1 | 4-Minor | BT653759 | Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update&start; | 12.1.3.5, 13.1.1 |
| 720391-2 | 5-Cosmetic | BT720391 | BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' | 12.1.3.6, 13.1.1, 14.0.0.3 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 737550 | 2-Critical | BT737550 | State Mirroring between BIG-IP 13.0.x and 13.1.x systems may cause TMM core on standby system during upgrade&start; | 13.1.1 |
| 701538-2 | 2-Critical | BT701538 | SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured | 12.1.3.5, 13.1.1 |
| 720460-1 | 3-Major | BT720460 | Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly | 13.1.1 |
| 694778-1 | 3-Major | BT694778 | Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size | 12.1.3.5, 13.1.1 |
| 686631-2 | 3-Major | BT686631 | Deselect a compression provider at the end of a job and reselect a provider for a new job | 12.1.3.5, 13.1.1 |
| 679494-1 | 3-Major | BT679494 | Change the default compression strategy to speed | 12.1.3.5, 13.1.1 |
| 495443-9 | 3-Major | K16621, BT495443 | ECDH negotiation failures logged as critical errors. | 11.5.3, 12.1.3.5, 13.1.1 |
| 679496-2 | 4-Minor | BT679496 | Add 'comp_req' to the output of 'tmctl compress' | 12.1.3.5, 13.1.1 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 717909 | 2-Critical | BT717909 | tmm can abort on sPVA flush if the HSB flush does not succeed | 13.1.1, 14.0.0 |
| 701637 | 2-Critical | BT701637 | Crash in bcm56xxd during TMM failover | 13.1.1 |
| 702738-1 | 3-Major | K32181540, BT702738 | Tmm might crash activating new blob when changing firewall rules | 12.1.3.4, 13.1.1 |
| 698182 | 3-Major | BT698182 | Upgrading from 13.1.1 to newer release might cause config to not be copied over&start; | 13.1.1 |
| 697516 | 3-Major | BT697516 | Upgrading using a ucs or scf file does not autogenerate uuids when current config has the uuid-default-autogenerate flag enabled | 13.1.1 |
Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 716992-2 | CVE-2018-5539 | K75432956, BT716992 | The ASM bd process may crash | 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0 |
| 710244-3 | CVE-2018-5536 | K27391542, BT710244 | Memory Leak of access policy execution objects | 12.1.3.6, 13.1.0.8, 14.0.0.5 |
| 710140-1 | CVE-2018-5527 | K20134942, BT710140 | TMM may consume excessive resources when processing SSL Intercept traffic | 13.1.0.8, 14.0.0 |
| 709688-3 | CVE-2017-3144 CVE-2018-5732 CVE-2018-5733 |
K08306700, BT709688 | dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 | 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 695072-2 | CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558 |
K23030550, BT695072 | CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558 | 13.1.0.8, 14.0.0.3 |
| 693744-4 | CVE-2018-5531 | K64721111, BT693744 | CVE-2018-5531: vCMP vulnerability | 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8 |
| 651741-2 | CVE-2017-5970, | K60104355, BT651741 | CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop | 13.1.0.8, 14.0.0.3 |
| 717900-2 | CVE-2018-5528 | K27044729, BT717900 | TMM crash while processing APM data | 13.1.0.8, 14.0.0 |
| 710827-2 | CVE-2019-6598 | K44603900, BT710827 | TMUI dashboard daemon stability issue | 11.5.9, 11.6.3.3, 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 710148-2 | CVE-2017-1000111 CVE-2017-1000112 |
K60250153, BT710148 | CVE-2017-1000111 & CVE-2017-1000112 | 11.5.7, 11.6.3.3, 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 709256-2 | CVE-2017-9074 CVE-2017-7542 |
K61223103, BT709256 | CVE-2017-9074: Local Linux Kernel Vulnerability | 11.5.6, 11.6.3.1, 12.1.3.3, 13.1.0.8, 14.0.0.3 |
| 705476-2 | CVE-2018-15322 | K28003839, BT705476 | Appliance Mode does not follow design best practices | 11.5.7, 11.6.3.3, 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 698813-2 | CVE-2018-5538 | K45435121, BT698813 | When processing DNSX transfers ZoneRunner does not enforce best practices | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 688625-5 | CVE-2017-11628 | K75543432, BT688625 | PHP Vulnerability CVE-2017-11628 | 11.5.7, 11.6.3.2, 12.1.3.2, 13.1.0.8 |
| 662850-6 | CVE-2015-2716 | K50459349, BT662850 | Expat XML library vulnerability CVE-2015-2716 | 11.5.7, 11.6.3.2, 12.1.3.2, 13.1.0.8 |
| 714879-3 | CVE-2018-15326 | K34652116, BT714879 | APM CRLDP Auth passes all certs | 11.6.3.3, 12.1.3.6, 13.1.0.8, 14.0.0.5 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 685020-3 | 3-Major | BT685020 | Enhancement to SessionDB provides timeout | 12.1.3.2, 13.1.0.8 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 708956-1 | 1-Blocking | K51206433, BT708956 | During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform' | 12.1.3.5, 13.1.0.8, 14.0.1.1 |
| 719597 | 2-Critical | BT719597 | HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0 | 13.1.0.8, 14.0.0.3 |
| 715820-1 | 2-Critical | BT715820 | vCMP in HA configuration with VIPRION chassis might cause unstable data plane | 13.1.0.8 |
| 712401-1 | 2-Critical | BT712401 | Enhanced administrator lock/unlock for Common Criteria compliance | 13.1.0.8 |
| 676203-3 | 2-Critical | BT676203 | Inter-blade mpi connection fails, does not recover, and eventually all memory consumed. | 12.1.3.2, 13.1.0.8 |
| 665362-2 | 2-Critical | BT665362 | MCPD might crash if the AOM restarts | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 581851-6 | 2-Critical | K16234725, BT581851 | mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands | 11.5.9, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0 |
| 711249-1 | 3-Major | BT711249 | NAS-IP-Address added to RADIUS packet unexpectedly | 12.1.4, 13.1.0.8, 14.0.0.3 |
| 710976-1 | 3-Major | BT710976 | Network Map can take a long time to load. | 13.1.0.8, 14.0.0.3 |
| 708484-2 | 3-Major | BT708484 | Network Map might take a long time to load | 13.1.0.8, 14.0.0.3 |
| 707445-3 | 3-Major | K47025244 | Nitrox 3 compression hangs/unable to recover | 11.5.9, 11.6.3.3, 12.1.3.6, 13.1.0.8 |
| 705818-1 | 3-Major | BT705818 | GUI Network Map Policy with forward Rule to Pool, Pool does not show up | 13.1.0.8, 14.0.0 |
| 704804-1 | 3-Major | BT704804 | The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address | 12.1.3.3, 13.1.0.8, 14.0.0.3 |
| 704733-1 | 3-Major | BT704733 | NAS-IP-Address is sent with the bytes in reverse order | 12.1.3.3, 13.1.0.8, 14.0.0.3 |
| 704247-2 | 3-Major | BT704247 | BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted | 12.1.3.7, 13.1.0.8, 14.0.0.3 |
| 701249-1 | 3-Major | BT701249 | RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1 | 12.1.3.3, 13.1.0.8, 14.0.0.3 |
| 700895-1 | 3-Major | K34944451, BT700895 | GUI Network Map objects in subfolders are not being shown | 13.1.0.8 |
| 696260-1 | 3-Major | K53103420, BT696260 | GUI Network Map as Start Screen presents database error | 13.1.0.8 |
| 694696-5 | 3-Major | BT694696 | On multiblade Viprion, creating a new traffic-group causes the device to go Offline | 12.1.3.2, 13.1.0.8 |
| 694547-2 | 3-Major | K74203532, BT694547 | TMSH save sys config creates unneeded generate_config processes. | 13.1.0.8 |
| 689730-3 | 3-Major | BT689730 | Software installations from v13.1.0 might fail&start; | 12.1.3.5, 13.1.0.8 |
| 687658 | 3-Major | BT687658 | Monitor operations in transaction will cause it to stay unchecked | 11.6.3.3, 12.1.3.2, 13.1.0.8 |
| 686906-2 | 3-Major | BT686906 | Fragmented IPv6 packets not handled correctly on Virtual Edition | 13.1.0.8 |
| 674455-5 | 3-Major | BT674455 | Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS | 12.1.3.5, 13.1.0.8 |
| 678254-1 | 4-Minor | BT678254 | Error logged when restarting Tomcat | 12.1.3.7, 13.1.0.8 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 721571-1 | 2-Critical | BT721571 | State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade&start; | 13.1.0.8 |
| 718071-1 | 2-Critical | BT718071 | HTTP2 with ASM policy not passing traffic | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 715747 | 2-Critical | BT715747 | TMM may restart when running traffic through custom SSLO deployments. | 13.1.0.8, 14.0.0 |
| 709828-2 | 2-Critical | BT709828 | fasthttp can crash with Large Receive Offload enabled | 13.1.0.8, 14.0.0.3 |
| 707244-3 | 2-Critical | BT707244 | iRule command clientside and serverside may crash tmm | 13.1.0.8, 14.0.0 |
| 707207-1 | 2-Critical | BT707207 | iRuleLx returning undefined value may cause TMM restart | 12.1.3.6, 13.1.0.8, 14.0.0.5 |
| 700597-1 | 2-Critical | BT700597 | Local Traffic Policy on HTTP/2 virtual server no longer matches | 13.1.0.8 |
| 700056-1 | 2-Critical | BT700056 | MCPD process may lock up and restart when applying Local Traffic Policy to virtual server | 13.1.0.8, 14.0.0.3 |
| 690756-1 | 2-Critical | BT690756 | APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated | 13.1.0.8 |
| 571651-4 | 2-Critical | BT571651 | Reset Nitrox3 crypto accelerator queue if it becomes stuck. | 11.5.9, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0.5 |
| 713951-5 | 3-Major | BT713951 | tmm core files produced by nitrox_diag may be missing data | 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 713934-2 | 3-Major | BT713934 | Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response | 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 712819-2 | 3-Major | BT712819 | 'HTTP::hsts preload' iRule command cannot be used | 13.1.0.8, 14.0.0.3 |
| 712475-3 | 3-Major | K56479945, BT712475 | DNS zones without servers will prevent DNS Express reading zone data | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 712437-3 | 3-Major | K20355559, BT712437 | Records containing hyphens (-) will prevent child zone from loading correctly | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 711281-5 | 3-Major | BT711281 | nitrox_diag may run out of space on /shared | 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 710996-2 | 3-Major | BT710996 | VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP | 13.1.0.8 |
| 709133-2 | 3-Major | BT709133 | When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur | 13.1.0.8, 14.0.0.3 |
| 709132-1 | 3-Major | BT709132 | When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur | 13.1.0.8, 14.0.0.3 |
| 707961-2 | 3-Major | K50013510, BT707961 | Unable to add policy to virtual server; error = Failed to compile the combined policies | 13.1.0.8, 14.0.0.3 |
| 707109-1 | 3-Major | BT707109 | Memory leak when using C3D | 13.1.0.8, 14.0.0 |
| 704381-5 | 3-Major | BT704381 | SSL/TLS handshake failures and terminations are logged at too low a level | 11.6.5.1, 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 702151-1 | 3-Major | BT702151 | HTTP/2 can garble large headers | 11.6.3.3, 12.1.3.6, 13.1.0.8 |
| 700889-3 | 3-Major | K07330445, BT700889 | Software syncookies without TCP TS improperly include TCP options that are not encoded | 11.6.3.3, 12.1.3.6, 13.1.0.8 |
| 700061-4 | 3-Major | BT700061 | Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file | 12.1.3.6, 13.1.0.8 |
| 699598-2 | 3-Major | BT699598 | HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR or TCP RST | 12.1.5, 13.1.0.8, 14.0.0.3 |
| 696755 | 3-Major | BT696755 | HTTP/2 may truncate a response body when served from cache | 13.1.0.8, 14.1.0.6, 15.1.3, 16.0.1.2 |
| 693308-1 | 3-Major | BT693308 | SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain | 12.1.3.7, 13.1.0.8 |
| 689089-1 | 3-Major | BT689089 | VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot | 12.1.3.2, 13.1.0.8 |
| 688744-1 | 3-Major | K11793920, BT688744 | LTM Policy does not correctly handle multiple datagroups | 13.1.0.8 |
| 686890-1 | 3-Major | BT686890 | X509_EXTENSION memory blocks leak when C3D forges the certificate. | 13.1.0.8 |
| 682944-1 | 3-Major | BT682944 | key-id missing for installed netHSM key for standby BIG-IP system in high availability (HA) setup | 13.1.0.8 |
| 682283-2 | 3-Major | BT682283 | Malformed HTTP/2 request with invalid Content-Length value is served against RFC | 13.1.0.8, 14.0.0.3 |
| 678872-3 | 3-Major | BT678872 | Inconsistent behavior for virtual-address and selfip on the same ip-address | 12.1.3.6, 13.1.0.8 |
| 673399-3 | 3-Major | BT673399 | HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server. | 12.1.3.4, 13.1.0.8 |
| 653201-2 | 3-Major | BT653201 | Update the default CA certificate bundle file to the latest version and remove expiring certificates from it | 13.1.0.8 |
| 713533-2 | 4-Minor | BT713533 | list self-ip with queries does not work | 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 708249-2 | 4-Minor | BT708249 | nitrox_diag utility generates QKView files with 5 MB maximum file size limit | 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0.3 |
| 692095-1 | 4-Minor | K65311501, BT692095 | bigd logs monitor status unknown for FQDN Node/Pool Member | 11.6.3.3, 12.1.3.2, 13.1.0.8 |
| 678801-4 | 4-Minor | BT678801 | WS::enabled returned empty string | 12.1.3.6, 13.1.0.8 |
| 677958-4 | 4-Minor | BT677958 | WS::frame prepend and WS::frame append do not insert string in the right place. | 12.1.3.6, 13.1.0.8 |
Performance Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 698992-1 | 3-Major | BT698992 | Performance degraded | 13.1.0.8 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 713066-1 | 2-Critical | K10620131, BT713066 | Connection failure during DNS lookup to disabled nameserver can crash TMM | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 707310-2 | 2-Critical | BT707310 | DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs) | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 721895 | 3-Major | Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery) | 11.5.7, 11.6.4, 12.1.4.1, 13.1.0.8, 14.0.0.5 | |
| 715448-2 | 3-Major | BT715448 | Providing LB::status with a GTM Pool name in a variable caused validation issues | 12.1.3.7, 13.1.0.8, 14.0.0.3 |
| 710032-1 | 3-Major | BT710032 | 'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system. | 13.1.0.8, 14.0.0.3 |
| 706128-2 | 3-Major | BT706128 | DNSSEC Signed Zone Transfers Can Leak Memory | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 703545-1 | 3-Major | BT703545 | DNS::return iRule "loop" checking disabled | 13.1.0.8, 14.0.0 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 718152 | 2-Critical | K14591455, BT718152 | ASM GUI request log does not load on cluster | 13.1.0.8 |
| 716788-2 | 2-Critical | BT716788 | TMM may crash while response modifications are being performed within DoSL7 filter | 12.1.3.7, 13.1.0.8, 14.0.0.5 |
| 713390-1 | 2-Critical | ASM Signature Update cannot be performed on hourly billing cloud instance | 13.1.0.8 | |
| 685230-3 | 2-Critical | BT685230 | memory leak on a specific server scenario | 12.1.3.7, 13.1.0.8 |
| 606983-2 | 2-Critical | BT606983 | ASM errors during policy import | 12.1.3.6, 13.1.0.8, 14.0.0.5 |
| 719459-2 | 3-Major | BT719459 | Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled | 13.1.0.8, 14.0.0.5 |
| 719005-1 | 3-Major | BT719005 | Login request may arrive corrupted to the backend server after CAPTCHA or CSID mitigation | 13.1.0.8, 14.0.0.5 |
| 717756-2 | 3-Major | BT717756 | High CPU usage from asm_config_server | 13.1.0.8, 14.0.0 |
| 716940-2 | 3-Major | BT716940 | Traffic Learning screen graphs shows data for the last day only | 13.1.0.8, 14.0.0.5 |
| 715128-1 | 3-Major | BT715128 | Simple mode Signature edit does not escape semicolon | 13.1.0.8, 14.0.0.5 |
| 713282-1 | 3-Major | BT713282 | Remote logger violation_details field does not appear when virtual server has more than one remote logger | 12.1.3.7, 13.1.0.8, 14.0.0.5 |
| 712362-3 | 3-Major | BT712362 | ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase | 12.1.3.6, 13.1.0.8, 14.0.0.5 |
| 711405-1 | 3-Major | K14770331, BT711405 | ASM GUI Fails to Display Policy List After Upgrade | 13.1.0.8, 14.0.0.5 |
| 710327-1 | 3-Major | BT710327 | Remote logger message is truncated at NULL character. | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 707147-1 | 3-Major | BT707147 | High CPU consumed by asm_config_server_rpc_handler_async.pl | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 706845-2 | 3-Major | BT706845 | False positive illegal multipart violation | 12.1.3.6, 13.1.0.8 |
| 706665-2 | 3-Major | BT706665 | ASM policy is modified after pabnagd restart | 13.1.0.8, 14.0.0 |
| 704643-1 | 3-Major | BT704643 | Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule | 13.1.0.8, 14.0.1.1 |
| 702008-1 | 3-Major | BT702008 | ASM REST: Missing DB Cleanup for some tables | 13.1.0.8 |
| 700143-2 | 3-Major | BT700143 | ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages | 12.1.3.2, 13.1.0.8 |
| 691897-3 | 3-Major | BT691897 | Names of the modified cookies do not appear in the event log | 12.1.3.6, 13.1.0.8 |
| 687759-1 | 3-Major | BT687759 | bd crash | 12.1.3.6, 13.1.0.8, 14.0.0.5, 14.1.0.6 |
| 686765-2 | 3-Major | BT686765 | Database cleaning failure may allow MySQL space to fill the disk entirely | 12.1.3.6, 13.1.0.8 |
| 674256-2 | 3-Major | K60745057, BT674256 | False positive cookie hijacking violation | 13.1.0.8, 13.1.1.4, 14.0.0 |
| 675232-6 | 4-Minor | BT675232 | Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction | 11.6.3.2, 12.1.3.2, 13.1.0.8 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 710315-1 | 2-Critical | BT710315 | AVR-profile might cause issues when loading a configuration or when using config sync | 13.1.0.8, 14.0.0 |
| 698226-1 | 2-Critical | BT698226 | Filters under Security :: Reports :: DoS :: URL Latencies work incorrectly | 13.1.0.8 |
| 696642-1 | 2-Critical | BT696642 | monpd core is sometimes created when the system is under heavy load. | 13.1.0.8 |
| 721474-1 | 3-Major | BT721474 | AVR does not send all SSLO statistics to offbox machine. | 13.1.0.8, 14.0.0 |
| 715110 | 3-Major | BT715110 | AVR should report 'resolutions' in module GtmWideip | 13.1.0.8, 14.1.0.2 |
| 712118 | 3-Major | BT712118 | AVR should report on all 'global tags' in external logs | 13.1.0.8, 14.0.0 |
| 706361 | 3-Major | BT706361 | IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0&start; | 13.1.0.8 |
| 696212-1 | 3-Major | BT696212 | monpd does not return data for multi-dimension query | 13.1.0.8 |
| 648242-2 | 3-Major | K73521040, BT648242 | Administrator users unable to access all partition via TMSH for AVR reports | 12.1.3.2, 13.1.0.8, 14.0.0.5, 14.1.4, 15.1.2.1, 16.0.1.1 |
| 649161-2 | 4-Minor | K42340304, BT649161 | AVR caching mechanism not working properly | 12.1.3.2, 13.1.0.8 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 720214-1 | 2-Critical | BT720214 | NTLM Authentication might fail if Strict Update in iApp is modified | 13.1.0.8, 14.0.0 |
| 720189-1 | 2-Critical | BT720189 | VDI settings in APM Webtop have the incorrect URL for Citrix Receiver client download | 13.1.0.8, 14.0.0 |
| 719149-2 | 2-Critical | BT719149 | VDI plugin might hang while processing native RDP connections | 13.1.0.8, 14.0.0 |
| 716747-2 | 2-Critical | TMM my crash while processing APM or SWG traffic | 12.1.3.6, 13.1.0.8, 14.0.0 | |
| 715250-1 | 2-Critical | BT715250 | TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED | 12.1.3.6, 13.1.0.8 |
| 713156-1 | 2-Critical | BT713156 | AGC cannot do redeploy in Exchange and ADFS use cases | 13.1.0.8, 14.0.0 |
| 710116-1 | 2-Critical | BT710116 | VPN clients experience packet loss/disconnection | 13.1.0.8, 14.0.0 |
| 694078-1 | 2-Critical | BT694078 | In rare cases, TMM may crash with high APM traffic | 13.1.0.8 |
| 720695-1 | 3-Major | BT720695 | Export then import of APM access Profile/Policy with advanced customization is failing | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 719192 | 3-Major | BT719192 | In VPE Agent VMware View Policy shows no properties | 13.1.0.8 |
| 715207-3 | 3-Major | BT715207 | coapi errors while modifying per-request policy in VPE | 12.1.3.6, 13.1.0.8, 14.0.0 |
| 714961-1 | 3-Major | BT714961 | antserver creates large temporary file in /tmp directory | 13.1.0.8, 14.0.0 |
| 714700-2 | 3-Major | BT714700 | SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy | 13.1.0.8, 14.0.0 |
| 713111-1 | 3-Major | BT713111 | When ASM and APM are configured on the same virtual server, ASM might report some errors in its logging. | 13.1.0.8 |
| 710305-1 | 3-Major | BT710305 | When ASM and APM are configured on the same virtual server, ASM could throw some errors in its logging. | 13.1.0.8 |
| 709274-1 | 3-Major | BT709274 | RADIUS Accounting requests egress on different Self IP addresses than they did pre-v13.1.0 | 13.1.0.8, 14.0.0 |
| 699267-2 | 3-Major | BT699267 | LDAP Query may fail to resolve nested groups | 11.6.3.3, 12.1.3.4, 13.1.0.8 |
| 658278-1 | 3-Major | BT658278 | Network Access configuration with Layered-VS does not work with Edge Client | 11.6.4, 13.1.0.8, 14.0.0 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 703515-3 | 2-Critical | K44933323, BT703515 | MRF SIP LB - Message corruption when using custom persistence key | 11.6.3.2, 12.1.3.6, 13.1.0.8 |
| 692310-2 | 3-Major | K69250459, BT692310 | ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body | 13.1.0.8 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 677473-3 | 2-Critical | BT677473 | MCPD core is generated on multiple add/remove of Mgmt-Rules | 12.1.3.6, 13.1.0.8 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 711570-3 | 3-Major | BT711570 | PEM iRule subscriber policy name query using subscriber ID, may not return applied policies | 12.1.3.6, 13.1.0.8 |
| 663874-2 | 3-Major | K77173309, BT663874 | Off-box HSL logging does not work with PEM in SPAN mode. | 13.1.0.8 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 719186-2 | 3-Major | BT719186 | Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts | 13.1.0.8, 14.0.1.1 |
| 716318-2 | 3-Major | BT716318 | Engine/Signatures automatic update check may fail to find/download the latest update | 12.1.3.7, 13.1.0.8, 14.0.0.5 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 714334-1 | 2-Critical | BT714334 | admd stops responding and generates a core while under stress. | 13.1.0.8, 14.0.0.5 |
| 718772-2 | 3-Major | BT718772 | The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists) | 13.1.0.8, 14.0.0.5 |
| 718685-1 | 3-Major | BT718685 | The measured number of pending requests is two times higher than actual one | 13.1.0.8 |
| 701288-1 | 3-Major | BT701288 | Server health significantly increases during DoSL7 TPS prevention | 13.1.0.8, 14.0.0 |
iApp Technology Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 693694-1 | 3-Major | BT693694 | tmsh::load within IApp template results in unpredicted behavior | 13.1.0.8 |
Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 716392-1 | 1-Blocking | BT716392 | Support for 24 vCMP guests on a single 4450 blade | 13.1.0.7, 14.0.0.2 |
| 712429 | 1-Blocking | BT712429 | Serverside packets excluded from DoS stats | 13.1.0.7 |
| 704552 | 3-Major | BT704552 | Support for ONAP site licensing | 13.1.0.7, 14.0.0.2, 14.1.4.1 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 707100 | 2-Critical | BT707100 | Potentially fail to create user in AzureStack | 13.1.0.7, 14.0.0.1 |
| 706688 | 2-Critical | BT706688 | Automatically add additional certificates to BIG-IP system in C2S and IC environments | 13.1.0.7, 14.0.0.1 |
| 709936 | 3-Major | BT709936 | Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration. | 13.1.0.7, 14.0.0.1 |
| 707585-1 | 3-Major | BT707585 | Use native driver for 82599 NICs instead of UNIC | 13.1.0.7, 14.0.0.1 |
| 703869 | 3-Major | BT703869 | Waagent updated to 2.2.21 | 12.1.3.3, 13.1.0.7, 14.0.0.1 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 713273 | 2-Critical | BT713273 | BIG-IP sys db variable avr.stats.internal.maxentitiespertable resets back to default value on services restart | 13.1.0.7, 14.0.0 |
| 715153-1 | 3-Major | BT715153 | AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem | 13.1.0.7, 14.0.0 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 716746 | 3-Major | BT716746 | Possible tmm restart when disabling single endpoint vector while attack is ongoing | 13.1.0.7, 14.1.4.2, 15.1.3, 16.0.1.2 |
| 712710 | 3-Major | BT712710 | TMM may halt and restart when threshold mode is set to stress-based mitigation | 13.1.0.7, 14.0.0 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 699103-1 | 3-Major | BT699103 | tmm continuously restarts after provisioning AFM | 13.1.0.7, 14.0.0 |
Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 709972-6 | CVE-2017-12613 | K52319810, BT709972 | CVE-2017-12613: APR Vulnerability | 12.1.3.6, 13.1.0.6, 14.0.0.3 |
| 707186-1 | CVE-2018-5514 | K45320419, BT707186 | TMM may crash while processing HTTP/2 traffic | 13.1.0.6, 14.0.0 |
| 702232-1 | CVE-2018-5517 | K25573437, BT702232 | TMM may crash while processing FastL4 TCP traffic | 13.1.0.6, 14.0.0 |
| 693312-1 | CVE-2018-5518 | K03165684, BT693312 | vCMPd may crash when processing bridged network traffic | 12.1.3.4, 13.1.0.6 |
| 688516-1 | CVE-2018-5518 | K03165684, BT688516 | vCMPd may crash when processing bridged network traffic | 12.1.3.4, 13.1.0.6 |
| 686305-1 | CVE-2018-5534 | K64552448, BT686305 | TMM may crash while processing SSL forward proxy traffic | 11.5.7, 11.6.3.2, 12.1.3.2, 13.0.1, 13.1.0.6 |
| 589233-2 | CVE-2018-5518 | K03165684 | vCMPd may crash when processing bridged network traffic | 13.1.0.6 |
| 714369 | CVE-2018-5526 | K62201098, BT714369 | ADM may fail when processing HTTP traffic | 13.1.0.6, 14.0.0 |
| 714350 | CVE-2018-5526 | K62201098, BT714350 | BADOS mitigation may fail | 13.1.0.6, 14.0.0 |
| 710314-1 | CVE-2018-5537 | K94105051, BT710314 | TMM may crash while processing HTML traffic | 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.6, 14.0.0 |
| 706176-1 | CVE-2018-5512 | K51754851, BT706176 | TMM crash can occur when using LRO | 13.1.0.6, 14.0.0 |
| 706086-3 | CVE-2018-5515 | K62750376, BT706086 | PAM RADIUS authentication subsystem hardening | 12.1.3.3, 13.1.0.6, 14.0.0 |
| 703940-2 | CVE-2018-5530 | K45611803, BT703940 | Malformed HTTP/2 frame consumes excessive system resources | 11.6.3.2, 12.1.3.6, 13.1.0.6, 14.0.0 |
| 699346-3 | CVE-2018-5524 | K53931245, BT699346 | NetHSM capacity reduces when handling errors | 11.6.3.2, 12.1.3.2, 13.0.1, 13.1.0.6 |
| 688011-7 | CVE-2018-5520 | K02043709, BT688011 | Dig utility does not apply best practices | 12.1.3.2, 13.0.1, 13.1.0.6, 14.0.0 |
| 688009-7 | CVE-2018-5519 | K46121888, BT688009 | Appliance Mode TMSH hardening | 12.1.3.4, 13.0.1, 13.1.0.6, 14.0.0 |
| 677088-2 | CVE-2018-15321 | K01067037, BT677088 | BIG-IP tmsh vulnerability CVE-2018-15321 | 11.5.7, 11.6.3.3, 12.1.3.6, 13.1.0.6, 14.0.0.3 |
| 708653-1 | CVE-2018-15311 | K07550539, BT708653 | TMM may crash while processing TCP traffic | 11.5.7, 11.6.3.3, 12.1.3.6, 13.1.0.6, 14.0.0 |
| 632875-5 | CVE-2018-5516 | K37442533, BT632875 | Non-Administrator TMSH users no longer allowed to run dig | 12.1.3, 13.0.1, 13.1.0.6, 14.0.0 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 708389 | 3-Major | BT708389 | BADOS monitoring with Grafana requires admin privilege | 13.1.0.6, 14.0.0.5 |
| 680850-2 | 3-Major | K48342409, BT680850 | Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage. | 12.1.3.4, 13.1.0.6 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 694897-2 | 1-Blocking | BT694897 | Unsupported Copper SFP can trigger a crash on i4x00 platforms. | 13.1.0.6 |
| 708054-1 | 2-Critical | BT708054 | Web Acceleration: TMM may crash on very large HTML files with conditional comments | 12.1.3.4, 13.1.0.6, 14.0.0 |
| 706305-1 | 2-Critical | BT706305 | bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled | 12.1.3.4, 13.1.0.6, 14.0.0 |
| 706087 | 2-Critical | BT706087 | Entry for SSL key replaced by config-sync causes tmsh load config to fail | 13.1.0.6, 14.0.0 |
| 703761-2 | 2-Critical | Disable DSA keys for public-key and host-based authentication in Common Criteria mode | 12.1.3.4, 13.1.0.6 | |
| 696113-3 | 2-Critical | BT696113 | Extra IPsec reference added per crypto operation overflows connflow refcount | 12.1.3.6, 13.1.0.6 |
| 692683-1 | 2-Critical | BT692683 | Core with /usr/bin/tmm.debug at qa_device_mgr_uninit | 13.1.0.6 |
| 690793-1 | 2-Critical | K25263287, BT690793 | TMM may crash and dump core due to improper connflow tracking | 12.1.3.7, 13.1.0.6 |
| 689577-3 | 2-Critical | K45800333, BT689577 | ospf6d may crash when processing specific LSAs | 12.1.3.2, 13.1.0.6 |
| 688911-1 | 2-Critical | K94296004, BT688911 | LTM Policy GUI incorrectly shows conditions with datagroups | 13.1.0.6 |
| 563661-1 | 2-Critical | BT563661 | Datastor may crash | 11.6.3.3, 12.1.3.2, 13.1.0.6 |
| 704282-2 | 3-Major | BT704282 | TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy | 12.1.3.6, 13.1.0.6 |
| 703298-2 | 3-Major | BT703298 | Licensing and phonehome_upload are not using the sync'd key/certificate | 13.1.0.6, 14.0.0 |
| 701626-2 | 3-Major | K16465222, BT701626 | GUI resets custom Certificate Key Chain in child client SSL profile | 11.6.3.3, 12.1.3.4, 13.1.0.6 |
| 698429-1 | 3-Major | BT698429 | Misleading log error message: Store Read invalid store addr 0x3800, len 10 | 12.1.5.3, 13.1.0.6 |
| 693964-1 | 3-Major | BT693964 | Qkview utility may generate invalid XML in files contained in Qkview | 13.1.0.6 |
| 691497-2 | 3-Major | BT691497 | tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions | 13.1.0.6 |
| 691210-1 | 3-Major | BT691210 | Traffic stops on tmm restart when guest VLAN tagging is used for BIG-IP VE. | 13.1.0.6 |
| 687353-1 | 3-Major | K35595105, BT687353 | Qkview truncates tmstat snapshot files | 12.1.3.2, 13.0.1, 13.1.0.6 |
| 631316-2 | 3-Major | K62532020, BT631316 | Unable to load config with client-SSL profile error&start; | 11.6.3.2, 12.1.3.2, 13.1.0.6 |
| 514703-3 | 4-Minor | BT514703 | gtm listener cannot be listed across partitions | 13.0.1, 13.1.0.6 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 709334-1 | 2-Critical | BT709334 | Memory leak when SSL Forward proxy is used and ssl re-negotiates | 12.1.3.6, 13.1.0.6, 14.0.0 |
| 708114-1 | 2-Critical | K33319853, BT708114 | TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed | 11.6.3.2, 12.1.3.6, 13.1.0.6, 14.0.0 |
| 707447-1 | 2-Critical | BT707447 | Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles. | 12.1.3.6, 13.1.0.6, 14.0.0 |
| 707246-1 | 2-Critical | BT707246 | TMM would crash if SSL Client profile could not load cert-key-chain successfully | 13.1.0.6, 14.0.0 |
| 706631-2 | 2-Critical | BT706631 | A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured. | 12.1.3.4, 13.1.0.6, 14.0.0 |
| 705611-2 | 2-Critical | BT705611 | The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used | 12.1.3.4, 13.1.0.6, 14.0.0 |
| 704666-1 | 2-Critical | BT704666 | memory corruption can occur when using certain certificates | 12.1.3.4, 13.1.0.6, 14.0.0 |
| 704435-1 | 2-Critical | BT704435 | Client connection may hang when NTLM and OneConnect profiles used together | 13.1.0.6 |
| 703914-2 | 2-Critical | BT703914 | TMM SIGSEGV crash in poolmbr_conn_dec. | 12.1.3.6, 13.1.0.6, 14.0.0 |
| 703191-2 | 2-Critical | BT703191 | HTTP2 requests may contain invalid headers when sent to servers | 13.1.0.6 |
| 701244-1 | 2-Critical | K81742541, BT701244 | An incorrect data manipulation in cipher encrypt and decrypt could cause TMM crash with SIGABRT | 13.1.0.6 |
| 701202-3 | 2-Critical | K35023432, BT701202 | SSL memory corruption | 12.1.3.4, 13.1.0.6 |
| 700393-3 | 2-Critical | K53464344, BT700393 | Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash | 11.6.3.3, 12.1.3.4, 13.1.0.6, 14.0.0 |
| 697259-2 | 2-Critical | K14023450, BT697259 | Different versioned vCMP guests on the same chassis may crash. | 12.1.3.7, 13.1.0.6 |
| 694656-1 | 2-Critical | K05186205, BT694656 | Routing changes may cause TMM to restart | 12.1.3.7, 13.1.0.6 |
| 686228-1 | 2-Critical | K23243525, BT686228 | TMM may crash in some circumstances with VLAN failsafe | 11.5.9, 11.6.4, 12.1.3.2, 13.1.0.6 |
| 680074-2 | 2-Critical | BT680074 | TMM crashes when serverssl cannot provide certificate to backend server. | 13.1.0.6 |
| 667770-1 | 2-Critical | K12472293, BT667770 | SIGSEGV to tmm when performing multiple, repeated SSL profile updates, or during UCS restore | 13.1.0.6 |
| 648320-5 | 2-Critical | K38159538, BT648320 | Downloading via APM tunnels could experience performance downgrade. | 11.6.3.2, 12.1.3.4, 13.0.1, 13.1.0.6 |
| 705794-2 | 3-Major | BT705794 | Under certain circumstances a stale HTTP/2 stream might cause a tmm crash | 11.6.3.3, 12.1.3.4, 13.1.0.6, 14.0.0 |
| 701147-2 | 3-Major | K36563645, BT701147 | ProxySSL does not work properly with Extended Master Secret and OCSP | 13.1.0.6 |
| 700057-4 | 3-Major | BT700057 | LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved | 11.6.4, 12.1.3.6, 13.1.0.6 |
| 693910-4 | 3-Major | BT693910 | Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series) | 12.1.4, 13.1.0.6 |
| 693244-2 | 3-Major | BT693244 | BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned | 13.1.0.6, 14.0.0.3 |
| 690042-1 | 3-Major | K43412307, BT690042 | Potential Tcl leak during iRule suspend operation | 11.6.4, 12.1.3.4, 13.1.0.6 |
| 689561-1 | 3-Major | BT689561 | HTTPS request hangs when multiple virtual https servers shares the same ip address | 13.1.0.6 |
| 686972-4 | 3-Major | BT686972 | The change of APM log settings will reset the SSL session cache. | 12.1.3.4, 13.1.0.6 |
| 685615-4 | 3-Major | K24447043, BT685615 | Incorrect source mac for TCP Reset with vlangroup for host traffic | 11.5.6, 11.6.5.1, 12.1.3.6, 13.1.0.6 |
| 677525-2 | 3-Major | BT677525 | Translucent VLAN group may use unexpected source MAC address | 11.5.6, 11.6.3.2, 12.1.3.6, 13.1.0.6 |
| 663821-1 | 3-Major | K41344010, BT663821 | SNAT Stats may not include port FTP traffic | 12.1.3.2, 13.0.1, 13.1.0.6 |
| 653976-4 | 3-Major | K00610259, BT653976 | SSL handshake fails if server certificate contains multiple CommonNames | 12.1.3.4, 13.1.0.6 |
| 594751-1 | 3-Major | K90535529, BT594751 | LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN | 12.1.5.1, 13.1.0.6 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 710424-2 | 2-Critical | BT710424 | Possible SIGSEGV in GTMD when GTM persistence is enabled. | 11.6.5.2, 12.1.3.4, 13.1.0.6, 14.0.0 |
| 678861-1 | 2-Critical | BT678861 | DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other&start; | 12.1.3.2, 13.1.0.6 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 710870 | 2-Critical | BT710870 | Temporary browser challenge failure after installing older ASU | 13.1.0.6 |
| 711011-2 | 3-Major | BT711011 | 'API Security' security policy template changes | 13.1.0.6, 14.0.0 |
| 683241-1 | 3-Major | K70517410, BT683241 | Improve CSRF token handling | 11.5.6, 11.6.3.2, 12.1.3.6, 13.1.0.6 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 710947-1 | 2-Critical | BT710947 | AVR does not send errdef for entity DosIpLogReporting. | 13.1.0.6, 14.0.0 |
| 710110-1 | 2-Critical | BT710110 | AVR does not publish DNS statistics to external log when usr-offbox is enabled. | 13.1.0.6, 14.0.0 |
| 711929-1 | 3-Major | BT711929 | AVR should not send statistic on hidden rows for module InterfaceTraffic and module InterfaceHealth | 13.1.0.6, 14.0.0 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 679221-2 | 1-Blocking | BT679221 | APMD may generate core file or appears locked up after APM configuration changed | 12.1.3.4, 13.1.0.6 |
| 708005-1 | 2-Critical | K12423316, BT708005 | Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources | 13.1.0.6, 14.0.0 |
| 703208-1 | 2-Critical | BT703208 | PingAccessAgent causes TMM core | 13.1.0.6, 14.0.0 |
| 702278-2 | 2-Critical | Potential XSS security exposure on APM logon page. | 12.1.3.4, 13.0.1, 13.1.0.6, 14.0.0 | |
| 700522-1 | 2-Critical | BT700522 | APMD may unexpectedly restart when worker threads are stuck | 13.1.0.6 |
| 700090-2 | 2-Critical | BT700090 | tmm crash during execution of a per-request policy when modified during execution. | 13.1.0.6, 14.0.0 |
| 699686-1 | 2-Critical | BT699686 | localdbmgr can occasionally crash during shutdown | 13.1.0.6, 14.0.0 |
| 697452-1 | 2-Critical | BT697452 | Websso crashes because of bad argument in logging | 13.0.1, 13.1.0.6 |
| 712924-1 | 3-Major | BT712924 | In VPE SecurID servers list are not being displayed in SecurID authentication dialogue | 12.1.3.6, 13.1.0.6 |
| 703793-3 | 3-Major | BT703793 | tmm restarts when using ACCESS::perflow get' in certain events | 12.1.3.7, 13.1.0.6, 14.0.0 |
| 703171-1 | 3-Major | BT703171 | High CPU usage for apmd, localdbmgr and oauth processes | 13.1.0.6, 14.0.0 |
| 702487-3 | 3-Major | BT702487 | AD/LDAP admins with spaces in names are not supported | 12.1.3.4, 13.1.0.6 |
| 684937-3 | 3-Major | K26451305, BT684937 | [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users | 11.5.6, 11.6.3.2, 12.1.3.6, 13.0.1, 13.1.0.6 |
| 683113-3 | 3-Major | K22904904, BT683113 | [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users | 11.5.6, 11.6.3.2, 12.1.3.6, 13.0.1, 13.1.0.6 |
| 681415-3 | 3-Major | BT681415 | Copying of profile with advanced customization or images might fail | 12.1.3.4, 13.1.0.6 |
| 678427-1 | 3-Major | K03138339, BT678427 | Safari 11 displays F5 EPI and F5 VPN launch confirmation dialogs twice | 13.1.0.6 |
| 675775-4 | 3-Major | BT675775 | TMM crashes inside dynamic ACL building session db callback | 12.1.3.4, 13.1.0.6 |
| 671597-3 | 3-Major | BT671597 | Import, export, copy and delete is taking too long on 1000 entries policy | 12.1.3.2, 13.0.1, 13.1.0.6 |
| 673717-3 | 4-Minor | BT673717 | VPE loading times can be very long | 12.1.3.2, 13.0.1, 13.1.0.6 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 701889-1 | 2-Critical | BT701889 | Setting log.ivs.level or log-config filter level to informational causes crash | 13.1.0.6 |
| 679114-4 | 3-Major | BT679114 | Persistence record expires early if an error is returned for a BYE command | 11.6.3, 12.1.3.6, 13.1.0.6 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 708888-1 | 2-Critical | K79814103, BT708888 | Some DNS truncated responses may not be processed by BIG-IP | 13.1.0.6, 14.0.0 |
| 667353 | 2-Critical | BT667353 | Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table | 13.1.0.6, 14.0.0 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 702705-2 | 2-Critical | BT702705 | Core observed during lease query testing when RADIUS Authentication is configured in DHCP profile | 13.1.0.6 |
| 699531-1 | 2-Critical | BT699531 | Potential TMM crash due to incorrect number of attributes in a PEM iRule command | 12.1.3.6, 13.1.0.6, 14.0.0.3 |
| 696294-1 | 2-Critical | BT696294 | TMM core may be seen when using Application reporting with flow filter in PEM | 12.1.3.6, 13.1.0.6 |
| 711093-1 | 3-Major | BT711093 | PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled | 12.1.3.6, 13.1.0.6, 14.0.0.3 |
| 709610-3 | 3-Major | BT709610 | Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM | 12.1.3.6, 13.1.0.6, 14.0.0.3 |
| 697718-1 | 3-Major | BT697718 | Increase PEM HSL reporting buffer size to 4K. | 12.1.3.6, 13.1.0.6 |
| 677494-1 | 3-Major | BT677494 | Flow filter with Periodic content insertion action could leak insert content record | 13.1.0.6 |
| 677148-1 | 3-Major | BT677148 | Periodic content insertion creates duplicate records if same policy is added to Global high and subscriber specific | 13.1.0.6 |
| 676346-2 | 3-Major | BT676346 | PEM displays incorrect policy action counters when the gate status is disabled. | 13.1.0.6, 14.0.0.3 |
| 648802-1 | 3-Major | BT648802 | Required custom AVPs are not included in an RAA when reporting an error. | 12.1.3.6, 13.1.0.6, 14.0.0.3 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 710701-1 | 3-Major | BT710701 | "Application Layer Encryption" option is not saved in DataSafe GUI | 13.1.0.6, 14.0.0 |
| 709319-2 | 3-Major | BT709319 | Post-login client-side alerts are missing username in bigIQ | 13.1.0.6, 14.0.0 |
| 706835 | 3-Major | BT706835 | When cloning a profile, URL parameters are not shown | 13.1.0.6 |
| 706771-1 | 3-Major | BT706771 | FPS ajax-mapping property may be set even when it should be blocked | 13.1.0.6, 14.0.0 |
| 706651-1 | 3-Major | BT706651 | Cloning URL does not clone "Description" field | 13.1.0.6, 14.0.0 |
| 706276-1 | 4-Minor | BT706276 | Unnecessary pop-up appears | 13.1.0.6 |
Device Management Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 708305-2 | 3-Major | BT708305 | Discover task may get stuck in CHECK_IS_ACTIVE step | 13.1.0.6, 14.0.0 |
| 705593-5 | 4-Minor | CVE-2015-7940: Bouncy Castle Java Vulnerability | 13.1.0.6, 14.0.0 |
Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 633441-1 | 3-Major | BT633441 | Datasync Background Tasks running even without features requiring it | 13.1.0.5 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 708189 | 4-Minor | BT708189 | OAuth Discovery Auto Pilot is implemented | 13.1.0.5 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 708840 | 3-Major | BT708840 | 13.0.0-to-13.1.0 upgrade operation on VIPRION 2250 blades might fail if global whitelist is configured | 13.1.0.5, 14.0.0 |
Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 705161-1 | CVE-2018-5505 | K23520761, BT705161 | BIG-IP ASM and BIG-IP AFM/BIG-IP Analytics vulnerability CVE-2018-5505 | 13.1.0.4, 14.0.0 |
| 703517 | CVE-2018-5505 | K23520761, BT703517 | BIG-IP ASM and BIG-IP AFM/BIG-IP Analytics vulnerability CVE-2018-5505 | 13.1.0.4 |
| 700556-1 | CVE-2018-5504 | K11718033, BT700556 | TMM may crash when processing WebSockets data | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 699012-1 | CVE-2018-5502 | K43121447, BT699012 | TMM may crash when processing SSL/TLS data | 13.0.1, 13.1.0.4 |
| 698080-3 | CVE-2018-5503 | K54562183, BT698080 | TMM may consume excessive resources when processing with PEM | 12.1.3.2, 13.1.0.4 |
| 695901-1 | CVE-2018-5513 | K46940010, BT695901 | TMM may crash when processing ProxySSL data | 11.5.6, 11.6.3.2, 12.1.3.4, 13.0.1, 13.1.0.4 |
| 691504-1 | CVE-2018-5503 | K54562183, BT691504 | PEM content insertion in a compressed response may cause a crash. | 12.1.3.2, 13.1.0.4 |
| 704580-1 | CVE-2018-5549 | K05018525, BT704580 | apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP | 11.6.3.2, 12.1.3.4, 13.0.1, 13.1.0.4, 14.0.0 |
| 701447-1 | CVE-2017-5754 | K91229003, BT701447 | CVE-2017-5754 (Meltdown) | 13.0.1, 13.1.0.4, 14.0.0 |
| 701445-1 | CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176 |
K91229003, BT701445 | CVE-2017-5753 (Spectre Variant 1) | 13.0.1, 13.1.0.4, 14.0.0 |
| 701359-4 | CVE-2017-3145 | K08613310 | BIND vulnerability CVE-2017-3145 | 11.6.3.2, 12.1.3.4, 13.0.1, 13.1.0.4 |
| 699455-4 | CVE-2018-5523 | K50254952, BT699455 | SAML export does not follow best practices | 11.5.6, 11.6.3.2, 12.1.3.2, 13.0.1, 13.1.0.4 |
| 699451-3 | CVE-2018-5511 | K30500703, BT699451 | OAuth reports do not follow best practices | 13.0.1, 13.1.0.4 |
| 676457-5 | CVE-2017-6153 | K52167636, BT676457 | TMM may consume excessive resource when processing compressed data | 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4 |
| 640766-2 | CVE-2016-10088 CVE-2016-9576 |
K05513373, BT640766 | Linux kernel vulnerability: CVE-2016-10088 CVE-2016-9576 | 13.0.1, 13.1.0.4 |
| 636986-1 | CVE-2021-22982 | K72708443, BT636986 | big3d agent vulnerability CVE-2021-22982 | 13.1.0.4 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 686389-1 | 3-Major | BT686389 | APM does not honor per-farm HTML5 client disabling at the View Connection Server | 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4 |
| 678524-1 | 3-Major | BT678524 | Join FF02::2 multicast group when router-advertisement is configured | 13.1.0.4 |
| 693007-1 | 4-Minor | BT693007 | Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC | 12.1.3.6, 13.1.0.4 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 707226 | 1-Blocking | BT707226 | DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations | 11.5.6, 11.6.3.1, 12.1.3.3, 13.0.1, 13.1.0.4, 14.0.0 |
| 700315-2 | 1-Blocking | K26130444, BT700315 | Ctrl+C does not terminate TShark | 12.1.3.6, 13.1.0.4 |
| 667148-3 | 1-Blocking | K02500042, BT667148 | Config load or upgrade can fail when loading GTM objects from a non-/Common partition | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 706998-3 | 2-Critical | BT706998 | Memory leak when OCSP is configured in clientSSL profile for C3D, or in serverSSL profile for server authentication | 13.1.0.4, 14.0.0 |
| 692890-3 | 2-Critical | BT692890 | Adding support for BIG-IP 800 in 13.1.x | 13.1.0.4 |
| 685458-7 | 2-Critical | K44738140, BT685458 | merged fails merging a table when a table row has incomplete keys defined. | 12.1.5, 13.1.0.4 |
| 665354-1 | 2-Critical | K31190471, BT665354 | Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log | 12.1.3, 13.0.1, 13.1.0.4 |
| 703848-1 | 3-Major | BT703848 | Possible memory leak when reusing statistics rows in tables | 13.0.1, 13.1.0.4 |
| 702520-2 | 3-Major | K53330514, BT702520 | Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address. | 13.1.0.4 |
| 694740-3 | 3-Major | BT694740 | BIG-IP reboot during a TMM core results in an incomplete core dump | 12.1.3.6, 13.1.0.4 |
| 692753-1 | 3-Major | BT692753 | shutting down trap not sent when shutdown -r or shutdown -h issued from shell | 13.1.0.4 |
| 689691-2 | 3-Major | BT689691 | iStats line length greater than 4032 bytes results in corrupted statistics or merge errors | 13.0.1, 13.1.0.4 |
| 686029-2 | 3-Major | BT686029 | A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces | 12.1.3.4, 13.1.0.4 |
| 669462-2 | 3-Major | BT669462 | Error adding /Common/WideIPs as members to GTM Pool in non-Common partition | 12.1.3.2, 13.1.0.4 |
| 589083-6 | 3-Major | BT589083 | TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors. | 12.1.2, 13.1.0.4, 14.0.0 |
| 699281-1 | 4-Minor | BT699281 | Version format of hypervisor bundle matches Version format of ISO | 12.1.3.2, 13.1.0.4 |
| 685475-1 | 4-Minor | K93145012, BT685475 | Unexpected error when applying hotfix | 12.1.3.6, 13.1.0.4 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 706534-1 | 1-Blocking | BT706534 | L7 connection mirroring may not be fully mirrored on standby BIG-IP system | 13.1.0.4, 14.0.0 |
| 698424-1 | 1-Blocking | K11906514, BT698424 | Traffic over a QinQ VLAN (double tagged) will not pass | 13.1.0.4 |
| 700862-1 | 2-Critical | K15130240, BT700862 | tmm SIGFPE 'valid node' | 12.1.3.4, 13.1.0.4 |
| 699298-2 | 2-Critical | BT699298 | 13.0.0 Hotfix HF3 3.0.1679 TMM CORED due to SIGSEGV. | 13.0.1, 13.1.0.4 |
| 698461-1 | 2-Critical | BT698461 | Tmm may crash in fastl4 TCP | 13.1.0.4, 14.0.0 |
| 692970-2 | 2-Critical | BT692970 | Using UDP port 67 for purposes other than DHCP might cause TMM to crash | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 691095-1 | 2-Critical | BT691095 | CA bundle manager loses certificates in the CA bundle if the serial number is longer than 4 bytes | 13.1.0.4 |
| 687635-1 | 2-Critical | K58002142, BT687635 | Tmm becomes unresponsive and might restart | 13.0.1, 13.1.0.4 |
| 687205-2 | 2-Critical | BT687205 | Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart | 12.1.3.4, 13.1.0.4 |
| 681175-3 | 2-Critical | K32153360, BT681175 | TMM may crash during routing updates | 12.1.3.2, 13.1.0.4 |
| 674576-3 | 2-Critical | BT674576 | Outage may occur with VIP-VIP configurations | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 452283-5 | 2-Critical | BT452283 | An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows | 11.6.3.3, 12.1.3.4, 13.1.0.4 |
| 440620-1 | 2-Critical | BT440620 | New connections may be reset when a client reuses the same port as it used for a recently closed connection | 11.6.5.1, 12.1.3.6, 13.1.0.4 |
| 704073-1 | 3-Major | K24233427, BT704073 | Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm | 12.1.3.2, 13.1.0.4 |
| 702439 | 3-Major | K04964898, BT702439 | Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset | 13.1.0.4 |
| 698916-1 | 3-Major | BT698916 | TMM crash with HTTP/2 under specific condition | 12.1.3.6, 13.1.0.4 |
| 698379-2 | 3-Major | K61238215, BT698379 | HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR( | 12.1.3.6, 13.1.0.4 |
| 698000-3 | 3-Major | K04473510, BT698000 | Connections may stop passing traffic after a route update | 11.6.3, 12.1.3.2, 13.1.0.4 |
| 695707-5 | 3-Major | BT695707 | BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection | 13.1.0.4 |
| 691806-1 | 3-Major | K61815412, BT691806 | RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state | 11.5.7, 11.6.3.3, 12.1.3.6, 13.1.0.4 |
| 689449-1 | 3-Major | BT689449 | Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured | 11.6.4, 12.1.3.4, 13.1.0.4, 14.0.0 |
| 688571-2 | 3-Major | K40332712, BT688571 | Untrusted cert might be accepted by the server-ssl even though when 'untrusted-cert-response-control drop' is configured in the server-ssl profile. | 13.1.0.4 |
| 688570-5 | 3-Major | BT688570 | BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes | 13.1.0.4 |
| 686307-3 | 3-Major | K10665315, BT686307 | Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later | 12.1.3.2, 13.1.0.4 |
| 686065-2 | 3-Major | BT686065 | RESOLV::lookup iRule command can trigger crash with slow resolver | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 682104-3 | 3-Major | BT682104 | HTTP PSM leaks memory when looking up evasion descriptions | 12.1.3.2, 13.1.0.4 |
| 680264-2 | 3-Major | BT680264 | HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags | 12.1.4, 13.0.1, 13.1.0.4 |
| 677666-2 | 3-Major | BT677666 | /var/tmstat/blades/scripts segment grows in size. | 13.0.1, 13.1.0.4 |
| 664528-2 | 3-Major | K53282793, BT664528 | SSL record can be larger than maximum fragment size (16384 bytes) | 12.1.3.4, 13.1.0.4 |
| 251162-1 | 3-Major | K11564 | The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name | 12.1.3.6, 13.1.0.4 |
| 685467-1 | 4-Minor | K12933087, BT685467 | Certain header manipulations in HTTP profile may result in losing connection. | 12.1.3.6, 13.1.0.4 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 699135-1 | 2-Critical | BT699135 | tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip | 12.1.3.4, 13.1.0.4 |
| 692941-1 | 2-Critical | BT692941 | GTMD and TMM SIGSEGV when changing wide IP pool in GTMD | 11.5.9, 12.1.3.2, 13.1.0.4 |
| 691287-1 | 2-Critical | BT691287 | tmm crashes on iRule with GTM pool command | 12.1.3.4, 13.1.0.4 |
| 682335-1 | 2-Critical | BT682335 | TMM can establish multiple connections to the same gtmd | 12.1.3.4, 13.1.0.4 |
| 580537-3 | 2-Critical | BT580537 | The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 562921-5 | 2-Critical | BT562921 | Cipher 3DES and iQuery encrypting traffic between BIG-IP systems | 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4 |
| 705503-3 | 3-Major | BT705503 | Context leaked from iRule DNS lookup | 12.1.3.6, 13.1.0.4, 14.0.0 |
| 703702 | 3-Major | BT703702 | Fixed iControl REST not listing GTM Listeners | 13.1.0.4 |
| 700527-3 | 3-Major | BT700527 | cmp-hash change can cause repeated iRule DNS-lookup hang | 12.1.3.2, 13.1.0.4 |
| 699339-3 | 3-Major | K24634702, BT699339 | Geolocation upgrade files fail to replicate to secondary blades | 12.1.3.4, 13.1.0.4 |
| 696808-1 | 3-Major | BT696808 | Disabling a single pool member removes all GTM persistence records | 12.1.3.4, 13.1.0.4 |
| 691498-3 | 3-Major | BT691498 | Connection failure during iRule DNS lookup can crash TMM | 12.1.3.2, 13.1.0.4 |
| 690166-1 | 3-Major | BT690166 | ZoneRunner create new stub zone when creating a SRV WIP with more subdomains | 12.1.3.2, 13.1.0.4 |
| 687128-1 | 3-Major | BT687128 | gtm::host iRule validation for ipv4 and ipv6 addresses | 12.1.3.4, 13.1.0.4 |
| 680069-1 | 3-Major | K81834254, BT680069 | zxfrd core during transfer while network failure and DNS server removed from DNS zone config&start; | 12.1.3.6, 13.1.0.4 |
| 679149-1 | 3-Major | BT679149 | TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0] | 12.1.3.4, 13.1.0.4 |
| 667469-3 | 3-Major | K35324588, BT667469 | Higher than expected CPU usage when using DNS Cache | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 636997-1 | 4-Minor | big3d may crash | 13.1.0.4 | |
| 636994-1 | 4-Minor | big3d may crash | 13.1.0.4 | |
| 636992-1 | 4-Minor | big3d may crash | 13.1.0.4 | |
| 636982-1 | 4-Minor | big3d may crash | 13.1.0.4 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 705774-1 | 3-Major | BT705774 | Add a set of disallowed file types to RDP template | 13.1.0.4, 14.0.0 |
| 703833-1 | 3-Major | BT703833 | Some bot detected features might not work as expected on Single Page Applications | 13.1.0.4 |
| 702946-3 | 3-Major | BT702946 | Added option to reset staging period for signatures | 12.1.3.2, 13.1.0.4 |
| 701841-2 | 3-Major | BT701841 | Unnecessary file recovery_db/conf.tar.gz consumes /var disk space | 12.1.3.2, 13.1.0.4 |
| 701327-2 | 3-Major | BT701327 | failed configuration deletion may cause unwanted bd exit | 12.1.3.2, 13.1.0.4 |
| 700812-1 | 3-Major | BT700812 | asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview | 12.1.3.6, 13.1.0.4 |
| 700726-2 | 3-Major | BT700726 | Search engine list was updated, and fixing case of multiple entries | 12.1.3.6, 13.1.0.4, 14.0.0 |
| 698919-3 | 3-Major | BT698919 | Anti virus false positive detection on long XML uploads | 12.1.3.2, 13.1.0.4 |
| 697756-1 | 3-Major | BT697756 | Policy with CSRF URL parameter cannot be imported as binary policy file | 13.1.0.4 |
| 697303-1 | 3-Major | BT697303 | BD crash | 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4 |
| 696265-5 | 3-Major | K60985582, BT696265 | BD crash | 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4 |
| 696073-2 | 3-Major | BT696073 | BD core on a specific scenario | 13.1.0.4 |
| 695563-1 | 3-Major | Improve speed of ASM initialization on first startup | 13.1.0.4 | |
| 694922-5 | 3-Major | BT694922 | ASM Auto-Sync Device Group Does Not Sync | 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4 |
| 693780-1 | 3-Major | BT693780 | Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices | 13.1.0.4 |
| 693663-1 | 3-Major | BT693663 | Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode | 13.1.0.4 |
| 691477-2 | 3-Major | BT691477 | ASM standby unit showing future date and high version count for ASM Device Group | 12.1.3.2, 13.1.0.4 |
| 679384-3 | 3-Major | K85153939, BT679384 | The policy builder is not getting updates about the newly added signatures. | 12.1.3.2, 13.1.0.4 |
| 678293-2 | 3-Major | K25066531, BT678293 | Uncleaned policy history files cause /var disk exhaustion | 12.1.3.2, 13.1.0.4 |
| 665992-2 | 3-Major | K40510140, BT665992 | Live Update via Proxy No Longer Works | 13.1.0.4 |
| 608988-1 | 3-Major | BT608988 | Error when deleting multiple ASM Policies | 13.1.0.4 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 703233 | 3-Major | BT703233 | Some filters don't work in Security->Reporting->URL Latencies page | 13.1.0.4 |
Access Policy Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 707676-1 | 2-Critical | BT707676 | Memory leak in Machine Certificate Check agent of the apmd process | 13.1.0.4, 14.0.0 |
| 700724-2 | 2-Critical | BT700724 | Client connection with large number of HTTP requests may cause tmm to restart | 13.0.1, 13.1.0.4 |
| 692557-1 | 2-Critical | BT692557 | When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted. | 13.0.1, 13.1.0.4 |
| 690116-1 | 2-Critical | BT690116 | websso daemon might crash when logging set to debug | 13.1.0.4 |
| 689591-2 | 2-Critical | BT689591 | When pingaccess SDK processes certain POST requests from the client, the TMM may restart | 13.0.1, 13.1.0.4 |
| 677368-2 | 2-Critical | BT677368 | Websso crash due to uninitialized member in websso context object while processing a log message | 13.0.1, 13.1.0.4 |
| 631286-3 | 2-Critical | BT631286 | TMM Memory leak caused by APM URI cache entries | 12.1.3.7, 13.0.1, 13.1.0.4 |
| 703429-2 | 3-Major | BT703429 | Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 702263-1 | 3-Major | BT702263 | An access profile with large number of SAML Resources (greater than 200) causes APM error ERR_TOOBIG while loading. | 13.1.0.4 |
| 702222-1 | 3-Major | BT702222 | RADIUS and SecurID Auth fails with empty password | 13.1.0.4 |
| 701740-1 | 3-Major | BT701740 | apmd leaks memory when updating Access V2 policy | 13.1.0.4 |
| 701737-1 | 3-Major | BT701737 | apmd may leak memory on destroying Kerberos cache | 13.1.0.4 |
| 701736-1 | 3-Major | BT701736 | Memory leak in Machine Certificate Check agent of the apmd process | 13.1.0.4 |
| 701639-1 | 3-Major | BT701639 | Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by BIG-IP as SP. | 13.1.0.4, 14.0.0 |
| 697636-3 | 3-Major | BT697636 | ACCESS is not replacing headers while replacing POST body | 13.0.1, 13.1.0.4 |
| 695953-1 | 3-Major | BT695953 | Custom URL Filter object is missing after load sys config TMSH command | 13.0.1, 13.1.0.4 |
| 694624-1 | 3-Major | BT694624 | SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor | 13.0.1, 13.1.0.4 |
| 693844-1 | 3-Major | K58335157, BT693844 | APMD may restart continuously and cannot come up | 13.1.0.4 |
| 692307-3 | 3-Major | BT692307 | User with 'operator' role may not be able to view some session variables | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 687937-1 | 3-Major | BT687937 | RDP URIs generated by APM Webtop are not properly encoded | 13.1.0.4 |
| 685862-1 | 3-Major | BT685862 | BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message | 12.1.5.1, 13.1.0.4 |
| 684583-1 | 3-Major | BT684583 | Buitin Okta Scopes Request object uses client -id and client-secret | 13.1.0.4 |
| 684325-1 | 3-Major | BT684325 | APMD Memory leak when applying a specific access profile | 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4 |
| 683389-3 | 3-Major | BT683389 | Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 683297-2 | 3-Major | BT683297 | Portal Access may use incorrect back-end for resources referenced by CSS | 13.0.1, 13.1.0.4 |
| 682500-2 | 3-Major | BT682500 | VDI Profile and Storefront Portal Access resource do not work together | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 678851-3 | 3-Major | BT678851 | Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase() | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 675866-4 | 3-Major | BT675866 | WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO | 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4 |
| 671627-3 | 3-Major | K06424790, BT671627 | HTTP responces without body may contain chunked body with empty payload being processed by Portal Access. | 12.1.3.2, 13.1.0.4 |
| 632646-1 | 3-Major | BT632646 | APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server. | 11.6.3.2, 12.1.3.2, 13.0.1, 13.1.0.4 |
| 629334-1 | 3-Major | BT629334 | Portal Access: JavaScript expressions in parentheses may be rewritten incorrectly | 13.1.0.4 |
| 612792-1 | 3-Major | BT612792 | Support RDP redirection for connections launched from APM Webtop on iOS | 13.0.1, 13.1.0.4 |
| 612118-2 | 3-Major | BT612118 | Nexthop explicit proxy is not used for the very first connection to communicate with the backend. | 13.0.1, 13.1.0.4 |
| 536831-1 | 3-Major | BT536831 | APM PAM module does not handle local-only users list correctly | 13.1.0.4 |
Service Provider Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 698338-1 | 2-Critical | BT698338 | Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection | 11.6.5.2, 12.1.3.6, 13.1.0.4 |
| 689343-2 | 2-Critical | BT689343 | Diameter persistence entries with bi-directional flag created with 10 sec timeout | 13.1.0.4 |
| 685708-4 | 2-Critical | BT685708 | Routing via iRule to a host without providing a transport from a transport-config created connection cores | 11.6.3.2, 12.1.3.6, 13.1.0.4 |
| 700571-4 | 3-Major | BT700571 | SIP MR profile, setting incorrect branch param for CANCEL to INVITE | 11.6.3.2, 12.1.3.6, 13.1.0.4 |
| 696049-1 | 3-Major | BT696049 | High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running | 11.5.6, 11.6.3.2, 12.1.3.6, 13.1.0.4 |
| 674747-4 | 3-Major | K30837366, BT674747 | sipdb cannot delete custom bidirectional persistence entries. | 11.6.3, 12.1.3.6, 13.1.0.4 |
| 656901-3 | 3-Major | BT656901 | MRF add 'existing_connection_only' and 'outgoing_connection_instance_seed' two iRule commands | 13.1.0.4 |
Advanced Firewall Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 704207-1 | 2-Critical | BT704207 | DNS query name is not showing up in DNS AVR reporting | 13.1.0.4, 14.0.0 |
| 692328-1 | 2-Critical | BT692328 | Tmm core due to incorrect memory allocation | 13.1.0.4 |
| 703959 | 3-Major | BT703959 | Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI | 13.1.0.4 |
| 631418-1 | 3-Major | BT631418 | Packets dropped by HW grey list may not be counted toward AVR. | 13.1.0.4, 14.0.0 |
Policy Enforcement Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 696383-1 | 2-Critical | BT696383 | PEM Diameter incomplete flow crashes when sweeped | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 694717-1 | 2-Critical | BT694717 | Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup. | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 616008-1 | 2-Critical | K23164003, BT616008 | TMM core may be seen when using an HSL format script for HSL reporting in PEM | 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4 |
| 696789-1 | 3-Major | BT696789 | PEM Diameter incomplete flow crashes when TCL resumed | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 695968-1 | 3-Major | BT695968 | Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues. | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 694319-1 | 3-Major | BT694319 | CCA without a request type AVP cannot be tracked in PEM. | 12.1.3.2, 13.1.0.4 |
| 694318-1 | 3-Major | BT694318 | PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP. | 12.1.3.2, 13.1.0.4 |
| 684333-1 | 3-Major | BT684333 | PEM session created by Gx may get deleted across HA multiple switchover with CLI command | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 678820-1 | 3-Major | BT678820 | Potential memory leak if PEM Diameter sessions are not created successfully. | 12.1.3.2, 13.0.1, 13.1.0.4 |
| 642068-4 | 3-Major | BT642068 | PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens | 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4 |
| 624231-4 | 3-Major | BT624231 | No flow control when using content-insertion with compression | 12.1.3.2, 13.1.0.4 |
| 680729-1 | 4-Minor | K64307999, BT680729 | DHCP Trace log incorrectly marked as an Error log. | 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 697363-1 | 2-Critical | BT697363 | FPS should forward all XFF header values | 13.1.0.4 |
| 705559-1 | 3-Major | BT705559 | FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request | 13.1.0.4, 14.0.0 |
| 662311-1 | 3-Major | BT662311 | CS alerts should contain actual client IP address in XFF header | 13.1.0.4 |
Protocol Inspection Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 671716-1 | 3-Major | BT671716 | UCS version check was too strict for IPS hitless upgrade | 13.1.0.4 |
Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 702419 | 3-Major | BT702419 | Protocol Inspection needs add-on license to work | 13.1.0.3 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 660239-6 | 4-Minor | BT660239 | When accessing the dashboard, invalid HTTP headers may be present | 11.5.7, 11.6.3.3, 12.1.3.2, 13.0.1, 13.1.0.3 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 677919-4 | 3-Major | BT677919 | Enhanced Data Manipulation AJAX Support | 13.1.0.3 |
Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 681955-1 | CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 | K23565223, BT681955 | Apache CVE-2017-9788 | 13.1.0.2 |
| 673595-9 | CVE-2017-3167 CVE-2017-3169 | K34125394 | Apache CVE-2017-3167 | 12.1.3.1, 12.1.3.2, 13.0.1, 13.1.0.2 |
| 694274-1 | CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 | K23565223, BT694274 | [RHSA-2017:3195-01] Important: httpd security update - EL6.7 | 12.1.3.2, 13.0.1, 13.1.0.2 |
| 672124-6 | CVE-2018-5541 | K12403422, BT672124 | Excessive resource usage when BD is processing requests | 11.5.6, 11.6.3.2, 12.1.3.6, 13.1.0.2 |
| 679861 | CVE-2019-6655 | K31152411, BT679861 | Weak Access Restrictions on the AVR Reporting Interface | 11.5.10, 11.6.5, 12.1.5, 13.1.0.2 |
| 673607-9 | CVE-2017-3169 | K83043359 | Apache CVE-2017-3169 | 12.1.3.2, 13.0.1, 13.1.0.2 |
| 672667-6 | CVE-2017-7679 | K75429050, BT672667 | CVE-2017-7679: Apache vulnerability | 12.1.3.2, 13.0.1, 13.1.0.2 |
| 641101-7 | CVE-2016-8743 | K00373024 | httpd security and bug fix update CVE-2016-8743 | 13.1.0.2 |
| 684033-3 | CVE-2017-9798 | K70084351, BT684033 | CVE-2017-9798 : Apache Vulnerability (OptionsBleed) | 12.1.3.2, 13.0.1, 13.1.0.2 |
| 661939-2 | CVE-2017-2647 | K32115847, BT661939 | Linux kernel vulnerability CVE-2017-2647 | 13.1.0.2 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 685056 | 3-Major | BT685056 | VE OVAs is not the supported platform to run VMware guest OS customization | 13.1.0.2 |
| 670103-1 | 3-Major | BT670103 | No way to query logins to BIG-IP in TMUI | 13.1.0.2 |
| 681385-2 | 4-Minor | Forward proxy forged cert lifespan can be configured from days into hours. | 13.1.0.2 |
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 700247 | 2-Critical | K60053504, BT700247 | APM Client Software may be missing after doing fresh install of BIG-IP VE | 13.1.0.2 |
| 693979 | 3-Major | BT693979 | Autoscale is not functional because of the change in file permission of the /shared/vadc/aws/iid-document document | 13.1.0.2 |
| 683131-1 | 3-Major | BT683131 | Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present&start; | 13.1.0.2 |
| 682213-1 | 3-Major | K31623549, BT682213 | TLS v1.2 support in IP reputation daemon | 12.1.3.2, 13.1.0.2 |
| 669585-1 | 3-Major | BT669585 | The tmsh sys log filter is unable to display information in uncompressed log files. | 13.1.0.2 |
| 668826-1 | 3-Major | BT668826 | File named /root/.ssh/bigip.a.k.bak is present but should not be | 13.1.0.2 |
| 668276-1 | 3-Major | BT668276 | BIG-IP does not display failed login attempts since last login in GUI | 13.1.0.2 |
| 668273-1 | 3-Major | K12541531, BT668273 | Logout button not available in Configuration Utility when using Client Cert LDAP | 13.1.0.2 |
| 471237-4 | 3-Major | K12155235, BT471237 | BIG-IP VE instances do not work with an encrypted disk in AWS. | 12.1.3.2, 13.1.0.2 |
Local Traffic Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 699624-1 | 2-Critical | BT699624 | Config with custom 'SIP' or 'Firepass' monitor fails to load after upgrade&start; | 13.1.0.2 |
| 463097-5 | 3-Major | BT463097 | Clock advanced messages with large amount of data maintained in DNS Express zones | 12.1.3.1, 13.1.0.2 |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 672504-2 | 2-Critical | K52325625, BT672504 | Deleting zones from large databases can take excessive amounts of time. | 12.1.3.1, 13.1.0.2 |
| 667542-6 | 2-Critical | BT667542 | DNS Express does not correctly process multi-message DNS IXFR updates. | 13.1.0.2 |
| 645615-6 | 2-Critical | K70543226, BT645615 | zxfrd may fail and restart after multiple failovers between blades in a chassis. | 11.5.7, 11.6.3, 12.1.3.1, 13.1.0.2 |
| 655233-2 | 3-Major | K93338593, BT655233 | DNS Express using wrong TTL for SOA RRSIG record in NoData response | 12.1.3.1, 13.1.0.2 |
| 648766-2 | 3-Major | K57853542, BT648766 | DNS Express responses missing SOA record in NoData responses if CNAMEs present | 12.1.3.1, 13.1.0.2 |
| 646615-2 | 4-Minor | BT646615 | Improved default storage size for DNS Express database | 12.1.3.1, 13.1.0.2 |
Application Security Manager Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 699720-1 | 2-Critical | BT699720 | ASM crash when configuring remote logger for WebSocket traffic with response-logging:all | 12.1.3.2, 13.1.0.2 |
| 691670-5 | 2-Critical | BT691670 | Rare BD crash in a specific scenario | 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.2 |
| 686108-1 | 2-Critical | BT686108 | User gets blocking page instead of captcha during brute force attack | 13.1.0.2 |
| 684312-1 | 2-Critical | K54140729, BT684312 | During Apply Policy action, bd agent crashes, causing the machine to go Offline | 11.6.3.2, 12.1.3.2, 13.1.0.2 |
| 698940-1 | 3-Major | BT698940 | Add new security policy template for API driven systems - "API Security" | 13.1.0.2 |
| 690883-1 | 3-Major | BT690883 | BIG-IQ: Changing learning mode for elements does not always take effect | 13.1.0.2 |
| 686517-2 | 3-Major | BT686517 | Changes to a parent policy that has no active children are not synced to the secondary chassis slots. | 13.1.0.2 |
| 686470-1 | 3-Major | BT686470 | Enable AJAX Response Page or Single Page Application support causes the part of the web page failed to load. | 13.1.0.2 |
| 686452-1 | 3-Major | BT686452 | File Content Detection Formats are not exported in Policy XML | 13.1.0.2 |
| 685964-1 | 3-Major | BT685964 | cs_qualified_urls bigdb does not cause configured URLs to be qualified. | 13.1.0.2 |
| 685771-1 | 3-Major | BT685771 | Policies cannot be created with SAP, OWA, or SharePoint templates | 13.1.0.2 |
| 685207-1 | 3-Major | DoS client side challenge does not encode the Referer header. | 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.2 | |
| 685164-1 | 3-Major | K34646484, BT685164 | In partitions with default route domain != 0 request log is not showing requests | 12.1.5, 13.1.0.2 |
| 683508-1 | 3-Major | K00152663, BT683508 | WebSockets: umu memory leak of binary frames when remote logger is configured | 12.1.3.2, 13.1.0.2 |
| 680353-1 | 3-Major | BT680353 | Brute force sourced based mitigation is not working as expected | 13.1.0.2 |
| 674494-4 | 3-Major | K77993010, BT674494 | BD memory leak on specific configuration and specific traffic | 12.1.3.2, 13.1.0.2 |
| 668184-2 | 3-Major | BT668184 | Huge values are shown in the AVR statistics for ASM violations | 12.1.3.2, 13.1.0.2 |
| 694073-3 | 4-Minor | BT694073 | All signature update details are shown in 'View update history from previous BIG-IP versions' popup | 11.6.3, 12.1.3.2, 13.1.0.2 |
| 685193-1 | 4-Minor | BT685193 | If Inheritance is None in the Parent Policy and there are at least 1 child policy, the number of Comments shown in Inheritance Settings is equal to number of child policies | 13.1.0.2 |
Application Visibility and Reporting Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 697421 | 3-Major | BT697421 | Monpd core when trying to restart | 13.1.0.2 |
| 688813-2 | 3-Major | K23345645, BT688813 | Some ASM tables can massively grow in size. | 13.1.0.2 |
| 686510-1 | 3-Major | BT686510 | If tmm was restarted during an attack, the attack might appear ongoing in GUI | 13.1.0.2 |
| 683474 | 3-Major | The case-sensitive problem during comparison of 2 Virtual Servers | 13.1.0.2 | |
| 679088-1 | 3-Major | BT679088 | Avr reporting and analytics does not display statistics of many source regions | 13.1.0.2 |
Fraud Protection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 684852-1 | 2-Critical | BT684852 | Obfuscator not producing deterministic output | 13.1.0.2 |
| 692123 | 3-Major | BT692123 | GET parameter is grayed out if MobileSafe is not licensed | 12.1.3.2, 13.1.0.2 |
Anomaly Detection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 700320 | 2-Critical | BT700320 | tmm core under stress when BADOS configured and attack signatures enabled | 13.1.0.2 |
| 691462-1 | 3-Major | BT691462 | Bad actors detection might not work when signature mitigation blocks bad traffic | 13.1.0.2 |
| 687987 | 3-Major | BT687987 | Presentation of signatures in human-readable format | 13.1.0.2 |
| 687986 | 3-Major | BT687986 | High CPU consumption during signature generation, not limited number of signatures per virtual server | 13.1.0.2 |
| 687984 | 3-Major | BT687984 | Attacks with randomization of HTTP headers parameters generates too many signatures | 13.1.0.2 |
Traffic Classification Engine Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 698396-1 | 2-Critical | BT698396 | Config load failed after upgrade from 12.1.2 to 13.x or 14.x&start; | 13.1.0.2 |
Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 686190-1 | 2-Critical | BT686190 | LRO performance impact with BWC and FastL4 virtual server | 13.1.0.1 |
| 667173-1 | 2-Critical | BT667173 | 13.1.0 cannot join a device group with 13.1.0.1 | 11.6.3, 12.1.3.1, 13.1.0.1 |
| 683114-2 | 3-Major | BT683114 | Need support for 4th element version in Update Check | 12.1.3.1, 13.1.0.1 |
Performance Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 685628-1 | 1-Blocking | BT685628 | Performance regression on B4450 blade&start; | 13.1.0.1 |
| 673832-1 | 1-Blocking | BT673832 | Performance impact for certain platforms after upgrading to 13.1.0. | 13.1.0.1, 14.0.0 |
| 696525-1 | 2-Critical | BT696525 | B2250 blades experience degraded performance. | 13.1.0.1 |
Cumulative fix details for BIG-IP v13.1.5 that are included in this release
999125-4 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.
Links to More Info: BT999125
Component: TMOS
Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.
Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.
Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).
Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.
Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:
tmsh restart sys service sod
Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.
Fix:
Redundant devices remain in the correct failover state following a management IP address change.
Fixed Versions:
13.1.5
997137-5 : CSRF token modification may allow WAF bypass on GET requests
Component: Application Security Manager
Symptoms:
Under certain conditions a parameter is not processed as expected.
Conditions:
1. CSRF feature is configured
2. Request contains a crafted parameter
Impact:
Malicious request will bypass signatures and will not raise any attack signature violation
Workaround:
N/A
Fix:
The parameter is now processed as expected.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1
996381-5 : ASM attack signature may not match as expected
Links to More Info: K41503304, BT996381
Component: Application Security Manager
Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.
Conditions:
- Attack signature 200000128 enabled.
Impact:
Processed traffic may not match all expected attack signatures
Workaround:
N/A
Fix:
Attack signature 200000128 now matches as expected.
Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
996113-5 : SIP messages with unbalanced escaped quotes in headers are dropped
Links to More Info: BT996113
Component: Service Provider
Symptoms:
Dropped SIP messages.
Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote
Impact:
Certain SIP messages are not being passed via MRF.
Workaround:
None
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1
995853-4 : Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error.
Links to More Info: BT995853
Component: Global Traffic Manager (DNS)
Symptoms:
Unable to create GLSB Server object with both IPv4 and IPv6 self IPs as device IPs.
Conditions:
-- DNS and LTM services enabled.
-- Configure two self IPs on the box for IPv4 and IPv6.
-- GLSB Server object creation with IPv4 and IPv6 addresses in device tab along with Virtual Server Discovery enable.
Impact:
GSLB Server object creation fails.
Workaround:
TMSH is not impacted. Use TMSH to create GSLB Server objects.
Fix:
GSLB Server object creation no longer fails.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4
995629-1 : Loading UCS files may hang if ASM is provisioned&start;
Links to More Info: BT995629
Component: TMOS
Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.
Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.
Impact:
-- UCS load might fail.
-- Config save and load operations fail while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.
Workaround:
If you encounter this, run 'load sys config default' to de-provision ASM. The UCS file should then load successfully.
Note: If loading a UCS archive with the 'platform-migrate' argument, then there is no workaround. See: https://cdn.f5.com/product/bugtracker/ID990849.html
Fix:
Loading UCS files no longer hangs if ASM is provisioned.
Fixed Versions:
13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2
994801-5 : SCP file transfer system
Component: TMOS
Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Conditions:
A user assigned to a role, such as Resource Administrator, without Advanced Shell access can run arbitrary commands SCP file transfer.
Impact:
Users without Advanced Shell access can run SCP file trasnfer commands.
Workaround:
None
Fix:
This issue is fixed. The SCP file transfer system now follows current best practices. Users without Advanced Shell access cannot run SCP file transfer commands.
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
993981-5 : TMM may crash when ePVA is enabled
Component: Local Traffic Manager
Symptoms:
When ePVA is enabled on the BIG-IP system, Increased CMP redirections can cause tmm to core and report an error:
tmm SIGFPE "nexthop ref valid".
Conditions:
-- ePVA acceleration is enabled on the BIG-IP system.
-- High rate of CMP redirections.
Impact:
Traffic disrupted while TMM restarts, and systems configured as part of a high availability (HA) group may failover.
Workaround:
Disable ePVA acceleration option.
Note: Performing this procedure may increase CPU use because TCP connections are subsequently processed in software by the Traffic Management Microkernel (TMM).
Fix:
TMM now operates as expected with ePVA enabled.
Fixed Versions:
13.1.5
993613-3 : Device fails to request full sync
Links to More Info: BT993613
Component: Application Security Manager
Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs
Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.
Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage
Workaround:
Halting asm_config_server on the stuck device restores the working state and request a new sync.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
993489-6 : GTM daemon leaks memory when reading GTM link objects
Links to More Info: BT993489
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process memory consumption is higher than expected.
Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.
Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.
Workaround:
None
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
992073-5 : APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS
Component: Access Policy Manager
Symptoms:
End user clients frequently get a prompt to enter credentials when they should not.
Conditions:
APM Access Profile with NTLM authentication enabled.
Impact:
NTLM handshake failure causing user authentication failures.
Workaround:
N/A
Fix:
APM now processes NTLM requests as expected.
Fixed Versions:
13.1.5
990849-4 : Loading UCS with platform-migrate option hangs and requires exiting from the command&start;
Links to More Info: BT990849
Component: TMOS
Symptoms:
The UCS loading process with platform-migrate stops responding and hangs after printing:
Platform migrate loaded successfully. Saving configuration.
Conditions:
Load UCS with platform-migrate option:
tmsh load sys ucs <ucs_name> platform-migrate
Note: If you are loading a UCS archive created on a system running a different software version that also has an ASM configuration, there are other other aspects to consider. See: https://cdn.f5.com/product/bugtracker/ID995629.html
Impact:
The UCS loading process stops responding, causing the device to be in an INOPERATIVE state.
Workaround:
None.
Fix:
Loading UCS with the platform-migrate option executes smoothly without getting stuck.
Fixed Versions:
13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2
989701-3 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response
987157 : BIG-IP ASM system may not properly perform attack signature checks
Links to More Info: K05391775
Component: Application Security Manager
Symptoms:
For more information see: https://support.f5.com/csp/article/K05391775
Conditions:
For more information see: https://support.f5.com/csp/article/K05391775
Impact:
For more information see: https://support.f5.com/csp/article/K05391775
Workaround:
N/A
Fix:
For more information see: https://support.f5.com/csp/article/K05391775
Fixed Versions:
13.1.5
985953-1 : GRE Transparent Ethernet Bridging inner MAC overwrite
Links to More Info: BT985953
Component: TMOS
Symptoms:
Traffic not being collected by virtual server and therefore not being forwarded to the nodes.
Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.
Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.
Workaround:
None
Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
984593-4 : BD crash
Links to More Info: BT984593
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
982757-7 : APM Access Guided Configuration hardening
Component: Guided Configuration
Symptoms:
APM Guided Configuration does not follow current best practices
Conditions:
- APM provisioned
- Authenticated administrative user
Impact:
Guided Configuration does not follow current best practices.
Workaround:
N/A
Fix:
Guided Configuration now follows current best practices.
Fixed Versions:
13.1.5
982697-3 : ICMP hardening
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM does not follow current best practices for ICMP traffic.
Conditions:
- ICMP traffic
- DNS in use
Impact:
TMM does not follow current best practices.
Workaround:
N/A
Fix:
TMM now follows current best practices while processing ICMP traffic.
Behavior Change:
The change randomly adjusts the BIG-IP's ICMP rate limit to within 1/8% of the configured rate. While the average rate will remain the same, the number of ICMP packets issued second-to-second will vary randomly.
Fixed Versions:
13.1.5
982341-3 : iControl REST endpoint hardening
Component: TMOS
Symptoms:
iControl REST endpoints do not apply current best practices.
Conditions:
- Authenticated administrative user
- Request to iControl endpoint
Impact:
iControl REST endpoints do not follow current best practices.
Workaround:
N/A
Fix:
iControl REST endpoints now follow current best practices.
Fixed Versions:
13.1.5
981385-5 : AVRD does not send HTTP events to BIG-IQ DCD
Links to More Info: BT981385
Component: Application Visibility and Reporting
Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).
Conditions:
This happens under normal operation.
Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.
Workaround:
None.
Fixed Versions:
13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2
980325-3 : Chmand core due to memory leak from dossier requests.
Links to More Info: BT980325
Component: TMOS
Symptoms:
Chmand generates a core file when get_dossier is run continuously.
Due to excessive dossier requests, there is a high consumption of memory. The program is terminated with signal SIGSEGV, Segmentation fault.
Conditions:
Repeated/continuous dossier requests during licensing operations.
Impact:
Chmand crashes; potential traffic impact while chmand restarts.
Workaround:
None.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4
976501-4 : Failed to establish VPN connection
Links to More Info: BT976501
Component: Access Policy Manager
Symptoms:
VPN client exits with message "Failed to establish VPN connection"
Conditions:
-- Connect to Network Access using web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop
-- Internet Explorer browser
Impact:
Client will be unable to launch the VPN tunnel from the browser.
Workaround:
Clear cache in the browser and retry.
Disable caching in the browser.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3
975593-1 : TMM may crash while processing IPSec traffic
Component: Carrier-Grade NAT
Symptoms:
Under certain conditions, TMM may crash while processing IPSec traffic.
Conditions:
-IPSecAGL enabled
Impact:
TMM crash leading to a failover event.
Workaround:
N/A
Fix:
TMM now processes IPSec traffic as expected.
Fixed Versions:
13.1.5, 14.1.4.5
974093-2 : Linux kernel vulnerability CVE-2020-25705
Links to More Info: K09604370
973261-5 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects
Links to More Info: BT973261
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d does not try to open TCP connections if a HTTPS monitor contains a cert/key.
/var/log/gtm shows:
err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.
Conditions:
GTM HTTPS monitor with non-default cert/key.
Impact:
Unable to use HTTPs monitor.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
970329-5 : ASM hardening
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1
969105-5 : HA failover connections via the management address do not work on vCMP guests running on VIPRION
Links to More Info: BT969105
Component: TMOS
Symptoms:
A high availability (HA) failover connection using the management IP addresses does not work on vCMP guests running on a VIPRION device.
BIG-IP instances running directly on hardware, on Virtual Edition, and as vCMP guests running on an appliance are unaffected.
HA failover connections using self IPs are unaffected.
Conditions:
-- vCMP guest running on a VIPRION device
-- high availability (HA) failover connection using the management IP addresses (unicast and/or multicast)
Impact:
Failover state determination over the management port is permanently down.
Workaround:
While self IP-based high availability (HA) failover connections are not affected by this issue, F5 recommends configuring failover connections over both management IPs and self IPs (as detailed in K37361453: Configuring network failover for redundant VIPRION systems :: https://support.f5.com/csp/article/K37361453).
To mitigate this issue, run the following command on each blade of every guest:
touch /var/run/chmand.pid
The workaround does not survive a reboot, so a more permanent workaround is to edit the file /config/startup and add a line to touch /var/run/chmand.pid.
Add this line to the end of /config/startup:
(sleep 120; touch /var/run/chmand.pid) &
Note: The sleep time of 120 seconds should be tested as it depends on how quickly or slowly the Guest starts up, so the appropriate value for one system may differ from another system.
Alternatively, You can use instructions in K11948: Configuring the BIG-IP system to run commands or scripts upon system startup :: https://support.f5.com/csp/article/K11948 to issue commands at system startup after verification if mcpd is up and ready, e.g.:
#!/bin/bash
source /usr/lib/bigstart/bigip-ready-functions
wait_bigip_ready
# Customized startup command(s) can be added below this line.
touch /var/run/chmand.pid
# Customized startup command(s) should end above this line.
You may also request an Engineering Hotfix from F5.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4
968733-4 : CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
968421-5 : ASM attack signature doesn't matched
Links to More Info: K30291321, BT968421
Component: Application Security Manager
Symptoms:
A specific attack signature doesn't match as expected.
Conditions:
Undisclosed conditions.
Impact:
Attack signature does not match as expected, request is not logged.
Workaround:
N/A
Fix:
Attack signature now matches as expected.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2
967905-1 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash
Links to More Info: BT967905
Component: TMOS
Symptoms:
Tmm crashes.
Conditions:
-- static bwc
-- virtual to virtual chain
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the static bwc on a virtual chain.
Fix:
Fixed a tmm crash.
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
967745-4 : Last resort pool error for the modify command for Wide IP
Links to More Info: BT967745
Component: TMOS
Symptoms:
System reports error for the modify command for Wide IP.
01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.
Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.
Impact:
The object is not modified, and the system reports an error.
Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.
Append the command with last-resort-pool a <pool_name>, for example:
modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test
Fix:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.
Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1
965853-5 : IM package file hardening&start;
Component: Protocol Inspection
Symptoms:
IM package file uploads do not follow current best practices.
Conditions:
- IM package file uploaded to BIG-IP
Impact:
IM package file uploads do not follow current best practices.
Workaround:
N/A
Fix:
IM package file uploads now follow current best practices.
Fixed Versions:
13.1.5
965485-1 : CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL
Links to More Info: K41523201
965229-4 : ASM Load hangs after upgrade&start;
Links to More Info: BT965229
Component: Application Security Manager
Symptoms:
ASM upgrade hangs, and you see the following in
var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------
In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
info tsconfig.pl[24675]: ASM initial configration script launched
info tsconfig.pl[24675]: ASM initial configration script finished
info asm_start[25365]: ASM config loaded
err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------
Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade
Impact:
ASM post upgrade config load hangs and there are no logs or errors
Workaround:
None
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1
964245-4 : ASM reports and enforces username always
Links to More Info: BT964245
Component: Application Security Manager
Symptoms:
When session tracking is enabled and configured to enforce usernames for a specific list of login URLs, the username which arrives in an Authorization header is being enforced even if the request to the URL with the Authorization is not configured at all as a login URL.
Conditions:
Session tracking is enabled for login URLs with the Username Threshold set to 1.
Impact:
Username from the Authorization appears with status = BLOCK-ALL in the session tracking status list, even though session tracking is not configured for that URL.
Workaround:
None
Fix:
Username from the Authorization not appearing with status = BLOCK-ALL in session tracking status list.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4
963705-1 : Proxy ssl server response not forwarded
Links to More Info: BT963705
Component: Local Traffic Manager
Symptoms:
A server response may not be forwarded after TLS renegotiation.
Conditions:
-- Proxy ssl enabled
-- A server renegotiation occurs
Impact:
Server response may not be not forwarded
Fix:
Proxy ssl will now forward server response after renegotiation
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1
962497-5 : BD crash after ICAP response
Links to More Info: BT962497
Component: Application Security Manager
Symptoms:
BD crash when checking ICAP job after ICAP response
Conditions:
BD is used with ICAP feature
Impact:
Traffic disrupted while BD restarts.
Workaround:
N/A
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
962433-2 : HTTP::retry for a HEAD request fails to create new connection
Links to More Info: BT962433
Component: Local Traffic Manager
Symptoms:
In case of a HEAD request, BIG-IP fails to set up a new connection to the server with the HTTP::retry iRule.
Conditions:
1.) Basic HTTP profile is configured on BIG-IP
2.) BIG-IP sends the HEAD request to the server and gets error response
3.) iRule with HTTP::retry is configured
4.) The system is using the default (non-debug) TMM version
Impact:
BIG-IP might send the retry HEAD request after the connection is closed, more specifically after the server has sent a FIN, the retry is leaked on the network.
Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4
962177-4 : Results of POLICY::names and POLICY::rules commands may be incorrect
Links to More Info: BT962177
Component: Local Traffic Manager
Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules returns incorrect results.
Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.
Impact:
Traffic processing may not provide expected results.
Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over a same connection.
Fixed Versions:
13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2
960749-4 : TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic
Links to More Info: BT960749
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes, dumps a core file, and restarts.
Conditions:
-- The configuration includes one or more 'DNS Cache' or 'Network DNS Resolver' objects.
-- The DNS Cache or Network DNS Resolver objects receive traffic.
Impact:
Traffic disrupted while tmm restarts. A redundant unit will fail over.
Fix:
TMM no longer crashes when 'DNS Cache' or 'Network DNS Resolver' objects handle traffic.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
960437-4 : The BIG-IP system may initially fail to resolve some DNS queries
Links to More Info: BT960437
Component: Global Traffic Manager (DNS)
Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.
Subsequent queries for the same domain name, however, work as expected.
Only some domain names are affected.
Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.
- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).
- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.
Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure is returned to the client.
In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.
For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.
Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.
1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6'
4, Select Update.
You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.
Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
958093-1 : IPv6 routes missing after BGP graceful restart
Links to More Info: BT958093
Component: TMOS
Symptoms:
When BGP graceful restart is configured for peers in IPv4 unicast and IPv6 unicast address families, after graceful restart for both IPv4 and Ipv6 address families, routes from IPv6 unicast address family might be missing.
Conditions:
- Different BGP peers configured in IPv4 unicast and IPv6 unicast address families.
- BGP graceful restart happens for both IPv4 unicast and IPv6 unicast.
Impact:
Routes from IPv6 peers are missing. They are also not present in the RIB.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1
957905-4 : SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP.
Links to More Info: BT957905
Component: Service Provider
Symptoms:
SIP Requests that don't contain a content_length header are accepted and forwarded by the BIG-IP to the server.
SIP Responses that don't contain a content_length header are accepted and forwarded to the client.
The sipmsg parser does not treats the content_length header as a required header as part of the SIP Request / Response.
Conditions:
SIP request / response without content_length header.
Impact:
RFC 6731 non compliance.
Workaround:
N/A
Fix:
BIG-IP now aborts the connection of any TCP SIP request / response that does not contain a content_length header.
content_length header is treated as optional for UDP and SCTP.
Fixed Versions:
13.1.5
957897-3 : Unable to modify gateway-ICMP monitor fields in the GUI
Links to More Info: BT957897
Component: TMOS
Symptoms:
While modifying a gateway-ICMP monitor you see the following error:
01070374:3: Cannot modify the address type of monitor /Common/<monitor_name>.
Conditions:
-- Using the GUI to modify a Gateway-ICMP monitor field.
-- The monitor is attached with a pool that has one or more pool members.
Impact:
You cannot update the Gateway-ICMP monitor fields via the GUI.
Workaround:
Use the tmsh command:
tmsh modify ltm monitor gateway-icmp <monitor_name> [<field> <new_value>]
For example, to update the description of a monitor named gw_icmp, use the following command:
modify ltm monitor gateway-icmp gw_icmp description new_description
Fix:
You can now update the Gateway-ICMP monitor fields via the GUI.
Fixed Versions:
13.1.5
956937 : Duplicate Attack signature sets in policy containing server technologies
Component: Application Security Manager
Symptoms:
When creating a new security policy, choosing a server technology for the policy causes duplicate signature sets to be created.
Conditions:
-- Create a new security policy using a server technology
-- Create another security policy using the same server technology
Impact:
Duplicate signature sets are created.
Workaround:
You can repair the policy by navigating to “Security ›› Application Security : Policy Building : Learning and Blocking Settings”, clicking on “change”, and choosing the original created sets instead of the duplicated sets. Save, and then apply the policy. The duplicated sets can be deleted after that.
Fixed Versions:
13.1.5
956589-4 : The tmrouted daemon restarts and produces a core file
Links to More Info: BT956589
Component: TMOS
Symptoms:
The tmrouted daemon restarts and produces a core file.
Conditions:
Exact trigger is unknown, but the issue was seen on a chassis setup during a blade failover
Impact:
Traffic disrupted while tmrouted restarts.
Workaround:
None
Fix:
Tmrouted daemon should not restart during blade reset
Fixed Versions:
13.1.5, 15.1.2.1
955617-5 : Cannot modify properties of a monitor that is already in use by a pool
Links to More Info: BT955617
Component: Local Traffic Manager
Symptoms:
Modifying monitor properties gives error, if it is attached to a pool with Node/Pool member instance.
0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor
Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.
Impact:
Monitor properties can't be modified if they are in use by a pool.
Workaround:
Remove monitor, modify it, and then add it back.
Fixed Versions:
13.1.5
955017-5 : Excessive CPU consumption by asm_config_event_handler
Links to More Info: BT955017
Component: Application Security Manager
Symptoms:
Asm_config_event_handler is consuming a lot of CPU while processing signatures after sync
Conditions:
This is encountered during a UCS load, or by a high availability (HA) configuration sync.
Impact:
Asm_config_server_rpc_handler.pl consumes excessive CPU and takes an exceedingly long time to complete.
Workaround:
Disable the signature staging action item for all policies.
Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2
953845-5 : After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart
Links to More Info: BT953845
Component: Local Traffic Manager
Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.
This can occur when using administrative commands such as:
-- tmsh run util fips-util init
-- fipsutil init
-- tmsh run util fips-util loginreset -r
-- fipsutil loginreset -r
Conditions:
-- Using the following platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
+ vCMP guest on i5820-DF / i7820-DF
+ vCMP guest on 10350v-F
Impact:
BIG-IP is unable to communicate with the onboard HSM.
Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.
Immediately before doing this:
-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:
sys fipsuser f5cu {
password $M$Et$b3R0ZXJzCg==
}
Fix:
Fixed an issue with re-initializing the onboard FIPS HSM.
Fixed Versions:
12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
953729-4 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990
953677-4 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
951257-2 : FTP active data channels are not established
Component: Local Traffic Manager
Symptoms:
Under certain conditions FTP active data channels may not be established as expected.
Conditions:
-- The FTP profile has "allow-active-mode" enabled and "port" set to a non-zero value.
Impact:
FTP transfers with active data channels are not processed as expected.
Workaround:
- Disable 'active' FTP and only use passive FTP or
- Use a custom FTP profile with port set to '0' on FTP virtual servers.
Fix:
FTP active data channels are now established as expected.
Fixed Versions:
13.1.5
951033-1 : Virtual server resets all the connections for rstcause 'VIP disabled (administrative)'
Links to More Info: BT951033
Component: Local Traffic Manager
Symptoms:
Virtual server resets all the connections for rstcause 'VIP disabled (administrative)', after all the conditions are met.
Once it happens, the virtual server starts resetting all the incoming connections for rstcause 'VIP disabled (administrative)'. This continues even after the connection limit is deactivated.
Conditions:
-- There is at least one pool member that is DISABLED.
-- Other pool members have a connection limit configured.
-- A configuration change occurs while the connection limit is activated, and the change lowers the connection limit value, for example, the value is changed from 10 to 5.
Impact:
A virtual server continues resetting new connections.
Workaround:
Use Forced offline instead of disabled to prevent this issue.
Fix:
The BIG-IP system no longer continually resets new connections when the connection limit is lowered while it is being enforced.
Fixed Versions:
13.1.3.5, 14.1.3.1
950917-3 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034
Links to More Info: BT950917
Component: Application Security Manager
Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:
01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )
Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.
Impact:
Apply policy fails.
Workaround:
You can use any of the following workarounds:
-- Install an older signature update -SignatureFile_20200917_175034
-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.
-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4
950077-4 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
949889-1 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()
949593-1 : Unable to load config if AVR widgets were created under '[All]' partition&start;
Links to More Info: BT949593
Component: Application Visibility and Reporting
Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.
Conditions:
This occurs if one or more AVR widgets in the configuration was created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.
Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.
Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':
# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config
This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.
Fix:
It is possible to successfully upgrade from or load a configuration containing one or more AVR widgets created under the read-only '\[All]' pseudo-partition or under other not existing partitions. With the current fix all partitions are changed to "Common" during upgrade.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2
949145-3 : Improve TCP's response to partial ACKs during loss recovery
Links to More Info: BT949145
Component: Local Traffic Manager
Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.
Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.
Impact:
The bursty retransmissions may lead to more data getting lost due to large amount of data being injected into the network.
Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.
Fix:
Partial ACK handling during loss recovery is improved.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
948573-3 : Wr_urldbd list of valid TLDs needs to be updated
Links to More Info: BT948573
Component: Traffic Classification Engine
Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.
Conditions:
New TLD is being queried
Impact:
The URL query with new TLDs can not be blocked with custom feed list.
Custom, Webroot, and Cloud returns Unknown category.
Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
948113-5 : User-defined report scheduling fails
Links to More Info: BT948113
Component: Application Visibility and Reporting
Symptoms:
A scheduled report fails to be sent.
An error message with the following format may appear on /var/log/avr/monpd.log file (some parts of the error message were replaced with '.....' in here to leave only the common parts):
DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
Because : Unknown column ....... in 'order clause'
Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report
Impact:
Internal error for AVR report for ASM pre-defined.
Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr
Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});
The above can be achieved with the following script-line (please first backup the Client.pm file and then verify it changed it correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
Lastly, remount /usr back to read-only:
mount -o remount,ro /usr
Fix:
Using 'sort-by' measure when building PDF (instead of the first value on measure-list)
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
947529-3 : Security tab in virtual server menu renders slowly
Links to More Info: BT947529
Component: TMOS
Symptoms:
When a large number of virtual servers use the same ASM policy from a manually-created LTM Traffic policy, the Security tab of the virtual server takes a long time to load.
Conditions:
Large number of virtual servers using the same ASM policy
Impact:
Loading of Security tab of a virtual server takes a long time
Workaround:
NA
Fix:
Security tab of a virtual server loads fast
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1
946325-4 : PEM subscriber GUI hardening
Component: Policy Enforcement Manager
Symptoms:
The PEM subscriber GUI does not follow current best practices.
Conditions:
- Authenticated administrative user
- PEM GUI request
Impact:
PEM subscriber GUI does not follow current best practices.
Workaround:
N/A
Fix:
PEM subscriber GUI now follows current best practices.
Fixed Versions:
13.1.5
946081-4 : Getcrc tool help displays directory structure instead of version
Links to More Info: BT946081
Component: Application Security Manager
Symptoms:
When getcrc tool displays help to the end user, it displays a directory structure instead of version.
Conditions:
Displaying help in getcrc utility.
Impact:
Version information is not displayed.
Fix:
Getcrc utility help now displays version information.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
944441-4 : BD_XML logs memory usage at TS_DEBUG level
Links to More Info: BT944441
Component: Application Security Manager
Symptoms:
There are two messages in BD_XML logs that the system reports at the TS_DEBUG log level, but they should be logged as TS_INFO.
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1687|after create of profile 754. (xml memory 5111702493 bytes)
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1586|add profile 755. name: /ws/replanifierIntervention_V1-0 is soap? 1 (xml memory before add 5111702493 bytes)
Conditions:
These messages can occur when XML/JSON profiles are configured.
Impact:
Messages that should be logged at the TS_INFO level are logged at the TS_DEBUG level. These are informational log messages.
Workaround:
None
Fix:
The relevant two BD_XML logs are now categorized as TS_INFO.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
944121-2 : Missing SNI information when using non-default domain https monitor running in TMM mode.
Links to More Info: BT944121
Component: In-tmm monitors
Symptoms:
In-TMM https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members.
In-TMM monitors do not send any packet when TLS1.3 monitor is used.
Conditions:
-- SNI is configured in serverssl profile
-- serverssl profile is assigned to in-tmm https monitors
-- https monitors are monitoring pool members that are in a non-default route domain.
- Another Condition :
TLS1.3 Monitor is used
Impact:
The TLS connection might fail in case of SNI
No SYN packet is sent in case of TLS1.3 monitor
Workaround:
N/A
Fix:
N/A
Fixed Versions:
13.1.5
943913-5 : ASM attack signature does not match
Links to More Info: K30150004, BT943913
Component: Application Security Manager
Symptoms:
When processing certain traffic, ASM attack signatures may not match as intended.
Conditions:
- ASM enabled
- Undisclosed attack signature variation
Impact:
ASM attack signature does not match or trigger further processing.
Workaround:
N/A
Fix:
ASM now processes traffic as expected.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2
943889 : Reopening the publisher after a failed publishing attempt
Links to More Info: BT943889
Component: Fraud Protection Services
Symptoms:
TMM crashes repeatedly on SIGSEGV.
Conditions:
This can occur after a HSL disconnect and re-connect.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system publishes data to HSL publisher on a second attempt successfully (after a reconnect).
Fixed Versions:
13.1.3.5, 14.1.4
941853-3 : Logging Profiles do not disassociate from virtual server when multiple changes are made
Links to More Info: BT941853
Component: Application Security Manager
Symptoms:
When multiple Logging Profiles profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.
Conditions:
Multiple Logging Profile changes are made in a single update.
Impact:
The previous Logging Profiles are not disassociated from the virtual server.
Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
941621-4 : Brute Force breaks server's Post-Redirect-Get flow
Links to More Info: K91414704, BT941621
Component: Application Security Manager
Symptoms:
Brute Force breaks server's Post-Redirect-Get flow
Conditions:
ASM policy is attached to VS
Brute force protection is enabled.
CSI challenge or Captcha are in use.
Server implements Post-Redirect-Get flow.
Impact:
Brute Force breaks server's Post-Redirect-Get flow
Workaround:
None
Fix:
Support PRG mechanism in brute force mitigations.
Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.1
941257-3 : Occasional Nitrox3 ZIP engine hang
Links to More Info: BT941257
Component: Local Traffic Manager
Symptoms:
Occasionally the Nitrox3 ZIP engine hangs.
In /var/log/ltm:
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.
Conditions:
BIG-IP appliance that uses the Nitrox 3 hardware compression chip: 5xxx, 7xxx, 12250 and B2250.
You can check if your platform has the nitrox3 by running the following command:
tmctl -w 200 compress -s provider
provider
--------
bzip2
lzo
nitrox3 <--------
zlib
Impact:
The Nitrox3 hardware compression system becomes unavailable and the compression mode switches to software compression. This can lead to high CPU usage.
Workaround:
Disable http compression
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4
941249-1 : Improvement to getcrc tool to print cookie names when cookie attributes are involved
Links to More Info: BT941249
Component: Application Security Manager
Symptoms:
The name provided by getcrc tool provides incorrect ASM cookie name when cookie attributes path or/and domain is/are present in response from server
Conditions:
This is applicable when domain and path cookie attributes are present in response from server
Impact:
ASM cookie name which is displayed is incorrect
Workaround:
None
Fix:
More options need to be added to getcrc tool such that it caters for path/domain cookie attribute/s
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
941089-4 : TMM core when using Multipath TCP
Links to More Info: BT941089
Component: Local Traffic Manager
Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2
940897-4 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached
Links to More Info: BT940897
Component: Application Security Manager
Symptoms:
False positive violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached with enabled "Parse Parameter".
Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.
Impact:
False positives detected, such as "Illegal meta character in value" violation and attack signature for incorrect context.
Workaround:
N/A
Fix:
No false positives detected.
Fixed Versions:
12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
940401-4 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'
Links to More Info: BT940401
Component: Fraud Protection Services
Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.
Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.
Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.
Workaround:
None.
Fix:
Section now reads 'Rooting Detection'.
Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
940249-4 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached
Links to More Info: BT940249
Component: Application Security Manager
Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then all sensitive
data after last allowed element is not masked.
Conditions:
Define JSON profile, set "JSON data does not comply with format settings" to blocking and set "Maximum Array/Object Elements" to desired value.
Impact:
Data after last allowed element is not masked.
Fix:
Now the values are masked.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
940021-1 : Syslog-ng hang may lead to unexpected reboot
Links to More Info: BT940021
Component: TMOS
Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to unexpected reboot.
The BIG-IP may unexpectedly reboot after a host watchdog timeout when syslog-ng gets hung up.
Logs via syslog-ng are no longer written, though logging not via syslog-ng continues unaffected.
This happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.
At this time syslog-ng typically spins, using near 100% CPU (just one core equivalent, not all CPU capacity on system).
Typically things appear fine on rest of system - there will usually be adequate CPU and memory.
Hours or days later graphs will have a gap of usually tens of minutes to hours before an unexpected reboot.
Post reboot logs (in /var/log/sel for iSeries or ltm log otherwise) show this is a host watchdog reboot.
After reboot the system runs correctly, though if the syslog-ng remote server was invalid this remains the case.
Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.
A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to stream of log messages by breaking connection eg by sending ICMP port unreachable to BIG-IP.
Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
The final log will of a broken connection only, usually one minute after the last established/broken pair.
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.
Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable.
Fix:
Fixed an issue with syslog-ng hang occasionally causing a system restart.
This fix is not a complete fix. You will still need to remove unused syslog-ng servers from the BIG-IP configuration.
ID 1040277 tracks the remaining issue.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
939529-4 : Branch parameter not parsed properly when topmost via header received with comma separated values
Links to More Info: BT939529
Component: Service Provider
Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This Via header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch header. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.
Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.
Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction. CANCEL is received and client sends a 481 error:
SIP/2.0 481 Call/Transaction Does Not Exist.
Workaround:
Use iRules to remove the topmost Via header and add new a new Via header that uses the same branch as INVITE and CANCEL while sending messages to SIP clients.
Fix:
The BIG-IP system now ensures the branch field inserted in the via header same for INVITE and CANCEL messages.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
938233-4 : An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization
Links to More Info: K93231374
936557-4 : Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.
Links to More Info: BT936557
Component: Local Traffic Manager
Symptoms:
As the BIG-IP system attempts to open a TCP connection to a server-side object (e.g., a pool member), retransmissions of the initial SYN segment incorrectly use a non-zero acknowledgement number.
Conditions:
This issue occurs when the following conditions are true:
-- Standard TCP virtual server.
-- TCP profile with Verified Accept enabled.
-- Receipt of the client's ACK (as part of the client-side TCP 3-way handshake) is delayed. Due to Verified Accept being enabled, this delay causes the BIG-IP system to retransmit its SYN to the server until the client's ACK is received.
Impact:
Depending on the specific server implementation, or the security devices present on the BIG-IP system's server-side before the server, a SYN containing a non-zero acknowledgement number may be rejected. In turn, this may cause connections to fail to establish.
Workaround:
If compatible with your application and specific needs, you can work around this issue by disabling Verified Accept in the TCP profile.
Fix:
SYN segment retransmissions now correctly use 0 as the acknowledgement number.
Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1
935593-2 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite
Links to More Info: BT935593
Component: Local Traffic Manager
Symptoms:
FastL4 profiles configured with the TCP timestamp rewrite option enabled does not treat retransmitted SYNs in a correct manner.
Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.
Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.
Workaround:
Do not use TCP timestamp rewrite.
Fixed Versions:
13.1.5, 14.1.3.1, 15.1.2, 16.0.1.1
935293-1 : 'Detected Violation' Field for event logs not showing
Links to More Info: BT935293
Component: Application Security Manager
Symptoms:
Violation is missing/details not populated in the event log page, when a POST request with large number of parameters are sent to the BIG IP system.
Conditions:
-- A large POST request with lots of parameters is sent to BIG-IP system.
-- 'Learn New Parameters' is enabled.
Impact:
You cannot see the violation details.
Workaround:
Disabling parameter learning helps.
Note: This happens only with a large number of parameters. Usually it works as expected.
Fix:
The eventlog is reserving space for violations.
Fixed Versions:
13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
933777-3 : Context use and syntax changes clarification
Links to More Info: BT933777
Component: Application Visibility and Reporting
Symptoms:
There are two context and syntax-related issues:
-- In v14.x, the context for tmsh analytics commands related to server side connections changed. For example, 'total-server-side-conns' became a simple 'server-side-conns'.
-- In v13.x and 14.x, the calculation method for 'max-tps' changed from cumulative to commutative.
Conditions:
This occurs in either of the following scenarios:
-- Using tmsh analytics commands related to max-tps in v13.x or later.
-- Using tmsh analytics commands related to server side connections in BIG-IP v14.x and later.
Impact:
Stats names do not reflect their actual values. The 'max-tps' value is no longer valid for client IP context. These changes might have varied impacts, depending on your configuration.
Workaround:
None
Fix:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).
-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.
Behavior Change:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).
-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.
Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
933461-2 : BGP multi-path candidate selection does not work properly in all cases.
Links to More Info: BT933461
Component: TMOS
Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.
Conditions:
An inbound route-map exists that modifies a route's path selection attribute.
Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.
Workaround:
None.
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
932485-1 : Incorrect sum(hits_count) value in aggregate tables
Links to More Info: BT932485
Component: Application Visibility and Reporting
Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.
Conditions:
-- Insert a very large amount of data (approximately 4.5 milliard or more) to one of AVR tables.
-- Review the value of the sum(hits_count) column.
Impact:
The system reports incorrect values in AVR tables when dealing with large numbers
Workaround:
None.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
932137-3 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade
Links to More Info: BT932137
Component: Application Visibility and Reporting
Symptoms:
After upgrade, AFM statistics show non-relevant data.
Conditions:
BIG-IP system upgrade
-- Leftovers files remain in /shared/avr_afm partition from other versions.
Impact:
Non-relevant data are shown in AFM statistics.
Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
932133-4 : Payloads with large number of elements in XML take a lot of time to process
Links to More Info: BT932133
Component: Application Security Manager
Symptoms:
ASM experiences high CPU and latency usage while processing a large XML request.
Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.
Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.
Workaround:
None
Fix:
This fix includes performance improvements for large XML payloads.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
931677-3 : IPv6 hardening
Component: Local Traffic Manager
Symptoms:
Under certain conditions, handling of IPv6 traffic to BIG-IP owned addressed (e.g. self-IPs) do not follow current best practices.
Conditions:
-- IPv6 strict compliance is enabled (tmsh modify sys db ipv6.strictcompliance value true)
-- IPv6 traffic to BIG-IP owned addresses
Impact:
Handling of IPv6 traffic does not follow current best practices.
Workaround:
Disable IPv6 strict compliance with the command:
tmsh modify sys db ipv6.strictcompliance value false
Fix:
BIG-IP now handles IPv6 traffic in compliance with current best practices.
Fixed Versions:
13.1.5
930741-4 : Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot
Links to More Info: BT930741
Component: TMOS
Symptoms:
If there is a truncated BIG-IP software image in /shared/images, a kernel lockup and reboot could occur.
One way to have a truncated image in /shared/images is by using iControl/SOAP to upload the image. Using SOAP, the image is uploaded in chunks, so until the last chunk is uploaded, the image is not complete/is truncated.
Conditions:
-- Truncated BIG-IP image in /shared/images
-- Using SOAP to upload the image.
Impact:
Traffic disruption caused by the reboot.
Workaround:
If you are using SOAP to upload BIG-IP software images, upload them to /shared first and then move them to /shared/images.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2
929001-5 : ASM form handling improvements
Links to More Info: K48321015, BT929001
Component: Application Security Manager
Symptoms:
Under certain conditions, the ASM form handler may not enforce as expected.
Conditions:
- Brute force protection is configured
Impact:
Enforcement not triggered as expected.
Workaround:
N/A
Fix:
ASM now processes forms as expected.
Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
928685-4 : ASM Brute Force mitigation not triggered as expected
Links to More Info: K49549213, BT928685
Component: Application Security Manager
Symptoms:
Under certain conditions the Brute Force mitigation will not be triggered.
Conditions:
- ASM enabled
- Brute Force mitigation enabled
Impact:
Brute Force mitigation is not triggered as expected.
Workaround:
The following iRule will look for an issue with the authorization header and will raise an custom violation when this is happening:
when ASM_REQUEST_DONE
{
if { [catch { HTTP::username } ] } {
log local0. "ERROR: bad username";
ASM::raise bad_auth_header_custom_violation
}
}
Fix:
Brute Force mitigation is now triggered as expected.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
927993-5 : Built-in SSL Orchestrator RPM installation failure
Links to More Info: K97501254, BT927993
Component: SSL Orchestrator
Symptoms:
Attempting to install the built-in SSL Orchestrator RPM results in the following error:
Failed to load IApp artifacts from f5-iappslx-ssl-orchestrator: java.lang.IllegalStateException: Failed to post templates to block collection.
Conditions:
In the BIG-IP TMUI, the BIG-IP administrator navigates to the SSL Orchestrator Configuration page. This would automatically invoke the installation of the built-in SSL Orchestrator RPM, resulting in the failure.
Impact:
The built-in SSL Orchestrator RPM is not installed and SSL Orchestrator management is not possible.
Workaround:
Step 1. Run the following commands in the BIG-IP command line:
# Get ID for f5-ssl-orchestrator-dg-data:
id1=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-data") | .id')
# Get ID for f5-ssl-orchestrator-dg-template:
id2=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-template") | .id')
# Temporarily unlink the "f5-ssl-orchestrator-dg-data" (id1) dependency on "f5-ssl-orchestrator-dg-template" (id2).
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id1
# Remove all SSL Orchestrator block templates.
restcurl shared/iapp/blocks | jq -r '.items[] | select(.state == "TEMPLATE") | select(.name | startswith("f5-ssl-orchestrator")) | .id' | for x in $(cat) ; do restcurl -X DELETE shared/iapp/blocks/$x; done
# Remove the SSL Orchestrator RPM installation references (if any).
restcurl -X DELETE shared/iapp/global-installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
restcurl -X DELETE shared/iapp/installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
---
Step 2. Use the BIG-IP TMUI:
Log in to the TMUI and navigate to SSL Orchestrator > Configuration. This would refresh the related page and install the SSL Orchestrator RPM. Wait for the SSL Orchestrator configuration page to complete loading.
---
Step 3. Run the following commands in the BIG-IP command line:
# Restore the "f5-ssl-orchestrator-dg-data" dependency on "f5-ssl-orchestrator-dg-template".
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id2
---
Step 4. Use the BIG-IP TMUI:
Refresh the SSL Orchestrator > Configuration page.
Fix:
Built-in SSL Orchestrator RPM installation failure
Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3, 14.1.4, 15.1.2, 16.0.1.1
927941-2 : IPv6 static route BFD does not come up after OAMD restart
Links to More Info: BT927941
Component: TMOS
Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"
Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.
Impact:
BFD session is not shown in 'show bfd session'.
Workaround:
Restart tmrouted:
bigstart restart tmrouted
Fix:
IPv6 static route BFD session now comes up after restarting the oamd process.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
927617-4 : 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value
Links to More Info: BT927617
Component: Application Security Manager
Symptoms:
A valid request that should be passed to the backend server is blocked.
Conditions:
-- A cookie name is defined in Security :: Application Security : Headers : Cookies List :: New Cookie, with Base64 Decoding enabled.
-- The cookie header that contain the valid cookie value is encoded to base64.
Impact:
A request is blocked that should not be.
Workaround:
Disable 'Base64 Decoding' for the desired cookie.
Fix:
Requests with valid base64 encoding cookies are now correctly passed by the enforcer.
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
926929-1 : RFC Compliance Enforcement lacks configuration availability
Links to More Info: BT926929
Component: Local Traffic Manager
Symptoms:
Earlier versions contained fixes that enforce several RFC compliance items for HTTP request and response processing by BIG-IP systems. Enforcement for some of these items is unavoidable, but might cause issues for certain applications.
Conditions:
The configuration has a virtual server with an HTTP profile.
Impact:
Some applications that require certain constructions after a header name may not function.
Workaround:
None
Fix:
A configuration item has been introduced to manage RFC-compliance options.
In releases 13.1.4, 14.1.4, 15.1.2.1 and 16.0.1.2 and in subsequent releases in those families, a global flag is used to control the enforcement:
sys db tmm.http.rfc.allowwsheadername
The possible values are "enabled" and "disabled"; the default is "enabled".
In release 16.1.0 and subsequent releases, there are two per-profile options; these have been added to the Configuration Utility's configuration page for HTTP profiles, in the 'Enforcement' section:
-- Enforce RFC Compliance
-- Allow Space Header Name
The following sample output shows how the RFC-compliance and whitespace-enforcement settings might appear in tmsh, if enabled:
(tmos)# list ltm profile http http-wsheader
ltm profile http http-wsheader {
app-service none
defaults-from http
enforcement {
allow-ws-header-name enabled
rfc-compliance enabled
}
proxy-type reverse
}
Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.2
926845-3 : Inactive ASM policies are deleted upon upgrade
Links to More Info: BT926845
Component: Application Security Manager
Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.
Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy
Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.
Workaround:
None.
Fixed Versions:
13.1.5
926341-4 : RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade&start;
Links to More Info: BT926341
Component: Application Visibility and Reporting
Symptoms:
Unusually high AVR CPU utilization occurs following an upgrade.
Conditions:
-- BIG-IP software upgrade to v13.0.x or later.
-- Running AVR.
Impact:
AVR CPU utilization can be unusually high for an unusually long period of time.
Workaround:
After upgrade manually edit /etc/avr/avrd.cfg to decrease AVR CPU usage is high by increasing the time period of real-time statistics collection. In order to do so:
1. Change value of RtIntervalSecs in /etc/avr/avrd.cfg file to 30 or 60 seconds.
2. Restart the system by running the following command at the command prompt:
bigstart restart.
When changing RtIntervalSecs please take into consideration two important limitations:
-- Value of RtIntervalSecs cannot be less than 10.
-- Value of RtIntervalSecs must be 10 on BIG-IP devices that are registered on BIG-IQ DCD nodes.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4
924929 : Logging improvements for VDI plugin
Links to More Info: BT924929
Component: Access Policy Manager
Symptoms:
If the Virtual Desktop Interface (VDI) plugin aborts, the names of the events are not logged in the APM log file.
Conditions:
- Virtual Desktop Interface (VDI) configured
- The plugin encounters a problem and aborts
Impact:
Event names are not displayed in the APM log.
Workaround:
None.
Fix:
Event names along with the exceptions are also seen in the APM log file.
Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
924493-5 : VMware EULA has been updated
Links to More Info: BT924493
Component: TMOS
Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.
Conditions:
The EULA is presented to the user when deploying an OVF template.
Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).
Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.
Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.
Fix:
The EULA presented in VMware was out of date and has been updated.
Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
922317-1 : Using the LSN::persistence_entry command in an iRule may cause crashes and/or stalled connections
Links to More Info: BT922317
Component: Local Traffic Manager
Symptoms:
-- Stalled serverside connections visible in connection table.
-- No traffic going out towards pool member.
-- Sometimes tmm crashes may occur.
Conditions:
The LSN::persistence_entry Tcl command is used inside of an iRule triggered by a serverside event, e.g., SERVER_CONNECTED.
Impact:
-- Traffic not reaching pool members.
-- System disruption while tmm restarts in case of crash.
Workaround:
Do not use the LSN::persistence_entry command in iRules triggered by serverside events.
Fix:
Traffic now reaches pool members, no stalled connections occur, and crashes are eliminated.
Fixed Versions:
12.1.6, 13.1.4
922297-4 : TMM does not start when using more than 11 interfaces with more than 11 vCPUs
Links to More Info: BT922297
Component: TMOS
Symptoms:
TMM may not start when using more than 11 network interfaces with more than 11 vCPUs configured.
You see the following log entries in /var/log/tmm:
-- notice ixlv(1.1)[0:5.0]: Waiting for tmm10 to reach state 1...
In the TMM log for that TMM, you can see that it is waiting for tmm0, e.g.:
-- notice ixlv(1.10)[0:6.0]: Waiting for tmm0 to reach state 2...
Conditions:
-- BIG-IP Virtual Edition (VE).
-- More than 11 interfaces configured.
-- More than 11 vCPUs configured.
Impact:
TMM does not start.
Workaround:
Configure fewer network interfaces or vCPUs.
Fix:
Fixed a TMM startup deadloop stuck issue (when there are more than 10 interfaces and tmms/vCPUs).
Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
922105-5 : Avrd core when connection to BIG-IQ data collection device is not available
Links to More Info: BT922105
Component: Application Visibility and Reporting
Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.
Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.
Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.
Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:
tmsh modify analytics global-settings use-offbox disabled
Fix:
Avrd no longer cores when the connection to the BIG-IQ data collection device is not available.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
921625-5 : The certs extend function does not work for GTM/DNS sync group
Links to More Info: BT921625
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged a SSL cert.
As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives 'unknown ca' SSL error, if its peer GTM/DNS has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.
The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.
You might see messages similar to the following:
-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....
Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device, which results in that file being larger than 4000 bytes.
-- Configuration is as follows:
1. GTMDNS1 and GTMDNS2 are in a same GTM/DNS sync group.
2. GTMDNS1 has a self-authorized CA cert.
3. You add a BIG-IP server that is reachable but with which GTMDNS1 has not exchanged SSL certs.
Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.
Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.
Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
921549-7 : The gtmd process does not receive updates from local big3d.
Links to More Info: BT921549
Component: Global Traffic Manager (DNS)
Symptoms:
Oversized server.crt file prevents gtmd (other devices in a same syncgroup) from receiving from local big3d.
Conditions:
One GTM/DNS device in the syncgroup has an oversized server.crt file (approximately 4000 or larger) and sends a client cert direct message to peer GTM/DNS devices.
Impact:
The gtmd process marks resources down unexpectedly and does not receive persist updates.
Workaround:
1. For each GTM/DNS device, use bigip_add to add all BIG-IP servers configured in bigip_gtm.conf file.
2. Restart each GTM/DNS that is affected.
Fixed Versions:
13.1.3.6
920265 : TMM may crash if a virtual server undergoes a series of specific configuration changes involving the transparent-nexthop option.
Links to More Info: BT920265
Component: Local Traffic Manager
Symptoms:
TMM crashes and produces a core dump.
Conditions:
This issue occurs when:
- You initially enable the transparent-nexthop setting on a virtual server.
- You then disable the option.
- You then disable auto-lasthop for the virtual server.
- The virtual server receives traffic.
Impact:
Traffic is impacted while TMM restarts.
Workaround:
There is no workaround that you can instantiate to prevent this issue. However, if you are aware that you have already performed the necessary configuration changes to cause this issue to occur, and TMM has not crashed yet, you can delete the virtual server and recreate it (with the intended/final configuration) to prevent the crash.
Fix:
TMM no longer crashes after modifying a virtual server as described under Conditions.
Fixed Versions:
13.1.4
920197-1 : Brute force mitigation can stop mitigating without a notification
Links to More Info: BT920197
Component: Application Security Manager
Symptoms:
A brute force attack coming from an entity (such as an IP address, etc.) may be stopped prematurely.
Conditions:
-- Many brute force attacks are happening at once, coming from many sources.
-- Distributed attack is not detected (due to configuration).
Impact:
At some point, an entity might not be mitigated due to the sheer number of mitigated entities. When this occurs, there is no notification.
Workaround:
None.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
919553-4 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.
Links to More Info: BT919553
Component: Global Traffic Manager (DNS)
Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.
Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).
Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.
Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.
Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
919317-2 : NSM consumes 100% CPU processing nexthops for recursive ECMP routes
Links to More Info: BT919317
Component: TMOS
Symptoms:
The NSM process might enter a state where it gets stuck at 100% CPU usage.
Conditions:
ECMP routes reachable via recursive nexthops.
Impact:
NSM is stuck at 100% CPU usage.
Workaround:
Avoid using EMCP routes reachable via recursive nexthops.
Fixed Versions:
13.1.5
919301-5 : GTP::ie count does not work with -message option
Links to More Info: BT919301
Component: Service Provider
Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:
wrong # args: should be "-type <ie-path>"
Conditions:
Issue the 'GTP::ie count' command with -message command, for example:
GTP::ie count -message $m -type apn
Impact:
iRules fails and it could cause connection abort.
Workaround:
Swap order of argument by moving -message to the end, for example:
GTP::ie count -type apn -message $m
There is a warning message due to iRules validation, but the command works in runtime.
Fix:
'GTP::ie' count is now working with -message option.
Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1
919049 : Guest fails to come up when vCMP guest and host both run BIG-IP v13.1.3.3, assigning FIPS partition
Links to More Info: BT919049
Component: Local Traffic Manager
Symptoms:
The vCMP guest fails to come up.
Conditions:
-- Using i5820-DF, i7820-DF, or 10350v-F platforms.
-- Running BIG-IP software v13.1.3.3 on the hypervisor.
-- Once FIPS card is initialized on the hypervisor:
1. Create vCMP guest.
2. Assign FIPS partition (can be default PARTITION_1, or you can resize PARTITION_1 and create a different partition).
3. Change state of vCMP guest to 'deployed'.
Impact:
The vCMP guest fails to come up with an attached N3FIPS partition.
Note: This happens only when the host is running v13.1.3.3 and the vCMP guest tries to come up with v13.1.3.3.
Workaround:
None.
Fixed Versions:
13.1.4
918933-4 : The BIG-IP ASM system may not properly perform signature checks on cookies
Links to More Info: K88162221, BT918933
Component: Application Security Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Impact:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Workaround:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Fix:
For more information, please see:
https://support.f5.com/csp/article/K88162221
Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.2.8, 15.1.2, 16.0.1.1
918597-1 : Under certain conditions, deleting a topology record can result in a crash.
Links to More Info: BT918597
Component: Global Traffic Manager (DNS)
Symptoms:
During a topology load balancing decision, TMM can crash.
Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.
Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Topology record changes are now done in a way that prevents the possibility of TMM crashing when making load balancing decisions in which the record is used.
Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
918409-5 : BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures
Links to More Info: BT918409
Component: TMOS
Symptoms:
If a BIG-IP device has more than 24 tmm instances and one of the tmm processes above the 24th cpu loops (e.g., in response to an internal issue), it loops indefinitely.
Conditions:
-- BIG-IP i15600 / i15800 platforms.
-- Another issue occurs that that causes a tmm process greater than the 24th tmm process to loop.
Impact:
Traffic disrupted on the tmm process that is looping indefinitely.
Workaround:
1. Manually change /defaults/daemon.conf to include the appropriate tmm number and respective heartbeat action if the supported tmm is not listed.
Note: The change does not persist across software installs.
a. mount -o remount,rw /usr
b. Edit /defaults/daemon.conf and put these contents at the top of the file:
sys daemon-ha tmm24 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
sys daemon-ha tmm25 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
sys daemon-ha tmm26 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
sys daemon-ha tmm27 {
description none
heartbeat enabled
heartbeat-action go-offline-downlinks-restart
running enabled
running-timeout 2
}
c. mount -o remount,ro /usr
2. After performing the edit, load the changes into the running configuration via 'tmsh load sys config partitions all'.
3. Verify that sod is now correctly monitoring tmm instances above tmm24 using a command such as:
tmsh show sys ha-status all-properties | grep "daemon-heartbeat" | grep tmm
Fixed Versions:
13.1.5
918169-3 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.
Links to More Info: BT918169
Component: Global Traffic Manager (DNS)
Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in a HTTP response, causing the monitored service to be incorrectly marked down.
Conditions:
This issue occurs when all of the following conditions are true:
-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).
-- The server's HTTP response does not terminate with a newline.
Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.
Workaround:
This issue can be worked around by performing any one of the following actions:
-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.
-- Ensure the server's HTTP response ends with a newline.
Fix:
The GTM/DNS HTTPS monitor no longer fails when the SSL peer performs an unclean shutdown.
Fixed Versions:
13.1.3.6, 14.1.2.7, 15.1.2, 16.0.1.1
917005-3 : ISC BIND Vulnerability: CVE-2020-8619
Links to More Info: K19807532
915981-1 : BIG-IP SCP hardening
Component: TMOS
Symptoms:
Under certain conditions SCP does not follow current best practices.
Conditions:
- Authenticated high-privilege user
- SCP file transfer
Impact:
BIG-IP do not follow current best practices for filesystem protection.
Workaround:
N/A
Fix:
All filesystem protections now follow best practices.
Fixed Versions:
13.1.5
915825-5 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
Links to More Info: BT915825
Component: TMOS
Symptoms:
A configuration error occurs during upgrade due to custom partition-associated Draft folder, which exists in configuration file after deleting a custom partition.
Configuration error: Can't associate folder (/User/Drafts) folder does not exist.
Conditions:
This occurs in the following scenario:
1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.
Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.
Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1
915689-5 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.
Links to More Info: BT915689
Component: Local Traffic Manager
Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already stored in the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.
Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.
Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.
Workaround:
None.
Fix:
HTTP/2 response headers now properly use the dynamic header table index when possible.
Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
915605-4 : Image install fails if iRulesLX is provisioned and /usr mounted read-write&start;
Links to More Info: K56251674, BT915605
Component: Local Traffic Manager
Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.
tmsh show software status will report the status for the target volume as one of the following:
-- Could not access configuration source.
-- Unable to get hosting system product info.
Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.
Impact:
Unable to upgrade or more generally insta