Supplemental Document : BIG-IP 13.1.5 Fixes and Known Issues

Applies To:


BIG-IP AAM

  • 13.1.5

BIG-IP APM

  • 13.1.5

BIG-IP Link Controller

  • 13.1.5

BIG-IP Analytics

  • 13.1.5

BIG-IP LTM

  • 13.1.5

BIG-IP AFM

  • 13.1.5

BIG-IP PEM

  • 13.1.5

BIG-IP FPS

  • 13.1.5

BIG-IP DNS

  • 13.1.5

BIG-IP ASM

  • 13.1.5
Updated Date: 04/18/2022

BIG-IP Release Information

Version: 13.1.5
Build: 32.0

Note: This content is current as of the software release date. Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.



Cumulative fixes from BIG-IP v13.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.6 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.1 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release
Known Issues in BIG-IP v13.1.x

Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
999933-5 CVE-2022-23017 K28042514, BT999933 TMM may crash while processing DNS traffic on certain platforms 13.1.5, 14.1.4.5, 15.1.4.1
989701-3 CVE-2020-25212 K42355373, BT989701 CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
981461-2 CVE-2021-23032 K45407662, BT981461 Unspecified DNS responses cause TMM crash 13.1.5, 14.1.4.4, 15.1.3.1
966901-4 CVE-2020-14364 K09081535, BT966901 CVE-2020-14364: Qemu Vulnerability 13.1.5, 14.1.4.4, 15.1.4.1
940317-2 CVE-2020-13692 K23157312, BT940317 CVE-2020-13692: PostgreSQL JDBC Driver vulnerability 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
937333-5 CVE-2022-23013 K29500533, BT937333 Incomplete validation of input in unspecified forms 13.1.5, 14.1.4.4, 15.1.4
904165-4 CVE-2020-27716 K51574311, BT904165 BIG-IP APM vulnerability CVE-2020-27716 13.1.5, 14.1.3.1, 15.1.1
550928-3 CVE-2022-23010 K34360320, BT550928 TMM may crash when processing HTTP traffic with a FastL4 virtual server 13.1.5, 14.1.4.4, 15.1.4.1
1089373-3 CVE-2022-0778 K31323265 OpenSSL Vulnerability: CVE-2022-0778 13.1.5
1089237-2 CVE-2022-0778 K31323265 OpenSSL Vulnerability: CVE-2022-0778 13.1.5
1087201-3 CVE-2022-0778 K31323265 OpenSSL Vulnerability: CVE-2022-0778 13.1.5
1032405-5 CVE-2021-23037 K21435974, BT1032405 TMUI XSS vulnerability CVE-2021-23037 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1030689-4 CVE-2022-23019 K82793463, BT1030689 TMM may consume excessive resources while processing Diameter traffic 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
1028669-3 CVE-2019-9948 K28622040, BT1028669 Python vulnerability: CVE-2019-9948 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1028497-3 CVE-2019-15903 K05295469, BT1028497 libexpat vulnerability: CVE-2019-15903 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1007489-3 CVE-2022-23018 K24358905, BT1007489 TMM may crash while handling specific HTTP requests 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
997193-3 CVE-2022-23028 K16101409, BT997193 TCP connections may fail when AFM global syncookies are in operation. 13.1.5, 14.1.4.5, 15.1.5
981693-5 CVE-2022-23024 K54892865, BT981693 TMM may consume excessive resources while processing IPSec ALG traffic 13.1.5, 14.1.4.2, 15.1.4.1
981273-4 CVE-2021-23054 K41997459, BT981273 APM webtop hardening 13.1.5, 15.1.4
974341-4 CVE-2022-23026 K08402414, BT974341 REST API: File upload 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
974093-2 CVE-2020-25705 K09604370 Linux kernel vulnerability CVE-2020-25705 13.1.5
962069-6 CVE-2021-23047 K79428827, BT962069 Excessive resource consumption while processing OCSP requests via APM 13.1.5, 14.1.4.4, 15.1.3.1
941649-5 CVE-2021-23043 K63163637, BT941649 Local File Inclusion Vulnerability 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
940185-4 CVE-2022-23023 K11742742, BT940185 icrd_child may consume excessive resources while processing REST requests 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
907201-5 CVE-2021-23039 K66782293, BT907201 TMM may crash when processing IPSec traffic 13.1.5, 14.1.2.8, 15.1.3, 16.0.1.2
887965-4 CVE-2022-23027 K30573026, BT887965 Virtual server may stop responding while processing TCP traffic 13.1.5, 14.1.4.4, 15.1.4
870273-2 CVE-2020-5936 K44020030, BT870273 TMM may consume excessive resources when processing SSL traffic 12.1.5.2, 13.1.5, 14.1.2.8, 15.1.1
803965-4 CVE-2018-20843 K51011533, BT803965 Expat Vulnerability: CVE-2018-20843 13.1.5, 14.1.4.5, 15.1.4, 16.1.2
1013145-4 CVE-2021-23052 K32734107 APM Hardening 13.1.5, 14.1.4.4
1009725-5 CVE-2022-23030 K53442005, BT1009725 Excessive resource usage when ixlv drivers are enabled 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1008561-2 CVE-2022-23025 K44110411, BT1008561 In very rare condition, BIG-IP may crash when SIP ALG is deployed 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
1008077-3 CVE-2022-23029 K50343028, BT1008077 TMM may crash while processing TCP traffic with a FastL4 VS 13.1.5, 14.1.4.4, 15.1.4.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
818169-4 2-Critical   TMM may consume excessive resources when processing DNS profiles with DNS queuing enabled 13.1.5, 15.1.0.2
1050537-4 2-Critical BT1050537 GTM pool member with none monitor will be part of load balancing decisions. 13.1.5
911141-5 3-Major BT911141 GTP v1 APN is not decoded/encoded properly 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
1046669-4 3-Major BT1046669 The audit forwarders may prematurely time out waiting for TACACS responses 13.1.5
1015133-1 3-Major BT1015133 Tail loss can cause TCP TLP to retransmit slowly. 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
985953-1 4-Minor BT985953 GRE Transparent Ethernet Bridging inner MAC overwrite 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
982697-3 4-Minor   ICMP hardening 13.1.5
1033837-4 4-Minor   REST authentication tokens persist on reboot 13.1.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1042993-4 1-Blocking K19272127, BT1042993 Provisioning high availability (HA) setup wizard fails to load, reports 'No Access' 13.1.5, 14.1.4.5, 15.1.4.1
1002109-5 1-Blocking BT1002109 Xen binaries do not follow security best practices 13.1.5, 14.1.4.4, 15.1.4
980325-3 2-Critical BT980325 Chmand core due to memory leak from dossier requests. 13.1.5, 14.1.4.4, 15.1.4
957897-3 2-Critical BT957897 Unable to modify gateway-ICMP monitor fields in the GUI 13.1.5
915981-1 2-Critical   BIG-IP SCP hardening 13.1.5
817709-4 2-Critical BT817709 IPsec: TMM cored with SIGFPE in racoon2 13.1.5, 14.1.2.8, 15.1.0.2
775897-3 2-Critical BT775897 High Availability failover restarts tmipsecd when tmm connections are closed 13.1.5, 14.1.2.5
741676-1 2-Critical BT741676 Intermittent crash switching between tunnel mode and interface mode 13.1.5, 14.1.2.8
1059185-4 2-Critical   iControl REST Hardening 13.1.5
1051561-4 2-Critical   iControl REST request hardening 13.1.5
1043277-1 2-Critical K06520200, BT1043277 'No access' error page displays for APM policy export and apply options. 13.1.5, 14.1.4.5, 15.1.4.1
1024325-1 2-Critical BT1024325 EHF installation is not updating the Linux Kernel 13.1.5
1004929-3 2-Critical BT1004929 During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. 13.1.5, 14.1.4.5, 15.1.5
999125-4 3-Major BT999125 After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. 13.1.5
982341-3 3-Major   iControl REST endpoint hardening 13.1.5
969105-5 3-Major BT969105 HA failover connections via the management address do not work on vCMP guests running on VIPRION 13.1.5, 14.1.4.4, 15.1.4
958093-1 3-Major BT958093 IPv6 routes missing after BGP graceful restart 13.1.5, 14.1.4.5, 15.1.4.1
956589-4 3-Major BT956589 The tmrouted daemon restarts and produces a core file 13.1.5, 15.1.2.1
947529-3 3-Major BT947529 Security tab in virtual server menu renders slowly 13.1.5, 14.1.4.4, 15.1.4.1
919317-2 3-Major BT919317 NSM consumes 100% CPU processing nexthops for recursive ECMP routes 13.1.5
918409-5 3-Major BT918409 BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures 13.1.5
856953-6 3-Major BT856953 IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1 13.1.5, 14.1.2.8, 15.1.4.1
809657-4 3-Major BT809657 HA Group score not computed correctly for an unmonitored pool when mcpd starts 13.1.5, 14.1.4.4, 15.1.4.1
760950-2 3-Major BT760950 Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment 12.1.5.3, 13.1.5, 14.1.2.7
755976-1 3-Major BT755976 ZebOS might miss kernel routes after mcpd daemon restart 13.1.5
719555 3-Major BT719555 Interface listed as 'disable' after SFP insertion and enable 13.1.5, 14.1.4, 15.1.1
1066285-2 3-Major BT1066285 Master Key decrypt failure - decrypt failure. 13.1.5
1047169-4 3-Major BT1047169 GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. 13.1.5
1045421-4 3-Major K16107301, BT1045421 No Access error when performing various actions in the TMOS GUI 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1042009-4 3-Major BT1042009 Mcpd fails to reply if a request is proxied to another daemon and the connection to that daemon closes 13.1.5
1032077 3-Major BT1032077 TACACS authentication fails with tac_author_read: short author body 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1022637-4 3-Major BT1022637 A partition other than /Common may fail to save the configuration to disk 13.1.5, 15.1.5
1020789-1 3-Major BT1020789 Cannot deploy a four-core vCMP guest if the remaining cores are in use. 13.1.5
1019085-3 3-Major BT1019085 Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file. 13.1.5
1010393-2 3-Major BT1010393 Unable to relax AS-path attribute in multi-path selection 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
1008269-5 3-Major BT1008269 Error: out of stack space 13.1.5
1003257-2 3-Major BT1003257 ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
884165-1 4-Minor BT884165 Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG 13.1.5, 14.1.4.4, 15.1.4.1
713614-6 4-Minor BT713614 Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only) 13.1.5, 15.1.0.5
528894-8 4-Minor BT528894 Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition 13.1.5, 15.1.5
1071365-2 4-Minor   iControl SOAP WSDL hardening 13.1.5
1051797-4 4-Minor   Linux kernel vulnerability: CVE-2018-18281 13.1.5
1046693-1 4-Minor BT1046693 TMM with BFD configured might crash under significant memory pressure 13.1.5
1045549-1 4-Minor BT1045549 BFD sessions remain DOWN after graceful TMM restart 13.1.5
1040821-1 4-Minor BT1040821 Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes 13.1.5
1034589-4 4-Minor BT1034589 No warning is given when a pool or trunk that was in use by a high availability (HA) Group is deleted from the configuration. 13.1.5
1024621-1 4-Minor BT1024621 Re-establishing BFD session might take longer than expected. 13.1.5
1002809-5 4-Minor BT1002809 OSPF vertex-threshold should be at least 100 13.1.5


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1005433-1 1-Blocking BT1005433 LTM Pool Members may not be updated accurately when multiple identical database monitors are configured 13.1.5, 14.1.4.5
931677-3 2-Critical   IPv6 hardening 13.1.5
910213-5 2-Critical BT910213 LB::down iRule command is ineffective, and can lead to inconsistent pool member status 13.1.5
757407-2 2-Critical BT757407 Error reading RRD file may induce processes to mutually wait for each other forever 13.1.5
1064617-4 2-Critical BT1064617 DBDaemon process may write to monitor log file indefinitely 13.1.5
1019081-1 2-Critical K97045220, BT1019081 HTTP/2 hardening 13.1.5, 14.1.4.5, 15.1.3.1
1016657-5 2-Critical   TMM may crash while processing LSN traffic 13.1.5
993981-5 3-Major   TMM may crash when ePVA is enabled 13.1.5
963705-1 3-Major BT963705 Proxy ssl server response not forwarded 13.1.5, 14.1.4.5, 15.1.4.1
955617-5 3-Major BT955617 Cannot modify properties of a monitor that is already in use by a pool 13.1.5
951257-2 3-Major   FTP active data channels are not established 13.1.5
941257-3 3-Major BT941257 Occasional Nitrox3 ZIP engine hang 13.1.5, 14.1.4.4, 15.1.4
912517-5 3-Major BT912517 Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured 13.1.5
904041-5 3-Major BT904041 Ephemeral pool members may be incorrect when modified via various actions 13.1.5, 14.1.4.5, 15.1.4.1
819329-3 3-Major BT819329 Specific FIPS device errors will not trigger failover 13.1.5, 14.1.3.1, 15.1.4, 16.0.1.2
803629-4 3-Major BT803629 SQL monitor fails with 'Analyze Response failure' message even if recv string is correct 13.1.5, 14.1.4.5, 15.1.4.1, 16.0.1.1
793669-4 3-Major BT793669 FQDN ephemeral pool members on a high availability (HA) pair are not properly synced with the new session value. 13.1.5
757446-1 3-Major BT757446 Invoking the HTTP::respond iRule command when the HTTP2 profile is present can cause stalled or malformed responses. 13.1.5, 14.1.2.7
672963-4 3-Major BT672963 MSSQL monitor fails against databases using non-native charset 13.1.5
1052929-1 3-Major BT1052929 MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. 13.1.5
1038629-2 3-Major BT1038629 DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
1034365 3-Major BT1034365 DTLS handshake fails with DTLS1.2 client version 13.1.5, 14.1.4.5, 15.1.5
1029897-4 3-Major K63312282, BT1029897 Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. 13.1.5
1023341-4 3-Major   HSM hardening 13.1.5, 16.1.1
1018577-1 3-Major BT1018577 SASP monitor does not mark pool member with same IP Address but different Port from another pool member 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1017513-1 3-Major BT1017513 Config sync fails with error Invalid monitor rule instance identifier 13.1.5, 14.1.4.5, 16.1.2.1
1015161-4 3-Major BT1015161 Ephemeral pool member may not be created when FQDN resolves to address that matches static node 13.1.5, 14.1.4.5
1008017-3 3-Major BT1008017 Validation failure on Enforce TLS Requirements and TLS Renegotiation 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
936557-4 4-Minor BT936557 Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled. 13.1.5, 14.1.4.5, 15.1.4.1
935593-2 4-Minor BT935593 Incorrect SYN re-transmission handling with FastL4 timestamp rewrite 13.1.5, 14.1.3.1, 15.1.2, 16.0.1.1
757777-2 4-Minor BT757777 bigtcp does not issue a RST in all circumstances 13.1.5, 14.1.2.5
717806-4 4-Minor BT717806 In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured 13.1.5
1026605-1 4-Minor BT1026605 When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes 13.1.5
1018493-4 4-Minor BT1018493 Response code 304 from TMM Cache always closes TCP connection. 13.1.5, 14.1.4.5, 15.1.4, 16.1.2
898929-1 5-Cosmetic BT898929 Tmm might crash when ASM, AVR, and pool connection queuing are in use 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
873249-4 5-Cosmetic BT873249 Switching from fast_merge to slow_merge can result in incorrect tmm stats 13.1.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
995853-4 2-Critical BT995853 Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error. 13.1.5, 14.1.4.4, 15.1.4
905557-5 2-Critical BT905557 Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure 13.1.5, 14.1.4, 15.1.2
850509-2 2-Critical BT850509 Zone Trusted Signature inadequately maintained, following change of master key 13.1.5, 14.1.4.4, 15.1.2
741862-2 2-Critical BT741862 DNS GUI may generate error or display names with special characters incorrectly. 13.1.5
1064961-5 2-Critical   big3d may consume excessive resources when processing route domains 13.1.5
1062513-1 2-Critical BT1062513 GUI returns 'no access' error message when modifying a GTM pool property. 13.1.5
1035853-5 2-Critical K41415626, BT1035853 Transparent DNS Cache can consume excessive resources. 13.1.5, 14.1.4.5, 15.1.5, 16.1.2
993489-6 3-Major BT993489 GTM daemon leaks memory when reading GTM link objects 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
847105-4 3-Major BT847105 The bigip_gtm.conf is reverted to default after rebooting with license expired 13.1.5, 14.1.4.4, 15.1.4.1
644192-6 3-Major K23022557, BT644192 Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN 11.6.5.3, 13.1.5, 14.1.3.1, 15.1.2, 16.0.1.1
1046785-5 3-Major BT1046785 Missing GTM probes when max synchronous probes are exceeded. 13.1.5
1044425-5 3-Major   NSEC3 record improvements for NXDOMAIN 13.1.5
1024553-4 3-Major BT1024553 GTM Pool member set to monitor type "none" results in big3d: timed out 13.1.5, 14.1.4.5, 15.1.5
1021417-5 3-Major BT1021417 Modifying GTM pool members with replace-all-with results in pool members with order 0 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1021061-1 3-Major BT1021061 Config fails to load for large config on platform with Platform FIPS license enabled 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
1018613-5 3-Major BT1018613 Modifying wideip pools with replace-all-with results in pools with the same order 0 13.1.5
1011285-5 3-Major BT1011285 The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects. 13.1.5, 15.1.5
816277-3 4-Minor BT816277 Extremely long nameserver name causes GUI Error 13.1.5, 14.1.4.4
753821-1 4-Minor BT753821 'TCP RST from remote system' messages are logged if GTM/DNS is licensed but not provisioned 13.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
997137-5 2-Critical   CSRF token modification may allow WAF bypass on GET requests 13.1.5, 14.1.4.4, 15.1.4.1
993613-3 2-Critical BT993613 Device fails to request full sync 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
970329-5 2-Critical   ASM hardening 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
965229-4 2-Critical BT965229 ASM Load hangs after upgrade 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
912149-3 2-Critical BT912149 ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
879841-2 2-Critical BT879841 Domain cookie same-site option is missing the "None" as value in GUI and rest 13.1.5, 14.1.4.5, 15.1.4.1
723061-1 2-Critical BT723061 Possible tmm core during high load, or when an ASM policy is enabled by other modules 13.1.5
1069449-4 2-Critical   ASM attack signatures may not match cookies as expected 13.1.5
1019853-4 2-Critical K30911244, BT1019853 Some signatures are not matched under specific conditions 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1011061-5 2-Critical   Certain attack signatures may not match in multipart content 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
987157 3-Major K05391775 BIG-IP ASM system may not properly perform attack signature checks 13.1.5
984593-4 3-Major BT984593 BD crash 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
964245-4 3-Major BT964245 ASM reports and enforces username always 13.1.5, 14.1.4.4, 15.1.4
962497-5 3-Major BT962497 BD crash after ICAP response 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
956937 3-Major   Duplicate Attack signature sets in policy containing server technologies 13.1.5
946081-4 3-Major BT946081 Getcrc tool help displays directory structure instead of version 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
932133-4 3-Major BT932133 Payloads with large number of elements in XML take a lot of time to process 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
926845-3 3-Major BT926845 Inactive ASM policies are deleted upon upgrade 13.1.5
920197-1 3-Major BT920197 Brute force mitigation can stop mitigating without a notification 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
871905-5 3-Major K02705117, BT871905 Incorrect masking of parameters in event log 13.1.5, 14.1.2.5, 15.0.1.4, 15.1.0.5
871881-3 3-Major BT871881 Apply Policy action is not synchronized after making bulk signature changes 13.1.5
867825-1 3-Major BT867825 Export/Import on a parent policy leaves children in an inconsistent state 13.1.5, 14.1.4.4, 15.1.4
857633-4 3-Major BT857633 Attack Type (SSRF) appears incorrectly in REST result 13.1.5, 14.1.4.5, 15.1.4.1
842013-5 3-Major BT842013 ASM Configuration is Lost on License Reactivation 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
818889-4 3-Major BT818889 False positive malformed json or xml violation. 13.1.5
785873-1 3-Major BT785873 ASM should treat 'Authorization: Negotiate TlR' as NTLM 13.1.5, 14.1.4.5
767057-3 3-Major BT767057 In a sync-only device group, inactive policy is synced to peer, ASM is removed from virtual server 13.1.5, 14.1.4.4
753715-3 3-Major BT753715 False positive JSON max array length violation 13.1.5, 14.1.4.4, 15.1.4.1
731168-2 3-Major BT731168 BIG-IP may attempt to write to an out of bounds memory location, causing the bd daemon to crash. 13.1.5, 14.1.4.5
712336-2 3-Major BT712336 bd daemon restart loop 12.1.5.3, 13.1.5, 14.1.4.4
1072197-4 3-Major   Issue with input normalization in WebSocket. 13.1.5
1067285-4 3-Major   Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' 13.1.5
1060933-4 3-Major   Issue with input normalization. 13.1.5
1051213-4 3-Major BT1051213 Increase default value for violation 'Check maximum number of headers'. 13.1.5
1051209-4 3-Major   BD may not process certain HTTP payloads as expected 13.1.5
1045101-1 3-Major   Bd may crash while processing ASM traffic 13.1.5, 15.1.5, 16.1.2.1
1043385-1 3-Major   No Signature detected If Authorization header is missing padding. 13.1.5
1042069-4 3-Major   Some signatures are not matched under specific conditions. 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2.1
1038733-1 3-Major   Attack signature not detected for unsupported authorization types. 13.1.5
1037457-4 3-Major   High CPU during specific dos mitigation 13.1.5
1031445 3-Major   Intermittent false positive unparseable request violations with unknown authorization 13.1.5
1030853-4 3-Major BT1030853 Route domain IP exception is being treated as trusted (for learning) after being deleted 13.1.5
1023993-1 3-Major   Brute Force is not blocking requests, even when auth failure happens multiple times 13.1.5
1022269-4 3-Major BT1022269 False positive RFC compliant violation 13.1.5, 14.1.4.4, 15.1.4, 16.1.2
1011069-5 3-Major   Group/User R/W permissions should be changed for .pid and .cfg files. 13.1.5
1004069-3 3-Major BT1004069 Brute force attack is detected too soon 13.1.5, 14.1.4.5, 15.1.5, 16.1.2
944441-4 4-Minor BT944441 BD_XML logs memory usage at TS_DEBUG level 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
941249-1 4-Minor BT941249 Improvement to getcrc tool to print cookie names when cookie attributes are involved 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
844045-1 4-Minor   ASM Response event logging for "Illegal response" violations. 13.1.5
1055453-1 4-Minor BT1055453 Blocking page trims the last digit of the Support ID. 13.1.5
1050697-1 4-Minor   Traffic learning page counts Disabled signatures when they are ready to be enforced 13.1.5
1038741-1 4-Minor BT1038741 NTLM type-1 message triggers "Unparsable request content" violation. 13.1.5
1036521-5 4-Minor BT1036521 TMM crash in certain cases 13.1.5
1034941-4 4-Minor BT1034941 Exporting and then re-importing "some" XML policy does not load the XML content-profile properly 13.1.5
1020717-1 4-Minor   Policy versions cleanup process sometimes removes newer versions 13.1.5


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
932137-3 3-Major BT932137 AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
926341-4 3-Major BT926341 RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade 13.1.5, 14.1.4.4, 15.1.4
922105-5 3-Major BT922105 Avrd core when connection to BIG-IQ data collection device is not available 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
909161-5 3-Major BT909161 A core file is generated upon avrd process restart or stop 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
832805-3 3-Major BT832805 AVR should make sure file permissions are correct (tmstat_tables.xml) 13.1.5, 14.1.4.5, 15.1.4.1
787677-1 3-Major BT787677 AVRD stays at 100% CPU constantly on some systems 13.1.5, 14.1.4.5, 15.1.4.1
1038913-1 3-Major   The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category 13.1.5
1035133-1 3-Major BT1035133 Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
948113-5 4-Minor BT948113 User-defined report scheduling fails 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
579219-1 2-Critical BT579219 Access keys missing from SessionDB after multi-blade reboot. 13.1.5, 14.1.2.8, 15.1.1
992073-5 3-Major   APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS 13.1.5
827393-4 3-Major BT827393 In rare cases tmm crash is observed when using APM as RDG proxy. 13.1.5, 14.1.4.5, 16.1.2.1
470346-4 3-Major BT470346 Some IPv6 client connections get RST when connecting to APM virtual 13.1.5, 14.1.4.3, 15.1.4
423519-1 3-Major   Bypass disabling the redirection controls configuration of APM RDP Resource. 13.1.5
1007629-3 3-Major BT1007629 APM policy configured with many ACL policies can create APM memory pressure 13.1.5, 14.1.4.4, 15.1.4.1
1002557-4 3-Major BT1002557 Tcl free object list growth 13.1.5, 14.1.4.4, 15.1.4.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1047053-4 2-Critical   TMM may consume excessive resources while processing RTSP traffic 13.1.5, 15.1.5
1012721-3 2-Critical BT1012721 Tmm may crash with SIP-ALG deployment in a particular race condition 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.1
996113-5 3-Major BT996113 SIP messages with unbalanced escaped quotes in headers are dropped 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
957905-4 3-Major BT957905 SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP. 13.1.5
805821-5 3-Major BT805821 GTP log message contains no useful information 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
1078721-3 3-Major   TMM may consume excessive resources while processing ICAP traffic 13.1.5
919301-5 4-Minor BT919301 GTP::ie count does not work with -message option 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
913413-5 4-Minor BT913413 'GTP::header extension count' iRule command returns 0 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
913409-5 4-Minor BT913409 GTP::header extension command may abort connection due to unreasonable TCL error 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
913393-5 5-Cosmetic BT913393 Tmsh help page for GTP iRule contains incorrect and missing information 13.1.5, 14.1.4.4, 15.1.4, 16.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1049229-4 2-Critical BT1049229 When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
756595-2 1-Blocking BT756595 Traffic redirection to an internal virtual server may fail. 13.1.5
946325-4 3-Major   PEM subscriber GUI hardening 13.1.5


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
975593-1 3-Major   TMM may crash while processing IPSec traffic 13.1.5, 14.1.4.5


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
873617-4 3-Major BT873617 DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. 13.1.5


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1023437-5 3-Major   Buffer overflow during attack with large HTTP Headers 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
1060409-1 4-Minor   Behavioral DoS enable checkbox is wrong. 13.1.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
686783-4 4-Minor BT686783 UrlCat custom database feed list does not work when the URL contains a www prefix or capital letters. 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
965853-5 3-Major   IM package file hardening 13.1.5


Guided Configuration Fixes

ID Number Severity Links to More Info Description Fixed Versions
982757-7 3-Major   APM Access Guided Configuration hardening 13.1.5


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
944121-2 3-Major BT944121 Missing SNI information when using non-default domain https monitor running in TMM mode. 13.1.5



Cumulative fixes from BIG-IP v13.1.4.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
989009-5 CVE-2021-23033 K05314769, BT989009 BD daemon may crash while processing WebSocket traffic 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
980125-5 CVE-2021-23030 K42051445, BT980125 BD Daemon may crash while processing WebSocket traffic 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
935433-5 CVE-2021-23026 K53854428, BT935433 iControl SOAP 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
794561-4 CVE-2020-5874 K46901953, BT794561 TMM may crash while processing JWT/OpenID traffic. 13.1.4.1, 14.0.1.1, 14.1.2.5, 15.0.1.3
968349-4 CVE-2021-23048 K19012930, BT968349 TMM crashes with unspecified message 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
965485-1 CVE-2019-5482 K41523201 CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
950017-4 CVE-2021-23045 K94941221, BT950017 TMM may crash while processing SCTP traffic 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
949889-1 CVE-2019-3900 K04107324, BT949889 CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
942701-4 CVE-2021-23044 K35408374, BT942701 TMM may consume excessive resources while processing HTTP traffic 13.1.4.1, 14.1.4.2, 15.1.3.1
937365-5 CVE-2021-23041 K42526507, BT937365 LTM UI does not follow best practices 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
907245-4 CVE-2021-23040 K94255403, BT907245 AFM UI Hardening 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
906377-5 CVE-2021-23038 K61643620, BT906377 iRulesLX hardening 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2
842829-5 CVE-2018-16300 CVE-2018-14881 CVE-2018-14882 CVE-2018-16230 CVE-2018-16229 CVE-2018-16227 CVE-2019-15166 CVE-2018-16228 CVE-2018-16451 CVE-2018-16452 CVE-2018-10103 CVE-2018-10105 CVE-2018-14468 K04367730, BT842829 Multiple tcpdump vulnerabilities 13.1.4.1, 14.1.3.1, 15.1.3
803933-4 CVE-2018-20843 K51011533, BT803933 Expat XML parser vulnerability CVE-2018-20843 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
797769-3 CVE-2019-11599 K51674118 Linux vulnerability : CVE-2019-11599 13.1.4.1, 15.1.4, 16.0.1.2
968733-4 CVE-2018-1120 K42202505, BT968733 CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
995629-1 2-Critical BT995629 Loading UCS files may hang if ASM is provisioned 13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2
990849-4 2-Critical BT990849 Loading UCS with platform-migrate option hangs and requires exiting from the command 13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2
967905-1 2-Critical BT967905 Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
1000973-1 2-Critical BT1000973 Unanticipated restart of TMM due to heartbeat failure 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
994801-5 3-Major   SCP file transfer system 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
756820-1 3-Major BT756820 Non-UTF8 characters returned from /bin/createmanifest 13.1.4.1
713708 3-Major BT713708 Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI 13.1.4.1
819053-4 4-Minor   CVE-2019-13232 unzip: overlapping of files in ZIP container 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
1004417-2 4-Minor BT1004417 Provisioning error message during boot up 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
754143-2 2-Critical K45456231, BT754143 TCP connection may hang after FIN 13.1.4.1, 14.1.0.2
760050-4 3-Major BT760050 "cwnd too low" warning message seen in logs 13.1.4.1, 14.1.2.7, 15.1.4
752530-3 3-Major BT752530 TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput. 13.1.4.1, 14.1.2.7
752334-3 3-Major BT752334 Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation 13.1.4.1, 14.1.2.7
962433-2 4-Minor BT962433 HTTP::retry for a HEAD request fails to create new connection 13.1.4.1, 14.1.4.3, 15.1.4
962177-4 4-Minor BT962177 Results of POLICY::names and POLICY::rules commands may be incorrect 13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2
830833-3 4-Minor BT830833 HTTP PSM blocking resets should have better log messages 13.1.4.1, 14.1.2.5, 15.0.1.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
918597-1 2-Critical BT918597 Under certain conditions, deleting a topology record can result in a crash. 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
973261-5 3-Major BT973261 GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
912001-1 3-Major BT912001 TMM cores on secondary blades of the Chassis system. 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
863917-4 3-Major BT863917 The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval. 13.1.4.1, 14.1.4.5, 15.1.3, 16.0.1.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
996381-5 2-Critical K41503304, BT996381 ASM attack signature may not match as expected 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
968421-5 2-Critical K30291321, BT968421 ASM attack signature doesn't match 11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2
943913-5 2-Critical K30150004, BT943913 ASM attack signature does not match 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2
1017645-4 2-Critical BT1017645 False positive HTTP compliance violation 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
955017-5 3-Major BT955017 Excessive CPU consumption by asm_config_event_handler 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2
950917-3 3-Major BT950917 Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 13.1.4.1, 14.1.4.2, 15.1.4
928685-4 3-Major K49549213, BT928685 ASM Brute Force mitigation not triggered as expected 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
907337-5 3-Major BT907337 BD crash on specific scenario 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
888289-4 3-Major BT888289 Add option to skip percent characters during normalization 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1
830341-4 3-Major BT830341 False positives Mismatched message key on ASM TS cookie 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2.1
792341-4 3-Major BT792341 Google Analytics shows incorrect stats. 13.1.4.1, 14.1.4.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
932485-1 3-Major BT932485 Incorrect sum(hits_count) value in aggregate tables 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
913085-5 3-Major BT913085 Avrd core when avrd process is stopped or restarted 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
889497-1 2-Critical BT889497 Deleting a log profile results in urldb and urldbmgrd CPU utilization increase to over 90% usage 13.1.4.1
866109-4 3-Major BT866109 JWK keys frequency does not support fewer than 60 minutes 13.1.4.1, 14.1.4.2, 15.1.4
673748-2 3-Major K19534801, BT673748 ng_export, ng_import might leave security.configpassword in invalid state 12.1.3.2, 13.1.4.1
747234-4 4-Minor BT747234 Macro policy does not find corresponding access-profile directly 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
685888-1 4-Minor BT685888 OAuth client stores incorrectly escaped JSON values in session variables 13.1.4.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
868781-3 2-Critical BT868781 TMM crashes while processing MRF traffic 13.1.4.1, 14.1.4.2, 15.1.1


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
948573-3 3-Major BT948573 Wr_urldbd list of valid TLDs needs to be updated 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2



Cumulative fixes from BIG-IP v13.1.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
980809-4 CVE-2021-23031 K41351250, BT980809 ASM REST Signature Rule Keywords Tool Hardening 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
962341-3 CVE-2021-23028 K00602225, BT962341 BD crash while processing JSON content 13.1.4, 14.1.4.2, 15.1.3.1, 16.0.1.2
882633-5 CVE-2021-23008 K51213246, BT882633 Active Directory authentication does not follow current best practices 12.1.6, 13.1.4, 14.1.4, 15.1.3
754855-4 CVE-2020-27714 K60344652, BT754855 TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile 13.1.4, 14.1.3.1, 15.1.1
990333-3 CVE-2021-23016 K75540265, BT990333 APM may return unexpected content when processing HTTP requests 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
945109-5 CVE-2015-9382 K46641512, BT945109 Freetype Parser Skip Token Vulnerability CVE-2015-9382 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
938233-4 CVE-2021-23042 K93231374 An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
932697-1 CVE-2021-23000 K34441555, BT932697 BIG-IP TMM vulnerability CVE-2021-23000 12.1.5.3, 13.1.4, 14.1.4
877109-5 CVE-2021-23012 K04234247 Unspecified input can break intended functionality in iHealth proxy 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
718189-2 CVE-2021-23011 K10751325, BT718189 Unspecified IP traffic can cause low-memory conditions 11.6.5.3, 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
1003557-5 CVE-2021-23015 K74151369, BT1003557 Not following best practices in Guided Configuration Bundle Install worker 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2
1002561-4 CVE-2021-23007 K37451543, BT1002561 TMM vulnerability CVE-2021-23007 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
838909-6 CVE-2020-5893 K97733133, BT838909 BIG-IP APM Edge Client vulnerability CVE-2020-5893 11.6.5.2, 12.1.5.2, 13.1.4, 14.1.2.4, 15.1.0.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
912289-4 2-Critical BT912289 Cannot roll back after upgrading on certain platforms 12.1.6, 13.1.4, 14.1.4, 15.1.1
933777-3 3-Major BT933777 Context use and syntax changes clarification 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
913829-2 3-Major BT913829 i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
794417-2 3-Major BT794417 Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
719338-4 4-Minor BT719338 Concurrent management SSH connections are unlimited 13.1.4, 14.1.4, 15.1.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
915305-2 2-Critical BT915305 Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1
888341-3 2-Critical BT888341 HA Group failover may fail to complete Active/Standby state transition 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
886693-1 2-Critical BT886693 System might become unresponsive after upgrading. 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
785017-4 2-Critical BT785017 Secondary blades go offline after new primary is elected 13.1.4, 14.1.4, 15.1.3
743975-2 2-Critical BT743975 TMM crash (SIGFPE) when starting on a vCMP guest 12.1.6, 13.1.4
967745-4 3-Major BT967745 Last resort pool error for the modify command for Wide IP 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1
922297-4 3-Major BT922297 TMM does not start when using more than 11 interfaces with more than 11 vCPUs 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
838901-1 3-Major BT838901 TMM receives invalid rx descriptor from HSB hardware 13.1.4, 14.1.4, 15.1.2
829821-4 3-Major BT829821 Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
829317-1 3-Major BT829317 Memory leak in icrd_child due to concurrent REST usage 13.1.4, 14.1.3, 14.1.3.1, 15.1.0.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
922317-1 2-Critical BT922317 Using the LSN::persistence_entry command in an iRule may cause crashes and/or stalled connections 12.1.6, 13.1.4
920265 2-Critical BT920265 TMM may crash if a virtual server undergoes a series of specific configuration changes involving the transparent-nexthop option. 13.1.4
876801-1 2-Critical BT876801 Tmm crash: invalid route type 13.1.4, 14.1.4, 15.1.2
953845-5 3-Major BT953845 After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
926929-1 3-Major BT926929 RFC Compliance Enforcement lacks configuration availability 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.2
919049 3-Major BT919049 Guest fails to come up when vCMP guest and host both run BIG-IP v13.1.3.3, assigning FIPS partition 13.1.4
889601-5 3-Major K14903688, BT889601 OCSP revocation not properly checked 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
888517-4 3-Major BT888517 Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU. 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
858701-4 3-Major BT858701 Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
825689-5 3-Major   Enhance FIPS crypto-user storage 12.1.6, 13.1.4, 14.1.4, 15.1.1
809597-1 3-Major BT809597 Memory leak in icrd_child observed during REST usage 13.1.4, 14.1.3, 15.1.0.2
784565-4 3-Major BT784565 VLAN groups are incompatible with fast-forwarded flows 11.6.5.3, 12.1.5.2, 13.1.4, 15.0.1.1
763093-1 3-Major BT763093 LRO packets are not taken into account for ifc_stats (VLAN stats) 13.1.4
773253-2 4-Minor BT773253 The BIG-IP may send VLAN failsafe probes from a disabled blade 13.1.4, 14.1.4.2, 15.1.2.1
724746-1 4-Minor BT724746 Incorrect RST message after 'reject' command 13.1.4
693901-4 4-Minor BT693901 Active FTP data connection may change source port on client-side 11.6.5.3, 12.1.6, 13.1.4


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
858973-4 3-Major BT858973 DNS request matches less specific WideIP when adding new wildcard wideips 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
712335-1 4-Minor BT712335 GTMD may intermittently crash under unusual conditions. 12.1.6, 13.1.4, 14.1.2.7


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
941621-4 3-Major K91414704, BT941621 Brute Force breaks server's Post-Redirect-Get flow 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
929001-5 3-Major K48321015, BT929001 ASM form handling improvements 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
846057-1 3-Major BT846057 UCS backup archive may include unnecessary files 13.1.4, 14.1.4, 15.1.3
673272-5 3-Major BT673272 Search by "Signature ID is" does not return results for some signature IDs 13.1.4, 14.1.4.2, 15.1.4, 16.0.1.2
824093-1 4-Minor BT824093 Parameters payload parser issue 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
981385-5 3-Major BT981385 AVRD does not send HTTP events to BIG-IQ DCD 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2
949593-1 3-Major BT949593 Unable to load config if AVR widgets were created under '[All]' partition 13.1.4, 14.1.4, 15.1.3, 16.0.1.2


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
628645 3-Major BT628645 Classification signatures fail to update and there are no errors in the GUI 13.1.4



Cumulative fixes from BIG-IP v13.1.3.6 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
975233-4 CVE-2021-22992 K52510511, BT975233 Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
973333-2 CVE-2021-22991 K56715231, BT973333 TMM buffer-overflow vulnerability CVE-2021-22991 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
955145-4 CVE-2021-22986 K03009991, BT955145 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
954381-4 CVE-2021-22986 K03009991, BT954381 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
953677-4 CVE-2021-22987, CVE-2021-22988 K18132488 K70031188, BT953677 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
950077-4 CVE-2021-22987, CVE-2021-22988 K18132488 K70031188, BT950077 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
981169-4 CVE-2021-22994 K66851119, BT981169 F5 TMUI XSS vulnerability CVE-2021-22994 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
959121-1 CVE-2021-23015 K74151369, BT959121 Not following best practices in Guided Configuration Bundle Install worker 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
953729-4 CVE-2021-22989, CVE-2021-22990 K56142644 K45056101, BT953729 Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
949933-3 CVE-2021-22980 K29282483, BT949933 BIG-IP APM CTU vulnerability CVE-2021-22980 13.1.3.6, 14.1.4, 15.1.4, 16.0.1.1
941449-5 CVE-2021-22993 K55237223, BT941449 BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
931837-3 CVE-2020-13817 K55376430, BT931837 NTP has predictable timestamps 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
931513-4 CVE-2021-22977 K14693346, BT931513 TMM vulnerability CVE-2021-22977 13.1.3.6, 14.1.3.1, 15.1.1, 16.0.1.1
921337-1 CVE-2021-22976 K88230177, BT921337 BIG-IP ASM WebSocket vulnerability CVE-2021-22976 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
916821-5 CVE-2021-22974 K68652018, BT916821 iControl REST vulnerability CVE-2021-22974 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
834257-5 CVE-2020-5931 K25400442, BT834257 TMM may crash when processing HTTP traffic 13.1.3.6, 14.1.2.5, 15.1.1
976925-4 CVE-2021-23002 K71891773, BT976925 BIG-IP APM VPN vulnerability CVE-2021-23002 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
948769-3 CVE-2021-23013 K05300051, BT948769 TMM panic with SCTP traffic 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
939845-4 CVE-2021-23004 K31025212, BT939845 BIG-IP MPTCP vulnerability CVE-2021-23004 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
939841-4 CVE-2021-23003 K43470422, BT939841 BIG-IP MPTCP vulnerability CVE-2021-23003 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
937637-5 CVE-2021-23002 K71891773, BT937637 BIG-IP APM VPN vulnerability CVE-2021-23002 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
935401-5 CVE-2021-23001 K06440657, BT935401 BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
832757-4 CVE-2017-18551 K48073202, BT832757 Linux kernel vulnerability CVE-2017-18551 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.3
743105-6 CVE-2021-22998 K31934524, BT743105 BIG-IP SNAT vulnerability CVE-2021-22998 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
693360-5 CVE-2020-27721 K52035247, BT693360 A virtual server status changes to yellow while still available 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1
825413-1 CVE-2021-23053 K36942191, BT825413 ASM may consume excessive resources when matching signatures 13.1.3.6, 14.1.3.1, 15.1.3


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
742860 3-Major BT742860 VE: Predictable NIC ordering based on PCI coordinates until ordering is saved. 13.1.3.6, 14.1.4


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
940021-1 2-Critical BT940021 Syslog-ng hang may lead to unexpected reboot 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
769169-1 2-Critical BT769169 BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring 13.1.3.6, 14.0.0.5, 14.1.2.5
737322-4 2-Critical BT737322 tmm may crash at startup if the configuration load fails 12.1.5.3, 13.1.3.6
703039-2 2-Critical BT703039 Empty results on /tm/sys/config-diff/stats 13.1.3.6, 14.0.0
930741-4 3-Major BT930741 Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot 13.1.3.6, 14.1.3.1, 15.1.2
927941-2 3-Major BT927941 IPv6 static route BFD does not come up after OAMD restart 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
913433-4 3-Major BT913433 On blade failure, some trunked egress traffic is dropped. 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
896553-4 3-Major BT896553 On blade failure, some trunked egress traffic is dropped. 13.1.3.6, 14.1.4, 15.1.3
867181-4 3-Major BT867181 ixlv: double tagging is not working 13.1.3.6, 14.1.3.1, 15.1.2
865241-4 3-Major BT865241 Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0" 13.1.3.6, 14.1.3.1, 15.1.2
843597-4 3-Major BT843597 Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle 13.1.3.6, 14.1.3.1, 15.1.2
842189-3 3-Major BT842189 Tunnels removed when going offline are not restored when going back online 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.2.1
829193-5 3-Major BT829193 REST system unavailable due to disk corruption 13.1.3.6, 14.1.3.1, 15.1.0.4
820845-1 3-Major BT820845 Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use. 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
759596-3 3-Major BT759596 Tcl errors in iRules 'table' command 12.1.5.3, 13.1.3.6, 14.1.4
754132-3 3-Major BT754132 A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command 13.1.3.6, 14.1.4
749007-3 3-Major BT749007 South Sudan, Sint Maarten, and Curacao country missing in GTM region list 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
744252-3 3-Major BT744252 BGP route map community value: either component cannot be set to 65535 13.1.3.6, 14.1.4
933461-2 4-Minor BT933461 BGP multi-path candidate selection does not work properly in all cases. 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
892677-3 4-Minor BT892677 Loading config file with imish adds the newline character 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
800193 4-Minor BT800193 Update OpenSSH to version 7 or later for disabling of DSA keys 13.1.3.6


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
726518-4 2-Critical BT726518 Tmsh show command terminated with CTRL-C can cause TMM to crash. 13.1.3.6, 14.1.2.8, 15.1.2
705768-5 2-Critical BT705768 The dynconfd process may core and restart with multiple DNS name servers configured 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2
949145-3 3-Major BT949145 Improve TCP's response to partial ACKs during loss recovery 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
879413-4 3-Major BT879413 Statsd fails to start if one or more of its *.info files becomes corrupted 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
860005-4 3-Major BT860005 Ephemeral nodes/pool members may be created for wrong FQDN name 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2
857845-5 3-Major BT857845 TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule 13.1.3.6, 14.1.3.1, 15.1.2
851045-4 3-Major BT851045 LTM database monitor may hang when monitored DB server goes down 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.1
814761-3 3-Major BT814761 PostgreSQL monitor fails on second ping with count != 1 12.1.5.3, 13.1.3.6, 14.1.2.3, 15.0.1.3
805017-3 3-Major BT805017 DB monitor marks pool member down if no send/recv strings are configured 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.3
803233-4 3-Major BT803233 Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1
772545-1 3-Major BT772545 Tmm core in SSLO environment 13.1.3.6, 14.1.2.3, 15.0.1.1
759056-1 3-Major BT759056 stpd memory leak on secondary blades in a multi-blade system 13.1.3.6, 14.1.3.1
747077-1 3-Major BT747077 Potential crash in TMM when updating pool members 13.1.3.6
745682-2 3-Major BT745682 Failed to parse X-Forwarded-For header in HTTP requests 13.1.3.6, 14.1.3.1
722707-4 3-Major BT722707 mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall 12.1.5.3, 13.1.3.6, 14.1.3.1
720440-1 3-Major BT720440 Radius monitor marks pool members down after 6 seconds 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.0.5
714642-1 3-Major BT714642 Ephemeral pool-member state on the standby is down 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1
705387 3-Major BT705387 HTTP/2, ALPN and SSL 13.1.3.6
686062-1 3-Major BT686062 The dynconfd daemon uses UDP ports inefficiently 13.1.3.6
608952-4 3-Major BT608952 MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.5
824365-1 4-Minor BT824365 Need informative messages for HTTP iRule runtime validation errors 13.1.3.6, 14.1.2.3, 15.0.1.1, 15.1.0.2
822025-4 4-Minor BT822025 HTTP response not forwarded to client during an early response 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.4, 15.1.0.2
808409-1 4-Minor BT808409 Unable to specify if giaddr will be modified in DHCP relay chain 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
801705-2 4-Minor BT801705 When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC 13.1.3.6, 14.1.3.1
738032-2 4-Minor BT738032 BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed. 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
859717-4 5-Cosmetic BT859717 ICMP-limit-related warning messages in /var/log/ltm 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
918169-3 2-Critical BT918169 The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown. 13.1.3.6, 14.1.2.7, 15.1.2, 16.0.1.1
921625-5 3-Major BT921625 The certs extend function does not work for GTM/DNS sync group 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
921549-7 3-Major BT921549 The gtmd process does not receive updates from local big3d. 13.1.3.6
852101-4 3-Major BT852101 Monitor fails. 13.1.3.6, 14.1.3.1, 15.1.2
853585-5 4-Minor BT853585 REST Wide IP object presents an inconsistent lastResortPool value 12.1.6, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
940249-4 2-Critical BT940249 Sensitive data is not masked after "Maximum Array/Object Elements" is reached 11.6.5.3, 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
927617-4 2-Critical BT927617 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
940897-4 3-Major BT940897 Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
918933-4 3-Major K88162221, BT918933 The BIG-IP ASM system may not properly perform signature checks on cookies 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.2.8, 15.1.2, 16.0.1.1
904053-5 3-Major BT904053 Unable to set ASM Main Cookie/Domain Cookie hashing to Never 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1
742549-1 3-Major BT742549 Cannot create non-ASCII entities in non-UTF ASM policy using REST 13.1.3.6, 14.1.2.7, 15.1.0.5
767941-2 4-Minor BT767941 Gracefully handle policy builder errors 13.1.3.6, 14.1.4


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
743826-3 3-Major BT743826 Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0) 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
727031-1 1-Blocking BT727031 TMM restart in B2250 vCMP systems, and ping/monitor failures in non-B2250 vCMP systems. 12.1.5.3, 13.1.3.6
896709-1 2-Critical BT896709 Add support for Restart Desktop for webtop in VMware VDI 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
976501-4 3-Major BT976501 Failed to establish VPN connection 13.1.3.6, 14.1.4, 15.1.3
924929 3-Major BT924929 Logging improvements for VDI plugin 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
914649-1 3-Major BT914649 Support USB redirection through VVC (VMware virtual channel) with BlastX 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
760629-2 3-Major BT760629 Remove Obsolete APM keys in BigDB 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
739570-2 3-Major BT739570 Unable to install EPSEC package 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
554228-7 3-Major BT554228 OneConnect does not work when WEBSSO is enabled/configured. 11.6.1, 13.1.3.6


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
939529-4 3-Major BT939529 Branch parameter not parsed properly when topmost via header received with comma separated values 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
755854-1 3-Major BT755854 TMM crash due to missing classification category 13.1.3.6


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
927993-5 1-Blocking K97501254, BT927993 Built-in SSL Orchestrator RPM installation failure 12.1.5.3, 13.1.3.6, 14.1.3, 14.1.4, 15.1.2, 16.0.1.1



Cumulative fixes from BIG-IP v13.1.3.5 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
943125-4 CVE-2021-23010 K18570111, BT943125 ASM bd may crash while processing WebSocket traffic 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
935721-3 CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 K82252291, BT935721 ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.0.1
933741-5 CVE-2021-22979 K63497634, BT933741 BIG-IP FPS XSS vulnerability CVE-2021-22979 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
933297 CVE-2020-5949 K20984059, BT933297 FTP virtual server passive data channels do not pass traffic 13.1.3.5
932065-4 CVE-2021-22978 K87502622, BT932065 iControl REST vulnerability CVE-2021-22978 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
917509-1 CVE-2020-27718 K58102101, BT917509 BIG-IP ASM vulnerability CVE-2020-27718 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
912221-3 CVE-2020-12662, CVE-2020-12663 K37661551, BT912221 CVE-2020-12662 & CVE-2020-12663 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5
911761-5 CVE-2020-5948 K42696541, BT911761 F5 TMUI XSS vulnerability CVE-2020-5948 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
908673-2 CVE-2020-27717 K43850230, BT908673 TMM may crash while processing DNS traffic 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
891457-5 CVE-2020-5939 K75111593, BT891457 NIC driver may fail while transmitting data 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.4, 16.0.1
882189-4 CVE-2020-5897 K20346072, BT882189 BIG-IP Edge Client for Windows vulnerability CVE-2020-5897 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
882185-4 CVE-2020-5897 K20346072, BT882185 BIG-IP Edge Client Windows ActiveX 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
881317-3 CVE-2020-5896 K15478554, BT881317 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
881293-4 CVE-2020-5896 K15478554, BT881293 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
879745-5 CVE-2020-5942 K82530456 TMM may crash while processing Diameter traffic 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
879025-6 CVE-2020-5913 K72752002, BT879025 When processing TLS traffic, LTM may not enforce certificate chain restrictions 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.0.2
846917-5 CVE-2019-10744 K47105354, BT846917 lodash Vulnerability: CVE-2019-10744 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.3, 15.1.0.2
839453-2 CVE-2019-10744 K47105354, BT839453 lodash library vulnerability CVE-2019-10744 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.1.1
788057-1 CVE-2020-5921 K00103216, BT788057 MCPD may crash while processing syncookies 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
946581 CVE-2020-27713 K37960100, BT946581 TMM vulnerability CVE-2020-27713 13.1.3.5, 14.1.4
928037-4 CVE-2020-27729 K15310332, BT928037 APM Hardening 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
917005-3 CVE-2020-8619 K19807532 ISC BIND Vulnerability: CVE-2020-8619 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1
912969-5 CVE-2020-27727 K50343630, BT912969 iAppsLX REST vulnerability CVE-2020-27727 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
909837-3 CVE-2020-5950 K05204103, BT909837 TMM may consume excessive resources when AFM is provisioned 13.1.3.5, 14.1.2.7, 15.1.0.5
905125-4 CVE-2020-27726 K30343902, BT905125 Security hardening for APM Webtop 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
904937-5 CVE-2020-27725 K25595031, BT904937 Excessive resource consumption in zxfrd 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1
898949-4 CVE-2020-27724 K04518313, BT898949 APM may consume excessive resources while processing VPN traffic 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1
889557-3 CVE-2019-11358 K20455158, BT889557 jQuery Vulnerability CVE-2019-11358 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
881445-4 CVE-2020-5898 K69154630, BT881445 BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
880361-4 CVE-2021-22973 K13323323, BT880361 iRules LX vulnerability CVE-2021-22973 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
856961-4 CVE-2018-12207 K17269881, BT856961 INTEL-SA-00201 MCE vulnerability CVE-2018-12207 13.1.3.5, 14.1.2.8, 15.0.1.4, 15.1.0.5
848405-1 CVE-2020-5933 K26244025, BT848405 TMM may consume excessive resources while processing compressed HTTP traffic 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.1
842717-3 CVE-2020-5855 K55102004, BT842717 BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
831777-2 CVE-2020-27723 K42933418, BT831777 Tmm crash in Ping access use case 13.1.3.5, 14.1.3.1
816413-4 CVE-2019-1125 K31085564, BT816413 CVE-2019-1125: Spectre SWAPGS Gadget 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
811965-3 CVE-2020-27722 K73657294, BT811965 Some VDI use cases can cause excessive resource consumption 13.1.3.5, 14.1.3.1, 15.0.1.4
778049-6 CVE-2018-13405 K00854051, BT778049 Linux Kernel Vulnerability: CVE-2018-13405 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1
751036-3 CVE-2020-27721 K52035247, BT751036 Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8
888493-5 CVE-2020-5928 K40843345, BT888493 ASM GUI Hardening 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
852929-2 CVE-2020-5920 K25160703, BT852929 AFM WebUI Hardening 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1
818213-6 CVE-2019-10639 K32804955, BT818213 CVE-2019-10639: KASLR bypass using connectionless protocols 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
818177-1 CVE-2019-12295 K06725231, BT818177 CVE-2019-12295 Wireshark Vulnerability 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1
773693-3 CVE-2020-5892 K15838353, BT773693 CVE-2020-5892: APM Client Vulnerability 11.6.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
682352-2 CVE-2017-3735 K21462542 OpenSSL vulnerability CVE-2017-3735 13.1.3.5
834533-4 CVE-2019-15916 K57418558, BT834533 Linux kernel vulnerability CVE-2019-15916 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
890229-4 3-Major BT890229 Source port preserve setting is not honored 13.1.3.5, 14.1.2.8, 15.1.1
738330-1 3-Major BT738330 /mgmt/toc endpoint issue after configuring remote authentication 13.1.3.5, 14.1.2.5, 15.0.1.4
657912-3 3-Major BT657912 PIM can be configured to use a floating self IP address 12.1.5.3, 13.1.3.5
745465-3 4-Minor BT745465 The tcpdump file does not provide the correct extension 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
749738-2 1-Blocking BT749738 After upgrade to 13.1.3.3 or 13.1.3.4, B2250 blades may fail to detect HSB and have restarting chmand 13.1.3.5, 14.1.2.2
910201-5 2-Critical BT910201 OSPF - SPF/IA calculation scheduling might get stuck infinitely 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
896217-5 2-Critical BT896217 BIG-IP GUI unresponsive 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
860517-4 2-Critical BT860517 MCPD may crash on startup with many thousands of monitors on a system with many CPUs. 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1
829677-4 2-Critical BT829677 .tmp files in /var/config/rest/ may cause /var directory exhaustion 13.1.3.5, 14.1.2.7, 15.1.2, 16.0.1.1
812237-3 2-Critical BT812237 i10000 series appliances with HDVC part number 505-0030 missing name in show sys hardware and on LCD 12.1.6, 13.1.3.5
810593-4 2-Critical K10963690, BT810593 Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade 13.1.3.5, 14.1.2.7
796601-6 2-Critical BT796601 Invalid parameter in errdefsd while processing hostname db_variable 13.1.3.5, 14.1.3.1, 15.1.2
770989-1 2-Critical BT770989 Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x. 13.1.3.5, 14.1.3.1
769817 2-Critical BT769817 BFD fails to propagate sessions state change during blade restart 11.6.5.1, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.4
769581 2-Critical BT769581 Timeout when sending many large iControl Rest requests 13.1.3.5, 14.0.0.5, 14.1.2.7
706521-5 2-Critical K21404407, BT706521 The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
649205-1 2-Critical BT649205 Failure of mcpd during setup of HA communication 13.1.3.5
924493-5 3-Major BT924493 VMware EULA has been updated 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
915825-5 3-Major BT915825 Configuration error caused by Drafts folder in a deleted custom partition while upgrading. 13.1.3.5, 14.1.3.1, 15.1.1
908021-3 3-Major BT908021 Management and VLAN MAC addresses are identical 13.1.3.5, 14.1.3.1, 15.1.3
898705-2 3-Major BT898705 IPv6 static BFD configuration is truncated or missing 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
888497-5 3-Major BT888497 Cacheable HTTP Response 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1
887089-5 3-Major BT887089 Upgrade can fail when filenames contain spaces 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5
871657-3 3-Major BT871657 Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
867013-5 3-Major BT867013 Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout 13.1.3.5, 14.1.2.7, 15.1.1
858197-4 3-Major BT858197 Merged crash when memory exhausted 13.1.3.5, 14.1.2.8, 15.1.2, 16.0.1.1
846441-4 3-Major BT846441 Flow-control is reset to default for secondary blade's interface 13.1.3.5, 14.1.3.1, 15.1.2
846137-5 3-Major BT846137 The icrd returns incorrect route names in some cases 13.1.3.5, 14.1.3.1, 15.1.2
814585-5 3-Major BT814585 PPTP profile option not available when creating or modifying virtual servers in GUI 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1
810821-4 3-Major BT810821 Management interface flaps after rebooting the device. 13.1.3.5, 14.1.2.7, 15.1.2
810381-1 3-Major BT810381 The SNMP max message size check is being incorrectly applied. 13.1.3.5, 14.1.2.8, 15.1.0.4
808281 3-Major BT808281 OVA/Azure template sets '/var' partition with not enough space 13.1.3.5
802685-4 3-Major BT802685 Unable to configure performance HTTP virtual server via GUI 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
802281-4 3-Major BT802281 Gossip shows active even when devices are missing 13.1.3.5, 14.1.2.5, 15.1.0.2
797829-3 3-Major BT797829 The BIG-IP system may fail to deploy new or reconfigure existing iApps 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1
795649-2 3-Major BT795649 Loading UCS from one iSeries model to another causes FPGA to fail to load 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.0.3
788577 3-Major BT788577 BFD sessions may be reset after CMP state change 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
783113 3-Major BT783113 BGP sessions remain down upon new primary slot election 11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.1
767737-3 3-Major BT767737 Timing issues during startup may make an HA peer stay in the inoperative state 13.1.3.5, 14.1.3.1, 15.1.2.1
755197-1 3-Major BT755197 UCS creation might fail during frequent config save transactions 13.1.3.5, 14.1.3.1, 15.1.2
754971-1 3-Major BT754971 OSPF inter-process redistribution might break OSPF route redistribution of various types. 13.1.3.5, 14.1.3.1
751021-3 3-Major BT751021 One or more TMM instances may be left without dynamic routes. 13.1.3.5, 14.1.4
750194-2 3-Major   Moderate: net-snmp security update 13.1.3.5, 14.1.4
746704-1 3-Major BT746704 Syslog-ng Memory Leak 13.1.3.5, 14.1.2.8
745261-1 3-Major BT745261 The TMM process may crash in some tunnel cases 12.1.5.3, 13.1.3.5, 14.1.2.8
740589-3 3-Major BT740589 Mcpd crash with core after 'tmsh edit /sys syslog all-properties' 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
737098-3 3-Major BT737098 ASM Sync does not work when the configsync IP address is an IPv6 address 13.1.3.5, 14.1.3.1, 15.1.2
725985-1 3-Major BT725985 REST API takes more than 20 seconds when 1000+ virtual servers with SNAT-Pool configured 13.1.3.5
720569-1 3-Major BT720569 Disaggregation algorithm distributing traffic unequally across CPU cores on Virtual Edition 12.1.5.3, 13.1.3.5
707320-2 3-Major BT707320 Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs 13.1.3.5, 14.0.0
705655-2 3-Major BT705655 Virtual address not responding to ICMP when ICMP Echo set to Selective 13.1.3.5
699091-2 3-Major BT699091 SELinux denies console access for remote users. 12.1.5.3, 13.1.3.5
658716-1 3-Major BT658716 Failure of mcpd when closing out CMI connection 13.1.3.5
658715-1 3-Major BT658715 Mcpd crash 13.1.3.5
615934-3 3-Major BT615934 Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. 13.1.3.5, 14.1.4, 15.1.3
605675-2 3-Major BT605675 Sync requests can be generated faster than they can be handled 11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.2
489572-3 3-Major K60934489, BT489572 Sync fails if file object is created and deleted before sync to peer BIG-IP 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
431503-6 3-Major K14838, BT431503 TMSH crashes in rare initial tunnel configurations 13.1.3.5, 14.1.2.8, 15.1.1
902417-5 4-Minor BT902417 Configuration error caused by Drafts folder in a deleted custom partition 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1.1
890277-1 4-Minor BT890277 Full config sync to a device group operation takes a long time when there are a large number of partitions. 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
864757-1 4-Minor BT864757 Traps that were disabled are enabled after configuration save 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
831293-2 4-Minor BT831293 SNMP address-related GET requests slow to respond. 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.2
804309-3 4-Minor BT804309 [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument 13.1.3.5, 14.1.2.7, 15.1.0.5
801637-1 4-Minor BT801637 Cmp_dest on C2200 platform may give incorrect results 12.1.5.3, 13.1.3.5
779857-4 4-Minor BT779857 Misleading GUI error when installing a new version in another partition 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
692165-1 4-Minor BT692165 A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token 12.1.5, 13.1.3.5
591732-3 4-Minor BT591732 Local password policy not enforced when auth source is set to a remote type. 12.1.5.1, 13.1.3.5, 14.1.3.1, 15.0.1.4
583084-10 4-Minor K15101680, BT583084 iControl produces 404 error while creating records successfully 13.1.3.5, 14.1.3.1, 15.1.2
714176-4 5-Cosmetic BT714176 UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
941089-4 2-Critical BT941089 TMM core when using Multipath TCP 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2
851857-4 2-Critical BT851857 HTTP 100 Continue handling does not work when it arrives in multiple packets 13.1.3.5, 14.1.3.1, 15.1.1
687603-2 2-Critical K36243347, BT687603 tmsh query for dns records may cause tmm to crash 11.6.5.3, 12.1.3.2, 13.1.3.5
951033-1 3-Major BT951033 Virtual server resets all the connections for rstcause 'VIP disabled (administrative)' 13.1.3.5, 14.1.3.1
915689-5 3-Major BT915689 HTTP/2 dynamic header table may fail to identify indexed headers on the response side. 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
915605-4 3-Major K56251674, BT915605 Image install fails if iRulesLX is provisioned and /usr mounted read-write 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
915281-6 3-Major BT915281 Do not rearm TCP Keep Alive timer under certain conditions 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
909757 3-Major BT909757 HTTP CONNECT method with a delayed payload can cause a connection to be closed 13.1.3.5
892385-3 3-Major BT892385 HTTP does not process WebSocket payload when received with server HTTP response 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1
862597-3 3-Major BT862597 Improve MPTCP's SYN/ACK retransmission handling 13.1.3.5, 14.1.3.1, 15.1.0.2
828601-4 3-Major BT828601 IPv6 Management route is preferred over IPv6 tmm route 13.1.3.5, 14.1.2.7, 15.1.0.3
818853-5 3-Major BT818853 Duplicate MAC entries in FDB 13.1.3.5, 14.1.3.1, 15.1.0.2
810445-3 3-Major BT810445 PEM: ftp-data not classified or reported 13.1.3.5, 14.1.2.8
807821-3 3-Major BT807821 ICMP echo requests occasionally go unanswered 12.1.5.3, 13.1.3.5
790845-1 3-Major BT790845 An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default 13.1.3.5, 14.1.4, 15.1.2
786517-1 3-Major BT786517 Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address 13.1.3.5, 14.1.3.1, 15.1.0.5
783617-4 3-Major BT783617 Virtual server resets connections when all pool members are marked disabled 13.1.3.5, 14.1.3.1
766169-3 3-Major BT766169 Replacing all VLAN interfaces resets VLAN MTU to a default value 12.1.5.2, 13.1.3.5, 14.1.2.8
758631-2 3-Major BT758631 ec_point_formats extension might be included in the server hello even if not specified in the client hello 12.1.5, 13.1.3.5, 14.0.1.1, 14.1.2.5
758599-4 3-Major BT758599 IPv6 Management route is preferred over IPv6 tmm route 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.3
758437-4 3-Major BT758437 SYN w/ data disrupts stat collection in Fast L4 13.1.3.5, 14.1.2.8
758436-2 3-Major BT758436 Optimistic ACKs degrade Fast L4 statistics 13.1.3.5, 14.1.2.8
758041-4 3-Major BT758041 LTM Pool Members may not be updated accurately when multiple identical database monitors are configured. 13.1.3.5, 14.1.2.7, 15.1.4.1
745923-4 3-Major BT745923 Connection flow collision can cause packets to be sent with source and/or destination port 0 13.1.3.5, 14.1.2.5, 15.0.1.4
745663-2 3-Major BT745663 During traffic forwarding, nexthop data may be missed at large packet split 13.1.3.5, 14.1.2.8
724824-4 3-Major BT724824 Ephemeral nodes on peer devices report as unknown and unchecked after full config sync 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2
710930-1 3-Major BT710930 Enabling BigDB key bigd.tmm may cause SSL monitors to fail 13.1.3.5, 14.1.3.1
681814-1 3-Major BT681814 Changes to a cipher group are not propagated to SSL profiles until the configuration is reloaded 13.1.3.5
522241-2 3-Major BT522241 Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7
814037-1 4-Minor BT814037 No virtual server name in Hardware Syncookie activation logs. 13.1.3.5, 14.1.2.8, 15.1.1
781225-3 4-Minor BT781225 HTTP profile Response Size stats incorrect for keep-alive connections 12.1.5.3, 13.1.3.5, 14.1.3.1
726983-4 4-Minor BT726983 Inserting multi-line HTTP header not handled correctly 12.1.5.3, 13.1.3.5, 14.1.3.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
960749-4 1-Blocking BT960749 TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
960437-4 2-Critical BT960437 The BIG-IP system may initially fail to resolve some DNS queries 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
919553-4 2-Critical BT919553 GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets. 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
783125-4 2-Critical BT783125 iRule drop command on DNS traffic without Datagram-LB may cause TMM crash 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
781829-4 3-Major BT781829 GTM TCP monitor does not check the RECV string if server response string not ending with \n 13.1.3.5, 14.1.3.1
760471-4 3-Major BT760471 GTM iQuery connections may be reset during SSL key renegotiation. 12.1.5.2, 13.1.3.5, 14.1.2.3, 15.0.1.4, 15.1.0.2
758772-4 3-Major BT758772 DNS Cache RRSET Evictions Stat not increasing 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7
757464-3 3-Major BT757464 DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7
708421-2 3-Major K52142743, BT708421 DNS::question 'set' options are applied to packet, but not to already parsed dns_msg 12.1.5.2, 13.1.3.5
700118-1 3-Major BT700118 rrset statistics unavailable 11.6.5.3, 12.1.6, 13.1.3.5
529896-1 3-Major BT529896 DNS Cache can use cached data from ADDITIONAL sections in answers after RRset cache cleared 11.6.5.3, 12.1.6, 13.1.3.5
643455-1 4-Minor BT643455 Update TTL for equally trusted records only 11.6.5.3, 12.1.6, 13.1.3.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
903453 2-Critical BT903453 TMM crash following redirect when Proactive Bot Defense is used 13.1.3.5
941853-3 3-Major BT941853 Logging Profiles do not disassociate from virtual server when multiple changes are made 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
900797-5 3-Major BT900797 Brute Force Protection (BFP) hash table entry cleanup 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
900793-3 3-Major K32055534, BT900793 APM Brute Force Protection resources do not scale automatically 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
900789-5 3-Major BT900789 Alert before Brute Force Protection (BFP) hash are fully utilized 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
848445-4 3-Major K86285055, BT848445 Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5
833685-1 3-Major BT833685 Idle async handlers can remain loaded for a long time doing nothing 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.5
722337-3 3-Major BT722337 Always show violations in request log when post request is large 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1.1
692279-1 3-Major BT692279 Request logging is briefly suspended after policy re-assignment 13.1.3.5
424588-1 3-Major BT424588 iRule command [DOSL7::profile] returns empty value 13.1.3.5
935293-1 4-Minor BT935293 'Detected Violation' Field for event logs not showing 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
882769-5 4-Minor BT882769 Request Log: wrong filter applied when searching by Response contains or Response does not contain 13.1.3.5, 14.1.2.7, 15.1.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
722392-2 2-Critical BT722392 AVR: analytics statistics are displayed even if they are disabled 13.1.3.5
908065-5 3-Major BT908065 Logrotation for /var/log/avr blocked by files with .1 suffix 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
902485-1 3-Major BT902485 Incorrect pool member concurrent connection value 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
838685-1 3-Major BT838685 DoS report exist in per-widget but not under individual virtual 13.1.3.5, 14.1.2.7, 15.1.0.5
721408-4 3-Major BT721408 Possible to create Analytics overview widgets in '[All]' partition 13.1.3.5
866613-2 4-Minor BT866613 Missing MaxMemory Attribute 13.1.3.5, 14.1.2.8, 15.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
833049-3 3-Major BT833049 Category lookup tool in GUI may not match actual traffic categorization 13.1.3.5, 14.1.4, 15.1.2
766017-2 4-Minor BT766017 [APM][LocalDB] Local user database instance name length check inconsistencies 12.1.5.3, 13.1.3.5, 14.1.4.2, 15.1.2, 16.0.1.1
679751-3 4-Minor BT679751 Authorization header can cause a connection reset 13.1.3.5, 14.1.2.8, 15.1.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
815877-4 3-Major BT815877 Information Elements with zero-length value are rejected by the GTP parser 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.0.1.4, 15.1.0.5
845461-1 5-Cosmetic BT845461 MRF DIAMETER: additional details to log event to assist debugging 13.1.3.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
703165-5 3-Major BT703165 shared memory leakage 13.1.3.5, 14.1.2.8


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
783289-3 2-Critical BT783289 PEM actions not applied in VE bigTCP. 13.1.3.5, 14.1.3.1


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
943889 2-Critical BT943889 Reopening the publisher after a failed publishing attempt 13.1.3.5, 14.1.4
876581-5 3-Major BT876581 JavaScript engine file is empty if the original HTML page cached for too long 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
940401-4 5-Cosmetic BT940401 Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
913441 2-Critical BT913441 Tmm cores while doing Hitless Upgrade while there are active flows 12.1.5.3, 13.1.3.5
745733-1 3-Major BT745733 TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup 13.1.3.5, 14.1.0.2
689614-1 3-Major BT689614 If DNS is not configured and management proxy is setup correctly, Webroot database fails to download 13.1.3.5


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
767613-3 3-Major BT767613 Restjavad can keep partially downloaded files open indefinitely 13.1.3.5, 14.1.3.1



Cumulative fixes from BIG-IP v13.1.3.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
900757-5 CVE-2020-5902 K52145254, BT900757 TMUI RCE vulnerability CVE-2020-5902 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895525-5 CVE-2020-5902 K52145254, BT895525 TMUI RCE vulnerability CVE-2020-5902 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
909237-3 CVE-2020-8617 K05544642 CVE-2020-8617: BIND Vulnerability 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
909233-3 CVE-2020-8616 K97810133, BT909233 DNS Hardening 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
905905-4 CVE-2020-5904 K31301245, BT905905 TMUI CSRF vulnerability CVE-2020-5904 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895993-5 CVE-2020-5902 K52145254, BT895993 TMUI RCE vulnerability CVE-2020-5902 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895981-5 CVE-2020-5902 K52145254, BT895981 TMUI RCE vulnerability CVE-2020-5902 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895881-4 CVE-2020-5903 K43638305, BT895881 BIG-IP TMUI XSS vulnerability CVE-2020-5903 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
883717-4 CVE-2020-5914 K37466356, BT883717 BD crash on specific server cookie scenario 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
852445-5 CVE-2019-6477 K15840535, BT852445 Big-IP : CVE-2019-6477 BIND Vulnerability 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.5
841577-6 CVE-2020-5922 K20606443, BT841577 iControl REST hardening 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5
838677-5 CVE-2019-10744 K47105354, BT838677 lodash library vulnerability CVE-2019-10744 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
837773-4 CVE-2020-5912 K12936322, BT837773 Restjavad Storage and Configuration Hardening 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
830401-5 CVE-2020-5877 K54200228, BT830401 TMM may crash while processing TCP traffic with iRules 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
819197-6 CVE-2019-13135 K20336394, BT819197 BIGIP: CVE-2019-13135 ImageMagick vulnerability 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
819189-5 CVE-2019-13136 K03512441, BT819189 BIGIP: CVE-2019-13136 ImageMagick vulnerability 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
818709-4 CVE-2020-5858 K36814487, BT818709 TMSH does not follow current best practices 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.4
778077-1 CVE-2019-6680 K53183580, BT778077 Virtual to virtual chain can cause TMM to crash 11.6.5.1, 12.1.5.1, 13.1.3.4, 14.0.1.1, 14.1.2.1, 15.0.1.1
767373-3 CVE-2019-8331 K24383845, BT767373 CVE-2019-8331: Bootstrap Vulnerability 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.4
750292-4 CVE-2019-6592 K54167061, BT750292 TMM may crash when processing TLS traffic 12.1.5.3, 13.1.3.4, 14.1.0.2
886085-1 CVE-2020-5925 K45421311, BT886085 BIG-IP TMM vulnerability CVE-2020-5925 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
872673-4 CVE-2020-5918 K26464312, BT872673 TMM can crash when processing SCTP traffic 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
868349-5 CVE-2020-5935 K62830532, BT868349 TMM may crash while processing iRules with MQTT commands 13.1.3.4, 14.1.2.5, 15.1.1
860477-6 CVE-2020-5906 K82518062 SCP hardening 12.1.5.2, 13.1.3.4
859089-3 CVE-2020-5907 K00091341, BT859089 TMSH allows SFTP utility access 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4
858025-5 CVE-2021-22984 K33440533, BT858025 BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
832885-5 CVE-2020-5923 K05975972, BT832885 Self-IP hardening 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5
829121-5 CVE-2020-5886 K65720640, BT829121 State mirroring default does not require TLS 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2
829117-5 CVE-2020-5885 K17663061, BT829117 State mirroring default does not require TLS 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2
811789-4 CVE-2020-5915 K57214921, BT811789 Device trust UI hardening 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
789921-4 CVE-2020-5881 K03386032, BT789921 TMM may restart while processing VLAN traffic 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
761112-5 CVE-2019-6683 K76328112, BT761112 TMM may consume excessive resources when processing FastL4 traffic 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.0.1.1, 14.1.2.3, 15.0.1.4
756458-1 CVE-2018-18559 K28241423, BT756458 Linux kernel vulnerability: CVE-2018-18559 13.1.3.4, 14.1.2.1, 15.0.1.4
745103-4 CVE-2018-7159 K27228191, BT745103 NodeJS Vulnerability: CVE-2018-7159 13.1.3.4, 14.1.2.1, 15.0.1.3
715969-1 CVE-2017-5703 K19855851, BT715969 CVE-2017-5703: Unsafe Opcodes exposed in Intel SPI based products 13.1.3.4
823893-4 CVE-2020-5890 K03318649, BT823893 Qkview may fail to completely sanitize LDAP bind credentials 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
746091-3 CVE-2019-19151 K21711352, BT746091 TMSH Vulnerability: CVE-2019-19151 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
717276-5 CVE-2020-5930 K20622530, BT717276 TMM Route Metrics Hardening 11.6.5.3, 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.5
759536-4 CVE-2019-8912 K31739796, BT759536 Linux kernel vulnerability: CVE-2019-8912 13.1.3.4, 14.1.2.1, 15.0.1.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
819397-3 1-Blocking K50375550, BT819397 TMM does not enforce RFC compliance when processing HTTP traffic 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.1
858229-2 3-Major K22493037, BT858229 XML with sensitive data gets to the ICAP server 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
691499-1 3-Major BT691499 GTP::ie primitives in iRule to be certified 13.1.3.4, 14.1.2.7, 15.1.0.5
617929-4 3-Major BT617929 Support non-default route domains 13.1.3.4, 14.1.2.8, 15.0.1.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
747099-1 1-Blocking BT747099 AWS Cloud VE instance cannot connect to the metadata server to obtain licensing details. 13.1.3.4
841333-3 2-Critical BT841333 TMM may crash when tunnel used after returning from offline 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.2
792285-3 2-Critical BT792285 TMM crashes if the queuing message to all HSL pool members fails 13.1.3.4, 14.1.2.5
780817 2-Critical BT780817 TMM can crash on certain vCMP hosts after modifications to VLANs and guests. 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1
767013-4 2-Critical BT767013 Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.4.4
762205-1 2-Critical BT762205 IKEv2 rekey fails to recognize VENDOR_ID payload when it appears 13.1.3.4, 14.1.2.3, 15.0.1.4
882557-5 3-Major BT882557 TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher) 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4
866925-1 3-Major BT866925 The TMM pages used and available can be viewed in the F5 system stats MIB 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
865225-2 3-Major BT865225 100G modules may not work properly in i15000 and i15800 platforms 13.1.3.4, 15.1.0.2
842125-2 3-Major BT842125 Unable to reconnect outgoing SCTP connections that have previously aborted 13.1.3.4, 14.1.2.5, 15.1.0.5
812981-2 3-Major BT812981 MCPD: memory leak on standby BIG-IP device 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
807005-3 3-Major BT807005 Save-on-auto-sync is not working as expected with large configuration objects 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
804477-2 3-Major BT804477 Add HSB register logging when parts of the device becomes unresponsive 13.1.3.4, 14.1.4.3
800185-2 3-Major BT800185 Saving a large encrypted UCS archive may fail and might trigger failover 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4
762073-1 3-Major BT762073 Continuous TMM restarts when HSB drops off the PCI bus 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4
760439-2 3-Major BT760439 After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1
753860-1 3-Major BT753860 Virtual server config changes causing incorrect route injection. 13.1.3.4, 14.1.2.7
749153-1 3-Major BT749153 Cannot create LTM policy from GUI using iControl 12.1.4.1, 13.1.3.4
742628-5 3-Major BT742628 A tmsh session initiation adds increased control plane pressure 12.1.5.3, 13.1.3.4, 14.1.2.6, 14.1.4, 15.0.1.4, 15.1.0.2
739872-2 3-Major BT739872 The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover 12.1.5.3, 13.1.3.4
738943-5 3-Major BT738943 imish command hangs when ospfd is enabled 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1
738881-2 3-Major BT738881 Qkview does not collect any data under certain conditions that cause a timeout 13.1.3.4
734846-3 3-Major BT734846 Redirection to logon summary page does not occur after session timeout 13.1.3.4
701529-1 3-Major BT701529 Configuration may not load or not accept vlan or tunnel names as "default" or "all" 13.1.3.4, 14.1.2.7
688399-4 3-Major BT688399 HSB failure results in continuous TMM restarts 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4
648621-5 3-Major BT648621 SCTP: Multihome connections may not expire 11.6.5.3, 12.1.5.2, 13.1.3.4, 14.1.2.1, 15.0.1.4
641450-5 3-Major K30053855, BT641450 A transaction that deletes and recreates a virtual may result in an invalid configuration 12.1.5.1, 13.1.3.4, 14.1.2.5
625901-2 3-Major BT625901 SNAT pools allow members in different partitions to be assigned, but this causes a load failure 12.1.5.1, 13.1.3.4
748940-1 4-Minor BT748940 iControl REST cert creation not working for non-Common folder 13.1.3.4
743815-3 4-Minor BT743815 vCMP guest observes connflow reset when a CMP state change occurs. 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7
726317-4 4-Minor BT726317 Improved debugging output for mcpd 12.1.5, 13.1.3.4, 14.1.0.6
722230-5 4-Minor BT722230 Cannot delete FQDN template node if another FQDN node resolves to same IP address 12.1.5.2, 13.1.3.4, 14.1.3.1, 15.0.1.4, 15.1.0.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
816273-4 1-Blocking BT816273 L7 Policies may execute CONTAINS operands incorrectly. 13.1.3.4, 14.1.2.3, 15.0.1.1
715032-5 1-Blocking K73302459, BT715032 iRulesLX Hardening 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
853329 2-Critical BT853329 HTTP explicit proxy can crash TMM when used with classification profile 11.6.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3
841469-3 2-Critical BT841469 Application traffic may fail after an internal interface failure on a VIPRION system. 13.1.3.4, 15.1.2.1
831325-3 2-Critical K10701310, BT831325 HTTP PSM detects more issues with Transfer-Encoding headers 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.1
826601-3 2-Critical BT826601 Prevent receive window shrinkage for looped flows that use a SYN cookie 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.3
813561-1 2-Critical BT813561 MCPD crashes when assigning an iRule that uses a proc 13.1.3.4, 14.1.2.8, 15.0.1.3
812525-5 2-Critical K27551003, BT812525 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
757578-4 2-Critical BT757578 RAM cache is not compatible with verify-accept 12.1.5.2, 13.1.3.4, 14.1.2.1, 15.0.1.1
696908-1 2-Critical BT696908 Updating iRule causes TMM to crash 13.1.3.4
690291-1 2-Critical BT690291 tmm crash 13.1.3.4
858301-4 3-Major K27551003, BT858301 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858297-4 3-Major K27551003, BT858297 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858289-4 3-Major K27551003, BT858289 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858285-4 3-Major K27551003, BT858285 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
796993-3 3-Major BT796993 Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs 12.1.5.3, 13.1.3.4, 14.1.3.1
788753-1 3-Major BT788753 GATEWAY_ICMP monitor marks node down with wrong error code 13.1.3.4, 14.1.2.8, 15.1.0.5
778517-2 3-Major K91052217, BT778517 Large number of in-TMM monitors results in delayed processing 13.1.3.4, 14.1.2.7
776229-4 3-Major BT776229 iRule 'pool' command no longer accepts pool members with ports that have a value of zero 13.1.3.4, 14.1.3.1
761185-4 3-Major K50375550, BT761185 Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.1
760679 3-Major BT760679 Memory corruption when using C3D on certain platforms 13.1.3.4
759480-2 3-Major BT759480 HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash 12.1.5, 13.1.3.4, 14.1.3.1
758872-2 3-Major BT758872 TMM memory leak 12.1.5, 13.1.3.4, 14.1.2.3
756494-1 3-Major BT756494 For in-tmm monitoring: multiple instances of the same agent are running on the Standby device 13.1.3.4, 14.1.2.7
753805-1 3-Major BT753805 BIG-IP system failed to advertise virtual address even after the virtual address was in Available state. 12.1.5.3, 13.1.3.4, 14.1.3.1
716167-1 3-Major BT716167 The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp 13.1.3.4, 14.1.0.2
686059-2 3-Major BT686059 FDB entries for existing VLANs may be flushed when creating a new VLAN. 12.1.5.3, 13.1.3.4, 14.1.2.7
751586-5 4-Minor BT751586 Http2 virtual does not honour translate-address disabled 12.1.4.1, 13.1.3.4, 14.1.2.1, 15.1.4
747585-2 4-Minor BT747585 TCP Analytics supports ANY protocol number 12.1.5, 13.1.3.4, 14.1.2.1
594064-5 4-Minor K57004151, BT594064 tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows. 11.6.5.3, 12.1.5.2, 13.1.3.4


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
807177-1 2-Critical BT807177 HTTPS monitoring is not caching SSL sessions correctly 13.1.3.4, 14.1.2.5
802961-1 3-Major BT802961 The 'any-available' prober selection is not as random as in earlier versions 13.1.3.4, 14.1.2.5
778365-1 3-Major BT778365 dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service 13.1.3.4, 14.1.2.7
774481-3 3-Major BT774481 DNS Virtual Server creation problem with Dependency List 13.1.3.4, 14.1.2.7
756470-3 3-Major BT756470 Additional logging added to detect when monitoring operations in the configuration exceeds capabilities. 13.1.3.4, 14.1.4.5
746348-1 3-Major BT746348 On rare occasions, gtmd fails to process probe responses originating from the same system. 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.2
704198-3 3-Major K29403988, BT704198 Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance 12.1.5.2, 13.1.3.4, 14.1.2.5
744280-1 4-Minor BT744280 Enabling or disabling a Distributed Application results in a small memory leak 13.1.3.4, 14.0.0.5, 14.1.2.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
803813-3 2-Critical BT803813 TMM may experience high latency when processing WebSocket traffic 13.1.3.4, 14.1.2.7
754109-3 2-Critical BT754109 ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive 13.1.3.4, 14.1.2.3
854177-2 3-Major BT854177 ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.1.0.5
850673-4 3-Major BT850673 BD sends bad ACKs to the bd_agent for configuration 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
846493 3-Major BT846493 ASM CAPTCHA is not working the first time when a request contains sensitive parameters 13.1.3.4
783505 3-Major BT783505 ASU is very slow on device with hundreds of policies due to table checksums 12.1.5.1, 13.1.3.4
697269-1 3-Major BT697269 Request logging is briefly suspended after policy creation 13.1.3.4
689987-3 3-Major BT689987 Requests are not logged on new virtual servers after UCS load while ASM is running 13.1.3.4
681010-2 3-Major K33572148, BT681010 'Referer' is not masked when 'Query String' contains sensitive parameter 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
673522-1 3-Major BT673522 RST when using Bot Defense profile and surfing to a long URL on related domain 13.1.3.4
629628-1 3-Major BT629628 Request Events Missing Due to Policy Builder Restart 13.1.3.4


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
838709-2 2-Critical BT838709 Enabling DoS stats also enables page-load-time 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
828937-4 2-Critical K45725467, BT828937 Some systems can experience periodic high IO wait due to AVR data aggregation 13.1.3.4, 14.1.2.5, 15.1.0.5
870957-2 3-Major   "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
863161-5 3-Major BT863161 Scheduled reports are sent via TLS even if configured as non encrypted 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
833113-1 3-Major BT833113 Avrd core when sending large messages via https 13.1.3.4, 14.1.4.3, 15.0.1.3, 15.1.4
830073-5 3-Major BT830073 AVRD may core when restarting due to data collection device connection timeout 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
700035-5 3-Major BT700035 /var/log/avr/monpd.disk.provision is not rotated 13.1.3.4


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
885241 2-Critical BT885241 TMM leaks memory when the 'ACCESS::session remove' iRule command is called in an event other than an ACCESS event. 13.1.3.4
871761-2 2-Critical BT871761 Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
747192-2 2-Critical BT747192 Small memory leak while creating Access Policy items 12.1.4.1, 13.1.3.4
660913-4 2-Critical BT660913 For ActiveSync client type, browscap info provided is incorrect. 12.1.4.1, 13.1.3.4, 14.1.4.3
850277-5 3-Major BT850277 Memory leak when using OAuth 13.1.3.4, 14.1.4, 15.0.1.3, 15.1.0.2
803825 3-Major BT803825 WebSSO does not support large NTLM target info length 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2
744407-5 3-Major BT744407 While the client has been closed, iRule function should not try to check on a closed session 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2


WebAccelerator Fixes

ID Number Severity Links to More Info Description Fixed Versions
833213-5 3-Major BT833213 Conditional requests are served incorrectly with AAM policy in webacceleration profile 13.1.3.4, 14.1.2.3, 15.0.1.3, 15.1.3


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
814097-4 2-Critical BT814097 Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event. 11.6.5.2, 13.1.3.4, 14.1.2.7
811105-3 2-Critical BT811105 MRF SIP-ALG drops SIP 183 and 200 OK messages 13.1.3.4, 14.1.2.5, 15.0.1.4
766405-3 2-Critical BT766405 MRF SIP ALG with SNAT: Fix for potential crash on next-active device 13.1.3.4, 14.1.0.6
745397-3 2-Critical BT745397 Virtual server configured with FIX profile can leak memory. 13.1.3.4
882273-1 3-Major BT882273 MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage growth 13.1.3.4, 14.1.2.5
866021-4 3-Major BT866021 Diameter Mirror connection lost on the standby due to "process ingress error" 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
842625-1 3-Major BT842625 SIP message routing remembers a 'no connection' failure state forever 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.2
824149-1 3-Major BT824149 SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
815529-4 3-Major BT815529 MRF outbound messages are dropped in per-peer mode 13.1.3.4, 14.1.2.7
811033-3 3-Major BT811033 MRF: BiDirectional persistence does not work in reverse direction if different transport protocols are used 13.1.3.4, 14.1.2.5
804313-4 3-Major BT804313 MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded. 13.1.3.4, 14.1.2.1, 15.0.1.2
803809-1 3-Major BT803809 SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled. 13.1.3.4, 14.1.2.7, 15.1.0.2
782353-8 3-Major BT782353 SIP MRF via header shows TCP Transport when TLS is enabled 13.1.3.4, 14.1.2.7
754658-1 3-Major BT754658 Improved matching of response messages uses end-to-end ID 13.1.3.4, 14.1.2.7
754617-1 3-Major BT754617 iRule 'DIAMETER::avp read' command does not work with 'source' option 13.1.3.4, 14.1.2.7
746731-3 3-Major BT746731 BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set 13.1.3.4, 14.1.2.7
744275-3 3-Major BT744275 BIG-IP system sends Product-Name AVP in CER with Mandatory bit set 13.1.3.4, 14.1.0.2
727288-3 3-Major BT727288 Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC 13.1.3.4
696348-2 3-Major BT696348 "GTP::ie insert" and "GTP::ie append" do not work without "-message" option 13.1.3.4, 14.1.2.7, 15.1.0.5
676709-3 3-Major K37604585, BT676709 Diameter virtual server has different behavior of connection-prime when persistence is on/off 11.6.5.2, 13.1.3.4
836357-1 4-Minor BT836357 SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
793013 4-Minor BT793013 MRF DIAMETER: Implement sweeper for pending request messages queue 13.1.3.4
788513-4 4-Minor BT788513 Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
786981-1 4-Minor BT786981 Pending GTP iRule operation may be aborted when connection is expired 13.1.3.4, 14.1.2.7
753790 4-Minor BT753790 Allow 'DIAMETER::persist reset' command in EGRESS events 13.1.3.4
711641-1 4-Minor BT711641 MRF DIAMETER: Add log events to log when stale messages are removed from pending request queue 13.1.3.4
793005-4 5-Cosmetic BT793005 'Current Sessions' statistic of MRF/Diameter pool may be incorrect 13.1.3.4, 14.1.2.7, 15.1.0.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
852289-6 3-Major K23278332, BT852289 DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector 13.1.3.4, 14.1.2.5, 15.1.1
751116-3 3-Major BT751116 DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring 13.1.3.4, 14.1.4.2


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
839597-2 3-Major BT839597 Restjavad fails to start if provision.extramb has a large value 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5



Cumulative fixes from BIG-IP v13.1.3.3 that are included in this release


Functional Change Fixes

None


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
803645-1 3-Major BT803645 GTMD daemon crashes 13.1.3.3, 14.1.2.7



Cumulative fixes from BIG-IP v13.1.3.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
818429-2 CVE-2020-5857 K70275209, BT818429 TMM may crash while processing HTTP traffic 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1
808301-1 CVE-2019-6678 K04897373, BT808301 TMM may crash while processing IP traffic 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1
805837-4 CVE-2019-6657 K22441651, BT805837 REST does not follow current design best practices 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.5, 15.0.1.1
795437-2 CVE-2019-6677 K06747393, BT795437 Improve handling of TCP traffic for iRules 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
795197-3 CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 K26618426, BT795197 Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
781377-1 CVE-2019-6681 K93417064, BT781377 tmrouted may crash while processing Multicast Forwarding Cache messages 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4
780601-4 CVE-2020-5873 K03585731, BT780601 SCP file transfer hardening 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.1.2.5, 15.0.1.1
769589-4 CVE-2019-6974 K11186236, BT769589 CVE-2019-6974: Linux Kernel Vulnerability 13.1.3.2, 14.1.2.5
762453 CVE-2020-5872 K63558580, BT762453 Hardware cryptography acceleration may fail 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.5
757357 CVE-2019-6676 K92002212, BT757357 TMM may crash while processing traffic 13.1.3.2, 14.1.2.3, 15.0.1.1
636400-1 CVE-2019-6665 K26462555, BT636400 CPB (BIG-IP->BIGIQ log node) Hardening 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1, 15.1.0.2
810537-3 CVE-2020-5883 K12234501, BT810537 TMM may consume excessive resources while processing iRules 13.1.3.2, 14.0.1.1, 14.1.2.5, 15.0.1.1
809165-4 CVE-2020-5854 K50046200, BT809165 TMM may crash while processing connector traffic 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4
808525-4 CVE-2019-6686 K55812535, BT808525 TMM may crash while processing Diameter traffic 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4
795797-4 CVE-2019-6658 K21121741, BT795797 AFM WebUI Hardening 12.1.5.1, 13.1.3.2, 14.1.2.1, 15.0.1.1
788773-4 CVE-2019-9515 K50233772, BT788773 HTTP/2 Vulnerability: CVE-2019-9515 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
788769-4 CVE-2019-9514 K01988340, BT788769 HTTP/2 Vulnerability: CVE-2019-9514 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
782529-4 CVE-2019-6685 K30215839, BT782529 iRules does not follow current design best practices 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.3
781449-4 CVE-2019-6672 K14703097, BT781449 Increase efficiency of sPVA DoS protection on wildcard virtual servers 13.1.3.2, 14.1.2.1, 15.0.1.1
777737-2 CVE-2019-6671 K39225055, BT777737 TMM may consume excessive resources when processing IP traffic 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
773673-4 CVE-2019-9512 K98053339, BT773673 HTTP/2 Vulnerability: CVE-2019-9512 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
768981-4 CVE-2019-6670 K05765031, BT768981 VCMP Hypervisor Hardening 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
761144-6 CVE-2019-6684 K95117754, BT761144 Broadcast frames may be dropped 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.3
761014-4 CVE-2019-6669 K11447758, BT761014 TMM may crash while processing local traffic 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
758018-3 CVE-2019-6661 K61705126, BT758018 APD/APMD may consume excessive resources 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1
725551-4 CVE-2019-6682 K40452417, BT725551 ASM may consume excessive resources 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.4
636453-9 CVE-2016-10009 K31440025 OpenSSH vulnerability CVE-2016-10009 13.1.3.2
789893-4 CVE-2019-6679 K54336216, BT789893 SCP file transfer hardening 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1
779177-4 CVE-2019-19150 K37890841, BT779177 Apmd logs "client-session-id" when access-policy debug log level is enabled 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.3
749324-2 CVE-2012-6708 K62532311, BT749324 jQuery Vulnerability: CVE-2012-6708 12.1.5.2, 13.1.3.2, 14.1.2.3
738236-2 CVE-2019-6688 K25607522, BT738236 UCS does not follow current best practices 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.3


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
724556-2 2-Critical BT724556 icrd_child spawns more than maximum allowed times (zombie processes) 12.1.5.3, 13.1.3.2, 14.1.2.7
769193-1 3-Major BT769193 Added support for faster congestion window increase in slow-start for stretch ACKs 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.3
759135-5 3-Major BT759135 AVR report limits are locked at 1000 transactions 13.1.3.2, 14.1.2.1, 15.0.1.1
788269-1 4-Minor BT788269 Adding toggle to disable AVR widgets on device-groups 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
725950 1-Blocking BT725950 Regcomp() leaks memory if passed an invalid regex. 13.1.3.2
831549 2-Critical BT831549 Marketing name does not display properly for BIG-IP i10010 (C127) 13.1.3.2, 14.1.4.4
765533-4 2-Critical K58243048, BT765533 Sensitive information logged when DEBUG logging enabled 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.1
749388 2-Critical BT749388 'table delete' iRule command can cause TMM to crash 12.1.5.2, 13.1.3.2, 14.1.2.5
747203-4 2-Critical BT747203 Fragile NATT IKEv2 interface mode tunnel suffers RST after flow-not-found after forwarding 13.1.3.2, 15.0.1.3
686996-1 2-Critical BT686996 TMM core under heavy load with PEM 13.1.3.2
809205-3 3-Major   CVE-2019-3855: libssh2 Vulnerability 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1, 15.1.3, 16.0.1.2
794501-4 3-Major BT794501 Duplicate if_indexes and OIDs between interfaces and tunnels 12.1.5.3, 13.1.3.2, 14.1.2.3, 15.0.1.1
793121-1 3-Major BT793121 Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication 13.1.3.2, 14.1.2.7, 15.0.1.3, 15.1.0.2
788557 3-Major BT788557 BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior 11.6.5.2, 13.1.3.2, 14.1.2.1, 15.0.1.1
788301-3 3-Major K58243048, BT788301 SNMPv3 Hardening 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
777261-2 3-Major BT777261 When SNMP cannot locate a file it logs messages repeatedly 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
764873-4 3-Major BT764873 An accelerated flow may transmit packets to an unavailable pool member. 13.1.3.2, 14.1.4.2, 15.0.1.3
761993-4 3-Major BT761993 The nsm process may crash if it detects a nexthop mismatch 13.1.3.2, 14.1.2.1, 15.0.1.1
759735-1 3-Major BT759735 OSPF ASE route calculation for new external-LSA delayed 13.1.3.2, 14.1.2.5
758781-1 3-Major BT758781 iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates 13.1.3.2, 14.1.2.3, 15.0.1.1
758527-4 3-Major K39604784, BT758527 BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.0.5, 14.1.2.3, 15.0.1.3
758119-4 3-Major K58243048, BT758119 qkview may contain sensitive information 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
747592-2 3-Major   PHP vulnerability CVE-2018-17082 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1
745825-3 3-Major BT745825 The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading 13.1.3.2, 14.1.0.2
741902-3 3-Major BT741902 sod does not validate message length vs. received packet length 11.6.5.2, 12.1.5.2, 13.1.3.2
740413-3 3-Major BT740413 Sod not logging Failover Condition messages 13.1.3.2
738445-2 3-Major BT738445 IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup 12.1.5, 13.1.3.2, 14.0.1.1
724109-4 3-Major BT724109 Manual config-sync fails after pool with FQDN pool members is deleted 12.1.5.3, 13.1.3.2, 14.1.2.1, 15.0.1.1
700712-1 3-Major BT700712 MariaDB binary logging takes up disk space 13.1.3.2
687115-2 3-Major BT687115 SNMP performance can be impacted by a long list of allowed-addresses 12.1.5.3, 13.1.3.2
683135-2 3-Major BT683135 Hardware syncookies number for virtual server stats is unrealistically high 13.1.3.2, 14.1.2.7
680917-1 3-Major BT680917 Invalid monitor rule instance identifier 12.1.5.3, 13.1.3.2, 14.1.2.1
815425 4-Minor BT815425 RAID status is shown <undefined> after upgrade from 12.1.3.5 to 13.1.x 13.1.3.2
755018-4 4-Minor BT755018 Egress traffic processing may be stopped on one or more VE trunk interfaces 13.1.3.2, 14.1.2.7, 15.0.1.1
484683-3 4-Minor BT484683 Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer. 13.1.3.2, 14.1.2.7


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
800305-4 2-Critical BT800305 VDI::cmp_redirect generates flow with random client port 13.1.3.2, 14.1.2.3, 15.0.1.1
787825-3 2-Critical K58243048, BT787825 Database monitors debug logs have plaintext password printed in the log file 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
739927-3 2-Critical BT739927 Bigd crashes after a specific combination of logging operations 11.5.9, 11.6.4, 12.1.4, 13.1.3.2
693491-1 2-Critical BT693491 ASM with Web Acceleration Profile can rarely cause TMM to core 13.1.3.2
813673-1 3-Major BT813673 The HTTP Explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT to IPv4 targets. 13.1.3.2
788325-4 3-Major K39794285, BT788325 Header continuation rule is applied to request/response line 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
781753-1 3-Major BT781753 WebSocket traffic is transmitted with unknown opcodes 13.1.3.2, 14.1.2.8
773421-2 3-Major BT773421 Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied 12.1.5.1, 13.1.3.2, 14.1.2.1, 15.0.1.1
770477-3 3-Major BT770477 SSL aborted when client_hello includes both renegotiation info extension and SCSV 12.1.5.3, 13.1.3.2, 14.1.2.5
761030-1 3-Major BT761030 tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route 13.1.3.2, 14.1.2.5
758992-1 3-Major BT758992 The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address 13.1.3.2, 14.1.2.3, 15.0.1.3
757827-3 3-Major BT757827 Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution 13.1.3.2, 14.1.2.5, 15.0.1.3
755727-3 3-Major BT755727 Ephemeral pool members not created after DNS flap and address record changes 12.1.5.2, 13.1.3.2, 14.1.2.5, 15.0.1.3
749294-2 3-Major BT749294 TMM cores when query session index is out of boundary 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.0.2
747907-1 3-Major BT747907 Persistence records leak while the high availability (HA) mirror connection is down 13.1.3.2, 14.1.0.6
743257-1 3-Major BT743257 Fix block size insecurity init and assign 13.1.3.2, 14.0.0.5, 14.1.2.5
742237-2 3-Major BT742237 CPU spikes appear wider than actual in graphs 12.1.5, 13.1.3.2, 14.1.2.1
739638-2 3-Major BT739638 BGP failed to connect with neighbor when pool route is used 12.1.4.1, 13.1.3.2, 14.0.1.1
726734-1 3-Major BT726734 DAGv2 port lookup stringent may fail 13.1.3.2, 14.1.2.8
726176-4 3-Major BT726176 Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve 13.1.3.2, 14.1.2.3, 15.0.1.1
716952-2 3-Major BT716952 With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process complete. 13.1.3.2
704450-3 3-Major BT704450 bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration 12.1.5.2, 13.1.3.2, 14.1.0.2
693582-1 3-Major BT693582 Monitor node log not rotated for certain monitor types 12.1.4, 13.1.3.2
689361-1 3-Major BT689361 Configsync can change the status of a monitored pool member 12.1.5.2, 13.1.3.2, 14.1.2.1
687887-1 3-Major BT687887 Unexpected result from multiple changes to a monitor-related object in a single transaction 12.1.5.3, 13.1.3.2, 14.1.2.3
676990-2 3-Major BT676990 No way to enable SNAT of host traffic 13.1.3.2
676557-1 3-Major BT676557 Binary data marshalled to TCL may be converted to UTF8 13.1.3.2
636842-3 3-Major K51472519, BT636842 A FastL4 virtual server may drop a FIN packet when mirroring is enabled 12.1.5.1, 13.1.3.2, 14.1.2.5
601189-3 3-Major BT601189 The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode 12.1.5.1, 13.1.3.2, 14.1.2.5
769309-3 4-Minor BT769309 DB monitor reconnects to server on every probe when count = 0 12.1.5.3, 13.1.3.2, 14.1.2.3, 15.0.1.1
760683-2 4-Minor BT760683 RST from non-floating self-ip may use floating self-ip source mac-address 13.1.3.2, 14.1.2.5
754003-1 4-Minor K73202036, BT754003 Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate 13.1.3.2, 14.1.2.3, 15.0.1.3
747628-3 4-Minor BT747628 BIG-IP sends spurious ICMP PMTU message to server 13.1.3.2, 14.1.2.3, 15.0.1.1
744210-1 4-Minor BT744210 DHCPv6 does not have the ability to override the hop limit from the client. 13.1.3.2, 14.1.2.3


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
772233-1 3-Major BT772233 IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV. 13.1.3.2, 14.1.2.5, 15.0.1.3
761032-4 3-Major K36328238, BT761032 TMSH displays TSIG keys 13.1.3.2, 14.0.1.1, 14.1.2.3
699512-1 3-Major BT699512 UDP packet may be dropped when queued in parallel with another packet 13.1.3.2
672491-5 3-Major K10990182, BT672491 net resolver uses internal IP as source if matching wildcard forwarding virtual server 11.6.5.3, 12.1.3.6, 13.1.3.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
813945-1 2-Critical BT813945 PB core dump while processing many entities 13.1.3.2, 14.1.2.3
775105-1 2-Critical BT775105 False positive on bot defense logs 13.1.3.2, 14.0.1.1
812341-1 3-Major BT812341 Patch or Delete commands take a long time to complete when modifying an ASM signature set. 13.1.3.2, 14.1.2.3
800453-1 3-Major K72252057, BT800453 False positive virus violations 13.1.3.2, 14.1.2.3, 15.0.1.3
783513-1 3-Major BT783513 ASU is very slow on device with hundreds of policies due to logging profile handling 13.1.3.2, 14.1.2.3
739618-1 3-Major BT739618 When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy 13.1.3.2, 14.1.2.3, 15.1.0.2
727107-2 3-Major BT727107 Request Logs are not stored locally due to shmem pipe blockage 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
756102-3 2-Critical BT756102 TMM can crash with core on ABORT signal due to non-responsive AVR code 13.1.3.2, 14.1.0.6, 15.0.1.1
797785-3 3-Major BT797785 AVR reports no ASM-Anomalies data. 13.1.3.2, 14.1.2.1, 15.0.1.3
792265-1 3-Major BT792265 Traffic logs do not include the BIG-IQ tags 13.1.3.2, 14.1.2.1, 15.0.1.3
781581-4 3-Major BT781581 Monpd uses excessive memory on requests for network_log data 13.1.3.2, 14.1.2.3, 15.0.1.3
703196-5 3-Major BT703196 Reports for AVR are missing data 13.1.3.2
696191-1 3-Major BT696191 AVR-related disk partitions can get full during upgrade 13.1.3.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
811145-4 2-Critical BT811145 VMware View resources with SAML SSO are not working 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
784989-4 2-Critical BT784989 TMM may crash with panic message: Assertion 'cookie name exists' failed 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
777173-4 2-Critical BT777173 Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
725505-2 2-Critical BT725505 SNAT settings in network resource are not applied after FastL4 profile is updated 13.1.3.2
618641-1 2-Critical BT618641 In rare cases VDI plugin might leak memory or crash while processing client connections 13.1.3.2
815753-4 3-Major BT815753 TMM leaks memory when explicit SWG is configured with Kerberos authentication 13.1.3.2, 14.0.1.1, 15.0.1.1
799149 3-Major BT799149 Authentication fails with empty password 13.1.3.2, 14.1.2.7
798261-4 3-Major BT798261 APMD fails to create session variables if spanning is enabled on SWG transparent virtual server 13.1.3.2, 14.1.2.5, 15.0.1.3
788417-3 3-Major BT788417 Remote Desktop client on macOS may show resource auth token on credentials prompt 13.1.3.2, 14.1.2.1, 15.0.1.1
787477-1 3-Major BT787477 Export fails from partitions with '-' as second character 13.1.3.2, 14.1.2.1
768025-1 3-Major BT768025 SAML requests/responses fail with "failed to find certificate" 13.1.3.2, 14.1.2.5, 15.0.1.3
766577-4 3-Major BT766577 APMD fails to send response to client and it already closed connection. 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1
725040-3 3-Major BT725040 Auto-update fails for F5 Helper Applications on Linux 13.1.3.2
723278-1 3-Major BT723278 Radius Accounting-Request (STOP) always includes AVP Framed-IP-Address=0.16.0.0 when Network Access resource configured with IPv4 & IPv6 13.1.3.2
697590-4 3-Major BT697590 APM iRule ACCESS::session remove fails outside of Access events 13.1.3.2, 14.1.2.1, 15.0.1.1
653210-1 3-Major BT653210 Rare resets during the login process 13.1.3.2, 14.1.2.4
643935-2 3-Major BT643935 Rewriting may cause an infinite loop while processing some objects 13.1.3.2, 14.0.1.1, 14.1.2.3
719589-3 4-Minor BT719589 GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic 13.1.3.2, 14.1.2.7
684414-2 4-Minor BT684414 Retrieving too many groups is causing out of memory errors in TMUI and VPE 12.1.3.2, 13.1.3.2


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
813657 3-Major BT813657 MRF SIP ALG with SNAT incorrectly detects ingress queue full 13.1.3.2
811745-4 3-Major BT811745 Failover between clustered DIAMETER devices can cause mirror connections to be disconnected 13.1.3.2, 14.1.2.1, 15.0.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
787901 2-Critical BT787901 While deleting a DoS profile, tmm might core in sPVA 13.1.3.2
778869-1 2-Critical K72423000, BT778869 ACLs and other AFM features (e.g., IPI) may not function as designed 13.1.3.2, 14.0.1.1, 14.1.2.5
747922-2 2-Critical BT747922 With AFM enabled, during bootup, there is a small possibility of a tmm crash 13.1.3.2, 14.1.0.2
761345-1 3-Major BT761345 Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode 13.1.3.2, 14.1.2.3
738284-4 3-Major BT738284 Creating or deleting rule list results in warning message: Schema object encode failed 13.1.3.2, 14.1.2.3, 15.0.1.1
679722-1 3-Major BT679722 Configuration sync failure involving self IP references 13.1.3.2


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
753014-1 3-Major BT753014 PEM iRule action with RULE_INIT event fails to attach to PEM policy 12.1.5.3, 13.1.3.2, 14.1.2.7
747065-3 3-Major BT747065 PEM iRule burst of session ADDs leads to missing sessions 13.1.3.2


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
804185-3 3-Major BT804185 Some WebSafe request signatures may not work as expected 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
803477-1 3-Major BT803477 BaDoS State file load failure when signature protection is off 13.1.3.2, 14.1.2.1, 15.0.1.1
767045 4-Minor BT767045 TMM cores while applying policy 13.1.3.2, 14.1.2.3
711708-1 4-Minor BT711708 Default disabled DoS profile cannot be attached to virtual server because of BADOS '2 virtual servers limitation' 13.1.3.2


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
674795-2 4-Minor BT674795 tmsh help/man page incorrectly states that the urldb feedlist polling interval is in seconds, when it should be hours. 12.1.5.3, 13.1.3.2



Cumulative fixes from BIG-IP v13.1.3.1 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
688627-1 3-Major BT688627 OPT-0043 40G optical transceiver cannot be unbundled into 4x10G 13.1.3.1



Cumulative fixes from BIG-IP v13.1.3 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
809377-4 CVE-2019-6649 K05123525 AFM ConfigSync Hardening 13.1.3, 14.0.1, 14.1.2, 15.0.1
771873-3 CVE-2019-6642 K40378764, BT771873 TMSH Hardening 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
767653-2 CVE-2019-6660 K23860356, BT767653 Malformed HTTP request can result in endless loop in an iRule script 13.1.3, 14.0.1.1, 14.1.2.1
758065-2 CVE-2019-6667 K82781208, BT758065 TMM may consume excessive resources while processing FIX traffic 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
757023-4 CVE-2018-5743 K74009656, BT757023 BIND vulnerability CVE-2018-5743 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
756538-1 CVE-2019-6645 K15759349, BT756538 Failure to open data channel for active FTP connections mirrored across a high availability (HA) pair. 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6
754103-2 CVE-2019-6644 K75532331, BT754103 iRulesLX NodeJS daemon does not follow best security practices 12.1.4.1, 13.1.3, 14.0.0.5, 14.1.0.6
739971-2 CVE-2018-5391 K74374841, BT739971 Linux kernel vulnerability: CVE-2018-5391 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.5
726393-4 CVE-2019-6643 K36228121, BT726393 DHCPRELAY6 can lead to a tmm crash 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6
715923-1 CVE-2018-15317 K43625118, BT715923 When processing TLS traffic TMM may terminate connections unexpectedly 11.6.3.3, 12.1.5, 13.1.3, 14.0.0.3
757455-1 CVE-2019-6647 K87920510, BT757455 Excessive resource consumption when processing REST requests 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6
773649-4 CVE-2019-6656 K23876153, BT773649 APM Client Logging 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.2, 15.0.1.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
749704-3 4-Minor BT749704 GTPv2 Serving-Network field with mixed MNC digits 13.1.3, 14.0.1.1, 14.1.0.6


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
774445-3 1-Blocking K74921042, BT774445 BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2 13.1.3, 14.0.0.5, 14.1.0.6
769809-2 2-Critical BT769809 The vCMP guests 'INOPERATIVE' after upgrade 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6
760408-1 2-Critical BT760408 System Integrity Status: Invalid after BIOS update 13.1.3, 14.0.0.5, 14.1.0.6
757722-1 2-Critical BT757722 Unknown notify message types unsupported in IKEv2 13.1.3, 14.0.1.1, 14.1.0.6
756402-1 2-Critical BT756402 Re-transmitted IPsec packets can have garbled contents 13.1.3, 14.0.1.1, 14.1.0.6
756071-1 2-Critical BT756071 MCPD crash 13.1.3, 14.0.1.1, 14.1.0.6
753650 2-Critical BT753650 The BIG-IP system reports frequent kernel page allocation failures. 13.1.3, 14.0.1.1, 14.1.0.6
748205-1 2-Critical BT748205 SSD bay identification incorrect for RAID drive replacement 12.1.5, 13.1.3, 14.1.2.5
734539-3 2-Critical BT734539 The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads 12.1.5, 13.1.3, 14.0.1.1
708968-2 2-Critical BT708968 OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address 13.1.3, 14.0.1.1
671741-3 2-Critical BT671741 LCD on iSeries devices can lock at red 'loading' screen. 12.1.5, 13.1.3
648270-3 2-Critical BT648270 mcpd can crash if viewing a fast-growing log file through the GUI 11.6.5.2, 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.0.6
756153-2 3-Major BT756153 Add diskmonitor support for MySQL /var/lib/mysql 12.1.4.1, 13.1.3, 14.1.2.7
749785-1 3-Major BT749785 nsm can become unresponsive when processing recursive routes 12.1.5.3, 13.1.3, 14.1.2.5
746266-1 3-Major BT746266 A vCMP guest VLAN MAC mismatch across blades. 12.1.5, 13.1.3, 14.1.2.3
735565-1 3-Major BT735565 BGP neighbor peer-group config element not persisting 12.1.4.1, 13.1.3, 14.0.1.1
723553-1 3-Major BT723553 BIG-IP installations on RAID systems (old style) may not boot 13.1.3
720610 3-Major BT720610 Automatic Update Check logs false 'Update Server unavailable' message on every run 13.1.3, 14.1.2.7
716166-4 3-Major BT716166 Dynamic routing not added when conflicting self IPs exist 11.6.5.1, 12.1.4.1, 13.1.3
709544-2 3-Major BT709544 VCMP guests in HA configuration become Active/Active during upgrade 12.1.4.1, 13.1.3, 14.0.0
705037-2 3-Major K32332000, BT705037 System may exhibit duplicate if_index, which in some cases leads to nsm daemon restart 12.1.4, 13.1.3, 14.0.1.1, 14.1.2.3
702310-1 3-Major BT702310 The ':l' and ':h' options are not available on the tmm interface in tcpdump 13.1.3
693388-2 3-Major BT693388 Log additional HSB registers when device becomes unresponsive 12.1.4.1, 13.1.3
667618-1 3-Major BT667618 Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts 13.1.3
620954-5 3-Major BT620954 Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable 12.1.5.1, 13.1.3
721526-2 4-Minor BT721526 tcpdump fails to write verbose packet data to file 12.1.5.3, 13.1.3
691171-1 4-Minor BT691171 static and dynamically learned blackhole route from ZebOS cannot be deleted 13.1.3, 14.0.0


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
759968 1-Blocking BT759968 Distinct vCMP guests are able to cluster with each other. 12.1.5, 13.1.3, 14.1.2.1, 15.0.1.1
757441-2 2-Critical BT757441 Specific sequence of packets causes Fast Open to be effectively disabled 13.1.3, 14.0.1.1, 14.1.2.1
757391-3 2-Critical BT757391 Datagroup iRule command class can lead to memory corruption 12.1.5, 13.1.3, 14.1.2.5
756450-2 2-Critical BT756450 Traffic using route entry that's more specific than existing blackhole route can cause core 11.6.5.1, 12.1.5, 13.1.3, 14.1.2.3
755585-3 2-Critical BT755585 mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction 13.1.3, 14.1.2.1
746710-2 2-Critical BT746710 Use of HTTP::cookie after HTTP::disable causes TMM core 13.1.3, 14.1.2.1
742184-1 2-Critical BT742184 TMM memory leak 13.1.3, 14.1.0.2
740228-1 2-Critical BT740228 TMM crash while sending a DHCP Lease Query to a DHCP server 12.1.5.3, 13.1.3, 14.0.0.5
724214-3 2-Critical BT724214 TMM core when using Multipath TCP 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5
667779-1 2-Critical BT667779 iRule commands may cause the TMM to crash in very rare situations. 11.6.5.2, 12.1.5, 13.1.3
794493 3-Major BT794493 Creating Client SSL profile via tmsh or iControl REST and specifying 'cert' and 'key' incorrectly leaves inherit-certkeychain as true 13.1.3
790205-2 3-Major BT790205 Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.2.7, 15.0.1.1
760771-3 3-Major BT760771 FastL4-steered traffic might cause SSL resume handshake delay 13.1.3, 14.1.2.3
760550-3 3-Major BT760550 Retransmitted TCP packet has FIN bit set 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6
757442-1 3-Major BT757442 A missed SYN cookie check causes crash at the standby TMM in HA mirroring system 13.1.3, 14.1.4
754349 3-Major BT754349 FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4 13.1.3, 14.0.1.1
753594-3 3-Major BT753594 In-TMM monitors may have duplicate instances or stop monitoring 13.1.3, 14.1.3.1
753514-1 3-Major BT753514 Large configurations containing LTM Policies load slowly 13.1.3, 14.0.1.1, 14.1.2.3
749414-2 3-Major BT749414 Invalid monitor rule instance identifier error 11.6.5.2, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6
746922-4 3-Major BT746922 When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain. 12.1.4.1, 13.1.3, 14.0.1.1, 14.1.2.7
726001-1 3-Major BT726001 Rapid datagroup updates can cause type corruption 13.1.3
720219 3-Major K13109068, BT720219 HSL::log command can fail to pick new pool member if last picked member is 'checking' 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.2
719304-2 3-Major BT719304 Inconsistent node ICMP monitor operation for IPv6 nodes 13.1.3, 14.1.4
712919-1 3-Major K54802336, BT712919 Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server. 13.1.3, 14.0.1.1, 14.1.2.3
705112-2 3-Major BT705112 DHCP server flows are not re-established after expiration 11.5.9, 12.1.4.1, 13.1.3, 14.1.2.5, 15.1.0.2
675367-2 3-Major K95393925, BT675367 The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication 13.1.3
604811-2 3-Major BT604811 Under certain conditions TMM may crash while processing OneConnect traffic 11.6.3.2, 12.1.5.3, 13.1.3
273104-1 3-Major   Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps 12.1.4.1, 13.1.3


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
759721-4 3-Major K03332436, BT759721 DNS GUI does not follow best practices 13.1.3, 14.0.0.5, 14.1.0.6
754901-3 3-Major BT754901 Frequent zone update notifications may cause TMM to restart 13.1.3, 14.1.2.5
750213-2 3-Major K25351434, BT750213 DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records. 12.1.5, 13.1.3, 14.1.2.5
726412-2 4-Minor BT726412 Virtual server drop down missing objects on pool creation 12.1.4.1, 13.1.3


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
781637-4 3-Major BT781637 ASM brute force counts unnecessary failed logins for NTLM 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
781605-1 3-Major BT781605 Fix RFC issue with the multipart parser 11.6.5.3, 12.1.6, 13.1.3, 14.1.2.1, 15.0.1.1
781069-4 3-Major BT781069 Bot Defense challenge blocks requests with long Referer headers 13.1.3, 14.1.2.1, 15.0.1.1
773553-4 3-Major BT773553 ASM JSON parser false positive. 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
769981-3 3-Major BT769981 bd crashes in a specific scenario 13.1.3, 14.1.2.1, 15.0.1.1
764373-1 3-Major BT764373 'Modified domain cookie' violation with multiple enforced domain cookies with different paths 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
763001-2 3-Major K70312000, BT763001 Web-socket enforcement might lead to a false negative 13.1.3, 14.0.1.1, 14.1.0.6
761941-3 3-Major BT761941 ASM does not remove CSRT token query parameter before forwarding a request to the backend server 13.1.3, 14.0.1.1, 14.1.0.6
761231-4 3-Major K79240502, BT761231 Bot Defense Search Engines getting blocked after configuring DNS correctly 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
739900-1 3-Major BT739900 All Policies are created with 3 new Signature Sets After Creation of a Policy using Application Ready Templates 13.1.3
713051 3-Major BT713051 PB generates a suggestion to add a disallowed filetype with empty name. 13.1.3
686763-1 3-Major BT686763 asm_start is consuming too much memory 12.1.5.3, 13.1.3
686500-1 3-Major BT686500 Adding user defined signature on device with many policies is very slow 13.1.3, 14.0.0
675673-1 3-Major BT675673 Policy history files should be limited by settings in a configuration file. 13.1.3
768761-4 4-Minor BT768761 Improved accept action description for suggestions to disable signature/enable metacharacter in policy 13.1.3, 14.0.1.1, 14.1.0.6
761553-4 4-Minor BT761553 Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic 13.1.3, 14.0.1.1, 14.1.0.6
761549-4 4-Minor BT761549 Traffic Learning: Accept and Stage action is shown only in case entity is not in staging 13.1.3, 14.0.1.1, 14.1.0.6
750689-1 4-Minor BT750689 Request Log: Accept Request button available when not needed 13.1.3, 14.0.1.1, 14.1.0.6
749184-4 4-Minor BT749184 Added description of subviolation for the suggestions that enabled/disabled them 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.3
747560-3 4-Minor BT747560 ASM REST: Unable to download Whitehat vulnerabilities 12.1.5.1, 13.1.3, 14.1.0.6
695878-4 4-Minor BT695878 Signature enforcement issue on specific requests 11.5.6, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1
613728-2 4-Minor BT613728 Import/Activate Security policy with 'Replace policy associated with virtual server' option fails 12.1.4, 13.1.3
769061-4 5-Cosmetic BT769061 Improved details for learning suggestions to enable violation/sub-violation 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
753485-2 2-Critical K50285521, BT753485 AVR global settings are being overridden by high availability (HA) peers 13.1.3, 14.1.2, 15.0.1
771025-2 3-Major BT771025 AVR send domain names as an aggregate 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.3
688544-1 3-Major BT688544 SWG reports on BIG-IQ show same series as 'Allowed' and 'Blocked' at the same time 13.1.3


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
760130-1 2-Critical BT760130 [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK 13.1.3, 14.1.3.1
753370-1 2-Critical BT753370 RADIUS auth might not be working as configured when there is change in RADIUS auth config name. 13.1.3, 14.0.0.5, 14.1.0.6
745600-3 2-Critical BT745600 Tmm crash and core using iRule 13.1.3
741535-1 2-Critical BT741535 Memory leak when using SAML or Form-based Client-initiated SSO 13.1.3
723402-2 2-Critical BT723402 Apmd crashes running command: tmsh restart sys service all 13.1.3
686282-2 2-Critical BT686282 APMD intermittently crash when processing access policies 12.1.3.2, 13.1.3
783817-4 3-Major BT783817 UI becomes unresponsive when accessing Access active session information 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
775621-4 3-Major BT775621 urldb memory grows past the expected ~3.5GB 13.1.3, 14.1.2.1, 15.0.1.3
765621-1 3-Major BT765621 POST request being rejected when using OAuth Resource Server mode 13.1.3
760974-1 3-Major BT760974 TMM SIGABRT while evaluating access policy 13.1.3
759638-1 3-Major BT759638 APM current active and established session counts out of sync after failover 13.1.3
754542-4 3-Major BT754542 TMM may crash when using RADIUS Accounting agent 13.1.3, 14.1.0.6
750823-3 3-Major BT750823 Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD 13.1.3, 14.1.2.1
750631-1 3-Major BT750631 There may be a latency between session termination and deletion of its associated IP address mapping 13.1.3, 14.1.2.7
750170-1 3-Major BT750170 SP Connector config changes causes BIG-IP tmm core sometimes during handling of SAML SLO request 13.1.3
749161-1 3-Major   Problem sync policy contains non-ASCII characters 13.1.3, 14.1.2.1
747725-2 3-Major BT747725 Kerberos Auth agent may override settings that were manually made to krb5.conf 12.1.4.1, 13.1.3, 14.1.2.5
744532-2 3-Major BT744532 Websso fails to decrypt secured session variables 13.1.3
600985-3 3-Major BT600985 Network access tunnel data stalls 13.1.3, 14.1.2.7
770621-1 4-Minor BT770621 [Portal Access] HTTP 308 redirect does not get rewritten 13.1.3
737603-1 4-Minor BT737603 Apmd leaks memory when executing per-session policy via iRule 13.1.3, 14.0.1.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
759077-4 3-Major BT759077 MRF SIP filter queue sizes not configurable 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.4
748253-3 3-Major BT748253 Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection 13.1.3, 14.1.2.1
745628-3 3-Major BT745628 MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message 13.1.3, 14.0.1.1, 14.1.0.2
745514-3 3-Major BT745514 MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message 13.1.3, 14.0.1.1, 14.1.0.2
745404-2 3-Major BT745404 MRF SIP ALG does not reparse SDP payload if replaced 12.1.5.2, 13.1.3, 14.0.1.1, 14.1.0.2
701680-2 3-Major BT701680 MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds 12.1.4.1, 13.1.3
747909-3 4-Minor BT747909 GTPv2 MEI and Serving-Network fields decoded incorrectly 11.6.5.1, 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.0.6


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
763121-1 2-Critical BT763121 Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM. 13.1.3, 14.1.2.8
757359-3 2-Critical BT757359 pccd crashes when deleting a nested Address List 13.1.3, 14.1.0.6
752363 2-Critical BT752363 Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled 13.1.3, 14.1.0.2
777733-1 3-Major BT777733 DoS profile default values cause config load failure on upgrade 13.1.3
771173-1 3-Major BT771173 FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly. 13.1.3, 14.1.2.5, 15.0.1.3
757306-2 3-Major BT757306 SNMP MIBS for AFM NAT do not yet exist 13.1.3, 14.1.2, 15.0.1


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
726665-2 2-Critical BT726665 tmm core dump due to SEGFAULT 13.1.3, 14.0.1.1
760438-1 3-Major BT760438 PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions 13.1.3, 14.1.2.1
759192-1 3-Major BT759192 TMM core during display of PEM session under some specific conditions 13.1.3, 14.0.1.1, 14.1.2.1
756311-1 3-Major BT756311 High CPU during erroneous deletion 13.1.3, 14.0.1.1, 14.1.2.1
753163-2 3-Major BT753163 PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days 13.1.3, 14.1.2.1


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
775013-4 3-Major BT775013 TIME EXCEEDED alert has insufficient data for analysis 13.1.3, 14.1.2.1, 15.0.1.1


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
752803-2 2-Critical BT752803 CLASSIFICATION_DETECTED running reject can lead to a tmm core 13.1.3, 14.1.0.6



Cumulative fixes from BIG-IP v13.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
807477-9 CVE-2019-6650 K04280042, BT807477 ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
797885-4 CVE-2019-6649 K05123525, BT797885 ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
796469-2 CVE-2019-6649 K05123525, BT796469 ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
810557-9 CVE-2019-6649 K05123525, BT810557 ASM ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
799617-4 CVE-2019-6649 K05123525, BT799617 ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
799589-4 CVE-2019-6649 K05123525, BT799589 ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
794389-9 CVE-2019-6651 K89509323, BT794389 iControl REST endpoint response inconsistency 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
794413-9 CVE-2019-6471 K10092301, BT794413 BIND vulnerability CVE-2019-6471 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
744937-9 3-Major K00724442, BT744937 BIG-IP DNS and GTM DNSSEC security exposure 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
760622-2 3-Major BT760622 Allow Device Certificate renewal from BIG-IP Configuration Utility 15.1.0.5
760363-2 3-Major BT760363 Update Alias Address field with default placeholder text 13.1.3.2


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
807445 3-Major BT807445 Replaced ISC_TRUE and ISC_FALSE with true and false  



Cumulative fixes from BIG-IP v13.1.1.5 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
757025-3 CVE-2018-5744 K00040234, BT757025 BIND Update 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
756774-4 CVE-2019-6612 K24401914, BT756774 Aborted DNS queries to a cache may cause a TMM crash 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
754944-3 CVE-2019-6626 K00432398, BT754944 AVR reporting UI does not follow best practices 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
754345-3 CVE-2019-6625 K79902360, BT754345 WebUI does not follow best security practices 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
753975 CVE-2019-6666 K92411323, BT753975 TMM may crash while processing HTTP traffic with webacceleration profile 13.1.1.5, 14.0.0.5, 14.1.0.6, 15.0.1.1
753776-1 CVE-2019-6624 K07127032, BT753776 TMM may consume excessive resources when processing UDP traffic 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
749879-4 CVE-2019-6611 K47527163, BT749879 Possible interruption while processing VPN traffic 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
748502-3 CVE-2019-6623 K72335002, BT748502 TMM may crash when processing iSession traffic 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
737731-2 CVE-2019-6622 K44885536, BT737731 iControl REST input sanitization 12.1.5.1, 13.1.1.5, 14.0.1.1, 14.1.0.6
737574-2 CVE-2019-6621 K20541896, BT737574 iControl REST input sanitization 11.5.9, 11.6.4, 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6
737565-2 CVE-2019-6620 K20445457, BT737565 iControl REST input sanitization 11.6.5.1, 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6
726327-2 CVE-2018-12120 K37111863, BT726327 NodeJS debugger accepts connections from any host 13.1.1.5, 14.1.0.6
791369-4 CVE-2019-6662 K01049383 The REST framework may reflect client data in error logs 13.1.1.5
757027-3 CVE-2019-6465 K01713115, BT757027 BIND Update 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
757026-3 CVE-2018-5745 K25244852, BT757026 BIND Update 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
753796-2 CVE-2019-6640 K40443301 SNMP does not follow best security practices 11.5.9, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
750460-3 CVE-2019-6639 K61002104, BT750460 Subscriber management configuration GUI 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
750187-3 CVE-2019-6637 K29149494, BT750187 ASM REST may consume excessive resources 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
745713-1 CVE-2019-6619 K94563344, BT745713 TMM may crash when processing HTTP/2 traffic 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
745387-3 CVE-2019-6618 K07702240, BT745387 Resource-admin user roles can no longer get bash access 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
745371-2 CVE-2019-6636 K68151373, BT745371 AFM GUI does not follow best security practices 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
745257-3 CVE-2018-14634 K20934447, BT745257 Linux kernel vulnerability: CVE-2018-14634 11.6.4, 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6
745165-3 CVE-2019-6617 K38941195, BT745165 Users without Advanced Shell Access are not allowed SFTP access 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
742226-2 CVE-2019-6635 K11330536, BT742226 TMSH platform_check utility does not follow best security practices 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
710857-2 CVE-2019-6634 K64855220 iControl requests may cause excessive resource usage 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
703835-2 CVE-2019-6616 K82814400, BT703835 When using SCP into BIG-IP systems, you must specify the target filename 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
702472-3 CVE-2019-6615 K87659521, BT702472 Appliance Mode Security Hardening 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
702469-3 CVE-2019-6633 K73522927, BT702469 Appliance mode hardening in scp 11.6.5.1, 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6
698376-3 CVE-2019-6614 K46524395, BT698376 Non-admin users have limited bash commands and can only write to certain directories 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
673842-4 CVE-2019-6632 K01413496, BT673842 VCMP does not follow best security practices 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
752835-3 2-Critical K46971044, BT752835 Mitigate mcpd out of memory error with auto-sync enabled. 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
750586-1 2-Critical BT750586 HSL may incorrectly handle pending TCP connections with elongated handshake time. 12.1.5, 13.1.1.5, 14.1.0.6
707013 2-Critical BT707013 vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest 13.1.1.5, 14.0.1.1, 14.1.0.2
699515-1 2-Critical   nsm cores during update of nexthop for ECMP recursive route 13.1.1.5, 14.1.2.5
621260-4 2-Critical BT621260 mcpd core on iControl REST reference to non-existing pool 11.6.5.1, 12.1.5.1, 13.1.1.5, 14.0.1.1, 14.1.0.2
760222-5 3-Major BT760222 SCP fails unexpectedly when FIPS mode is enabled 13.1.1.5, 14.0.0.5, 14.1.0.3
757414 3-Major BT757414 GUI Network Map slow page load with large configuration 13.1.1.5
756088-1 3-Major BT756088 The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address 13.1.1.5
754567 3-Major BT754567 Child clientSSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file 13.1.1.5
751011-1 3-Major BT751011 ihealth.sh script and qkview locking mechanism not working 13.1.1.5, 14.1.0.2
750447-1 3-Major BT750447 GUI VLAN list page loading slowly with 50 records per screen 13.1.1.5, 14.1.0.2
750318-1 3-Major BT750318 HTTPS monitor does not appear to be using cert from server-ssl profile 13.1.1.5, 14.1.2.3
748187-2 3-Major BT748187 'Transaction Not Found' Error on PATCH after Transaction has been Created 12.1.4, 13.1.1.5, 14.0.1.1, 14.1.0.6
740345-1 3-Major BT740345 TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled. 13.1.1.5, 14.0.0.5, 14.1.0.6
725791-4 3-Major K44895409, BT725791 Potential HW/HSB issue detected 11.6.5.2, 12.1.5.2, 13.1.1.5, 14.1.0.6
723794-3 3-Major BT723794 PTI (Meltdown) mitigation should be disabled on AMD-based platforms 11.6.5.1, 12.1.4.1, 13.1.1.5
722380-2 3-Major BT722380 The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core. 12.1.5.2, 13.1.1.5
721805 3-Major BT721805 Traffic Policy edit to datagroup errors on adding ASM disable action 13.1.1.5
720819-2 3-Major BT720819 Certain platforms may take longer than expected to detect and recover from HSB lock-ups 12.1.4.1, 13.1.1.5
720269-2 3-Major BT720269 TACACS audit logging may append garbage characters to the end of log strings 12.1.4.1, 13.1.1.5, 14.0.1.1
714626-2 3-Major BT714626 When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect. 13.1.1.5, 14.0.0
701898-1 3-Major BT701898 Certain virtual address route-advertisement settings break upgrades from 13.0.0 hotfix rollups 13.1.1.5, 14.0.0
698619-2 3-Major BT698619 Disable port bridging on HSB ports for non-vCMP systems 12.1.4, 13.1.1.5
681009-1 3-Major BT681009 Large configurations can cause memory exhaustion during live-install 13.1.1.5
581921-3 3-Major K22327083, BT581921 Required files under /etc/ssh are not moved during a UCS restore 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.1.1, 14.1.0.6
697766-1 4-Minor BT697766 Cisco IOS XR ISIS routers may report 'Authentication TLV not found' 13.1.1.5
687368-1 4-Minor BT687368 The Configuration utility may calculate and display an incorrect HA Group Score 13.1.1.5
686111-1 4-Minor K89363245, BT686111 Searching and Resetting Audit Logs not working as expected 13.1.1.5


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
753912 2-Critical K44385170, BT753912 UDP flows may not be swept 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
752930-1 2-Critical BT752930 Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6
745533-4 2-Critical   NodeJS Vulnerability: CVE-2016-5325 13.1.1.5, 14.0.0.5, 14.1.0.6
680564-1 2-Critical BT680564 "MCP Message:" seen on boot up with Best License 13.1.1.5
756270-2 3-Major BT756270 SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle 11.5.9, 11.6.4, 12.1.5, 13.1.1.5, 14.1.0.6
750843-1 3-Major BT750843 HTTP data re-ordering when receiving data while iRule parked 13.1.1.5, 14.0.0.5
750200-1 3-Major BT750200 DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode 13.1.1.5, 14.0.1.1, 14.1.0.2
749689-1 3-Major BT749689 HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart 13.1.1.5, 14.1.2.3
747968-2 3-Major BT747968 DNS64 stats not increasing when requests go through DNS cache resolver 11.6.5.3, 12.1.4.1, 13.1.1.5, 14.1.0.6
747617-1 3-Major BT747617 TMM core when processing invalid timer 12.1.5.2, 13.1.1.5, 14.0.1.1, 14.1.0.2
742078-2 3-Major BT742078 Incoming SYNs are dropped and the connection does not time out. 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
738523-2 3-Major BT738523 SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages 12.1.4.1, 13.1.1.5, 14.0.1.1
727292-1 3-Major BT727292 SSL in proxy shutdown case does not deliver server TCP FIN 12.1.5, 13.1.1.5
712664-2 3-Major BT712664 IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address 12.1.3.7, 13.1.1.5, 14.0.0.3
710564 3-Major BT710564 DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0 12.1.4.1, 13.1.1.5
709952-1 3-Major BT709952 Disallow DHCP relay traffic to traverse between route domains 13.1.1.5
699979-2 3-Major BT699979 Support for Safenet Client Software v7.x 13.1.1.5
698437-1 3-Major BT698437 Internal capacity increase 13.1.1.5
688553-3 3-Major BT688553 SASP GWM monitor may not mark member UP as expected 12.1.3.6, 13.1.1.5, 14.0.0.5
599567-3 3-Major BT599567 APM assumes SNAT automap, does not use SNAT pool 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.2.5
746077-1 4-Minor BT746077 If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified 12.1.5.3, 13.1.1.5, 14.1.2.5
664618-1 4-Minor BT664618 Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block' 12.1.4.1, 13.1.1.5, 14.0.0.5
658382-2 5-Cosmetic BT658382 Large numbers of ERR_UNKNOWN appearing in the logs 12.1.4.1, 13.1.1.5


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
735832-1 2-Critical BT735832 RAM Cache traffic fails on B2150 12.1.5, 13.1.1.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
756094-3 2-Critical BT756094 DNS express in restart loop, 'Error writing scratch database' in ltm log 12.1.4.1, 13.1.1.5, 14.1.0.2
749508-3 3-Major BT749508 LDNS and DNSSEC: Various OOM conditions need to be handled properly 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
749222-3 3-Major BT749222 dname compression offset overflow causes bad compression pointer 13.1.1.5, 14.0.0.5, 14.1.0.6
748902-7 3-Major BT748902 Incorrect handling of memory allocations while processing DNSSEC queries 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
746877-3 3-Major BT746877 Omitted check for success of memory allocation for DNSSEC resource record 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
737332-3 3-Major BT737332 It is possible for DNSX to serve partial zone information for a short period of time 12.1.4, 13.1.1.5
748177-3 4-Minor BT748177 Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character 12.1.4.1, 13.1.1.5, 14.1.0.6


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
759360 2-Critical BT759360 Apply Policy fails due to policy corruption from previously enforced signature 13.1.1.5, 14.1.0.6
758961 2-Critical K58243048 During brute force attack, the attempted passwords may be logged 13.1.1.5
723790-1 2-Critical BT723790 Idle asm_config_server handlers consume a lot of memory 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6
760878-2 3-Major BT760878 Incorrect enforcement of explicit global parameters 12.1.5, 13.1.1.5, 14.1.0.6
755005-3 3-Major BT755005 Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations 12.1.5.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
754365-3 3-Major BT754365 Updated flags for countries that changed their flags since 2010 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
751710-2 3-Major BT751710 False positive cookie hijacking violation 13.1.1.5, 14.0.0.5, 14.1.2.1
749109-1 3-Major BT749109 CSRF situation on BIGIP-ASM GUI 13.1.1.5, 14.0.0.5, 14.1.0.2
746146-2 3-Major BT746146 AVRD can crash with core when disconnecting/reconnecting on HTTPS connection 13.1.1.5
739945-2 3-Major BT739945 JavaScript challenge on POST with 307 breaks application 12.1.4, 13.1.1.5, 14.0.1.1, 14.1.0.2
738647-2 3-Major BT738647 Add the login detection criteria of 'status code is not X' 12.1.4, 13.1.1.5, 14.0.0.5
721399-2 3-Major BT721399 Signature Set cannot be modified to Accuracy = 'All' after another value 12.1.5, 13.1.1.5
717525-1 3-Major BT717525 Behavior for classification in manual learning mode 13.1.1.5, 14.0.0.5
691945-1 3-Major BT691945 Security Policy Configuration Changes When Disabling Learning 12.1.4.1, 13.1.1.5
761921-3 4-Minor BT761921 avrd high CPU utilization due to perpetual connection attempts 13.1.1.5, 14.0.0.5, 14.1.0.6
758336-1 4-Minor BT758336 Incorrect recommendation in Online Help of Proactive Bot Defense 12.1.5, 13.1.1.5, 14.1.4, 15.1.2.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
763349-1 2-Critical BT763349 AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out 13.1.1.5, 14.0.0.5, 14.1.0.6
756205-3 2-Critical BT756205 TMSTAT offbox statistics are not continuous 13.1.1.5, 14.0.0.5, 14.1.0.6
764665-1 3-Major BT764665 AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change 13.1.1.5, 14.0.0.5, 14.1.0.6
763005-2 3-Major BT763005 Aggregated Domain Names in DNS statistics are shown as random domain name 13.1.1.5, 14.0.0.5, 14.1.0.6
760356-4 3-Major BT760356 Users with Application Security Administrator role cannot delete Scheduled Reports 13.1.1.5, 14.0.0.5, 14.1.0.6, 15.0.1.1
753446-1 3-Major BT753446 avrd process crash during shutdown if connected to BIG-IQ 13.1.1.5, 14.0.0.5, 14.1.0.2
738614-2 3-Major BT738614 'Internal error' appears on Goodput GUI page 13.1.1.5, 14.0.0.5
738197-2 3-Major BT738197 IP address from XFF header is not taken into account when there are trailing spaces after IP address 13.1.1.5
737863-1 3-Major BT737863 Advanced Filters for Captured Transactions not working on Multi-Blade Platforms 13.1.1.5, 14.0.0.5
718655 3-Major BT718655 DNS profile measurement unit name is incorrect. 13.1.1.5
700322-2 3-Major BT700322 Upgrade may fail on a multi blade system when there are scheduled reports in configuration 13.1.1.5
754330-1 4-Minor BT754330 Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected 13.1.1.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
752592-2 2-Critical BT752592 VMware Horizon PCoIP clients may fail to connect shortly after logout 13.1.1.5, 14.1.0.2
704587-2 2-Critical BT704587 Authentication with UTF-8 chars in password or handling of IP addresses fail due to byte-array processing in iRules 13.1.1.5, 14.0.0.5
660826-3 2-Critical BT660826 BIG-IQ Deployment fails with customization-templates 13.1.1.5, 14.0.0
758764-4 3-Major BT758764 APMD Core when CRLDP Auth fails to download revoked certificate 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
757992-1 3-Major BT757992 RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup 13.1.1.5, 14.0.0.5, 14.1.0.6
757781-1 3-Major BT757781 Portal Access: cookie exchange may be broken sometimes 13.1.1.5, 14.0.0.5, 14.1.4.2, 15.0.1.1
755507-3 3-Major BT755507 [App Tunnel] 'URI sanitization' error 12.1.5, 13.1.1.5, 14.0.0.5
755475-3 3-Major BT755475 Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync 13.1.1.5, 14.0.0.5, 14.1.0.6
749057-3 3-Major BT749057 VMware Horizon idle timeout is ignored when connecting via APM 13.1.1.5, 14.0.0.5, 14.1.0.6
738430-1 3-Major BT738430 APM is not able to do compliance check on iOS devices running F5 Access VPN client 13.1.1.5, 14.0.0.5, 14.1.0.6
734291-2 3-Major BT734291 Logon page modification fails to sync to standby 13.1.1.5, 14.1.0.6
696835-1 3-Major BT696835 Secondary Authentication or SSO fail after changing AD or LDAP password 13.1.1.5
695985-2 3-Major BT695985 Access HUD filter has URL length limit (4096 bytes) 13.1.1.5, 14.0.0.5, 14.1.0.6
656784-1 3-Major K98510679, BT656784 Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM 12.1.4.1, 13.1.1.5, 14.0.0


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
704555-2 2-Critical BT704555 Core occurs if DIAMETER::persist reset is called if no persistence key is set. 13.1.1.5, 14.0.0.5
752822-3 3-Major BT752822 SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type 13.1.1.5, 14.0.1.1, 14.1.0.6
751179-3 3-Major BT751179 MRF: Race condition may create too many outgoing connections to a peer 11.6.5.2, 13.1.1.5, 14.1.0.6
749603-3 3-Major BT749603 MRF SIP ALG: Potential to end wrong call when BYE received 13.1.1.5, 14.0.1.1, 14.1.0.2
748043-3 3-Major BT748043 MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP 13.1.1.5, 14.0.1.1, 14.1.0.2
747187-3 3-Major BT747187 SIP falsely detects media flow collision when SDP is in both 183 and 200 response 12.1.5.2, 13.1.1.5, 14.0.1.1, 14.1.0.2
744949-3 3-Major BT744949 MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix 13.1.1.5, 14.0.1.1, 14.1.0.2


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
751869 2-Critical BT751869 Possible tmm crash when using manual mode mitigation in DoS Profile 13.1.1.5, 14.1.0.5
757279 3-Major BT757279 LDAP authenticated Firewall Manager role cannot edit firewall policies 13.1.1.5, 14.1.2.8, 15.1.0.5
753893-1 3-Major BT753893 Inconsistent validation for firewall address-list's nested address-list causes load failure 13.1.1.5
748081-2 3-Major BT748081 Memory leak in Behavioral DoS module 13.1.1.5, 14.1.0.2
710262-1 3-Major BT710262 Firewall is not updated when adding new rules 13.1.1.5


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
739272-1 3-Major BT739272 Incorrect zombie counts in PBA stats with long PBA block-lifetimes 13.1.1.5


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
752782-3 3-Major BT752782 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe' 13.1.1.5, 14.0.0.5, 14.1.0.2


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
760961 2-Critical BT760961 TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts 13.1.1.5, 14.1.4.4
757088-3 2-Critical BT757088 TMM clock advances and cluster failover happens during webroot db nightly updates 12.1.5, 13.1.1.5, 14.1.0.5
752047-2 2-Critical BT752047 iRule running reject in CLASSIFICATION_DETECTED event can cause core 13.1.1.5, 14.1.0.6
761273-1 3-Major BT761273 wr_urldbd creates sparse log files by writing from the previous position after logrotate. 13.1.1.5, 14.1.2.8


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
761300 3-Major K61105950, BT761300 Errors in REST token requests may log sensitive data 13.1.1.5


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
717654-2 2-Critical BT717654 TMM may crash when flooded to the Virtual Servers with SSL Forward Proxy 13.1.1.5, 14.0.0



Cumulative fixes from BIG-IP v13.1.1.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
744035-4 CVE-2018-15332 K12130880, BT744035 APM Client Vulnerability: CVE-2018-15332 11.6.5.1, 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2
739970-2 CVE-2018-5390 K95343321, BT739970 Linux kernel vulnerability: CVE-2018-5390 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.4, 14.0.1.1
738119-2 CVE-2019-6589 K23566124, BT738119 SIP routing UI does not follow best practices 11.6.3.3, 12.1.4, 13.1.1.4, 14.0.0.3
745358-3 CVE-2019-6607 K14812883, BT745358 ASM GUI does not follow best practices 11.5.9, 11.6.4, 12.1.4, 13.1.1.4, 14.0.0.3
737910-2 CVE-2019-6609 K18535734, BT737910 Security hardening on the following platforms 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2
737442-2 CVE-2019-6591 K32840424, BT737442 Error in APM Hosted Content when set to public access 12.1.4, 13.1.1.4, 14.0.0.5
658557-3 CVE-2019-6606 K35209601, BT658557 The snmpd daemon may leak memory when processing requests. 11.6.4, 12.1.4, 13.1.1.4, 14.0.0.3
530775-3 CVE-2019-6600 K23734425 Login page may generate unexpected HTML output 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.4, 14.0.0.3
701785-2 CVE-2017-18017 K18352029, BT701785 Linux kernel vulnerability: CVE-2017-18017 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.4, 14.0.0.3


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
744685-1 2-Critical BT744685 BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension 13.1.1.4, 14.0.1.1, 14.1.0.2
744188 2-Critical BT744188 First successful auth iControl REST requests will now be logged in audit and secure log files 13.1.1.4, 14.0.1.1, 14.1.0.2
748851-1 3-Major BT748851 Bot Detection injection include tags which may cause faulty display of application 13.1.1.4
725878-2 3-Major BT725878 AVR does not collect all of APM TMStats 13.1.1.4, 14.0.1.1
700827-4 3-Major BT700827 B2250 blades may lose efficiency when source ports form an arithmetic sequence. 12.1.4, 13.1.1.4, 14.0.0.5
667257-4 3-Major BT667257 CPU Usage Reaches 100% With High FastL4 Traffic 11.6.4, 12.1.4.1, 13.1.1.4


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
682837-2 1-Blocking BT682837 Compression watchdog period too brief. 12.1.3.1, 13.1.1.4
744331 2-Critical   OpenSSH hardening 12.1.5, 13.1.1.4, 14.0.0.5
743790-3 2-Critical BT743790 BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus 12.1.5, 13.1.1.4
741423-2 2-Critical BT741423 Secondary blade goes offline when provisioning ASM/FPS on already established config-sync 12.1.4, 13.1.1.4, 14.0.0.5
738887-3 2-Critical   BIG-IP SNMPD vulnerability CVE-2019-6608 11.6.4, 12.1.4, 13.1.1.4, 14.0.0.3
726487-2 2-Critical BT726487 MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change. 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.6
723298-2 2-Critical BT723298 BIND upgrade to version 9.11.4 12.1.4, 13.1.1.4, 14.0.0.3
713380 2-Critical K23331143, BT713380 Multiple B4450 blades in the same chassis run into inconsistent DAG state 13.1.1.4
712738-1 2-Critical BT712738 fpdd may core dump when the system is going down 13.1.1.4
710277-1 2-Critical BT710277 IKEv2 further child_sa validity checks 12.1.5, 13.1.1.4, 14.0.0.5
697424-1 2-Critical BT697424 iControl-REST crashes on /example for firewall address-lists 12.1.4, 13.1.1.4
688148-3 2-Critical BT688148 IKEv1 racoon daemon SEGV during phase-two SA list iteration 12.1.3.7, 13.1.1.4
680556-1 2-Critical BT680556 Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted 13.1.1.4
677937-3 2-Critical K41517253, BT677937 APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets 12.1.3.4, 13.1.1.4
668041-2 2-Critical K27535157, BT668041 Config load fails when an iRule comment ends with backslash in a config where there is also a policy. 13.1.1.4, 14.0.0.5, 14.1.0.2
751009-1 3-Major BT751009 Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out 13.1.1.4, 14.0.1.1, 14.1.0.2
748206 3-Major BT748206 Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position 13.1.1.4, 14.1.0.6
745809 3-Major BT745809 The /var partition may become 100% full, requiring manual intervention to clear space 13.1.1.4, 14.0.0.5, 14.1.0.6
743803-2 3-Major BT743803 IKEv2 potential double free of object when async request queueing fails 12.1.5, 13.1.1.4, 14.0.0.3, 14.1.0.6
737536-1 3-Major BT737536 Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others. 13.1.1.4, 14.0.0.5, 14.1.0.2
737437-2 3-Major BT737437 IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages 12.1.5, 13.1.1.4, 14.0.1.1
737397-3 3-Major BT737397 User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP 13.1.1.4, 14.0.0.5
724143-1 3-Major BT724143 IKEv2 connflow expiration upon ike-peer change 13.1.1.4, 14.0.0.5
723579-4 3-Major BT723579 OSPF routes missing 13.1.1.4
722691 3-Major BT722691 Available datagroup list does not contain datagroups with the correct type. 13.1.1.4
721016 3-Major BT721016 vcmpd fails updating VLAN information on vcmp guest 13.1.1.4
720110-2 3-Major BT720110 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session. 12.1.4.1, 13.1.1.4
718817-2 3-Major BT718817 Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail. 13.1.1.4, 14.0.0.3
718405-1 3-Major BT718405 RSA signature PAYLOAD_AUTH mismatch with certificates 13.1.1.4, 14.1.0.6
718397-1 3-Major BT718397 IKEv2: racoon2 appends spurious trailing null byte to ID payloads 13.1.1.4, 14.0.0.5
710666-1 3-Major BT710666 VE with interface(s) marked down may report high cpu usage 13.1.1.4
706104-3 3-Major BT706104 Dynamically advertised route may flap 12.1.4, 13.1.1.4
705442-1 3-Major BT705442 GUI Network Map objects search on Virtual Server IP Address and Port does not work 13.1.1.4
698947-2 3-Major BT698947 BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled. 12.1.3.6, 13.1.1.4
693884-1 3-Major BT693884 ospfd core on secondary blade during network instability 12.1.4, 13.1.1.4
693106-1 3-Major BT693106 IKEv1 newest established phase-one SAs should be found first in a search 12.1.3.6, 13.1.1.4
686926-2 3-Major BT686926 IPsec: responder N(cookie) in SA_INIT response handled incorrectly 12.1.3.6, 13.1.1.4
686124-1 3-Major K83576240, BT686124 IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs 12.1.3.7, 13.1.1.4
680838-2 3-Major BT680838 IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator 12.1.3.6, 13.1.1.4
678925-1 3-Major BT678925 Using a multicast VXLAN tunnel without a proper route may cause a TMM crash. 12.1.3.6, 13.1.1.4
678380-2 3-Major K26023811, BT678380 Deleting an IKEv1 peer in current use could SEGV on race conditions. 12.1.3.7, 13.1.1.4
676897-3 3-Major K25082113, BT676897 IPsec keeps failing to reconnect 12.1.3.6, 13.1.1.4
676092-3 3-Major BT676092 IPsec keeps failing to reconnect 12.1.3.6, 13.1.1.4
674145-1 3-Major BT674145 chmand error log message missing data 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.4
670197-1 3-Major BT670197 IPsec: ASSERT 'BIG-IP_conn tag' failed 13.1.1.4
652502-2 3-Major BT652502 SNMP queries return 'No Such Object available' error for LTM OIDs 13.1.1.4, 14.1.3.1
639619-5 3-Major BT639619 UCS may fail to load due to Master key decryption failure on EEPROM-less systems 11.6.4, 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
598085-1 3-Major BT598085 Expected telemetry is not transmitted by sFlow on the standby-mode unit. 12.1.4, 13.1.1.4
491560-2 3-Major BT491560 Using proxy for IP intelligence updates 12.1.4, 13.1.1.4
738985-2 4-Minor   BIND vulnerability: CVE-2018-5740 13.1.1.4, 14.0.0.3
689491 4-Minor BT689491 cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled 13.1.1.4
689211-3 4-Minor BT689211 IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 } 12.1.3.7, 13.1.1.4
680856-2 4-Minor BT680856 IPsec config via REST scripts may require post-definition touch of both policy and traffic selector 12.1.3.6, 13.1.1.4
713491-2 5-Cosmetic BT713491 IKEv1 logging shows spi of deleted SA with opposite endianness 12.1.3.6, 13.1.1.4, 14.0.0.3


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
744269-2 2-Critical BT744269 dynconfd restarts if FQDN template node deleted while IP address change in progress 12.1.4.1, 13.1.1.4, 14.0.0.5
744117-5 2-Critical K18263026, BT744117 The HTTP URI is not always parsed correctly 12.1.4, 13.1.1.4, 14.0.0.5
743857 2-Critical K21942600, BT743857 Clientssl accepts non-SSL traffic when cipher-group is configured 13.1.1.4
742627-2 2-Critical BT742627 SSL session mirroring may cause memory leakage if HA channel is down 13.1.1.4, 14.0.0.5
741919 2-Critical BT741919 HTTP response may be dropped following a 100 continue message. 12.1.4.1, 13.1.1.4, 14.0.0.5
740963-2 2-Critical BT740963 VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart 12.1.5, 13.1.1.4, 14.0.0.5
740490-1 2-Critical BT740490 Configuration changes involving HTTP2 or SPDY may leak memory 12.1.4, 13.1.1.4, 14.0.0.5
739003-1 2-Critical BT739003 TMM may crash when FastL4 is used on ePVA-capable BIG-IP platforms 13.1.1.4
738945-2 2-Critical BT738945 SSL persistence does not work when there are multiple handshakes present in a single record 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
738046-2 2-Critical BT738046 SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby 12.1.5, 13.1.1.4
737758-2 2-Critical BT737758 MPTCP Passthrough and VIP-on-VIP can lead to TMM core 12.1.4, 13.1.1.4, 14.0.0.3
734276-2 2-Critical BT734276 TMM may leak memory when SSL certificates with VDI or EAM in use 13.1.1.4
727206 2-Critical BT727206 Memory corruption when using SSL Forward Proxy on certain platforms 12.1.4.1, 13.1.1.4, 14.0.0.5
720136-1 2-Critical BT720136 Upgrade may fail on mcpd when external netHSM is used 13.1.1.4
718210-2 2-Critical BT718210 Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused 12.1.4.1, 13.1.1.4, 14.0.0.5
716714-1 2-Critical BT716714 OCSP should be configured to avoid TMM crash. 13.1.1.4, 14.0.1.1, 14.1.0.2
702792-1 2-Critical K82327396, BT702792 Upgrade creates Server SSL profiles with invalid cipher strings 13.1.1.4, 14.0.0
685254-2 2-Critical K14013100, BT685254 RAM Cache Exceeding Watchdog Timeout in Header Field Search 12.1.3.4, 13.1.1.4
513310-5 2-Critical BT513310 TMM might core when a profile is changed. 11.5.9, 11.6.4, 12.1.3.7, 13.1.1.4, 14.0.0.5
849861 3-Major BT849861 TMM may crash with FastL4 and HTTP profile using fallback host and iRule command 13.1.1.4
752078 3-Major BT752078 Header Field Value String Corruption 13.1.1.4, 14.1.0.6
739963-2 3-Major BT739963 TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.2
739379-2 3-Major BT739379 Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error 13.1.1.4, 14.0.0.5
739349-1 3-Major BT739349 LRO segments might be erroneously VLAN-tagged. 13.1.1.4, 14.0.1.1, 14.1.0.2
738521-1 3-Major BT738521 i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag. 12.1.4, 13.1.1.4, 14.0.0.5
726319-2 3-Major BT726319 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses 13.1.1.4, 14.0.0.3
724564-1 3-Major BT724564 A FastL4 connection can fail with loose-init and hash persistence enabled 13.1.1.4
724327-1 3-Major BT724327 Changes to a cipher rule do not immediately have an effect 13.1.1.4, 14.1.0.2
721621-1 3-Major BT721621 Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node 12.1.4.1, 13.1.1.4, 14.0.0.3
720799-2 3-Major BT720799 Virtual Server/VIP flaps with FQDN pool members when all IP addresses change 12.1.4.1, 13.1.1.4, 14.0.0.3
717896-2 3-Major BT717896 Monitor instances deleted in peer unit after sync 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
717100-3 3-Major BT717100 FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
716716-2 3-Major BT716716 Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core 12.1.4.1, 13.1.1.4, 14.0.0.3
714559-2 3-Major BT714559 Removal of HTTP hash persistence cookie when a pool member goes down. 12.1.4, 13.1.1.4
713690-3 3-Major BT713690 IPv6 cache route metrics are locked 12.1.3.7, 13.1.1.4, 14.0.0.5
711981-5 3-Major BT711981 BIG-IP system accepts larger-than-egress MTU, PMTU update 11.6.5.3, 12.1.3.7, 13.1.1.4, 14.0.0.5
710028-2 3-Major BT710028 LTM SQL monitors may stop monitoring if multiple monitors querying same database 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.4, 14.0.0.5
708068-2 3-Major BT708068 Tcl commands like "HTTP::path -normalize" do not return normalized path. 12.1.4, 13.1.1.4, 14.0.0.5
707691-4 3-Major BT707691 BIG-IP handles some pathmtu messages incorrectly 13.1.1.4, 14.0.0.5
706102-2 3-Major BT706102 SMTP monitor does not handle all multi-line banner use cases 12.1.4, 13.1.1.4, 14.0.0.5
701678-2 3-Major BT701678 Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded 12.1.4, 13.1.1.4, 14.0.0
685519-1 3-Major BT685519 Mirrored connections ignore the handshake timeout 11.6.4, 12.1.4.1, 13.1.1.4
683697-1 3-Major K00647240, BT683697 SASP monitor may use the same UID for multiple HA device group members 12.1.3.4, 13.1.1.4
674591-3 3-Major K37975308, BT674591 Packets with payload smaller than MSS are being marked to be TSOed 11.6.5.2, 12.1.4, 13.1.1.4
504522-1 3-Major BT504522 Trailing space present after 'tmsh ltm pool members monitor' attribute value 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.6
719247-2 4-Minor K10845686, BT719247 HTTP::path and HTTP::query iRule functions cannot be set to a blank string 13.1.1.4, 14.0.0.5
618884-6 4-Minor BT618884 Behavior when using VLAN-Group and STP 12.1.4, 13.1.1.4


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
739846-3 2-Critical BT739846 Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.4, 14.0.0.3
749774-3 3-Major BT749774 EDNS0 client subnet behavior inconsistent when DNS Caching is enabled 11.5.8, 11.6.3.4, 12.1.4, 13.1.1.4, 14.0.0.4, 14.1.0.1
749675-3 3-Major BT749675 DNS cache resolver may return a malformed truncated response with multiple OPT records 11.5.8, 11.6.3.4, 12.1.4, 13.1.1.4, 14.0.0.4, 14.1.0.1
744707-4 3-Major BT744707 Crash related to DNSSEC key rollover 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.6
726255-2 3-Major BT726255 dns_path lingering in memory with last_access 0 causing high memory usage 11.5.9, 11.6.5.1, 12.1.3.7, 13.1.1.4, 14.0.0.3
723288-2 3-Major BT723288 DNS cache replication between TMMs does not always work for net dns-resolver 11.6.5.3, 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.6
710246-2 3-Major BT710246 DNS-Express was not sending out NOTIFY messages on VE 12.1.3.7, 13.1.1.4, 14.0.0.3
702457-2 3-Major BT702457 DNS Cache connections remain open indefinitely 12.1.5.3, 13.1.1.4, 14.0.0.5
717113-2 4-Minor BT717113 It is possible to add the same GSLB Pool monitor multiple times 13.1.1.4


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
750922-3 2-Critical BT750922 BD crash when content profile used for login page has no parse parameters set 13.1.1.4, 14.0.0.5, 14.1.0.2
726537-1 2-Critical BT726537 Rare TMM crash when Single Page Application is enabled on DoSL7 13.1.1.4, 14.0.0
576123-4 2-Critical K23221623, BT576123 ASM policies are created as inactive policies on the peer device 11.5.9, 11.6.3.2, 12.1.3.2, 13.1.1.4
750356-3 3-Major BT750356 Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted 13.1.1.4, 14.0.0.5, 14.1.0.2
747777-1 3-Major BT747777 Extractions are learned in manual learning mode 13.1.1.4, 14.0.0.5, 14.1.0.2
747550-1 3-Major BT747550 Error 'This Logout URL already exists!' when updating logout page via GUI 13.1.1.4, 14.0.0.5, 14.1.0.2
745802-3 3-Major BT745802 Brute Force CAPTCHA response page truncates last digit in the support id 13.1.1.4, 14.0.0.5, 14.1.2.1
744347-2 3-Major BT744347 Protocol Security logging profiles cause slow ASM upgrade and apply policy 12.1.4, 13.1.1.4, 14.0.0.5, 14.1.0.2
743961-3 3-Major BT743961 Signature Overrides for Content Profiles do not work after signature update 13.1.1.4, 14.0.0.5
738864-1 3-Major BT738864 javascript functions in href are learned from response as new URLs 13.1.1.4, 14.0.0.5
738211-3 3-Major BT738211 pabnagd core when centralized learning is turned on 13.1.1.4, 14.0.0.5
734228-1 3-Major BT734228 False-positive illegal-length violation can appear 13.1.1.4, 14.0.1.1, 14.1.2.3
726377-1 3-Major BT726377 False-positive cookie hijacking violation 13.1.1.4
721752-2 3-Major BT721752 Null char returned in REST for Suggestion with more than MAX_INT occurrences 12.1.3.7, 13.1.1.4, 14.0.0.5
705925-1 3-Major BT705925 Websocket Message Type not displayed in Request Log 13.1.1.4, 14.0.0
701792-2 3-Major BT701792 JS Injection into cached HTML response causes TCP RST on the fictive URLs 13.1.1.4
696333-1 3-Major BT696333 Threat campaign filter does not return campaign if filter contains quotation marks 13.1.1.4
690215-2 3-Major BT690215 Missing requests in request log 12.1.4.1, 13.1.1.4
676416-4 3-Major BT676416 BD restart when switching FTP profiles 11.6.3.2, 12.1.3.2, 13.1.1.4
676223-4 3-Major BT676223 Internal parameter in order not to sign allowed cookies 12.1.3.7, 13.1.1.4
663535-2 3-Major BT663535 Sending ASM cookies with "secure" attribute even without client-ssl profile 12.1.3.2, 13.1.1.4
605649-2 3-Major K28782793, BT605649 The cbrd daemon runs at 100% CPU utilization 12.1.5, 13.1.1.4
748999-1 4-Minor BT748999 invalid inactivity timeout suggestion for cookies 13.1.1.4, 14.0.0.5, 14.1.0.2
747905-1 4-Minor BT747905 'Illegal Query String Length' violation displays wrong length 13.1.1.4, 14.0.1.1
745531-1 4-Minor BT745531 Puffin Browser gets blocked by Bot Defense 13.1.1.4, 14.1.0.2
739345 4-Minor BT739345 Reporting invalid signature id after specific signature upgrade 13.1.1.4
685743-5 4-Minor BT685743 When changing internal parameter 'request_buffer_size' in large request violations might not be reported 12.1.3.2, 13.1.1.4
665470-3 4-Minor BT665470 Failed to load sample requests on the Traffic Learning page when VIOL_MALICIOUS_IP violation is raised 12.1.3.6, 13.1.1.4


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
746941 2-Critical BT746941 Memory leak in avrd when BIG-IQ fails to receive stats information 13.1.1.4, 14.0.0.5, 14.1.0.2
739446-2 2-Critical BT739446 Resetting SSL-socket correctly for AVR connection 13.1.1.4
737813-1 2-Critical BT737813 BIG-IP is unable to send statistics to BIG-IQ DCD node using IPv6 address 13.1.1.4, 14.0.0.5
749464 3-Major BT749464 Race condition while BIG-IQ updates common file 13.1.1.4, 14.0.0.5, 14.1.0.2
749461 3-Major BT749461 Race condition while modifying analytics global-settings 13.1.1.4, 14.0.0.5, 14.1.0.2
746823 3-Major BT746823 AVRD crash when configured to send data externally, and there are large number of virtuals/pool-members 13.1.1.4, 14.0.0.5
745027 3-Major BT745027 AVR is doing extra activity of DNS data collection even when it should not 13.1.1.4, 14.0.0.5, 14.1.0.2
744595-1 3-Major BT744595 DoS-related reports might not contain some of the activity that took place 13.1.1.4, 14.0.0.5, 14.1.0.2
744589-1 3-Major BT744589 Missing data for Firewall Events Statistics 13.1.1.4, 14.0.0.5, 14.1.0.2
741767-2 3-Major BT741767 ASM Resource :: CPU Utilization statistics are in wrong scale 13.1.1.4, 14.0.1.1
740086 3-Major BT740086 AVR report ignore partitions for Admin users 13.1.1.4, 14.0.0.5
716782-2 3-Major BT716782 AVR should add new field to the events it sends: Microtimestamp 13.1.1.4, 14.0.0


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
753368 1-Blocking BT753368 Unable to import access policy with pool 13.1.1.4
747621-2 2-Critical BT747621 Native VMware Horizon client fails to authenticate against APM if RADIUS challenge is used 13.1.1.4, 14.0.0.5
744556-1 2-Critical K01226413, BT744556 Upgrade PingAccess SDK used by BIG-IP APM to v1.1.3 13.1.1.4
714716-2 2-Critical K10248311, BT714716 Apmd logs password for acp messages when in debug mode 11.6.3.2, 12.1.4.1, 13.1.1.4, 14.0.0
754346-1 3-Major BT754346 Access policy was not found while creating configuration snapshot. 13.1.1.4, 14.0.0.5, 14.1.0.2
750496-1 3-Major BT750496 TMM crashes on traffic passthrough when SSO Config object is deleted while being used in SSO Configuration Select Agent in PRP 13.1.1.4, 14.0.0.5
746771-1 3-Major BT746771 APMD recreates config snapshots for all access profiles every minute 13.1.1.4, 14.1.0.2
746768-1 3-Major BT746768 APMD leaks memory if access policy contains variable/resource assign policy items 12.1.4.1, 13.1.1.4, 14.1.2.1
745654-2 3-Major BT745654 Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2
745574-3 3-Major BT745574 URL is not removed from custom category when deleted 12.1.4, 13.1.1.4, 14.0.0.5, 14.1.0.6
743437-1 3-Major BT743437 Portal Access: Issue with long 'data:' URL 13.1.1.4, 14.0.0.5, 14.1.0.2
743150-1 3-Major BT743150 Increase the limit of the maximum allowed timestamp for OAuth token processing for OAuth Client 13.1.1.4
739744-1 3-Major BT739744 Import of Policy using Pool with members is failing 12.1.4, 13.1.1.4
719079-1 3-Major BT719079 Portal Access: same-origin AJAX request may fail under some conditions. 13.1.1.4
718136-2 3-Major BT718136 32-bit F5 VPN and Endpoint Inspector apps are discontinued on Linux 13.1.1.4, 14.0.0


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
742829-3 3-Major BT742829 SIP ALG: Do not translate and create media channels if RTP port defined in the SIP message is 0 13.1.1.4, 14.0.1.1, 14.1.0.2
741951-2 3-Major BT741951 Multiple extensions in SIP NOTIFY request cause message to be dropped. 11.6.5.2, 12.1.5.2, 13.1.1.4, 14.0.0.5
699431-3 3-Major BT699431 Possible memory leak in MRF under low memory 12.1.3.2, 13.1.1.4


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
747104-3 1-Blocking K52868493, BT747104 LibSSH: CVE-2018-10933 12.1.4.1, 13.1.1.4, 14.1.0.2
753028-1 3-Major BT753028 AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule 13.1.1.4, 14.1.0.6
747926 3-Major BT747926 Rare TMM restart due to NULL pointer access during AFM ACL logging 13.1.1.4, 14.1.0.2


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
744516-1 2-Critical BT744516 TMM panics after a large number of LSN remote picks 12.1.4, 13.1.1.4, 14.1.0.6
744959-1 3-Major BT744959 SNMP OID for sysLsnPoolStatTotal not incremented in stats 12.1.4.1, 13.1.1.4
727212-1 3-Major BT727212 Subscriber-id query using full length IPv6 address fails. 13.1.1.4, 14.0.0.5


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
748976 3-Major BT748976 DataSafe Logging Settings page is missing when DataSafe license is active 13.1.1.4
742037-3 3-Major BT742037 FPS live updates do not install when minor version is different 13.1.1.4, 14.0.0.5
741449-1 4-Minor BT741449 alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts 13.1.1.4, 14.0.0.5, 14.1.0.2
726039 5-Cosmetic BT726039 Information is not updated after installing FPS live update via GUI 13.1.1.4


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
748813-1 2-Critical BT748813 tmm cores under stress test on virtual server with DoS profile with admd enabled 13.1.1.4, 14.0.0.5, 14.1.2.3
748121-1 2-Critical BT748121 admd livelock under CPU starvation 13.1.1.4, 14.0.0.5, 14.1.0.6
741761-1 2-Critical BT741761 admd might fail the heartbeat, resulting in a core 13.1.1.4, 14.0.0.5
704236-1 2-Critical BT704236 TMM crash when attaching FastL4 profile 13.1.1.4, 14.0.0
702936-1 2-Critical BT702936 TMM SIGSEGV under specific conditions. 13.1.1.4
653573-4 2-Critical BT653573 ADMd not cleaning up child rsync processes 13.1.1.4, 14.0.0.5, 14.1.0.6, 14.1.2.3
741993-1 3-Major BT741993 The BIG-IP system does not answer the request matching L7 policy that disabled DOSL7 when BADOS configured. 13.1.1.4, 14.0.0.5
741752-1 3-Major BT741752 [BADOS] state file is not saved when virtual server reuses a self IP of the device 13.1.1.4


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
724847 3-Major K95010813, BT724847 DNS traffic does not get classified for AFM port misuse case 13.1.1.4, 14.0.0


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
740969-1 1-Blocking K65151021, BT740969 Menu visibility issue with newly activated license. 12.1.4.1, 13.1.1.4
706339-1 2-Critical K30392060, BT706339 TMM crashes due to memory leaking while processing SSL forward proxy traffic 13.1.1.4, 14.0.0



Cumulative fixes from BIG-IP v13.1.1.3 that are included in this release


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
745783-3 3-Major BT745783 Anti-fraud: remote logging of login attempts 13.1.1.3, 14.1.0.3


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
684370-1 3-Major BT684370 APM now supports VMware Workspace ONE integration with VIDM as ID Provider 13.1.1.3, 14.0.0
683741-1 3-Major BT683741 APM now supports VMware Workspace ONE integration with vIDM as ID Provider 13.1.1.3, 14.0.0
635509-1 3-Major BT635509 APM does not support VMware's Blast UDP 13.1.1.3



Cumulative fixes from BIG-IP v13.1.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
739947-1 CVE-2019-6610 K42465020, BT739947 TMM may crash while processing APM traffic 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.2, 14.0.0.5
737443-5 CVE-2018-5546 K54431371, BT737443 BIG-IP APM client for Linux and macOS vulnerability CVE-2018-5546 13.1.1.2, 14.0.0.5
737441-5 CVE-2018-5546 K54431371, BT737441 Disallow hard links to svpn log files 11.5.9, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.5
726089-2 CVE-2018-15312 K44462254, BT726089 Modifications to AVR metrics page 12.1.3.7, 13.1.1.2, 14.0.0
725815-1 CVE-2018-15320 K72442354, BT725815 vlangroup usage may cause excessive resource consumption 13.1.1.2, 14.0.0.3
724339-1 CVE-2018-15314 K04524282, BT724339 Unexpected TMUI output in AFM 12.1.3.7, 13.1.1.2, 14.0.0
724335-1 CVE-2018-15313 K21042153, BT724335 Unexpected TMUI output in AFM 12.1.3.7, 13.1.1.2, 14.0.0
722677-4 CVE-2019-6604 K26455071, BT722677 BIG-IP HSB vulnerability CVE-2019-6604 11.5.9, 11.6.4, 12.1.3.7, 13.1.1.2, 14.0.0.3
722387-3 CVE-2019-6596 K97241515, BT722387 TMM may crash when processing APM DTLS traffic 11.5.9, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3
722091-3 CVE-2018-15319 K64208870, BT722091 TMM may crash while processing HTTP traffic 12.1.3.7, 13.1.1.2, 14.0.0.3
717888 CVE-2018-15323 K26583415, BT717888 TMM may leak memory when a virtual server uses the MQTT profile. 13.1.1.2, 14.0.0.3
717742-5 CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 K44923228, BT717742 Oracle Java SE vulnerability CVE-2018-2783 12.1.3.7, 13.1.1.2, 14.0.0.3
707990-2 CVE-2018-15315 K41704442, BT707990 Unexpected TMUI output in SSL Certificate Instance page 12.1.3.7, 13.1.1.2, 14.0.0
704184-6 CVE-2018-5529 K52171282, BT704184 APM MAC Client creates files with owner-only read/write permissions 11.5.9, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.5
701253-5 CVE-2018-15318 K16248201, BT701253 TMM core when using MPTCP 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3
693810-6 CVE-2018-5529 K52171282, BT693810 CVE-2018-5529: APM Linux Client Vulnerability 11.5.9, 11.6.3.3, 13.1.1.2, 14.0.0.5
741858-1 CVE-2018-15324 K52206731, BT741858 TMM may crash while processing Portal Access requests 13.1.1.2, 14.0.0.5
734822-3 CVE-2018-15325 K77313277, BT734822 TMSH improvements 13.1.1.2, 14.0.0.3
725801-4 CVE-2017-7889 K80440915, BT725801 CVE-2017-7889: Kernel Vulnerability 13.1.1.2, 14.0.0.3
725635-2 CVE-2018-3665 K21344224, BT725635 CVE-2018-3665: Intel Lazy FPU Vulnerability 13.1.1.2, 14.0.0.3
724680-4 CVE-2018-0732 K21665601, BT724680 OpenSSL Vulnerability: CVE-2018-0732 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.2, 14.0.1.1, 14.1.0.2
721924-2 CVE-2018-17539 K17264695, BT721924 BIG-IP ARM BGP vulnerability CVE-2018-17539 11.5.9, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3
719554-2 CVE-2018-8897 K17403481, BT719554 Linux Kernel Vulnerability: CVE-2018-8897 11.5.9, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3
716900-2 CVE-2019-6594 K91026261, BT716900 TMM core when using MPTCP 11.6.3.3, 12.1.4, 13.1.1.2, 14.0.0.3
710705-2 CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 K34035645, BT710705 Multiple Wireshark vulnerabilities 12.1.3.6, 13.1.1.2, 14.0.0.3
705799-2 CVE-2018-15325 K77313277, BT705799 TMSH improvements 13.1.1.2, 14.0.0
699453-4 CVE-2018-15327 K20222812, BT699453 Web UI does not follow current best coding practices 13.1.1.2, 14.0.0.3
699452-4 CVE-2019-6597 K29280193 Web UI does not follow current best coding practices 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.2
712876-2 CVE-2017-8824 K15526101, BT712876 CVE-2017-8824: Kernel Vulnerability 11.6.5.1, 12.1.5.1, 13.1.1.2, 14.0.1.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
734527-1 3-Major BT734527 BGP 'capability graceful-restart' for peer-group not properly advertised when configured 11.6.5.1, 12.1.4, 13.1.1.2, 14.0.0.3
715750-2 3-Major K41515225, BT715750 The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream in an SSL connection. 11.6.5.1, 12.1.3.7, 13.1.1.2, 14.0.0.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
693611-3 1-Blocking K76313256, BT693611 IKEv2 ike-peer might crash on stats object during peer modification update 13.1.1.2
743810-1 2-Critical BT743810 AWS: Disk resizing in m5/c5 instances fails silently. 13.1.1.2
743082-1 2-Critical BT743082 Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members 12.1.5.2, 13.1.1.2, 14.0.0.3
739507 2-Critical BT739507 Improved recovery method for BIG-IP system that has halted from a failed FIPS integrity check 13.1.1.2, 14.1.4, 15.1.0.5
739505 2-Critical BT739505 Automatic ISO digital signature checking not required when FIPS license active 13.1.1.2, 14.1.4, 15.1.2.1, 16.0.1.1
739285-1 2-Critical BT739285 GUI partially missing when VCMP is provisioned 13.1.1.2
725696-1 2-Critical BT725696 A timer loop might occur when OCSP Stapling is enabled resulting in tmm getting aborted 13.1.1.2, 14.0.0.3
723722-2 2-Critical BT723722 MCPD crashes if several thousand files are created between config syncs. 12.1.4, 13.1.1.2, 14.0.0.3
721350-2 2-Critical BT721350 The size of the icrd_child process is steadily growing 13.1.1.2
717785-1 2-Critical BT717785 Interface-cos shows no egress stats for CoS configurations 13.1.1.2
716391-2 2-Critical K76031538, BT716391 High priority for MySQL on 2 core vCMP may lead to control plane process starvation 11.5.9, 11.6.4, 12.1.3.7, 13.1.1.2, 14.0.0.5
711683-2 2-Critical BT711683 bcm56xxd crash with empty trunk in QinQ VLAN 13.1.1.2
707003-3 2-Critical BT707003 Unexpected syntax error in TMSH AVR 12.1.3.6, 13.1.1.2, 14.0.0
706423-1 2-Critical BT706423 tmm may restart if an IKEv2 child SA expires during an async encryption or decryption 12.1.3.6, 13.1.1.2, 14.0.0.3
703669-2 2-Critical BT703669 Eventd restarts on NULL pointer access 13.1.1.2, 14.0.0.3
703045-1 2-Critical BT703045 If using TMSH commands with deprecated attributes in iApp, the upgrade will fail. 13.1.1.2, 14.0.0.3
700386-2 2-Critical BT700386 mcpd may dump core on startup 12.1.4, 13.1.1.2
693996-5 2-Critical K42285625, BT693996 MCPD sync errors and restart after multiple modifications to file object in chassis 11.5.9, 11.6.5.1, 12.1.5, 13.1.1.2
692158-1 2-Critical BT692158 iCall and CLI script memory leak when saving configuration 12.1.3.6, 13.1.1.2, 14.0.0
691589-4 2-Critical BT691589 When using LDAP client auth, tamd may become stuck 12.1.4, 13.1.1.2
690819-1 2-Critical BT690819 Using an iRule module after a 'session lookup' may result in crash 11.6.3.3, 12.1.3.6, 13.1.1.2
689437-1 2-Critical K49554067, BT689437 icrd_child cores due to infinite recursion caused by incorrect group name handling 11.5.9, 11.6.4, 12.1.4, 13.1.1.2
689002-3 2-Critical BT689002 Stack overflow when JSON is deeply nested 12.1.4, 13.1.1.2
658410-2 2-Critical BT658410 icrd_child generates a core when calling PUT on ltm/data-group/internal/ 13.1.1.2
652877-5 2-Critical BT652877 Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades 11.5.9, 11.6.4, 12.1.4, 13.1.1.2
638091-6 2-Critical BT638091 Config sync after changing named pool members can cause mcpd on secondary blades to restart 12.1.4, 13.1.1.2
739126 3-Major BT739126 Multiple VE installations may have different sized volumes 13.1.1.2
733585-3 3-Major BT733585 Merged can use 100% of CPU if all stats snapshot files are in the future 13.1.1.2
727467-1 3-Major BT727467 Some iSeries appliances can experience traffic disruption when the high availability (HA) peer is upgraded from 12.1.3 and earlier to 13.1.0 or later. 13.1.1.2, 14.0.0.5
726409-4 3-Major   Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.2, 14.0.0.3
722682-2 3-Major BT722682 Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load 12.1.4.1, 13.1.1.2, 14.0.0.3
721740-2 3-Major BT721740 CPU stats are not correctly recorded when snapshot files have timestamps in the future 13.1.1.2
720713-2 3-Major BT720713 TMM traffic to/from an i5800/i7800/i10800 device in vCMP host mode may fail 12.1.4, 13.1.1.2, 14.0.0.3
720461-2 3-Major BT720461 qkview prompts for password on chassis 12.1.4, 13.1.1.2
718525-1 3-Major BT718525 PostgreSQL errors seen on startup after removing the mcpd binary database and rebooting 13.1.1.2, 14.0.0.3
714974-2 3-Major BT714974 Platform-migrate of UCS containing QinQ fails on VE 13.1.1.2
714903-2 3-Major BT714903 Errors in chmand 12.1.4.1, 13.1.1.2, 14.0.0.5
714654-2 3-Major BT714654 Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM 12.1.4.1, 13.1.1.2
713813-2 3-Major BT713813 Node monitor instances not showing up in GUI 13.1.1.2
712102-2 3-Major K11430165, BT712102 Customizing or changing the HTTP Profile's IPv6 field hides the field or the row 13.1.1.2
710232-2 3-Major BT710232 platform-migrate fails when LACP trunks are in use 13.1.1.2, 14.0.0.3
709444-2 3-Major BT709444 "NTP not configured on device" warning seen when NTP symmetric key authentication is configured 13.1.1.2
709192-1 3-Major BT709192 GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart 13.1.1.2, 14.0.0.3
707740-4 3-Major BT707740 Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.2, 14.0.0.5
707509-1 3-Major BT707509 Initial vCMP guest creations can fail if certain hotfixes are used 12.1.5, 13.1.1.2
707391-2 3-Major BT707391 BGP may keep announcing routes after disabling route health injection 12.1.4, 13.1.1.2, 14.0.0.3
706804-1 3-Major BT706804 SNMP trap destination configuration of network option is missing "default" keyword 13.1.1.2
706354-2 3-Major BT706354 OPT-0045 optic unable to link 12.1.4, 13.1.1.2, 14.0.0
706169-3 3-Major BT706169 tmsh memory leak 13.1.1.2, 14.0.0.3
705456-1 3-Major BT705456 Enabling HTTP-to-HTTPS redirection in a vCMP guest can prevent some Host-Guest Management features from working 13.1.1.2, 14.0.0
704755-1 3-Major BT704755 EUD_M package could not be installed on 800 platforms 13.1.1.2, 14.0.0.3
704512-1 3-Major BT704512 Automated upload of qkview to iHealth can time out resulting in error 13.1.1.2, 14.0.0
704336-1 3-Major BT704336 Updating 3rd party device cert not copied correctly to trusted certificate store 12.1.3.6, 13.1.1.2
702227-3 3-Major BT702227 Memory leak in TMSH load sys config 13.1.1.2, 14.0.0.3
700757-1 3-Major BT700757 vcmpd may crash when it is exiting 11.6.4, 12.1.4, 13.1.1.2
700576-1 3-Major BT700576 GUI - Server SSL Profile shows irrelevant options when "Server Certificate" is set to "Ignore" 13.1.1.2, 14.0.0
700426 3-Major K58033284, BT700426 Switching partitions while viewing objects in GUI can result in empty list 13.1.1.2
700250-3 3-Major K59327012, BT700250 qkviews for secondary blade appear to be corrupt 13.1.1.2
698875-1 3-Major   Qkview Security Hardening 13.1.1.2
698084-3 3-Major K03776801, BT698084 IPsec log messages in /var/log/ltm missing module ID to reach bigiq logs 13.1.1.2
696731-3 3-Major K94062594, BT696731 The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled 13.1.1.2
693578-2 3-Major BT693578 switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0 13.1.1.2
692189-1 3-Major BT692189 errdefsd fails to generate a core file on request. 12.1.4, 13.1.1.2
692179-1 3-Major BT692179 Potential high memory usage from errdefsd. 12.1.3.6, 13.1.1.2
691609-1 3-Major BT691609 1NIC: Configuration error: Clearing IP on interface mgmt failed - Cannot assign requested address 13.1.1.2
690890-1 3-Major BT690890 Running sod manually can cause issues/failover 13.1.1.2
689375-1 3-Major K01512833, BT689375 Unable to configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled 13.1.1.2
688406-1 3-Major K14513346, BT688406 HA-Group Score showing 0 13.1.1.2
687905-2 3-Major K72040312, BT687905 OneConnect profile causes CMP redirected connections on the HA standby 12.1.3.6, 13.1.1.2
687534-1 3-Major BT687534 If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page 12.1.3.6, 13.1.1.2
684391-3 3-Major BT684391 Existing IPsec tunnels reload. tmipsecd creates a core file. 12.1.3.6, 13.1.1.2
684218-1 3-Major BT684218 vADC 'live-install' Downgrade from v13.1.0 is not possible 13.1.1.2
681782-6 3-Major BT681782 Unicast IP address can be configured in a failover multicast configuration 13.1.1.2
679347-2 3-Major K44117473, BT679347 ECP does not work for PFS in IKEv2 child SAs 12.1.3.6, 13.1.1.2, 14.0.0
678488-1 3-Major K59332320, BT678488 BGP default-originate not announced to peers if several are peering over different VLANs 12.1.4.1, 13.1.1.2
677485-1 3-Major BT677485 Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error 13.1.1.2
671712-2 3-Major BT671712 The values returned for the ltmUserStatProfileStat table are incorrect. 12.1.3.7, 13.1.1.2, 14.0.0.3
670528-4 3-Major K20251354, BT670528 Warnings during vCMP host upgrade. 11.6.5.2, 12.1.3.7, 13.1.1.2
651413-4 3-Major K34042229, BT651413 tmsh list ltm node does not return an error when node does not exist 12.1.3.4, 13.1.1.2
642923-6 3-Major BT642923 MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system 12.1.4, 13.1.1.2
617643-2 3-Major BT617643 iControl.ForceSessions enabled results in GUI error on certain pages 13.1.1.2
551925-4 3-Major BT551925 Misdirected UDP traffic with hardware acceleration 11.6.4, 12.1.3.7, 13.1.1.2
464650-6 3-Major BT464650 Failure of mcpd with invalid authentication context. 11.5.7, 11.6.3.3, 12.1.3.7, 13.1.1.2
727297-3 4-Minor BT727297 GUI TACACS+ remote server list should accept hostname 13.1.1.2
725612-1 4-Minor BT725612 syslog-ng does not send any messages to the remote servers after reconfiguration 13.1.1.2, 14.0.0.3
719770-2 4-Minor BT719770 tmctl -H -V and -l options without values crashed 13.1.1.2, 14.0.0.5
714749-2 4-Minor   cURL Vulnerability: CVE-2018-1000120 13.1.1.2, 14.0.0.3
713947-1 4-Minor BT713947 stpd repeatedly logs "hal sendMessage failed" 13.1.1.2
713932-1 4-Minor BT713932 Commands are replicated to PostgreSQL even when not in use. 13.1.1.2, 14.0.0.3
707631-2 4-Minor BT707631 The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI 13.1.1.2
707267 4-Minor BT707267 REST Framework HTTP header limit size increased to 8 KB 13.1.1.2, 14.0.0.3
701826 4-Minor BT701826 qkview upload to iHealth fails or unable to untar qkview file 13.1.1.2
691491-5 4-Minor K13841403, BT691491 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces 13.1.1.2
685582-7 4-Minor BT685582 Incorrect output of b64 unit key hash by command f5mku -f 12.1.5.3, 13.1.1.2
683029-1 4-Minor BT683029 Sync of virtual address and self IP traffic groups only happens in one direction 13.1.1.2
679135-2 4-Minor BT679135 IKEv1 and IKEv2 cannot share common local address in tunnels 12.1.3.6, 13.1.1.2
678388-1 4-Minor K00050055, BT678388 IKEv1 racoon daemon is not restarted when killed multiple times 12.1.3.6, 13.1.1.2
550526-2 4-Minor K84370515, BT550526 Some time zones prevent configuring trust with a peer device using the GUI. 12.1.3.7, 13.1.1.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
722594-2 1-Blocking BT722594 TCP flow may not work as expected if double tagging is used 13.1.1.2, 14.0.0
737445-2 2-Critical BT737445 Use of TCP Verified Accept can disable server-side flow control 13.1.1.2, 14.0.0.3
727044-2 2-Critical   TMM may crash while processing compressed data 12.1.4, 13.1.1.2, 14.0.0.3
726239-4 2-Critical BT726239 Interruption of traffic handling as sod daemon restarts TMM 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.2, 14.0.0.3
725545-1 2-Critical BT725545 Ephemeral listener might not be set up correctly 13.1.1.2, 14.0.0
724906-1 2-Critical BT724906 sasp_gwm monitor leaks memory over time 13.1.1.2, 14.0.0.3
724868-1 2-Critical BT724868 dynconfd memory usage increases over time 12.1.4, 13.1.1.2, 14.0.0.3
724213-1 2-Critical K74431483, BT724213 Modified ssl_profile monitor param not synced correctly 13.1.1.2, 14.0.0.3
722893-1 2-Critical K30764018, BT722893 TMM can restart without a stack trace or core file after becoming disconnected from MCPD. 13.1.1.2, 14.0.0
716213-1 2-Critical BT716213 BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic 12.1.3.7, 13.1.1.2, 14.0.0.5
713612-1 2-Critical BT713612 tmm might restart if the HTTP passthrough on pipeline option is used 13.1.1.2
710221-2 2-Critical K67352313, BT710221 Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled 13.1.1.2, 14.0.0.3
673664-1 2-Critical BT673664 TMM crashes when sys db Crypto.HwAcceleration is disabled. 13.1.1.2
635191-2 2-Critical BT635191 Under rare circumstances TMM may crash 12.1.3.7, 13.1.1.2, 14.0.0
727222-1 3-Major BT727222 206 Partial Content responses from ramcache have malformed Content-Range header 13.1.1.2
723300-2 3-Major BT723300 TMM may crash when tracing iRules containing nameless listeners on internal virtual servers 13.1.1.2, 14.0.0
722363-2 3-Major BT722363 Client fails to connect to server when using PVA offload at Established 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3
721261-1 3-Major BT721261 v12.x Policy rule names containing slashes are not migrated properly 13.1.1.2, 14.0.0.5
720293-3 3-Major BT720293 HTTP2 IPv4 to IPv6 fails 12.1.3.7, 13.1.1.2, 14.0.0.3
719600-2 3-Major BT719600 TCP::collect iRule with L7 policy present may result in connection reset 13.1.1.2, 14.0.0.3
717346-2 3-Major K13040347, BT717346 [WebSocket] tmsh show /ltm profile WebSocket current and max numbers far larger than total 13.1.1.2, 14.0.0.3, 16.0.1.1
715883 3-Major BT715883 Tmm crash due to invalid cookie attribute 13.1.1.2, 14.0.0.3
715785-2 3-Major BT715785 Incorrect encryption error for monitors during sync or upgrade 13.1.1.2, 14.0.0.5
715756-2 3-Major BT715756 Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only 13.1.1.2
715467-2 3-Major BT715467 Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY 12.1.5, 13.1.1.2, 14.0.0.3
714384-3 3-Major BT714384 DHCP traffic may not be forwarded when BWC is configured 13.1.1.2, 14.0.0.3
707951-2 3-Major BT707951 Stalled mirrored flows on HA next-active when OneConnect is used. 12.1.3.6, 13.1.1.2, 14.0.0.3
704764-3 3-Major BT704764 SASP monitor marks members down with non-default route domains 13.1.1.2, 14.0.0.3
703580-1 3-Major BT703580 TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host. 12.1.3.6, 13.1.1.2
703266-2 3-Major BT703266 Potential MCP memory leak in LTM policy compile code 13.1.1.2
702450-1 3-Major BT702450 The validation error message generated by deleting certain object types referenced by a policy action is incorrect 11.6.4, 12.1.5, 13.1.1.2, 14.0.0.5
701690-1 3-Major K53819652, BT701690 Fragmented ICMP forwarded with incorrect icmp checksum 13.1.1.2
700696-1 3-Major BT700696 SSID does not cache fragmented Client Certificates correctly via iRule 12.1.3.7, 13.1.1.2
699273-1 3-Major BT699273 TMM Core During FTP Monitor Use 13.1.1.2
695925-1 3-Major BT695925 Tmm crash when showing connections for a CMP disabled virtual server 11.6.4, 12.1.4, 13.1.1.2
691785-1 3-Major BT691785 The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes 13.1.1.2
691224-3 3-Major K59327001, BT691224 Fragmented SSL Client Hello messages do not get properly reassembled when SSL Persistence is enabled 12.1.3.7, 13.1.1.2
690778-1 3-Major K53531153, BT690778 Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule 13.1.1.2
688629-1 3-Major K52334096, BT688629 Deleting data-group in use by iRule does not trigger validation error 12.1.5, 13.1.1.2
685110-1 3-Major K05430133, BT685110 With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members. 12.1.3.2, 13.1.1.2
681757-3 3-Major K32521651, BT681757 Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member' 12.1.3.6, 13.1.1.2
681673-4 3-Major BT681673 tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results 13.1.1.2
679613-1 3-Major K23531420, BT679613 i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1' 13.1.1.2
672312-3 3-Major BT672312 IP ToS may not be forwarded to serverside with syncookie activated 12.1.4, 13.1.1.2, 14.0.0.5
602708-4 3-Major K84837413, BT602708 Traffic may not passthrough CoS by default 12.1.3.7, 13.1.1.2, 14.0.0.3
716922-2 4-Minor BT716922 Reduction in PUSH flags when Nagle Enabled 11.5.7, 11.6.3.3, 12.1.3.7, 13.1.1.2, 14.0.0.3
712637-2 4-Minor BT712637 Host header persistence not implemented 13.1.1.2, 14.0.0.3
700433-1 4-Minor K10870739, BT700433 Memory leak when attaching an LTM policy to a virtual server 11.6.4, 12.1.3.6, 13.1.1.2
697988-3 4-Minor K34554754, BT697988 During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100% 13.1.1.2
693966-1 4-Minor BT693966 TCP sndpack not reset along with other tcp profile stats 13.1.1.2
688557-1 4-Minor K50462482, BT688557 Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull' 13.1.1.2
495242-4 4-Minor BT495242 mcpd log messages: Failed to unpublish LOIPC object 11.5.6, 11.6.4, 12.1.3.6, 13.1.1.2


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
718885-3 2-Critical K25348242, BT718885 Under certain conditions, monitor probes may not be sent at the configured interval 12.1.3.7, 13.1.1.2, 14.0.0
723792-2 3-Major BT723792 GTM regex handling of some escape characters renders it invalid 12.1.4, 13.1.1.2, 14.0.0.3
719644-2 3-Major BT719644 If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions 12.1.3.7, 13.1.1.2, 14.0.0.3


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
737500-2 2-Critical BT737500 Apply Policy and Upgrade time degradation when there are previous enforced rules 13.1.1.2, 14.0.0.5
726090-1 2-Critical BT726090 No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense 13.1.1.2, 14.0.0.5
724414-2 2-Critical BT724414 ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled 13.1.1.2, 14.0.0.5
724032-1 2-Critical BT724032 Searching Request Log for value containing backslash does not return expected result 13.1.1.2, 14.0.0.5
721741-3 2-Critical BT721741 BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative 12.1.3.7, 13.1.1.2, 14.1.0.2
704143-1 2-Critical BT704143 BD memory leak 12.1.3.6, 13.1.1.2, 14.0.0
701856-1 2-Critical BT701856 Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart 12.1.3.7, 13.1.1.2
740719-2 3-Major BT740719 ASM CSP header parser does not honor unsafe-inline attribute within script-src directive 13.1.1.2, 14.0.0.5


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
737867-1 3-Major BT737867 Scheduled reports are being incorrectly displayed in different partitions 13.1.1.2, 14.0.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
739716-2 1-Blocking BT739716 APM Subroutine loops without finishing 13.1.1.2, 14.0.0.5
740777-1 2-Critical BT740777 Secondary blades mcp daemon restart when subroutine properties are configured 12.1.4, 13.1.1.2
739674-1 2-Critical BT739674 TMM might core in SWG scenario with per-request policy. 13.1.1.2
722013 2-Critical BT722013 MCPD restarts on all secondary blades post config-sync involving APM customization group 12.1.3.7, 13.1.1.2, 14.0.0.5
713820-1 2-Critical BT713820 Pass in IP address to urldb categorization engine 13.1.1.2
739939-1 3-Major BT739939 Ping Access Agent Module leaks memory in TMM. 13.1.1.2, 14.0.0.5
739190 3-Major BT739190 Policies could be exported with not patched /Common partition 13.1.1.2
738582-1 3-Major BT738582 Ping Access Agent Module leaks memory in TMM. 13.1.1.2, 14.0.0.5
738397-1 3-Major BT738397 SAML IdP-initiated case that has a per-request policy with a logon page in a subroutine fails. 12.1.3.7, 13.1.1.2, 14.0.0.5
737355-1 3-Major BT737355 HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files 13.1.1.2
737064-2 3-Major BT737064 ACCESS::session iRule commands may not work in serverside events 13.1.1.2
726895 3-Major K02205915, BT726895 VPE cannot modify subroutine settings 12.1.3.7, 13.1.1.2
726616-1 3-Major BT726616 TMM crashes when a session is terminated 13.1.1.2, 14.0.0.5
726592-1 3-Major BT726592 Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop 12.1.4, 13.1.1.2
725867-2 3-Major BT725867 ADFS proxy does not fetch configuration for non-floating virtual servers 13.1.1.2, 14.0.0.5
725412-1 3-Major   APM does not follow current best practices for HTTP headers 13.1.1.2, 14.0.0
724571-1 3-Major BT724571 Importing access profile takes a long time 13.1.1.2
722969-2 3-Major BT722969 Access Policy import with 'reuse' enabled instead rewrites shared objects 12.1.4.1, 13.1.1.2, 14.0.0
722423-1 3-Major BT722423 Analytics agent always resets when Category Lookup is of type custom only 13.1.1.2, 14.0.0.5
720757-1 3-Major BT720757 Without proper licenses Category Lookup always fails with license error in Allow Ending 13.1.1.2, 14.0.0.5
713655-2 3-Major BT713655 RouteDomainSelectionAgent might fail under heavy control plane traffic/activities 12.1.3.7, 13.1.1.2, 14.0.0.5
711427-2 3-Major BT711427 Edge Browser does not launch F5 VPN App 13.1.1.2, 14.0.0
710884-1 3-Major BT710884 Portal Access might omit some valid cookies when rewriting HTTP request. 13.1.1.2, 14.0.0.5
701800-2 3-Major K29064506, BT701800 SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x 13.1.1.2, 14.0.0.5
701056-1 3-Major BT701056 User is not able to reset their Active Directory password 13.1.1.2
698984-1 3-Major BT698984 Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned 13.1.1.2
696669-1 3-Major BT696669 Users cannot change or reset RSA PIN 13.1.1.2
696544-1 3-Major BT696544 APM end users can not change/reset password when auth agents are included in per-req policy 13.1.1.2
671323-1 3-Major BT671323 Reset PIN Fail if Token input field is not 'password' field 13.1.1.2
734595-2 4-Minor BT734595 sp-connector is not being deleted together with profile 13.1.1.2
721375-1 4-Minor BT721375 Export then import of config with RSA server in it might fail 12.1.3.7, 13.1.1.2


WebAccelerator Fixes

ID Number Severity Links to More Info Description Fixed Versions
706642-2 2-Critical BT706642 wamd may leak memory during configuration changes and cluster events 11.5.9, 11.6.4, 12.1.4, 13.1.1.2, 14.0.0.3


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
709383-2 3-Major BT709383 DIAMETER::persist reset non-functional 13.1.1.2
706750-1 3-Major BT706750 Changing CGNAT SIP ALG profile log settings while handling traffic may cause tmm crash. 13.1.1.2, 14.0.0
691048-1 3-Major K34553736, BT691048 Support DIAMETER Experimental-Result AVP response 13.1.1.2
688942-5 3-Major BT688942 ICAP: Chunk parser performs poorly with very large chunk 12.1.3.6, 13.1.1.2


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
724532-2 2-Critical BT724532 SIG SEGV during IP intelligence category match in TMM 12.1.4, 13.1.1.2
720045-1 2-Critical BT720045 IP fragmented UDP DNS request and response packets dropped as DNS Malformed 13.1.1.2, 14.0.0
710755-1 2-Critical BT710755 TMM crash when route information becomes stale and the system accesses stale information. 12.1.4, 13.1.1.2, 14.0.0
698333-1 2-Critical K43392052, BT698333 TMM core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families) 13.1.1.2, 14.0.0
694849-1 2-Critical BT694849 TMM crash when packet sampling is turned for DNS BDOS signatures. 13.1.1.2
672514-1 2-Critical BT672514 Local Traffic/Virtual Server/Security page crashed 13.1.1.2
630137-2 2-Critical BT630137 Dynamic Signatures feature can fill up /config partition impacting system stability 13.1.1.2, 14.0.0
726154-2 3-Major BT726154 TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies 12.1.5.3, 13.1.1.2
704528-2 3-Major BT704528 tmm may run out of memory during IP shunning 13.1.1.2, 14.0.0
704369-2 3-Major BT704369 TMM on BIG-IP restarts if a dos profile is attached to a virtual with sip-routing enabled 13.1.1.2, 14.0.0
696201-1 3-Major BT696201 Anomaly threshold floor calculation (for bins with very low learnt threshold) during signature generation 13.1.1.2
686376-2 3-Major BT686376 Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon 12.1.4.1, 13.1.1.2
707054-1 4-Minor BT707054 SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162 13.1.1.2
699454-4 4-Minor   Web UI does not follow current best coding practices 12.1.4, 13.1.1.2, 14.0.0.3


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
726647-3 3-Major BT726647 PEM content insertion in a compressed response may truncate some data 12.1.4.1, 13.1.1.2, 14.0.0.3, 14.1.0.2
721704-1 3-Major BT721704 UDP flows are not deleted after subscriber deletion 13.1.1.2
709670-2 3-Major BT709670 iRule triggered from RADIUS occasionally fails to create subscribers. 12.1.5, 13.1.1.2, 14.0.0.5


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
721570-1 1-Blocking K20285019, BT721570 TMM core when trying to log an unknown subscriber 13.1.1.2, 14.0.0
734446-2 2-Critical BT734446 TMM crash after changing LSN pool mode from PBA to NAPT 11.6.4, 12.1.4, 13.1.1.2, 14.0.0.3
688246-1 2-Critical BT688246 An invalid mode in the LSN::persistence command causes TMM crash 13.1.1.2
708830-2 3-Major BT708830 Inbound or hairpin connections may get stuck consuming memory. 12.1.4.1, 13.1.1.2, 14.0.0


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
738669-2 3-Major BT738669 Login validation may fail for a large request with early server response 12.1.3.7, 13.1.1.2
737368-1 3-Major BT737368 Fingerprint cookie large value may result in tmm core. 13.1.1.2, 14.0.1.1


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
739277 2-Critical BT739277 TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode 13.1.1.2, 14.0.0.5
720585-1 3-Major BT720585 Signatures generated by Behavioral DOS algorithm can create false-positive signatures 13.1.1.2, 14.0.0.5
689540-1 3-Major BT689540 The same DOS attack generates new signatures even if there are signatures generated during previous attacks. 13.1.1.2


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
726303-1 3-Major BT726303 Unlock 10 million custom db entry limit 12.1.3.7, 13.1.1.2


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
726872-2 3-Major BT726872 iApp LX directory disappears after upgrade or restoring from UCS 13.1.1.2, 14.0.1.1



Cumulative fixes from BIG-IP v13.1.1.1 that are included in this release


Functional Change Fixes

None



Cumulative fixes from BIG-IP v13.1.1 that are included in this release


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
693359-1 1-Blocking BT693359 AWS M5 and C5 instance families are supported 13.1.1, 14.0.0.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
721364 1-Blocking BT721364 BIG-IP per-application VE BYOL license does not support three wildcard virtual servers 13.1.1, 14.0.0.1
716469 1-Blocking BT716469 OpenSSL 1.0.1l fails with 512 bit DSA keys 13.1.1
697615-1 1-Blocking K65013424, BT697615 Neurond may restart indefinitely after boot, with neurond_i2c_config message 13.1.1
675921-2 1-Blocking BT675921 Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running 12.1.3.1, 13.1.1
723130-1 2-Critical K13996, BT723130 Invalid-certificate warning displayed when deploying BIG-IP VE OVA file 11.5.8, 11.6.3.3, 12.1.3.6, 13.1.1, 14.0.0
700086-1 2-Critical BT700086 AWS C5/M5 Instances do not support BIG-IP VE 13.1.1, 14.0.0.1
696732-3 2-Critical K54431534, BT696732 tmm may crash in a compression provider 12.1.3.5, 13.1.1
721985 3-Major BT721985 PAYG License remains inactive as dossier verification fails. 13.1.1, 14.0.0.1
721512 3-Major BT721512 Config tool fails to configure management-ip when default routes exist for both IPv4 and IPv6. 13.1.1
721342 3-Major BT721342 No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments. 13.1.1, 14.0.0.1
720961-1 3-Major BT720961 Upgrading in Intelligence Community AWS environment may fail 13.1.1, 14.0.0.1
720756-1 3-Major BT720756 SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS 12.1.3.6, 13.1.1
720651-2 3-Major BT720651 Running Guest Changed to Provisioned Never Stops 12.1.4, 13.1.1, 14.0.0.3
720104-1 3-Major BT720104 BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware' 12.1.3.6, 13.1.1, 14.0.0.3
719396-1 3-Major K34339214, BT719396 DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot. 13.1.1, 14.0.0.1
717832 3-Major BT717832 Remove unneeded files from UCS backup directories 13.1.1
714303-1 3-Major K25057050, BT714303 X520 virtual functions do not support MAC masquerading 13.1.1, 14.0.0.1
712266-1 3-Major BT712266 Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware 13.1.1
697616-2 3-Major BT697616 Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests 12.1.3.5, 13.1.1
680086 3-Major BT680086 BMC firmware fails md5sum check 13.1.1
673996-2 3-Major BT673996 Unable to set 'media-fixed' on management port on BIG-IP i15000 platforms 13.1.1, 14.0.0
680388-1 4-Minor BT680388 f5optics should not show function name in non-debug log messages 12.1.3.5, 13.1.1
653759-1 4-Minor BT653759 Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update 12.1.3.5, 13.1.1
720391-2 5-Cosmetic BT720391 BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' 12.1.3.6, 13.1.1, 14.0.0.3


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
737550 2-Critical BT737550 State Mirroring between BIG-IP 13.0.x and 13.1.x systems may cause TMM core on standby system during upgrade 13.1.1
701538-2 2-Critical BT701538 SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured 12.1.3.5, 13.1.1
720460-1 3-Major BT720460 Compression traffic still goes to hardware accelerator when compression.strategy is set to softwareonly 13.1.1
694778-1 3-Major BT694778 Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size 12.1.3.5, 13.1.1
686631-2 3-Major BT686631 Deselect a compression provider at the end of a job and reselect a provider for a new job 12.1.3.5, 13.1.1
679494-1 3-Major BT679494 Change the default compression strategy to speed 12.1.3.5, 13.1.1
495443-9 3-Major K16621, BT495443 ECDH negotiation failures logged as critical errors. 11.5.3, 12.1.3.5, 13.1.1
679496-2 4-Minor BT679496 Add 'comp_req' to the output of 'tmctl compress' 12.1.3.5, 13.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
717909 2-Critical BT717909 tmm can abort on sPVA flush if the HSB flush does not succeed 13.1.1, 14.0.0
701637 2-Critical BT701637 Crash in bcm56xxd during TMM failover 13.1.1
702738-1 3-Major K32181540, BT702738 Tmm might crash activating new blob when changing firewall rules 12.1.3.4, 13.1.1
698182 3-Major BT698182 Upgrading from 13.1.1 to newer release might cause config to not be copied over 13.1.1
697516 3-Major BT697516 Upgrading using a ucs or scf file does not autogenerate uuids when current config has the uuid-default-autogenerate flag enabled 13.1.1



Cumulative fixes from BIG-IP v13.1.0.8 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
716992-2 CVE-2018-5539 K75432956, BT716992 The ASM bd process may crash 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0
710244-3 CVE-2018-5536 K27391542, BT710244 Memory Leak of access policy execution objects 12.1.3.6, 13.1.0.8, 14.0.0.5
710140-1 CVE-2018-5527 K20134942, BT710140 TMM may consume excessive resources when processing SSL Intercept traffic 13.1.0.8, 14.0.0
709688-3 CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 K08306700, BT709688 dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 12.1.3.6, 13.1.0.8, 14.0.0.3
695072-2 CVE-2016-8399, CVE-2017-1000111, CVE-2017-1000112, CVE-2017-11176, CVE-2017-14106, CVE-2017-7184, CVE-2017-7541, CVE-2017-7542, CVE-2017-7558 K23030550, BT695072 CVE-2016-8399 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-11176 CVE-2017-14106 CVE-2017-7184 CVE-2017-7541 CVE-2017-7542 CVE-2017-7558 13.1.0.8, 14.0.0.3
693744-4 CVE-2018-5531 K64721111, BT693744 CVE-2018-5531: vCMP vulnerability 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8
651741-2 CVE-2017-5970 K60104355, BT651741 CVE-2017-5970 kernel.el7: ipv4: Invalid IP options could cause skb->dst drop 13.1.0.8, 14.0.0.3
717900-2 CVE-2018-5528 K27044729, BT717900 TMM crash while processing APM data 13.1.0.8, 14.0.0
710827-2 CVE-2019-6598 K44603900, BT710827 TMUI dashboard daemon stability issue 11.5.9, 11.6.3.3, 12.1.3.6, 13.1.0.8, 14.0.0.3
710148-2 CVE-2017-1000111, CVE-2017-1000112 K60250153, BT710148 CVE-2017-1000111 & CVE-2017-1000112 11.5.7, 11.6.3.3, 12.1.3.6, 13.1.0.8, 14.0.0.3
709256-2 CVE-2017-9074, CVE-2017-7542 K61223103, BT709256 CVE-2017-9074: Local Linux Kernel Vulnerability 11.5.6, 11.6.3.1, 12.1.3.3, 13.1.0.8, 14.0.0.3
705476-2 CVE-2018-15322 K28003839, BT705476 Appliance Mode does not follow design best practices 11.5.7, 11.6.3.3, 12.1.3.6, 13.1.0.8, 14.0.0.3
698813-2 CVE-2018-5538 K45435121, BT698813 When processing DNSX transfers ZoneRunner does not enforce best practices 12.1.3.6, 13.1.0.8, 14.0.0
688625-5 CVE-2017-11628 K75543432, BT688625 PHP Vulnerability CVE-2017-11628 11.5.7, 11.6.3.2, 12.1.3.2, 13.1.0.8
662850-6 CVE-2015-2716 K50459349, BT662850 Expat XML library vulnerability CVE-2015-2716 11.5.7, 11.6.3.2, 12.1.3.2, 13.1.0.8
714879-3 CVE-2018-15326 K34652116, BT714879 APM CRLDP Auth passes all certs 11.6.3.3, 12.1.3.6, 13.1.0.8, 14.0.0.5


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
685020-3 3-Major BT685020 Enhancement to SessionDB provides timeout 12.1.3.2, 13.1.0.8


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
708956-1 1-Blocking K51206433, BT708956 During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform' 12.1.3.5, 13.1.0.8, 14.0.1.1
719597 2-Critical BT719597 HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0 13.1.0.8, 14.0.0.3
715820-1 2-Critical BT715820 vCMP in HA configuration with VIPRION chassis might cause unstable data plane 13.1.0.8
712401-1 2-Critical BT712401 Enhanced administrator lock/unlock for Common Criteria compliance 13.1.0.8
676203-3 2-Critical BT676203 Inter-blade mpi connection fails, does not recover, and eventually all memory consumed. 12.1.3.2, 13.1.0.8
665362-2 2-Critical BT665362 MCPD might crash if the AOM restarts 12.1.3.6, 13.1.0.8, 14.0.0
581851-6 2-Critical K16234725, BT581851 mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands 11.5.9, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0
711249-1 3-Major BT711249 NAS-IP-Address added to RADIUS packet unexpectedly 12.1.4, 13.1.0.8, 14.0.0.3
710976-1 3-Major BT710976 Network Map can take a long time to load. 13.1.0.8, 14.0.0.3
708484-2 3-Major BT708484 Network Map might take a long time to load 13.1.0.8, 14.0.0.3
707445-3 3-Major K47025244 Nitrox 3 compression hangs/unable to recover 11.5.9, 11.6.3.3, 12.1.3.6, 13.1.0.8
705818-1 3-Major BT705818 GUI Network Map Policy with forward Rule to Pool, Pool does not show up 13.1.0.8, 14.0.0
704804-1 3-Major BT704804 The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address 12.1.3.3, 13.1.0.8, 14.0.0.3
704733-1 3-Major BT704733 NAS-IP-Address is sent with the bytes in reverse order 12.1.3.3, 13.1.0.8, 14.0.0.3
704247-2 3-Major BT704247 BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted 12.1.3.7, 13.1.0.8, 14.0.0.3
701249-1 3-Major BT701249 RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1 12.1.3.3, 13.1.0.8, 14.0.0.3
700895-1 3-Major K34944451, BT700895 GUI Network Map objects in subfolders are not being shown 13.1.0.8
696260-1 3-Major K53103420, BT696260 GUI Network Map as Start Screen presents database error 13.1.0.8
694696-5 3-Major BT694696 On multiblade Viprion, creating a new traffic-group causes the device to go Offline 12.1.3.2, 13.1.0.8
694547-2 3-Major K74203532, BT694547 TMSH save sys config creates unneeded generate_config processes. 13.1.0.8
689730-3 3-Major BT689730 Software installations from v13.1.0 might fail 12.1.3.5, 13.1.0.8
687658 3-Major BT687658 Monitor operations in transaction will cause it to stay unchecked 11.6.3.3, 12.1.3.2, 13.1.0.8
686906-2 3-Major BT686906 Fragmented IPv6 packets not handled correctly on Virtual Edition 13.1.0.8
674455-5 3-Major BT674455 Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS 12.1.3.5, 13.1.0.8
678254-1 4-Minor BT678254 Error logged when restarting Tomcat 12.1.3.7, 13.1.0.8


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
721571-1 2-Critical BT721571 State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade 13.1.0.8
718071-1 2-Critical BT718071 HTTP2 with ASM policy not passing traffic 12.1.3.6, 13.1.0.8, 14.0.0
715747 2-Critical BT715747 TMM may restart when running traffic through custom SSLO deployments. 13.1.0.8, 14.0.0
709828-2 2-Critical BT709828 fasthttp can crash with Large Receive Offload enabled 13.1.0.8, 14.0.0.3
707244-3 2-Critical BT707244 iRule command clientside and serverside may crash tmm 13.1.0.8, 14.0.0
707207-1 2-Critical BT707207 iRuleLx returning undefined value may cause TMM restart 12.1.3.6, 13.1.0.8, 14.0.0.5
700597-1 2-Critical BT700597 Local Traffic Policy on HTTP/2 virtual server no longer matches 13.1.0.8
700056-1 2-Critical BT700056 MCPD process may lock up and restart when applying Local Traffic Policy to virtual server 13.1.0.8, 14.0.0.3
690756-1 2-Critical BT690756 APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated 13.1.0.8
571651-4 2-Critical BT571651 Reset Nitrox3 crypto accelerator queue if it becomes stuck. 11.5.9, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0.5
713951-5 3-Major BT713951 tmm core files produced by nitrox_diag may be missing data 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0.3
713934-2 3-Major BT713934 Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response 12.1.3.6, 13.1.0.8, 14.0.0.3
712819-2 3-Major BT712819 'HTTP::hsts preload' iRule command cannot be used 13.1.0.8, 14.0.0.3
712475-3 3-Major K56479945, BT712475 DNS zones without servers will prevent DNS Express reading zone data 12.1.3.6, 13.1.0.8, 14.0.0
712437-3 3-Major K20355559, BT712437 Records containing hyphens (-) will prevent child zone from loading correctly 12.1.3.6, 13.1.0.8, 14.0.0
711281-5 3-Major BT711281 nitrox_diag may run out of space on /shared 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0.3
710996-2 3-Major BT710996 VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP 13.1.0.8
709133-2 3-Major BT709133 When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur 13.1.0.8, 14.0.0.3
709132-1 3-Major BT709132 When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur 13.1.0.8, 14.0.0.3
707961-2 3-Major K50013510, BT707961 Unable to add policy to virtual server; error = Failed to compile the combined policies 13.1.0.8, 14.0.0.3
707109-1 3-Major BT707109 Memory leak when using C3D 13.1.0.8, 14.0.0
704381-5 3-Major BT704381 SSL/TLS handshake failures and terminations are logged at too low a level 11.6.5.1, 12.1.3.6, 13.1.0.8, 14.0.0.3
702151-1 3-Major BT702151 HTTP/2 can garble large headers 11.6.3.3, 12.1.3.6, 13.1.0.8
700889-3 3-Major K07330445, BT700889 Software syncookies without TCP TS improperly include TCP options that are not encoded 11.6.3.3, 12.1.3.6, 13.1.0.8
700061-4 3-Major BT700061 Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file 12.1.3.6, 13.1.0.8
699598-2 3-Major BT699598 HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR or TCP RST 12.1.5, 13.1.0.8, 14.0.0.3
696755 3-Major BT696755 HTTP/2 may truncate a response body when served from cache 13.1.0.8, 14.1.0.6, 15.1.3, 16.0.1.2
693308-1 3-Major BT693308 SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain 12.1.3.7, 13.1.0.8
689089-1 3-Major BT689089 VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot 12.1.3.2, 13.1.0.8
688744-1 3-Major K11793920, BT688744 LTM Policy does not correctly handle multiple datagroups 13.1.0.8
686890-1 3-Major BT686890 X509_EXTENSION memory blocks leak when C3D forges the certificate. 13.1.0.8
682944-1 3-Major BT682944 key-id missing for installed netHSM key for standby BIG-IP system in high availability (HA) setup 13.1.0.8
682283-2 3-Major BT682283 Malformed HTTP/2 request with invalid Content-Length value is served against RFC 13.1.0.8, 14.0.0.3
678872-3 3-Major BT678872 Inconsistent behavior for virtual-address and selfip on the same ip-address 12.1.3.6, 13.1.0.8
673399-3 3-Major BT673399 HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server. 12.1.3.4, 13.1.0.8
653201-2 3-Major BT653201 Update the default CA certificate bundle file to the latest version and remove expiring certificates from it 13.1.0.8
713533-2 4-Minor BT713533 list self-ip with queries does not work 12.1.3.6, 13.1.0.8, 14.0.0.3
708249-2 4-Minor BT708249 nitrox_diag utility generates QKView files with 5 MB maximum file size limit 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.8, 14.0.0.3
692095-1 4-Minor K65311501, BT692095 bigd logs monitor status unknown for FQDN Node/Pool Member 11.6.3.3, 12.1.3.2, 13.1.0.8
678801-4 4-Minor BT678801 WS::enabled returned empty string 12.1.3.6, 13.1.0.8
677958-4 4-Minor BT677958 WS::frame prepend and WS::frame append do not insert string in the right place. 12.1.3.6, 13.1.0.8


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
698992-1 3-Major BT698992 Performance degraded 13.1.0.8


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
713066-1 2-Critical K10620131, BT713066 Connection failure during DNS lookup to disabled nameserver can crash TMM 12.1.3.6, 13.1.0.8, 14.0.0
707310-2 2-Critical BT707310 DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs) 12.1.3.6, 13.1.0.8, 14.0.0
721895 3-Major   Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery) 11.5.7, 11.6.4, 12.1.4.1, 13.1.0.8, 14.0.0.5
715448-2 3-Major BT715448 Providing LB::status with a GTM Pool name in a variable caused validation issues 12.1.3.7, 13.1.0.8, 14.0.0.3
710032-1 3-Major BT710032 'No Access' error when viewing GSLB Server's virtual server that has a name indicating a partition that does not exist on that BIG-IP system. 13.1.0.8, 14.0.0.3
706128-2 3-Major BT706128 DNSSEC Signed Zone Transfers Can Leak Memory 12.1.3.6, 13.1.0.8, 14.0.0
703545-1 3-Major BT703545 DNS::return iRule "loop" checking disabled 13.1.0.8, 14.0.0


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
718152 2-Critical K14591455, BT718152 ASM GUI request log does not load on cluster 13.1.0.8
716788-2 2-Critical BT716788 TMM may crash while response modifications are being performed within DoSL7 filter 12.1.3.7, 13.1.0.8, 14.0.0.5
713390-1 2-Critical   ASM Signature Update cannot be performed on hourly billing cloud instance 13.1.0.8
685230-3 2-Critical BT685230 memory leak on a specific server scenario 12.1.3.7, 13.1.0.8
606983-2 2-Critical BT606983 ASM errors during policy import 12.1.3.6, 13.1.0.8, 14.0.0.5
719459-2 3-Major BT719459 Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled 13.1.0.8, 14.0.0.5
719005-1 3-Major BT719005 Login request may arrive corrupted to the backend server after CAPTCHA or CSID mitigation 13.1.0.8, 14.0.0.5
717756-2 3-Major BT717756 High CPU usage from asm_config_server 13.1.0.8, 14.0.0
716940-2 3-Major BT716940 Traffic Learning screen graphs shows data for the last day only 13.1.0.8, 14.0.0.5
715128-1 3-Major BT715128 Simple mode Signature edit does not escape semicolon 13.1.0.8, 14.0.0.5
713282-1 3-Major BT713282 Remote logger violation_details field does not appear when virtual server has more than one remote logger 12.1.3.7, 13.1.0.8, 14.0.0.5
712362-3 3-Major BT712362 ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase 12.1.3.6, 13.1.0.8, 14.0.0.5
711405-1 3-Major K14770331, BT711405 ASM GUI Fails to Display Policy List After Upgrade 13.1.0.8, 14.0.0.5
710327-1 3-Major BT710327 Remote logger message is truncated at NULL character. 12.1.3.6, 13.1.0.8, 14.0.0
707147-1 3-Major BT707147 High CPU consumed by asm_config_server_rpc_handler_async.pl 12.1.3.6, 13.1.0.8, 14.0.0
706845-2 3-Major BT706845 False positive illegal multipart violation 12.1.3.6, 13.1.0.8
706665-2 3-Major BT706665 ASM policy is modified after pabnagd restart 13.1.0.8, 14.0.0
704643-1 3-Major BT704643 Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule 13.1.0.8, 14.0.1.1
702008-1 3-Major BT702008 ASM REST: Missing DB Cleanup for some tables 13.1.0.8
700143-2 3-Major BT700143 ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages 12.1.3.2, 13.1.0.8
691897-3 3-Major BT691897 Names of the modified cookies do not appear in the event log 12.1.3.6, 13.1.0.8
687759-1 3-Major BT687759 bd crash 12.1.3.6, 13.1.0.8, 14.0.0.5, 14.1.0.6
686765-2 3-Major BT686765 Database cleaning failure may allow MySQL space to fill the disk entirely 12.1.3.6, 13.1.0.8
674256-2 3-Major K60745057, BT674256 False positive cookie hijacking violation 13.1.0.8, 13.1.1.4, 14.0.0
675232-6 4-Minor BT675232 Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction 11.6.3.2, 12.1.3.2, 13.1.0.8


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
710315-1 2-Critical BT710315 AVR-profile might cause issues when loading a configuration or when using config sync 13.1.0.8, 14.0.0
698226-1 2-Critical BT698226 Filters under Security :: Reports :: DoS :: URL Latencies work incorrectly 13.1.0.8
696642-1 2-Critical BT696642 monpd core is sometimes created when the system is under heavy load. 13.1.0.8
721474-1 3-Major BT721474 AVR does not send all SSLO statistics to offbox machine. 13.1.0.8, 14.0.0
715110 3-Major BT715110 AVR should report 'resolutions' in module GtmWideip 13.1.0.8, 14.1.0.2
712118 3-Major BT712118 AVR should report on all 'global tags' in external logs 13.1.0.8, 14.0.0
706361 3-Major BT706361 IPS stats tables are empty after upgrade from 13.1.0 to 14.0.0 13.1.0.8
696212-1 3-Major BT696212 monpd does not return data for multi-dimension query 13.1.0.8
648242-2 3-Major K73521040, BT648242 Administrator users unable to access all partition via TMSH for AVR reports 12.1.3.2, 13.1.0.8, 14.0.0.5, 14.1.4, 15.1.2.1, 16.0.1.1
649161-2 4-Minor K42340304, BT649161 AVR caching mechanism not working properly 12.1.3.2, 13.1.0.8


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
720214-1 2-Critical BT720214 NTLM Authentication might fail if Strict Update in iApp is modified 13.1.0.8, 14.0.0
720189-1 2-Critical BT720189 VDI settings in APM Webtop have the incorrect URL for Citrix Receiver client download 13.1.0.8, 14.0.0
719149-2 2-Critical BT719149 VDI plugin might hang while processing native RDP connections 13.1.0.8, 14.0.0
716747-2 2-Critical   TMM may crash while processing APM or SWG traffic 12.1.3.6, 13.1.0.8, 14.0.0
715250-1 2-Critical BT715250 TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED 12.1.3.6, 13.1.0.8
713156-1 2-Critical BT713156 AGC cannot do redeploy in Exchange and ADFS use cases 13.1.0.8, 14.0.0
710116-1 2-Critical BT710116 VPN clients experience packet loss/disconnection 13.1.0.8, 14.0.0
694078-1 2-Critical BT694078 In rare cases, TMM may crash with high APM traffic 13.1.0.8
720695-1 3-Major BT720695 Export then import of APM access Profile/Policy with advanced customization is failing 12.1.3.6, 13.1.0.8, 14.0.0
719192 3-Major BT719192 In VPE Agent VMware View Policy shows no properties 13.1.0.8
715207-3 3-Major BT715207 coapi errors while modifying per-request policy in VPE 12.1.3.6, 13.1.0.8, 14.0.0
714961-1 3-Major BT714961 antserver creates large temporary file in /tmp directory 13.1.0.8, 14.0.0
714700-2 3-Major BT714700 SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy 13.1.0.8, 14.0.0
713111-1 3-Major BT713111 When ASM and APM are configured on the same virtual server, ASM might report some errors in its logging. 13.1.0.8
710305-1 3-Major BT710305 When ASM and APM are configured on the same virtual server, ASM could throw some errors in its logging. 13.1.0.8
709274-1 3-Major BT709274 RADIUS Accounting requests egress on different Self IP addresses than they did pre-v13.1.0 13.1.0.8, 14.0.0
699267-2 3-Major BT699267 LDAP Query may fail to resolve nested groups 11.6.3.3, 12.1.3.4, 13.1.0.8
658278-1 3-Major BT658278 Network Access configuration with Layered-VS does not work with Edge Client 11.6.4, 13.1.0.8, 14.0.0


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
703515-3 2-Critical K44933323, BT703515 MRF SIP LB - Message corruption when using custom persistence key 11.6.3.2, 12.1.3.6, 13.1.0.8
692310-2 3-Major K69250459, BT692310 ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body 13.1.0.8


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
677473-3 2-Critical BT677473 MCPD core is generated on multiple add/remove of Mgmt-Rules 12.1.3.6, 13.1.0.8


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
711570-3 3-Major BT711570 PEM iRule subscriber policy name query using subscriber ID, may not return applied policies 12.1.3.6, 13.1.0.8
663874-2 3-Major K77173309, BT663874 Off-box HSL logging does not work with PEM in SPAN mode. 13.1.0.8


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
719186-2 3-Major BT719186 Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts 13.1.0.8, 14.0.1.1
716318-2 3-Major BT716318 Engine/Signatures automatic update check may fail to find/download the latest update 12.1.3.7, 13.1.0.8, 14.0.0.5


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
714334-1 2-Critical BT714334 admd stops responding and generates a core while under stress. 13.1.0.8, 14.0.0.5
718772-2 3-Major BT718772 The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists) 13.1.0.8, 14.0.0.5
718685-1 3-Major BT718685 The measured number of pending requests is two times higher than actual one 13.1.0.8
701288-1 3-Major BT701288 Server health significantly increases during DoSL7 TPS prevention 13.1.0.8, 14.0.0


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
693694-1 3-Major BT693694 tmsh::load within IApp template results in unpredicted behavior 13.1.0.8



Cumulative fixes from BIG-IP v13.1.0.7 that are included in this release


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
716392-1 1-Blocking BT716392 Support for 24 vCMP guests on a single 4450 blade 13.1.0.7, 14.0.0.2
712429 1-Blocking BT712429 Serverside packets excluded from DoS stats 13.1.0.7
704552 3-Major BT704552 Support for ONAP site licensing 13.1.0.7, 14.0.0.2, 14.1.4.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
707100 2-Critical BT707100 Potentially fail to create user in AzureStack 13.1.0.7, 14.0.0.1
706688 2-Critical BT706688 Automatically add additional certificates to BIG-IP system in C2S and IC environments 13.1.0.7, 14.0.0.1
709936 3-Major BT709936 Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration. 13.1.0.7, 14.0.0.1
707585-1 3-Major BT707585 Use native driver for 82599 NICs instead of UNIC 13.1.0.7, 14.0.0.1
703869 3-Major BT703869 Waagent updated to 2.2.21 12.1.3.3, 13.1.0.7, 14.0.0.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
713273 2-Critical BT713273 BIG-IP sys db variable avr.stats.internal.maxentitiespertable resets back to default value on services restart 13.1.0.7, 14.0.0
715153-1 3-Major BT715153 AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem 13.1.0.7, 14.0.0


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
716746 3-Major BT716746 Possible tmm restart when disabling single endpoint vector while attack is ongoing 13.1.0.7, 14.1.4.2, 15.1.3, 16.0.1.2
712710 3-Major BT712710 TMM may halt and restart when threshold mode is set to stress-based mitigation 13.1.0.7, 14.0.0


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
699103-1 3-Major BT699103 tmm continuously restarts after provisioning AFM 13.1.0.7, 14.0.0



Cumulative fixes from BIG-IP v13.1.0.6 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
709972-6 CVE-2017-12613 K52319810, BT709972 CVE-2017-12613: APR Vulnerability 12.1.3.6, 13.1.0.6, 14.0.0.3
707186-1 CVE-2018-5514 K45320419, BT707186 TMM may crash while processing HTTP/2 traffic 13.1.0.6, 14.0.0
702232-1 CVE-2018-5517 K25573437, BT702232 TMM may crash while processing FastL4 TCP traffic 13.1.0.6, 14.0.0
693312-1 CVE-2018-5518 K03165684, BT693312 vCMPd may crash when processing bridged network traffic 12.1.3.4, 13.1.0.6
688516-1 CVE-2018-5518 K03165684, BT688516 vCMPd may crash when processing bridged network traffic 12.1.3.4, 13.1.0.6
686305-1 CVE-2018-5534 K64552448, BT686305 TMM may crash while processing SSL forward proxy traffic 11.5.7, 11.6.3.2, 12.1.3.2, 13.0.1, 13.1.0.6
589233-2 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic 13.1.0.6
714369 CVE-2018-5526 K62201098, BT714369 ADM may fail when processing HTTP traffic 13.1.0.6, 14.0.0
714350 CVE-2018-5526 K62201098, BT714350 BADOS mitigation may fail 13.1.0.6, 14.0.0
710314-1 CVE-2018-5537 K94105051, BT710314 TMM may crash while processing HTML traffic 11.5.7, 11.6.3.2, 12.1.3.6, 13.1.0.6, 14.0.0
706176-1 CVE-2018-5512 K51754851, BT706176 TMM crash can occur when using LRO 13.1.0.6, 14.0.0
706086-3 CVE-2018-5515 K62750376, BT706086 PAM RADIUS authentication subsystem hardening 12.1.3.3, 13.1.0.6, 14.0.0
703940-2 CVE-2018-5530 K45611803, BT703940 Malformed HTTP/2 frame consumes excessive system resources 11.6.3.2, 12.1.3.6, 13.1.0.6, 14.0.0
699346-3 CVE-2018-5524 K53931245, BT699346 NetHSM capacity reduces when handling errors 11.6.3.2, 12.1.3.2, 13.0.1, 13.1.0.6
688011-7 CVE-2018-5520 K02043709, BT688011 Dig utility does not apply best practices 12.1.3.2, 13.0.1, 13.1.0.6, 14.0.0
688009-7 CVE-2018-5519 K46121888, BT688009 Appliance Mode TMSH hardening 12.1.3.4, 13.0.1, 13.1.0.6, 14.0.0
677088-2 CVE-2018-15321 K01067037, BT677088 BIG-IP tmsh vulnerability CVE-2018-15321 11.5.7, 11.6.3.3, 12.1.3.6, 13.1.0.6, 14.0.0.3
708653-1 CVE-2018-15311 K07550539, BT708653 TMM may crash while processing TCP traffic 11.5.7, 11.6.3.3, 12.1.3.6, 13.1.0.6, 14.0.0
632875-5 CVE-2018-5516 K37442533, BT632875 Non-Administrator TMSH users no longer allowed to run dig 12.1.3, 13.0.1, 13.1.0.6, 14.0.0


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
708389 3-Major BT708389 BADOS monitoring with Grafana requires admin privilege 13.1.0.6, 14.0.0.5
680850-2 3-Major K48342409, BT680850 Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage. 12.1.3.4, 13.1.0.6


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
694897-2 1-Blocking BT694897 Unsupported Copper SFP can trigger a crash on i4x00 platforms. 13.1.0.6
708054-1 2-Critical BT708054 Web Acceleration: TMM may crash on very large HTML files with conditional comments 12.1.3.4, 13.1.0.6, 14.0.0
706305-1 2-Critical BT706305 bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled 12.1.3.4, 13.1.0.6, 14.0.0
706087 2-Critical BT706087 Entry for SSL key replaced by config-sync causes tmsh load config to fail 13.1.0.6, 14.0.0
703761-2 2-Critical   Disable DSA keys for public-key and host-based authentication in Common Criteria mode 12.1.3.4, 13.1.0.6
696113-3 2-Critical BT696113 Extra IPsec reference added per crypto operation overflows connflow refcount 12.1.3.6, 13.1.0.6
692683-1 2-Critical BT692683 Core with /usr/bin/tmm.debug at qa_device_mgr_uninit 13.1.0.6
690793-1 2-Critical K25263287, BT690793 TMM may crash and dump core due to improper connflow tracking 12.1.3.7, 13.1.0.6
689577-3 2-Critical K45800333, BT689577 ospf6d may crash when processing specific LSAs 12.1.3.2, 13.1.0.6
688911-1 2-Critical K94296004, BT688911 LTM Policy GUI incorrectly shows conditions with datagroups 13.1.0.6
563661-1 2-Critical BT563661 Datastor may crash 11.6.3.3, 12.1.3.2, 13.1.0.6
704282-2 3-Major BT704282 TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy 12.1.3.6, 13.1.0.6
703298-2 3-Major BT703298 Licensing and phonehome_upload are not using the sync'd key/certificate 13.1.0.6, 14.0.0
701626-2 3-Major K16465222, BT701626 GUI resets custom Certificate Key Chain in child client SSL profile 11.6.3.3, 12.1.3.4, 13.1.0.6
698429-1 3-Major BT698429 Misleading log error message: Store Read invalid store addr 0x3800, len 10 12.1.5.3, 13.1.0.6
693964-1 3-Major BT693964 Qkview utility may generate invalid XML in files contained in Qkview 13.1.0.6
691497-2 3-Major BT691497 tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions 13.1.0.6
691210-1 3-Major BT691210 Traffic stops on tmm restart when guest VLAN tagging is used for BIG-IP VE. 13.1.0.6
687353-1 3-Major K35595105, BT687353 Qkview truncates tmstat snapshot files 12.1.3.2, 13.0.1, 13.1.0.6
631316-2 3-Major K62532020, BT631316 Unable to load config with client-SSL profile error 11.6.3.2, 12.1.3.2, 13.1.0.6
514703-3 4-Minor BT514703 gtm listener cannot be listed across partitions 13.0.1, 13.1.0.6


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
709334-1 2-Critical BT709334 Memory leak when SSL Forward proxy is used and ssl re-negotiates 12.1.3.6, 13.1.0.6, 14.0.0
708114-1 2-Critical K33319853, BT708114 TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed 11.6.3.2, 12.1.3.6, 13.1.0.6, 14.0.0
707447-1 2-Critical BT707447 Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles. 12.1.3.6, 13.1.0.6, 14.0.0
707246-1 2-Critical BT707246 TMM would crash if SSL Client profile could not load cert-key-chain successfully 13.1.0.6, 14.0.0
706631-2 2-Critical BT706631 A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured. 12.1.3.4, 13.1.0.6, 14.0.0
705611-2 2-Critical BT705611 The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used 12.1.3.4, 13.1.0.6, 14.0.0
704666-1 2-Critical BT704666 memory corruption can occur when using certain certificates 12.1.3.4, 13.1.0.6, 14.0.0
704435-1 2-Critical BT704435 Client connection may hang when NTLM and OneConnect profiles used together 13.1.0.6
703914-2 2-Critical BT703914 TMM SIGSEGV crash in poolmbr_conn_dec. 12.1.3.6, 13.1.0.6, 14.0.0
703191-2 2-Critical BT703191 HTTP2 requests may contain invalid headers when sent to servers 13.1.0.6
701244-1 2-Critical K81742541, BT701244 An incorrect data manipulation in cipher encrypt and decrypt could cause TMM crash with SIGABRT 13.1.0.6
701202-3 2-Critical K35023432, BT701202 SSL memory corruption 12.1.3.4, 13.1.0.6
700393-3 2-Critical K53464344, BT700393 Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash 11.6.3.3, 12.1.3.4, 13.1.0.6, 14.0.0
697259-2 2-Critical K14023450, BT697259 Different versioned vCMP guests on the same chassis may crash. 12.1.3.7, 13.1.0.6
694656-1 2-Critical K05186205, BT694656 Routing changes may cause TMM to restart 12.1.3.7, 13.1.0.6
686228-1 2-Critical K23243525, BT686228 TMM may crash in some circumstances with VLAN failsafe 11.5.9, 11.6.4, 12.1.3.2, 13.1.0.6
680074-2 2-Critical BT680074 TMM crashes when serverssl cannot provide certificate to backend server. 13.1.0.6
667770-1 2-Critical K12472293, BT667770 SIGSEGV to tmm when performing multiple, repeated SSL profile updates, or during UCS restore 13.1.0.6
648320-5 2-Critical K38159538, BT648320 Downloading via APM tunnels could experience performance downgrade. 11.6.3.2, 12.1.3.4, 13.0.1, 13.1.0.6
705794-2 3-Major BT705794 Under certain circumstances a stale HTTP/2 stream might cause a tmm crash 11.6.3.3, 12.1.3.4, 13.1.0.6, 14.0.0
701147-2 3-Major K36563645, BT701147 ProxySSL does not work properly with Extended Master Secret and OCSP 13.1.0.6
700057-4 3-Major BT700057 LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved 11.6.4, 12.1.3.6, 13.1.0.6
693910-4 3-Major BT693910 Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series) 12.1.4, 13.1.0.6
693244-2 3-Major BT693244 BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned 13.1.0.6, 14.0.0.3
690042-1 3-Major K43412307, BT690042 Potential Tcl leak during iRule suspend operation 11.6.4, 12.1.3.4, 13.1.0.6
689561-1 3-Major BT689561 HTTPS request hangs when multiple virtual https servers shares the same ip address 13.1.0.6
686972-4 3-Major BT686972 The change of APM log settings will reset the SSL session cache. 12.1.3.4, 13.1.0.6
685615-4 3-Major K24447043, BT685615 Incorrect source mac for TCP Reset with vlangroup for host traffic 11.5.6, 11.6.5.1, 12.1.3.6, 13.1.0.6
677525-2 3-Major BT677525 Translucent VLAN group may use unexpected source MAC address 11.5.6, 11.6.3.2, 12.1.3.6, 13.1.0.6
663821-1 3-Major K41344010, BT663821 SNAT Stats may not include port FTP traffic 12.1.3.2, 13.0.1, 13.1.0.6
653976-4 3-Major K00610259, BT653976 SSL handshake fails if server certificate contains multiple CommonNames 12.1.3.4, 13.1.0.6
594751-1 3-Major K90535529, BT594751 LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN 12.1.5.1, 13.1.0.6


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
710424-2 2-Critical BT710424 Possible SIGSEGV in GTMD when GTM persistence is enabled. 11.6.5.2, 12.1.3.4, 13.1.0.6, 14.0.0
678861-1 2-Critical BT678861 DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other 12.1.3.2, 13.1.0.6


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
710870 2-Critical BT710870 Temporary browser challenge failure after installing older ASU 13.1.0.6
711011-2 3-Major BT711011 'API Security' security policy template changes 13.1.0.6, 14.0.0
683241-1 3-Major K70517410, BT683241 Improve CSRF token handling 11.5.6, 11.6.3.2, 12.1.3.6, 13.1.0.6


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
710947-1 2-Critical BT710947 AVR does not send errdef for entity DosIpLogReporting. 13.1.0.6, 14.0.0
710110-1 2-Critical BT710110 AVR does not publish DNS statistics to external log when usr-offbox is enabled. 13.1.0.6, 14.0.0
711929-1 3-Major BT711929 AVR should not send statistic on hidden rows for module InterfaceTraffic and module InterfaceHealth 13.1.0.6, 14.0.0


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
679221-2 1-Blocking BT679221 APMD may generate core file or appears locked up after APM configuration changed 12.1.3.4, 13.1.0.6
708005-1 2-Critical K12423316, BT708005 Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources 13.1.0.6, 14.0.0
703208-1 2-Critical BT703208 PingAccessAgent causes TMM core 13.1.0.6, 14.0.0
702278-2 2-Critical   Potential XSS security exposure on APM logon page. 12.1.3.4, 13.0.1, 13.1.0.6, 14.0.0
700522-1 2-Critical BT700522 APMD may unexpectedly restart when worker threads are stuck 13.1.0.6
700090-2 2-Critical BT700090 tmm crash during execution of a per-request policy when modified during execution. 13.1.0.6, 14.0.0
699686-1 2-Critical BT699686 localdbmgr can occasionally crash during shutdown 13.1.0.6, 14.0.0
697452-1 2-Critical BT697452 Websso crashes because of bad argument in logging 13.0.1, 13.1.0.6
712924-1 3-Major BT712924 In VPE SecurID servers list are not being displayed in SecurID authentication dialogue 12.1.3.6, 13.1.0.6
703793-3 3-Major BT703793 tmm restarts when using 'ACCESS::perflow get' in certain events 12.1.3.7, 13.1.0.6, 14.0.0
703171-1 3-Major BT703171 High CPU usage for apmd, localdbmgr and oauth processes 13.1.0.6, 14.0.0
702487-3 3-Major BT702487 AD/LDAP admins with spaces in names are not supported 12.1.3.4, 13.1.0.6
684937-3 3-Major K26451305, BT684937 [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users 11.5.6, 11.6.3.2, 12.1.3.6, 13.0.1, 13.1.0.6
683113-3 3-Major K22904904, BT683113 [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users 11.5.6, 11.6.3.2, 12.1.3.6, 13.0.1, 13.1.0.6
681415-3 3-Major BT681415 Copying of profile with advanced customization or images might fail 12.1.3.4, 13.1.0.6
678427-1 3-Major K03138339, BT678427 Safari 11 displays F5 EPI and F5 VPN launch confirmation dialogs twice 13.1.0.6
675775-4 3-Major BT675775 TMM crashes inside dynamic ACL building session db callback 12.1.3.4, 13.1.0.6
671597-3 3-Major BT671597 Import, export, copy and delete is taking too long on 1000 entries policy 12.1.3.2, 13.0.1, 13.1.0.6
673717-3 4-Minor BT673717 VPE loading times can be very long 12.1.3.2, 13.0.1, 13.1.0.6


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
701889-1 2-Critical BT701889 Setting log.ivs.level or log-config filter level to informational causes crash 13.1.0.6
679114-4 3-Major BT679114 Persistence record expires early if an error is returned for a BYE command 11.6.3, 12.1.3.6, 13.1.0.6


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
708888-1 2-Critical K79814103, BT708888 Some DNS truncated responses may not be processed by BIG-IP 13.1.0.6, 14.0.0
667353 2-Critical BT667353 Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table 13.1.0.6, 14.0.0


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
702705-2 2-Critical BT702705 Core observed during lease query testing when RADIUS Authentication is configured in DHCP profile 13.1.0.6
699531-1 2-Critical BT699531 Potential TMM crash due to incorrect number of attributes in a PEM iRule command 12.1.3.6, 13.1.0.6, 14.0.0.3
696294-1 2-Critical BT696294 TMM core may be seen when using Application reporting with flow filter in PEM 12.1.3.6, 13.1.0.6
711093-1 3-Major BT711093 PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled 12.1.3.6, 13.1.0.6, 14.0.0.3
709610-3 3-Major BT709610 Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM 12.1.3.6, 13.1.0.6, 14.0.0.3
697718-1 3-Major BT697718 Increase PEM HSL reporting buffer size to 4K. 12.1.3.6, 13.1.0.6
677494-1 3-Major BT677494 Flow filter with Periodic content insertion action could leak insert content record 13.1.0.6
677148-1 3-Major BT677148 Periodic content insertion creates duplicate records if same policy is added to Global high and subscriber specific 13.1.0.6
676346-2 3-Major BT676346 PEM displays incorrect policy action counters when the gate status is disabled. 13.1.0.6, 14.0.0.3
648802-1 3-Major BT648802 Required custom AVPs are not included in an RAA when reporting an error. 12.1.3.6, 13.1.0.6, 14.0.0.3


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
710701-1 3-Major BT710701 "Application Layer Encryption" option is not saved in DataSafe GUI 13.1.0.6, 14.0.0
709319-2 3-Major BT709319 Post-login client-side alerts are missing username in bigIQ 13.1.0.6, 14.0.0
706835 3-Major BT706835 When cloning a profile, URL parameters are not shown 13.1.0.6
706771-1 3-Major BT706771 FPS ajax-mapping property may be set even when it should be blocked 13.1.0.6, 14.0.0
706651-1 3-Major BT706651 Cloning URL does not clone "Description" field 13.1.0.6, 14.0.0
706276-1 4-Minor BT706276 Unnecessary pop-up appears 13.1.0.6


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
708305-2 3-Major BT708305 Discover task may get stuck in CHECK_IS_ACTIVE step 13.1.0.6, 14.0.0
705593-5 4-Minor   CVE-2015-7940: Bouncy Castle Java Vulnerability 13.1.0.6, 14.0.0



Cumulative fixes from BIG-IP v13.1.0.5 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
633441-1 3-Major BT633441 Datasync Background Tasks running even without features requiring it 13.1.0.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
708189 4-Minor BT708189 OAuth Discovery Auto Pilot is implemented 13.1.0.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
708840 3-Major BT708840 13.0.0-to-13.1.0 upgrade operation on VIPRION 2250 blades might fail if global whitelist is configured 13.1.0.5, 14.0.0



Cumulative fixes from BIG-IP v13.1.0.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
705161-1 CVE-2018-5505 K23520761, BT705161 BIG-IP ASM and BIG-IP AFM/BIG-IP Analytics vulnerability CVE-2018-5505 13.1.0.4, 14.0.0
703517 CVE-2018-5505 K23520761, BT703517 BIG-IP ASM and BIG-IP AFM/BIG-IP Analytics vulnerability CVE-2018-5505 13.1.0.4
700556-1 CVE-2018-5504 K11718033, BT700556 TMM may crash when processing WebSockets data 12.1.3.2, 13.0.1, 13.1.0.4
699012-1 CVE-2018-5502 K43121447, BT699012 TMM may crash when processing SSL/TLS data 13.0.1, 13.1.0.4
698080-3 CVE-2018-5503 K54562183, BT698080 TMM may consume excessive resources when processing with PEM 12.1.3.2, 13.1.0.4
695901-1 CVE-2018-5513 K46940010, BT695901 TMM may crash when processing ProxySSL data 11.5.6, 11.6.3.2, 12.1.3.4, 13.0.1, 13.1.0.4
691504-1 CVE-2018-5503 K54562183, BT691504 PEM content insertion in a compressed response may cause a crash. 12.1.3.2, 13.1.0.4
704580-1 CVE-2018-5549 K05018525, BT704580 apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP 11.6.3.2, 12.1.3.4, 13.0.1, 13.1.0.4, 14.0.0
701447-1 CVE-2017-5754 K91229003, BT701447 CVE-2017-5754 (Meltdown) 13.0.1, 13.1.0.4, 14.0.0
701445-1 CVE-2017-5753, CVE-2017-9074, CVE-2017-7542, CVE-2017-11176 K91229003, BT701445 CVE-2017-5753 (Spectre Variant 1) 13.0.1, 13.1.0.4, 14.0.0
701359-4 CVE-2017-3145 K08613310 BIND vulnerability CVE-2017-3145 11.6.3.2, 12.1.3.4, 13.0.1, 13.1.0.4
699455-4 CVE-2018-5523 K50254952, BT699455 SAML export does not follow best practices 11.5.6, 11.6.3.2, 12.1.3.2, 13.0.1, 13.1.0.4
699451-3 CVE-2018-5511 K30500703, BT699451 OAuth reports do not follow best practices 13.0.1, 13.1.0.4
676457-5 CVE-2017-6153 K52167636, BT676457 TMM may consume excessive resource when processing compressed data 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4
640766-2 CVE-2016-10088, CVE-2016-9576 K05513373, BT640766 Linux kernel vulnerability: CVE-2016-10088 CVE-2016-9576 13.0.1, 13.1.0.4
636986-1 CVE-2021-22982 K72708443, BT636986 big3d agent vulnerability CVE-2021-22982 13.1.0.4


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
686389-1 3-Major BT686389 APM does not honor per-farm HTML5 client disabling at the View Connection Server 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4
678524-1 3-Major BT678524 Join FF02::2 multicast group when router-advertisement is configured 13.1.0.4
693007-1 4-Minor BT693007 Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC 12.1.3.6, 13.1.0.4


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
707226 1-Blocking BT707226 DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations 11.5.6, 11.6.3.1, 12.1.3.3, 13.0.1, 13.1.0.4, 14.0.0
700315-2 1-Blocking K26130444, BT700315 Ctrl+C does not terminate TShark 12.1.3.6, 13.1.0.4
667148-3 1-Blocking K02500042, BT667148 Config load or upgrade can fail when loading GTM objects from a non-/Common partition 12.1.3.2, 13.0.1, 13.1.0.4
706998-3 2-Critical BT706998 Memory leak when OCSP is configured in clientSSL profile for C3D, or in serverSSL profile for server authentication 13.1.0.4, 14.0.0
692890-3 2-Critical BT692890 Adding support for BIG-IP 800 in 13.1.x 13.1.0.4
685458-7 2-Critical K44738140, BT685458 merged fails merging a table when a table row has incomplete keys defined. 12.1.5, 13.1.0.4
665354-1 2-Critical K31190471, BT665354 Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log 12.1.3, 13.0.1, 13.1.0.4
703848-1 3-Major BT703848 Possible memory leak when reusing statistics rows in tables 13.0.1, 13.1.0.4
702520-2 3-Major K53330514, BT702520 Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address. 13.1.0.4
694740-3 3-Major BT694740 BIG-IP reboot during a TMM core results in an incomplete core dump 12.1.3.6, 13.1.0.4
692753-1 3-Major BT692753 shutting down trap not sent when shutdown -r or shutdown -h issued from shell 13.1.0.4
689691-2 3-Major BT689691 iStats line length greater than 4032 bytes results in corrupted statistics or merge errors 13.0.1, 13.1.0.4
686029-2 3-Major BT686029 A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces 12.1.3.4, 13.1.0.4
669462-2 3-Major BT669462 Error adding /Common/WideIPs as members to GTM Pool in non-Common partition 12.1.3.2, 13.1.0.4
589083-6 3-Major BT589083 TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors. 12.1.2, 13.1.0.4, 14.0.0
699281-1 4-Minor BT699281 Version format of hypervisor bundle matches Version format of ISO 12.1.3.2, 13.1.0.4
685475-1 4-Minor K93145012, BT685475 Unexpected error when applying hotfix 12.1.3.6, 13.1.0.4


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
706534-1 1-Blocking BT706534 L7 connection mirroring may not be fully mirrored on standby BIG-IP system 13.1.0.4, 14.0.0
698424-1 1-Blocking K11906514, BT698424 Traffic over a QinQ VLAN (double tagged) will not pass 13.1.0.4
700862-1 2-Critical K15130240, BT700862 tmm SIGFPE 'valid node' 12.1.3.4, 13.1.0.4
699298-2 2-Critical BT699298 13.0.0 Hotfix HF3 3.0.1679 TMM CORED due to SIGSEGV. 13.0.1, 13.1.0.4
698461-1 2-Critical BT698461 Tmm may crash in fastl4 TCP 13.1.0.4, 14.0.0
692970-2 2-Critical BT692970 Using UDP port 67 for purposes other than DHCP might cause TMM to crash 12.1.3.2, 13.0.1, 13.1.0.4
691095-1 2-Critical BT691095 CA bundle manager loses certificates in the CA bundle if the serial number is longer than 4 bytes 13.1.0.4
687635-1 2-Critical K58002142, BT687635 Tmm becomes unresponsive and might restart 13.0.1, 13.1.0.4
687205-2 2-Critical BT687205 Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart 12.1.3.4, 13.1.0.4
681175-3 2-Critical K32153360, BT681175 TMM may crash during routing updates 12.1.3.2, 13.1.0.4
674576-3 2-Critical BT674576 Outage may occur with VIP-VIP configurations 12.1.3.2, 13.0.1, 13.1.0.4
452283-5 2-Critical BT452283 An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows 11.6.3.3, 12.1.3.4, 13.1.0.4
440620-1 2-Critical BT440620 New connections may be reset when a client reuses the same port as it used for a recently closed connection 11.6.5.1, 12.1.3.6, 13.1.0.4
704073-1 3-Major K24233427, BT704073 Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm 12.1.3.2, 13.1.0.4
702439 3-Major K04964898, BT702439 Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset 13.1.0.4
698916-1 3-Major BT698916 TMM crash with HTTP/2 under specific condition 12.1.3.6, 13.1.0.4
698379-2 3-Major K61238215, BT698379 HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR( 12.1.3.6, 13.1.0.4
698000-3 3-Major K04473510, BT698000 Connections may stop passing traffic after a route update 11.6.3, 12.1.3.2, 13.1.0.4
695707-5 3-Major BT695707 BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection 13.1.0.4
691806-1 3-Major K61815412, BT691806 RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state 11.5.7, 11.6.3.3, 12.1.3.6, 13.1.0.4
689449-1 3-Major BT689449 Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured 11.6.4, 12.1.3.4, 13.1.0.4, 14.0.0
688571-2 3-Major K40332712, BT688571 Untrusted cert might be accepted by the server-ssl even though when 'untrusted-cert-response-control drop' is configured in the server-ssl profile. 13.1.0.4
688570-5 3-Major BT688570 BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes 13.1.0.4
686307-3 3-Major K10665315, BT686307 Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later 12.1.3.2, 13.1.0.4
686065-2 3-Major BT686065 RESOLV::lookup iRule command can trigger crash with slow resolver 12.1.3.2, 13.0.1, 13.1.0.4
682104-3 3-Major BT682104 HTTP PSM leaks memory when looking up evasion descriptions 12.1.3.2, 13.1.0.4
680264-2 3-Major BT680264 HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags 12.1.4, 13.0.1, 13.1.0.4
677666-2 3-Major BT677666 /var/tmstat/blades/scripts segment grows in size. 13.0.1, 13.1.0.4
664528-2 3-Major K53282793, BT664528 SSL record can be larger than maximum fragment size (16384 bytes) 12.1.3.4, 13.1.0.4
251162-1 3-Major K11564 The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name 12.1.3.6, 13.1.0.4
685467-1 4-Minor K12933087, BT685467 Certain header manipulations in HTTP profile may result in losing connection. 12.1.3.6, 13.1.0.4


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
699135-1 2-Critical BT699135 tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip 12.1.3.4, 13.1.0.4
692941-1 2-Critical BT692941 GTMD and TMM SIGSEGV when changing wide IP pool in GTMD 11.5.9, 12.1.3.2, 13.1.0.4
691287-1 2-Critical BT691287 tmm crashes on iRule with GTM pool command 12.1.3.4, 13.1.0.4
682335-1 2-Critical BT682335 TMM can establish multiple connections to the same gtmd 12.1.3.4, 13.1.0.4
580537-3 2-Critical BT580537 The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data 12.1.3.2, 13.0.1, 13.1.0.4
562921-5 2-Critical BT562921 Cipher 3DES and iQuery encrypting traffic between BIG-IP systems 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4
705503-3 3-Major BT705503 Context leaked from iRule DNS lookup 12.1.3.6, 13.1.0.4, 14.0.0
703702 3-Major BT703702 Fixed iControl REST not listing GTM Listeners 13.1.0.4
700527-3 3-Major BT700527 cmp-hash change can cause repeated iRule DNS-lookup hang 12.1.3.2, 13.1.0.4
699339-3 3-Major K24634702, BT699339 Geolocation upgrade files fail to replicate to secondary blades 12.1.3.4, 13.1.0.4
696808-1 3-Major BT696808 Disabling a single pool member removes all GTM persistence records 12.1.3.4, 13.1.0.4
691498-3 3-Major BT691498 Connection failure during iRule DNS lookup can crash TMM 12.1.3.2, 13.1.0.4
690166-1 3-Major BT690166 ZoneRunner create new stub zone when creating a SRV WIP with more subdomains 12.1.3.2, 13.1.0.4
687128-1 3-Major BT687128 gtm::host iRule validation for ipv4 and ipv6 addresses 12.1.3.4, 13.1.0.4
680069-1 3-Major K81834254, BT680069 zxfrd core during transfer while network failure and DNS server removed from DNS zone config 12.1.3.6, 13.1.0.4
679149-1 3-Major BT679149 TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0] 12.1.3.4, 13.1.0.4
667469-3 3-Major K35324588, BT667469 Higher than expected CPU usage when using DNS Cache 12.1.3.2, 13.0.1, 13.1.0.4
636997-1 4-Minor   big3d may crash 13.1.0.4
636994-1 4-Minor   big3d may crash 13.1.0.4
636992-1 4-Minor   big3d may crash 13.1.0.4
636982-1 4-Minor   big3d may crash 13.1.0.4


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
705774-1 3-Major BT705774 Add a set of disallowed file types to RDP template 13.1.0.4, 14.0.0
703833-1 3-Major BT703833 Some bot detected features might not work as expected on Single Page Applications 13.1.0.4
702946-3 3-Major BT702946 Added option to reset staging period for signatures 12.1.3.2, 13.1.0.4
701841-2 3-Major BT701841 Unnecessary file recovery_db/conf.tar.gz consumes /var disk space 12.1.3.2, 13.1.0.4
701327-2 3-Major BT701327 failed configuration deletion may cause unwanted bd exit 12.1.3.2, 13.1.0.4
700812-1 3-Major BT700812 asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview 12.1.3.6, 13.1.0.4
700726-2 3-Major BT700726 Search engine list was updated, and fixing case of multiple entries 12.1.3.6, 13.1.0.4, 14.0.0
698919-3 3-Major BT698919 Anti virus false positive detection on long XML uploads 12.1.3.2, 13.1.0.4
697756-1 3-Major BT697756 Policy with CSRF URL parameter cannot be imported as binary policy file 13.1.0.4
697303-1 3-Major BT697303 BD crash 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4
696265-5 3-Major K60985582, BT696265 BD crash 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4
696073-2 3-Major BT696073 BD core on a specific scenario 13.1.0.4
695563-1 3-Major   Improve speed of ASM initialization on first startup 13.1.0.4
694922-5 3-Major BT694922 ASM Auto-Sync Device Group Does Not Sync 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.4
693780-1 3-Major BT693780 Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices 13.1.0.4
693663-1 3-Major BT693663 Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode 13.1.0.4
691477-2 3-Major BT691477 ASM standby unit showing future date and high version count for ASM Device Group 12.1.3.2, 13.1.0.4
679384-3 3-Major K85153939, BT679384 The policy builder is not getting updates about the newly added signatures. 12.1.3.2, 13.1.0.4
678293-2 3-Major K25066531, BT678293 Uncleaned policy history files cause /var disk exhaustion 12.1.3.2, 13.1.0.4
665992-2 3-Major K40510140, BT665992 Live Update via Proxy No Longer Works 13.1.0.4
608988-1 3-Major BT608988 Error when deleting multiple ASM Policies 13.1.0.4


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
703233 3-Major BT703233 Some filters don't work in Security->Reporting->URL Latencies page 13.1.0.4


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
707676-1 2-Critical BT707676 Memory leak in Machine Certificate Check agent of the apmd process 13.1.0.4, 14.0.0
700724-2 2-Critical BT700724 Client connection with large number of HTTP requests may cause tmm to restart 13.0.1, 13.1.0.4
692557-1 2-Critical BT692557 When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted. 13.0.1, 13.1.0.4
690116-1 2-Critical BT690116 websso daemon might crash when logging set to debug 13.1.0.4
689591-2 2-Critical BT689591 When pingaccess SDK processes certain POST requests from the client, the TMM may restart 13.0.1, 13.1.0.4
677368-2 2-Critical BT677368 Websso crash due to uninitialized member in websso context object while processing a log message 13.0.1, 13.1.0.4
631286-3 2-Critical BT631286 TMM Memory leak caused by APM URI cache entries 12.1.3.7, 13.0.1, 13.1.0.4
703429-2 3-Major BT703429 Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services 12.1.3.2, 13.0.1, 13.1.0.4
702263-1 3-Major BT702263 An access profile with large number of SAML Resources (greater than 200) causes APM error ERR_TOOBIG while loading. 13.1.0.4
702222-1 3-Major BT702222 RADIUS and SecurID Auth fails with empty password 13.1.0.4
701740-1 3-Major BT701740 apmd leaks memory when updating Access V2 policy 13.1.0.4
701737-1 3-Major BT701737 apmd may leak memory on destroying Kerberos cache 13.1.0.4
701736-1 3-Major BT701736 Memory leak in Machine Certificate Check agent of the apmd process 13.1.0.4
701639-1 3-Major BT701639 Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by BIG-IP as SP. 13.1.0.4, 14.0.0
697636-3 3-Major BT697636 ACCESS is not replacing headers while replacing POST body 13.0.1, 13.1.0.4
695953-1 3-Major BT695953 Custom URL Filter object is missing after load sys config TMSH command 13.0.1, 13.1.0.4
694624-1 3-Major BT694624 SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor 13.0.1, 13.1.0.4
693844-1 3-Major K58335157, BT693844 APMD may restart continuously and cannot come up 13.1.0.4
692307-3 3-Major BT692307 User with 'operator' role may not be able to view some session variables 12.1.3.2, 13.0.1, 13.1.0.4
687937-1 3-Major BT687937 RDP URIs generated by APM Webtop are not properly encoded 13.1.0.4
685862-1 3-Major BT685862 BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message 12.1.5.1, 13.1.0.4
684583-1 3-Major BT684583 Built-in Okta Scopes Request object uses client-id and client-secret 13.1.0.4
684325-1 3-Major BT684325 APMD Memory leak when applying a specific access profile 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4
683389-3 3-Major BT683389 Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file 12.1.3.2, 13.0.1, 13.1.0.4
683297-2 3-Major BT683297 Portal Access may use incorrect back-end for resources referenced by CSS 13.0.1, 13.1.0.4
682500-2 3-Major BT682500 VDI Profile and Storefront Portal Access resource do not work together 12.1.3.2, 13.0.1, 13.1.0.4
678851-3 3-Major BT678851 Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase() 12.1.3.2, 13.0.1, 13.1.0.4
675866-4 3-Major BT675866 WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4
671627-3 3-Major K06424790, BT671627 HTTP responses without body may contain chunked body with empty payload being processed by Portal Access. 12.1.3.2, 13.1.0.4
632646-1 3-Major BT632646 APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server. 11.6.3.2, 12.1.3.2, 13.0.1, 13.1.0.4
629334-1 3-Major BT629334 Portal Access: JavaScript expressions in parentheses may be rewritten incorrectly 13.1.0.4
612792-1 3-Major BT612792 Support RDP redirection for connections launched from APM Webtop on iOS 13.0.1, 13.1.0.4
612118-2 3-Major BT612118 Nexthop explicit proxy is not used for the very first connection to communicate with the backend. 13.0.1, 13.1.0.4
536831-1 3-Major BT536831 APM PAM module does not handle local-only users list correctly 13.1.0.4


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
698338-1 2-Critical BT698338 Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection 11.6.5.2, 12.1.3.6, 13.1.0.4
689343-2 2-Critical BT689343 Diameter persistence entries with bi-directional flag created with 10 sec timeout 13.1.0.4
685708-4 2-Critical BT685708 Routing via iRule to a host without providing a transport from a transport-config created connection cores 11.6.3.2, 12.1.3.6, 13.1.0.4
700571-4 3-Major BT700571 SIP MR profile, setting incorrect branch param for CANCEL to INVITE 11.6.3.2, 12.1.3.6, 13.1.0.4
696049-1 3-Major BT696049 High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running 11.5.6, 11.6.3.2, 12.1.3.6, 13.1.0.4
674747-4 3-Major K30837366, BT674747 sipdb cannot delete custom bidirectional persistence entries. 11.6.3, 12.1.3.6, 13.1.0.4
656901-3 3-Major BT656901 MRF add 'existing_connection_only' and 'outgoing_connection_instance_seed' two iRule commands 13.1.0.4


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
704207-1 2-Critical BT704207 DNS query name is not showing up in DNS AVR reporting 13.1.0.4, 14.0.0
692328-1 2-Critical BT692328 Tmm core due to incorrect memory allocation 13.1.0.4
703959 3-Major BT703959 Manual thresholds for DoS Protection Dynamic Signatures are not accepted via TMUI 13.1.0.4
631418-1 3-Major BT631418 Packets dropped by HW grey list may not be counted toward AVR. 13.1.0.4, 14.0.0


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
696383-1 2-Critical BT696383 PEM Diameter incomplete flow crashes when swept 12.1.3.2, 13.0.1, 13.1.0.4
694717-1 2-Critical BT694717 Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup. 12.1.3.2, 13.0.1, 13.1.0.4
616008-1 2-Critical K23164003, BT616008 TMM core may be seen when using an HSL format script for HSL reporting in PEM 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4
696789-1 3-Major BT696789 PEM Diameter incomplete flow crashes when TCL resumed 12.1.3.2, 13.0.1, 13.1.0.4
695968-1 3-Major BT695968 Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues. 12.1.3.2, 13.0.1, 13.1.0.4
694319-1 3-Major BT694319 CCA without a request type AVP cannot be tracked in PEM. 12.1.3.2, 13.1.0.4
694318-1 3-Major BT694318 PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP. 12.1.3.2, 13.1.0.4
684333-1 3-Major BT684333 PEM session created by Gx may get deleted across HA multiple switchover with CLI command 12.1.3.2, 13.0.1, 13.1.0.4
678820-1 3-Major BT678820 Potential memory leak if PEM Diameter sessions are not created successfully. 12.1.3.2, 13.0.1, 13.1.0.4
642068-4 3-Major BT642068 PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4
624231-4 3-Major BT624231 No flow control when using content-insertion with compression 12.1.3.2, 13.1.0.4
680729-1 4-Minor K64307999, BT680729 DHCP Trace log incorrectly marked as an Error log. 11.6.3, 12.1.3.2, 13.0.1, 13.1.0.4


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
697363-1 2-Critical BT697363 FPS should forward all XFF header values 13.1.0.4
705559-1 3-Major BT705559 FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request 13.1.0.4, 14.0.0
662311-1 3-Major BT662311 CS alerts should contain actual client IP address in XFF header 13.1.0.4


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
671716-1 3-Major BT671716 UCS version check was too strict for IPS hitless upgrade 13.1.0.4



Cumulative fixes from BIG-IP v13.1.0.3 that are included in this release


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
702419 3-Major BT702419 Protocol Inspection needs add-on license to work 13.1.0.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
660239-6 4-Minor BT660239 When accessing the dashboard, invalid HTTP headers may be present 11.5.7, 11.6.3.3, 12.1.3.2, 13.0.1, 13.1.0.3


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
677919-4 3-Major BT677919 Enhanced Data Manipulation AJAX Support 13.1.0.3



Cumulative fixes from BIG-IP v13.1.0.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
681955-1 CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 K23565223, BT681955 Apache CVE-2017-9788 13.1.0.2
673595-9 CVE-2017-3167 CVE-2017-3169 K34125394 Apache CVE-2017-3167 12.1.3.1, 12.1.3.2, 13.0.1, 13.1.0.2
694274-1 CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 K23565223, BT694274 [RHSA-2017:3195-01] Important: httpd security update - EL6.7 12.1.3.2, 13.0.1, 13.1.0.2
672124-6 CVE-2018-5541 K12403422, BT672124 Excessive resource usage when BD is processing requests 11.5.6, 11.6.3.2, 12.1.3.6, 13.1.0.2
679861 CVE-2019-6655 K31152411, BT679861 Weak Access Restrictions on the AVR Reporting Interface 11.5.10, 11.6.5, 12.1.5, 13.1.0.2
673607-9 CVE-2017-3169 K83043359 Apache CVE-2017-3169 12.1.3.2, 13.0.1, 13.1.0.2
672667-6 CVE-2017-7679 K75429050, BT672667 CVE-2017-7679: Apache vulnerability 12.1.3.2, 13.0.1, 13.1.0.2
641101-7 CVE-2016-8743 K00373024 httpd security and bug fix update CVE-2016-8743 13.1.0.2
684033-3 CVE-2017-9798 K70084351, BT684033 CVE-2017-9798 : Apache Vulnerability (OptionsBleed) 12.1.3.2, 13.0.1, 13.1.0.2
661939-2 CVE-2017-2647 K32115847, BT661939 Linux kernel vulnerability CVE-2017-2647 13.1.0.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
685056 3-Major BT685056 VE OVAs are not the supported platform to run VMware guest OS customization 13.1.0.2
670103-1 3-Major BT670103 No way to query logins to BIG-IP in TMUI 13.1.0.2
681385-2 4-Minor   Forward proxy forged cert lifespan can be configured from days into hours. 13.1.0.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
700247 2-Critical K60053504, BT700247 APM Client Software may be missing after doing fresh install of BIG-IP VE 13.1.0.2
693979 3-Major BT693979 Autoscale is not functional because of the change in file permission of the /shared/vadc/aws/iid-document document 13.1.0.2
683131-1 3-Major BT683131 Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present 13.1.0.2
682213-1 3-Major K31623549, BT682213 TLS v1.2 support in IP reputation daemon 12.1.3.2, 13.1.0.2
669585-1 3-Major BT669585 The tmsh sys log filter is unable to display information in uncompressed log files. 13.1.0.2
668826-1 3-Major BT668826 File named /root/.ssh/bigip.a.k.bak is present but should not be 13.1.0.2
668276-1 3-Major BT668276 BIG-IP does not display failed login attempts since last login in GUI 13.1.0.2
668273-1 3-Major K12541531, BT668273 Logout button not available in Configuration Utility when using Client Cert LDAP 13.1.0.2
471237-4 3-Major K12155235, BT471237 BIG-IP VE instances do not work with an encrypted disk in AWS. 12.1.3.2, 13.1.0.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
699624-1 2-Critical BT699624 Config with custom 'SIP' or 'Firepass' monitor fails to load after upgrade 13.1.0.2
463097-5 3-Major BT463097 Clock advanced messages with large amount of data maintained in DNS Express zones 12.1.3.1, 13.1.0.2


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
672504-2 2-Critical K52325625, BT672504 Deleting zones from large databases can take excessive amounts of time. 12.1.3.1, 13.1.0.2
667542-6 2-Critical BT667542 DNS Express does not correctly process multi-message DNS IXFR updates. 13.1.0.2
645615-6 2-Critical K70543226, BT645615 zxfrd may fail and restart after multiple failovers between blades in a chassis. 11.5.7, 11.6.3, 12.1.3.1, 13.1.0.2
655233-2 3-Major K93338593, BT655233 DNS Express using wrong TTL for SOA RRSIG record in NoData response 12.1.3.1, 13.1.0.2
648766-2 3-Major K57853542, BT648766 DNS Express responses missing SOA record in NoData responses if CNAMEs present 12.1.3.1, 13.1.0.2
646615-2 4-Minor BT646615 Improved default storage size for DNS Express database 12.1.3.1, 13.1.0.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
699720-1 2-Critical BT699720 ASM crash when configuring remote logger for WebSocket traffic with response-logging:all 12.1.3.2, 13.1.0.2
691670-5 2-Critical BT691670 Rare BD crash in a specific scenario 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.2
686108-1 2-Critical BT686108 User gets blocking page instead of captcha during brute force attack 13.1.0.2
684312-1 2-Critical K54140729, BT684312 During Apply Policy action, bd agent crashes, causing the machine to go Offline 11.6.3.2, 12.1.3.2, 13.1.0.2
698940-1 3-Major BT698940 Add new security policy template for API driven systems - "API Security" 13.1.0.2
690883-1 3-Major BT690883 BIG-IQ: Changing learning mode for elements does not always take effect 13.1.0.2
686517-2 3-Major BT686517 Changes to a parent policy that has no active children are not synced to the secondary chassis slots. 13.1.0.2
686470-1 3-Major BT686470 Enabling AJAX Response Page or Single Page Application support causes part of the web page to fail to load. 13.1.0.2
686452-1 3-Major BT686452 File Content Detection Formats are not exported in Policy XML 13.1.0.2
685964-1 3-Major BT685964 cs_qualified_urls bigdb does not cause configured URLs to be qualified. 13.1.0.2
685771-1 3-Major BT685771 Policies cannot be created with SAP, OWA, or SharePoint templates 13.1.0.2
685207-1 3-Major   DoS client side challenge does not encode the Referer header. 11.5.6, 11.6.3.2, 12.1.3.2, 13.1.0.2
685164-1 3-Major K34646484, BT685164 In partitions with default route domain != 0 request log is not showing requests 12.1.5, 13.1.0.2
683508-1 3-Major K00152663, BT683508 WebSockets: umu memory leak of binary frames when remote logger is configured 12.1.3.2, 13.1.0.2
680353-1 3-Major BT680353 Brute force source-based mitigation is not working as expected 13.1.0.2
674494-4 3-Major K77993010, BT674494 BD memory leak on specific configuration and specific traffic 12.1.3.2, 13.1.0.2
668184-2 3-Major BT668184 Huge values are shown in the AVR statistics for ASM violations 12.1.3.2, 13.1.0.2
694073-3 4-Minor BT694073 All signature update details are shown in 'View update history from previous BIG-IP versions' popup 11.6.3, 12.1.3.2, 13.1.0.2
685193-1 4-Minor BT685193 If Inheritance is None in the Parent Policy and there is at least 1 child policy, the number of Comments shown in Inheritance Settings is equal to the number of child policies 13.1.0.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
697421 3-Major BT697421 Monpd core when trying to restart 13.1.0.2
688813-2 3-Major K23345645, BT688813 Some ASM tables can massively grow in size. 13.1.0.2
686510-1 3-Major BT686510 If tmm was restarted during an attack, the attack might appear ongoing in GUI 13.1.0.2
683474 3-Major   The case-sensitive problem during comparison of 2 Virtual Servers 13.1.0.2
679088-1 3-Major BT679088 Avr reporting and analytics does not display statistics of many source regions 13.1.0.2


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
684852-1 2-Critical BT684852 Obfuscator not producing deterministic output 13.1.0.2
692123 3-Major BT692123 GET parameter is grayed out if MobileSafe is not licensed 12.1.3.2, 13.1.0.2


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
700320 2-Critical BT700320 tmm core under stress when BADOS configured and attack signatures enabled 13.1.0.2
691462-1 3-Major BT691462 Bad actors detection might not work when signature mitigation blocks bad traffic 13.1.0.2
687987 3-Major BT687987 Presentation of signatures in human-readable format 13.1.0.2
687986 3-Major BT687986 High CPU consumption during signature generation; the number of signatures per virtual server is not limited 13.1.0.2
687984 3-Major BT687984 Attacks with randomization of HTTP headers parameters generates too many signatures 13.1.0.2


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
698396-1 2-Critical BT698396 Config load failed after upgrade from 12.1.2 to 13.x or 14.x 13.1.0.2



Cumulative fixes from BIG-IP v13.1.0.1 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
686190-1 2-Critical BT686190 LRO performance impact with BWC and FastL4 virtual server 13.1.0.1
667173-1 2-Critical BT667173 13.1.0 cannot join a device group with 13.1.0.1 11.6.3, 12.1.3.1, 13.1.0.1
683114-2 3-Major BT683114 Need support for 4th element version in Update Check 12.1.3.1, 13.1.0.1


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
685628-1 1-Blocking BT685628 Performance regression on B4450 blade 13.1.0.1
673832-1 1-Blocking BT673832 Performance impact for certain platforms after upgrading to 13.1.0. 13.1.0.1, 14.0.0
696525-1 2-Critical BT696525 B2250 blades experience degraded performance. 13.1.0.1

 

Cumulative fix details for BIG-IP v13.1.5 that are included in this release

999933-5 : TMM may crash while processing DNS traffic on certain platforms

Links to More Info: K28042514, BT999933


999125-4 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.

Links to More Info: BT999125

Component: TMOS

Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.

Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.

Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).

Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.

Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:

tmsh restart sys service sod

Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.

Fix:
Redundant devices remain in the correct failover state following a management IP address change.

Fixed Versions:
13.1.5


997193-3 : TCP connections may fail when AFM global syncookies are in operation.

Links to More Info: K16101409, BT997193


997137-5 : CSRF token modification may allow WAF bypass on GET requests

Component: Application Security Manager

Symptoms:
Under certain conditions a parameter is not processed as expected.

Conditions:
1. CSRF feature is configured
2. Request contains a crafted parameter

Impact:
Malicious request will bypass signatures and will not raise any attack signature violation

Workaround:
N/A

Fix:
The parameter is now processed as expected.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1


996381-5 : ASM attack signature may not match as expected

Links to More Info: K41503304, BT996381

Component: Application Security Manager

Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.

Conditions:
- Attack signature 200000128 enabled.

Impact:
Processed traffic may not match all expected attack signatures

Workaround:
N/A

Fix:
Attack signature 200000128 now matches as expected.

Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1


996113-5 : SIP messages with unbalanced escaped quotes in headers are dropped

Links to More Info: BT996113

Component: Service Provider

Symptoms:
Dropped SIP messages.

Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote

Impact:
Certain SIP messages are not being passed via MRF.

Workaround:
None

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


995853-4 : Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error.

Links to More Info: BT995853

Component: Global Traffic Manager (DNS)

Symptoms:
Unable to create GSLB Server object with both IPv4 and IPv6 self IPs as device IPs.

Conditions:
-- DNS and LTM services enabled.
-- Configure two self IPs on the box for IPv4 and IPv6.
-- GSLB Server object creation with IPv4 and IPv6 addresses in device tab along with Virtual Server Discovery enabled.

Impact:
GSLB Server object creation fails.

Workaround:
TMSH is not impacted. Use TMSH to create GSLB Server objects.

Fix:
GSLB Server object creation no longer fails.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4


995629-1 : Loading UCS files may hang if ASM is provisioned

Links to More Info: BT995629

Component: TMOS

Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.

Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.

Impact:
-- UCS load might fail.
-- Config save and load operations fail while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.

Workaround:
If you encounter this, run 'load sys config default' to de-provision ASM. The UCS file should then load successfully.

Note: If loading a UCS archive with the 'platform-migrate' argument, then there is no workaround. See: https://cdn.f5.com/product/bugtracker/ID990849.html

Fix:
Loading UCS files no longer hangs if ASM is provisioned.

Fixed Versions:
13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2


994801-5 : SCP file transfer system

Component: TMOS

Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.

Conditions:
A user assigned to a role, such as Resource Administrator, without Advanced Shell access can run arbitrary SCP file transfer commands.

Impact:
Users without Advanced Shell access can run SCP file transfer commands.

Workaround:
None

Fix:
This issue is fixed. The SCP file transfer system now follows current best practices. Users without Advanced Shell access cannot run SCP file transfer commands.

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2


993981-5 : TMM may crash when ePVA is enabled

Component: Local Traffic Manager

Symptoms:
When ePVA is enabled on the BIG-IP system, increased CMP redirections can cause tmm to core and report an error:
tmm SIGFPE "nexthop ref valid".

Conditions:
-- ePVA acceleration is enabled on the BIG-IP system.
-- High rate of CMP redirections.

Impact:
Traffic disrupted while TMM restarts, and systems configured as part of a high availability (HA) group may failover.

Workaround:
Disable ePVA acceleration option.

Note: Performing this procedure may increase CPU use because TCP connections are subsequently processed in software by the Traffic Management Microkernel (TMM).

Fix:
TMM now operates as expected with ePVA enabled.

Fixed Versions:
13.1.5


993613-3 : Device fails to request full sync

Links to More Info: BT993613

Component: Application Security Manager

Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs

Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.

Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage

Workaround:
Halting asm_config_server on the stuck device restores the working state and requests a new sync.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


993489-6 : GTM daemon leaks memory when reading GTM link objects

Links to More Info: BT993489

Component: Global Traffic Manager (DNS)

Symptoms:
The gtmd process memory consumption is higher than expected.

Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.

Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.

Workaround:
None

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1


992073-5 : APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS

Component: Access Policy Manager

Symptoms:
End user clients frequently get a prompt to enter credentials when they should not.

Conditions:
APM Access Profile with NTLM authentication enabled.

Impact:
NTLM handshake failure causing user authentication failures.

Workaround:
N/A

Fix:
APM now processes NTLM requests as expected.

Fixed Versions:
13.1.5


990849-4 : Loading UCS with platform-migrate option hangs and requires exiting from the command

Links to More Info: BT990849

Component: TMOS

Symptoms:
The UCS loading process with platform-migrate stops responding and hangs after printing:

Platform migrate loaded successfully. Saving configuration.

Conditions:
Load UCS with platform-migrate option:
tmsh load sys ucs <ucs_name> platform-migrate

Note: If you are loading a UCS archive created on a system running a different software version that also has an ASM configuration, there are other aspects to consider. See: https://cdn.f5.com/product/bugtracker/ID995629.html

Impact:
The UCS loading process stops responding, causing the device to be in an INOPERATIVE state.

Workaround:
None.

Fix:
Loading UCS with the platform-migrate option executes smoothly without getting stuck.

Fixed Versions:
13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2


990333-3 : APM may return unexpected content when processing HTTP requests

Links to More Info: K75540265, BT990333


989701-3 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response

Links to More Info: K42355373, BT989701


989009-5 : BD daemon may crash while processing WebSocket traffic

Links to More Info: K05314769, BT989009


987157 : BIG-IP ASM system may not properly perform attack signature checks

Links to More Info: K05391775

Component: Application Security Manager

Symptoms:
For more information see: https://support.f5.com/csp/article/K05391775

Conditions:
For more information see: https://support.f5.com/csp/article/K05391775

Impact:
For more information see: https://support.f5.com/csp/article/K05391775

Workaround:
N/A

Fix:
For more information see: https://support.f5.com/csp/article/K05391775

Fixed Versions:
13.1.5


985953-1 : GRE Transparent Ethernet Bridging inner MAC overwrite

Links to More Info: BT985953

Component: TMOS

Symptoms:
Traffic not being collected by virtual server and therefore not being forwarded to the nodes.

Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.

Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.

Workaround:
None

Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


984593-4 : BD crash

Links to More Info: BT984593

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


982757-7 : APM Access Guided Configuration hardening

Component: Guided Configuration

Symptoms:
APM Guided Configuration does not follow current best practices

Conditions:
- APM provisioned
- Authenticated administrative user

Impact:
Guided Configuration does not follow current best practices.

Workaround:
N/A

Fix:
Guided Configuration now follows current best practices.

Fixed Versions:
13.1.5


982697-3 : ICMP hardening

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM does not follow current best practices for ICMP traffic.

Conditions:
- ICMP traffic
- DNS in use

Impact:
TMM does not follow current best practices.

Workaround:
N/A

Fix:
TMM now follows current best practices while processing ICMP traffic.

Behavior Change:
The change randomly adjusts the BIG-IP's ICMP rate limit to within 1/8% of the configured rate. While the average rate will remain the same, the number of ICMP packets issued second-to-second will vary randomly.

Fixed Versions:
13.1.5


982341-3 : iControl REST endpoint hardening

Component: TMOS

Symptoms:
iControl REST endpoints do not apply current best practices.

Conditions:
- Authenticated administrative user
- Request to iControl endpoint

Impact:
iControl REST endpoints do not follow current best practices.

Workaround:
N/A

Fix:
iControl REST endpoints now follow current best practices.

Fixed Versions:
13.1.5


981693-5 : TMM may consume excessive resources while processing IPSec ALG traffic

Links to More Info: K54892865, BT981693


981461-2 : Unspecified DNS responses cause TMM crash

Links to More Info: K45407662, BT981461


981385-5 : AVRD does not send HTTP events to BIG-IQ DCD

Links to More Info: BT981385

Component: Application Visibility and Reporting

Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).

Conditions:
This happens under normal operation.

Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.

Workaround:
None.

Fixed Versions:
13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2


981273-4 : APM webtop hardening

Links to More Info: K41997459, BT981273


981169-4 : F5 TMUI XSS vulnerability CVE-2021-22994

Links to More Info: K66851119, BT981169


980809-4 : ASM REST Signature Rule Keywords Tool Hardening

Links to More Info: K41351250, BT980809


980325-3 : Chmand core due to memory leak from dossier requests.

Links to More Info: BT980325

Component: TMOS

Symptoms:
Chmand generates a core file when get_dossier is run continuously.

Due to excessive dossier requests, there is a high consumption of memory. The program is terminated with signal SIGSEGV, Segmentation fault.

Conditions:
Repeated/continuous dossier requests during licensing operations.

Impact:
Chmand crashes; potential traffic impact while chmand restarts.

Workaround:
None.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4


980125-5 : BD Daemon may crash while processing WebSocket traffic

Links to More Info: K42051445, BT980125


976925-4 : BIG-IP APM VPN vulnerability CVE-2021-23002

Links to More Info: K71891773, BT976925


976501-4 : Failed to establish VPN connection

Links to More Info: BT976501

Component: Access Policy Manager

Symptoms:
VPN client exits with message "Failed to establish VPN connection"

Conditions:
-- Connect to Network Access using web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop
-- Internet Explorer browser

Impact:
Client will be unable to launch the VPN tunnel from the browser.

Workaround:
Clear cache in the browser and retry.
Disable caching in the browser.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3


975593-1 : TMM may crash while processing IPSec traffic

Component: Carrier-Grade NAT

Symptoms:
Under certain conditions, TMM may crash while processing IPSec traffic.

Conditions:
- IPSec ALG enabled

Impact:
TMM crash leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes IPSec traffic as expected.

Fixed Versions:
13.1.5, 14.1.4.5


975233-4 : Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992

Links to More Info: K52510511, BT975233


974341-4 : REST API: File upload

Links to More Info: K08402414, BT974341


974093-2 : Linux kernel vulnerability CVE-2020-25705

Links to More Info: K09604370


973333-2 : TMM buffer-overflow vulnerability CVE-2021-22991

Links to More Info: K56715231, BT973333


973261-5 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects

Links to More Info: BT973261

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d does not try to open TCP connections if an HTTPS monitor contains a cert/key.
/var/log/gtm shows:

err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.

Conditions:
GTM HTTPS monitor with non-default cert/key.

Impact:
Unable to use HTTPS monitor.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2


970329-5 : ASM hardening

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM does not follow current best practices.

Conditions:
- ASM provisioned

Impact:
Attack detection is not triggered as expected

Workaround:
N/A

Fix:
Attack detection is now triggered as expected

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


969105-5 : HA failover connections via the management address do not work on vCMP guests running on VIPRION

Links to More Info: BT969105

Component: TMOS

Symptoms:
A high availability (HA) failover connection using the management IP addresses does not work on vCMP guests running on a VIPRION device.

BIG-IP instances running directly on hardware, on Virtual Edition, and as vCMP guests running on an appliance are unaffected.

HA failover connections using self IPs are unaffected.

Conditions:
-- vCMP guest running on a VIPRION device
-- high availability (HA) failover connection using the management IP addresses (unicast and/or multicast)

Impact:
Failover state determination over the management port is permanently down.

Workaround:
While self IP-based high availability (HA) failover connections are not affected by this issue, F5 recommends configuring failover connections over both management IPs and self IPs (as detailed in K37361453: Configuring network failover for redundant VIPRION systems :: https://support.f5.com/csp/article/K37361453).

To mitigate this issue, run the following command on each blade of every guest:
touch /var/run/chmand.pid


The workaround does not survive a reboot, so a more permanent workaround is to edit the file /config/startup and add a line to touch /var/run/chmand.pid.

Add this line to the end of /config/startup:

(sleep 120; touch /var/run/chmand.pid) &

Note: The sleep time of 120 seconds should be tested as it depends on how quickly or slowly the Guest starts up, so the appropriate value for one system may differ from another system.


Alternatively, you can use the instructions in K11948: Configuring the BIG-IP system to run commands or scripts upon system startup :: https://support.f5.com/csp/article/K11948 to issue commands at system startup after verifying that mcpd is up and ready, e.g.:

#!/bin/bash
source /usr/lib/bigstart/bigip-ready-functions
wait_bigip_ready

# Customized startup command(s) can be added below this line.
touch /var/run/chmand.pid
# Customized startup command(s) should end above this line.

You may also request an Engineering Hotfix from F5.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4


968733-4 : CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service

Links to More Info: K42202505, BT968733


968421-5 : ASM attack signature doesn't match

Links to More Info: K30291321, BT968421

Component: Application Security Manager

Symptoms:
A specific attack signature doesn't match as expected.

Conditions:
Undisclosed conditions.

Impact:
Attack signature does not match as expected, request is not logged.

Workaround:
N/A

Fix:
Attack signature now matches as expected.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2


968349-4 : TMM crashes with unspecified message

Links to More Info: K19012930, BT968349


967905-1 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash

Links to More Info: BT967905

Component: TMOS

Symptoms:
Tmm crashes.

Conditions:
-- static bwc
-- virtual to virtual chain

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the static bwc on a virtual chain.

Fix:
Fixed a tmm crash.

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2


967745-4 : Last resort pool error for the modify command for Wide IP

Links to More Info: BT967745

Component: TMOS

Symptoms:
System reports error for the modify command for Wide IP.

01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.

Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.

Impact:
The object is not modified, and the system reports an error.

Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.

Append the command with last-resort-pool a <pool_name>, for example:

modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test

Fix:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.

Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1


966901-4 : CVE-2020-14364: Qemu Vulnerability

Links to More Info: K09081535, BT966901


965853-5 : IM package file hardening

Component: Protocol Inspection

Symptoms:
IM package file uploads do not follow current best practices.

Conditions:
- IM package file uploaded to BIG-IP

Impact:
IM package file uploads do not follow current best practices.

Workaround:
N/A

Fix:
IM package file uploads now follow current best practices.

Fixed Versions:
13.1.5


965485-1 : CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL

Links to More Info: K41523201


965229-4 : ASM Load hangs after upgrade

Links to More Info: BT965229

Component: Application Security Manager

Symptoms:
ASM upgrade hangs, and you see the following in /var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------

In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
 info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
 info tsconfig.pl[24675]: ASM initial configration script launched
 info tsconfig.pl[24675]: ASM initial configration script finished
 info asm_start[25365]: ASM config loaded
 err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------

Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade

Impact:
ASM post upgrade config load hangs and there are no logs or errors

Workaround:
None

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


964245-4 : ASM reports and enforces username always

Links to More Info: BT964245

Component: Application Security Manager

Symptoms:
When session tracking is enabled and configured to enforce usernames for a specific list of login URLs, a username that arrives in an Authorization header is enforced even if the URL of the request carrying the Authorization header is not configured as a login URL at all.

Conditions:
Session tracking is enabled for login URLs with the Username Threshold set to 1.

Impact:
Username from the Authorization header appears with status = BLOCK-ALL in the session tracking status list, even though session tracking is not configured for that URL.

Workaround:
None

Fix:
Username from the Authorization header no longer appears with status = BLOCK-ALL in the session tracking status list.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4


963705-1 : Proxy ssl server response not forwarded

Links to More Info: BT963705

Component: Local Traffic Manager

Symptoms:
A server response may not be forwarded after TLS renegotiation.

Conditions:
-- Proxy ssl enabled
-- A server renegotiation occurs

Impact:
Server response may not be forwarded.

Fix:
Proxy ssl will now forward server response after renegotiation

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1


962497-5 : BD crash after ICAP response

Links to More Info: BT962497

Component: Application Security Manager

Symptoms:
BD crash when checking ICAP job after ICAP response

Conditions:
BD is used with ICAP feature

Impact:
Traffic disrupted while BD restarts.

Workaround:
N/A

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2


962433-2 : HTTP::retry for a HEAD request fails to create new connection

Links to More Info: BT962433

Component: Local Traffic Manager

Symptoms:
In case of a HEAD request, BIG-IP fails to set up a new connection to the server with the HTTP::retry iRule.

Conditions:
1.) Basic HTTP profile is configured on BIG-IP
2.) BIG-IP sends the HEAD request to the server and gets error response
3.) iRule with HTTP::retry is configured
4.) The system is using the default (non-debug) TMM version

Impact:
BIG-IP might send the retry HEAD request after the connection is closed (more specifically, after the server has sent a FIN), so the retry is leaked on the network.

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4


962341-3 : BD crash while processing JSON content

Links to More Info: K00602225, BT962341


962177-4 : Results of POLICY::names and POLICY::rules commands may be incorrect

Links to More Info: BT962177

Component: Local Traffic Manager

Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules return incorrect results.

Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.

Impact:
Traffic processing may not provide expected results.

Fix:
POLICY::names and POLICY::rules provide atomic results per transaction over the same connection.

Fixed Versions:
13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2


962069-6 : Excessive resource consumption while processing OCSP requests via APM

Links to More Info: K79428827, BT962069


960749-4 : TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic

Links to More Info: BT960749

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes, dumps a core file, and restarts.

Conditions:
-- The configuration includes one or more 'DNS Cache' or 'Network DNS Resolver' objects.

-- The DNS Cache or Network DNS Resolver objects receive traffic.

Impact:
Traffic disrupted while tmm restarts. A redundant unit will fail over.

Fix:
TMM no longer crashes when 'DNS Cache' or 'Network DNS Resolver' objects handle traffic.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1


960437-4 : The BIG-IP system may initially fail to resolve some DNS queries

Links to More Info: BT960437

Component: Global Traffic Manager (DNS)

Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.

Subsequent queries for the same domain name, however, work as expected.

Only some domain names are affected.

Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.

- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).

- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.

Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure is returned to the client.

In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.

For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.

Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.

1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6'.
4. Select Update.

You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.

Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1


959121-1 : Not following best practices in Guided Configuration Bundle Install worker

Links to More Info: K74151369, BT959121


958093-1 : IPv6 routes missing after BGP graceful restart

Links to More Info: BT958093

Component: TMOS

Symptoms:
When BGP graceful restart is configured for peers in IPv4 unicast and IPv6 unicast address families, after graceful restart for both IPv4 and IPv6 address families, routes from the IPv6 unicast address family might be missing.

Conditions:
- Different BGP peers configured in IPv4 unicast and IPv6 unicast address families.
- BGP graceful restart happens for both IPv4 unicast and IPv6 unicast.

Impact:
Routes from IPv6 peers are missing. They are also not present in the RIB.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1


957905-4 : SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP.

Links to More Info: BT957905

Component: Service Provider

Symptoms:
SIP Requests that don't contain a content_length header are accepted and forwarded by the BIG-IP to the server.

SIP Responses that don't contain a content_length header are accepted and forwarded to the client.

The sipmsg parser does not treat the content_length header as a required header of the SIP Request / Response.

Conditions:
SIP request / response without content_length header.

Impact:
RFC 6731 non-compliance.

Workaround:
N/A

Fix:
BIG-IP now aborts the connection of any TCP SIP request / response that does not contain a content_length header.

content_length header is treated as optional for UDP and SCTP.

Fixed Versions:
13.1.5


957897-3 : Unable to modify gateway-ICMP monitor fields in the GUI

Links to More Info: BT957897

Component: TMOS

Symptoms:
While modifying a gateway-ICMP monitor you see the following error:

01070374:3: Cannot modify the address type of monitor /Common/<monitor_name>.

Conditions:
-- Using the GUI to modify a Gateway-ICMP monitor field.
-- The monitor is attached to a pool that has one or more pool members.

Impact:
You cannot update the Gateway-ICMP monitor fields via the GUI.

Workaround:
Use the tmsh command:
tmsh modify ltm monitor gateway-icmp <monitor_name> [<field> <new_value>]

For example, to update the description of a monitor named gw_icmp, use the following command:
modify ltm monitor gateway-icmp gw_icmp description new_description

Fix:
You can now update the Gateway-ICMP monitor fields via the GUI.

Fixed Versions:
13.1.5


956937 : Duplicate Attack signature sets in policy containing server technologies

Component: Application Security Manager

Symptoms:
When creating a new security policy, choosing a server technology for the policy causes duplicate signature sets to be created.

Conditions:
-- Create a new security policy using a server technology
-- Create another security policy using the same server technology

Impact:
Duplicate signature sets are created.

Workaround:
You can repair the policy by navigating to “Security ›› Application Security : Policy Building : Learning and Blocking Settings”, clicking on “change”, and choosing the original created sets instead of the duplicated sets. Save, and then apply the policy. The duplicated sets can be deleted after that.

Fixed Versions:
13.1.5


956589-4 : The tmrouted daemon restarts and produces a core file

Links to More Info: BT956589

Component: TMOS

Symptoms:
The tmrouted daemon restarts and produces a core file.

Conditions:
Exact trigger is unknown, but the issue was seen on a chassis setup during a blade failover

Impact:
Traffic disrupted while tmrouted restarts.

Workaround:
None

Fix:
Tmrouted daemon should not restart during blade reset

Fixed Versions:
13.1.5, 15.1.2.1


955617-5 : Cannot modify properties of a monitor that is already in use by a pool

Links to More Info: BT955617

Component: Local Traffic Manager

Symptoms:
Modifying the properties of a monitor gives an error if the monitor is attached to a pool with a node or pool member instance.

0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor

Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.

Impact:
Monitor properties can't be modified if they are in use by a pool.

Workaround:
Remove monitor, modify it, and then add it back.

Fixed Versions:
13.1.5


955145-4 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Links to More Info: K03009991, BT955145


955017-5 : Excessive CPU consumption by asm_config_event_handler

Links to More Info: BT955017

Component: Application Security Manager

Symptoms:
Asm_config_event_handler is consuming a lot of CPU while processing signatures after sync

Conditions:
This is encountered during a UCS load, or by a high availability (HA) configuration sync.

Impact:
Asm_config_server_rpc_handler.pl consumes excessive CPU and takes an exceedingly long time to complete.

Workaround:
Disable the signature staging action item for all policies.

Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2


954381-4 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Links to More Info: K03009991, BT954381


953845-5 : After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart

Links to More Info: BT953845

Component: Local Traffic Manager

Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.

This can occur when using administrative commands such as:
   -- tmsh run util fips-util init
   -- fipsutil init
   -- tmsh run util fips-util loginreset -r
   -- fipsutil loginreset -r

Conditions:
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F
  + vCMP guest on i5820-DF / i7820-DF
  + vCMP guest on 10350v-F

Impact:
BIG-IP is unable to communicate with the onboard HSM.

Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.

Immediately before doing this:

-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:

    sys fipsuser f5cu {
        password $M$Et$b3R0ZXJzCg==
    }

Fix:
Fixed an issue with re-initializing the onboard FIPS HSM.

Fixed Versions:
12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1


953729-4 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990

Links to More Info: K56142644 K45056101, BT953729


953677-4 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Links to More Info: K18132488 K70031188, BT953677


951257-2 : FTP active data channels are not established

Component: Local Traffic Manager

Symptoms:
Under certain conditions FTP active data channels may not be established as expected.

Conditions:
-- The FTP profile has "allow-active-mode" enabled and "port" set to a non-zero value.

Impact:
FTP transfers with active data channels are not processed as expected.

Workaround:
- Disable 'active' FTP and only use passive FTP or
- Use a custom FTP profile with port set to '0' on FTP virtual servers.

Fix:
FTP active data channels are now established as expected.

Fixed Versions:
13.1.5


951033-1 : Virtual server resets all the connections for rstcause 'VIP disabled (administrative)'

Links to More Info: BT951033

Component: Local Traffic Manager

Symptoms:
Virtual server resets all the connections for rstcause 'VIP disabled (administrative)', after all the conditions are met.

Once it happens, the virtual server starts resetting all the incoming connections for rstcause 'VIP disabled (administrative)'. This continues even after the connection limit is deactivated.

Conditions:
-- There is at least one pool member that is DISABLED.
-- Other pool members have a connection limit configured.
-- A configuration change occurs while the connection limit is activated, and the change lowers the connection limit value, for example, the value is changed from 10 to 5.

Impact:
A virtual server continues resetting new connections.

Workaround:
Use Forced offline instead of disabled to prevent this issue.

Fix:
The BIG-IP system no longer continually resets new connections when the connection limit is lowered while it is being enforced.

Fixed Versions:
13.1.3.5, 14.1.3.1


950917-3 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034

Links to More Info: BT950917

Component: Application Security Manager

Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:

01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )

Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.

Impact:
Apply policy fails.

Workaround:
You can use any of the following workarounds:

-- Install an older signature update -SignatureFile_20200917_175034

-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.

-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4


950077-4 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Links to More Info: K18132488 K70031188, BT950077


950017-4 : TMM may crash while processing SCTP traffic

Links to More Info: K94941221, BT950017


949933-3 : BIG-IP APM CTU vulnerability CVE-2021-22980

Links to More Info: K29282483, BT949933


949889-1 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()

Links to More Info: K04107324, BT949889


949593-1 : Unable to load config if AVR widgets were created under '[All]' partition

Links to More Info: BT949593

Component: Application Visibility and Reporting

Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.

Conditions:
This occurs if one or more AVR widgets in the configuration was created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.

Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.

Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':

# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config

This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.

Fix:
It is possible to successfully upgrade from or load a configuration containing one or more AVR widgets created under the read-only '\[All]' pseudo-partition or under other nonexistent partitions. With the current fix, all partitions are changed to "Common" during upgrade.

Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2


949145-3 : Improve TCP's response to partial ACKs during loss recovery

Links to More Info: BT949145

Component: Local Traffic Manager

Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.

Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.

Impact:
The bursty retransmissions may lead to more data getting lost due to the large amount of data being injected into the network.

Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.

Fix:
Partial ACK handling during loss recovery is improved.

Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1


948769-3 : TMM panic with SCTP traffic

Links to More Info: K05300051, BT948769


948573-3 : Wr_urldbd list of valid TLDs needs to be updated

Links to More Info: BT948573

Component: Traffic Classification Engine

Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.

Conditions:
New TLD is being queried

Impact:
URL queries with new TLDs cannot be blocked with a custom feed list.
Custom, Webroot, and Cloud return the Unknown category.

Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2


948113-5 : User-defined report scheduling fails

Links to More Info: BT948113

Component: Application Visibility and Reporting

Symptoms:
A scheduled report fails to be sent.

An error message with the following format may appear in the /var/log/avr/monpd.log file (some parts of the error message are replaced with '.....' here to leave only the common parts):
     DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
 Because : Unknown column ....... in 'order clause'

Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report

Impact:
Internal error for AVR report for ASM pre-defined.

Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr

Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});

The above can be achieved with the following one-line command (first back up the Client.pm file, and afterward verify that the file was changed correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm

Lastly, remount /usr back to read-only:
mount -o remount,ro /usr

Fix:
Using 'sort-by' measure when building PDF (instead of the first value on measure-list)

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


947529-3 : Security tab in virtual server menu renders slowly

Links to More Info: BT947529

Component: TMOS

Symptoms:
When a large number of virtual servers use the same ASM policy from a manually-created LTM Traffic policy, the Security tab of the virtual server takes a long time to load.

Conditions:
Large number of virtual servers using the same ASM policy

Impact:
Loading of Security tab of a virtual server takes a long time

Workaround:
NA

Fix:
Security tab of a virtual server loads fast

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1


946581 : TMM vulnerability CVE-2020-27713

Links to More Info: K37960100, BT946581


946325-4 : PEM subscriber GUI hardening

Component: Policy Enforcement Manager

Symptoms:
The PEM subscriber GUI does not follow current best practices.

Conditions:
- Authenticated administrative user
- PEM GUI request

Impact:
PEM subscriber GUI does not follow current best practices.

Workaround:
N/A

Fix:
PEM subscriber GUI now follows current best practices.

Fixed Versions:
13.1.5


946081-4 : Getcrc tool help displays directory structure instead of version

Links to More Info: BT946081

Component: Application Security Manager

Symptoms:
When getcrc tool displays help to the end user, it displays a directory structure instead of version.

Conditions:
Displaying help in getcrc utility.

Impact:
Version information is not displayed.

Fix:
Getcrc utility help now displays version information.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2


945109-5 : Freetype Parser Skip Token Vulnerability CVE-2015-9382

Links to More Info: K46641512, BT945109


944441-4 : BD_XML logs memory usage at TS_DEBUG level

Links to More Info: BT944441

Component: Application Security Manager

Symptoms:
There are two messages in BD_XML logs that the system reports at the TS_DEBUG log level, but they should be logged as TS_INFO.

BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1687|after create of profile 754. (xml memory 5111702493 bytes)
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1586|add profile 755. name: /ws/replanifierIntervention_V1-0 is soap? 1 (xml memory before add 5111702493 bytes)

Conditions:
These messages can occur when XML/JSON profiles are configured.

Impact:
Messages that should be logged at the TS_INFO level are logged at the TS_DEBUG level. These are informational log messages.

Workaround:
None

Fix:
The relevant two BD_XML logs are now categorized as TS_INFO.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2


944121-2 : Missing SNI information when using non-default domain https monitor running in TMM mode.

Links to More Info: BT944121

Component: In-tmm monitors

Symptoms:
In-TMM https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members.

In-TMM monitors do not send any packet when TLS1.3 monitor is used.

Conditions:
-- SNI is configured in serverssl profile
-- serverssl profile is assigned to in-tmm https monitors
-- https monitors are monitoring pool members that are in a non-default route domain.

Alternatively:
-- A TLS1.3 monitor is used.

Impact:
The TLS connection might fail in case of SNI

No SYN packet is sent in case of TLS1.3 monitor

Workaround:
N/A

Fix:
N/A

Fixed Versions:
13.1.5


943913-5 : ASM attack signature does not match

Links to More Info: K30150004, BT943913

Component: Application Security Manager

Symptoms:
When processing certain traffic, ASM attack signatures may not match as intended.

Conditions:
- ASM enabled
- Undisclosed attack signature variation

Impact:
ASM attack signature does not match or trigger further processing.

Workaround:
N/A

Fix:
ASM now processes traffic as expected.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2


943889 : Reopening the publisher after a failed publishing attempt

Links to More Info: BT943889

Component: Fraud Protection Services

Symptoms:
TMM crashes repeatedly on SIGSEGV.

Conditions:
This can occur after an HSL disconnect and re-connect.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system publishes data to HSL publisher on a second attempt successfully (after a reconnect).

Fixed Versions:
13.1.3.5, 14.1.4


943125-4 : ASM bd may crash while processing WebSocket traffic

Links to More Info: K18570111, BT943125


942701-4 : TMM may consume excessive resources while processing HTTP traffic

Links to More Info: K35408374, BT942701


941853-3 : Logging Profiles do not disassociate from virtual server when multiple changes are made

Links to More Info: BT941853

Component: Application Security Manager

Symptoms:
When multiple Logging Profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.

Conditions:
Multiple Logging Profile changes are made in a single update.

Impact:
The previous Logging Profiles are not disassociated from the virtual server.

Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1


941649-5 : Local File Inclusion Vulnerability

Links to More Info: K63163637, BT941649


941621-4 : Brute Force breaks server's Post-Redirect-Get flow

Links to More Info: K91414704, BT941621

Component: Application Security Manager

Symptoms:
Brute Force breaks server's Post-Redirect-Get flow

Conditions:
ASM policy is attached to VS
Brute force protection is enabled.
CSI challenge or Captcha are in use.
Server implements Post-Redirect-Get flow.

Impact:
Brute Force breaks server's Post-Redirect-Get flow

Workaround:
None

Fix:
Support PRG mechanism in brute force mitigations.

Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.1


941449-5 : BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993

Links to More Info: K55237223, BT941449


941257-3 : Occasional Nitrox3 ZIP engine hang

Links to More Info: BT941257

Component: Local Traffic Manager

Symptoms:
Occasionally the Nitrox3 ZIP engine hangs.

In /var/log/ltm:
 
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.

Conditions:
BIG-IP appliance that uses the Nitrox 3 hardware compression chip: 5xxx, 7xxx, 12250 and B2250.

You can check if your platform has the nitrox3 by running the following command:

tmctl -w 200 compress -s provider

provider
--------
bzip2
lzo
nitrox3 <--------
zlib

Impact:
The Nitrox3 hardware compression system becomes unavailable and the compression mode switches to software compression. This can lead to high CPU usage.

Workaround:
Disable http compression

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4


941249-1 : Improvement to getcrc tool to print cookie names when cookie attributes are involved

Links to More Info: BT941249

Component: Application Security Manager

Symptoms:
The getcrc tool provides an incorrect ASM cookie name when the path and/or domain cookie attributes are present in the response from the server.

Conditions:
This is applicable when domain and path cookie attributes are present in response from server

Impact:
ASM cookie name which is displayed is incorrect

Workaround:
None

Fix:
More options need to be added to getcrc tool such that it caters for path/domain cookie attribute/s

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2


941089-4 : TMM core when using Multipath TCP

Links to More Info: BT941089

Component: Local Traffic Manager

Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than to disable MPTCP.

Fix:
TMM no longer produces a core.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2


940897-4 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached

Links to More Info: BT940897

Component: Application Security Manager

Symptoms:
False positive violations are detected for the incorrect parameter when "Maximum Array/Object Elements" is reached with "Parse Parameter" enabled.

Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.

Impact:
False positives detected, such as "Illegal meta character in value" violation and attack signature for incorrect context.

Workaround:
N/A

Fix:
No false positives detected.

Fixed Versions:
12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1


940401-4 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'

Links to More Info: BT940401

Component: Fraud Protection Services

Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.

Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.

Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.

Workaround:
None.

Fix:
Section now reads 'Rooting Detection'.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1


940317-2 : CVE-2020-13692: PostgreSQL JDBC Driver vulnerability

Links to More Info: K23157312, BT940317


940249-4 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached

Links to More Info: BT940249

Component: Application Security Manager

Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then all sensitive data after the last allowed element is not masked.

Conditions:
Define JSON profile, set "JSON data does not comply with format settings" to blocking and set "Maximum Array/Object Elements" to desired value.

Impact:
Data after last allowed element is not masked.

Fix:
Now the values are masked.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1


940185-4 : icrd_child may consume excessive resources while processing REST requests

Links to More Info: K11742742, BT940185


940021-1 : Syslog-ng hang may lead to unexpected reboot

Links to More Info: BT940021

Component: TMOS

Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to unexpected reboot.

The BIG-IP may unexpectedly reboot after a host watchdog timeout when syslog-ng gets hung up.

Logs via syslog-ng are no longer written, though logging not via syslog-ng continues unaffected.
This happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.

At this time syslog-ng typically spins, using near 100% CPU (just one core equivalent, not all CPU capacity on system).

Typically things appear fine on rest of system - there will usually be adequate CPU and memory.
Hours or days later graphs will have a gap of usually tens of minutes to hours before an unexpected reboot.

Post reboot logs (in /var/log/sel for iSeries or ltm log otherwise) show this is a host watchdog reboot.
After reboot the system runs correctly, though if the syslog-ng remote server was invalid this remains the case.

Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.

A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to the stream of log messages by breaking the connection, e.g., by sending ICMP port unreachable to the BIG-IP.

Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:

  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

The final log will be of a broken connection only, usually one minute after the last established/broken pair.

  Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.

Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable.

Fix:
Fixed an issue with syslog-ng hang occasionally causing a system restart.

This fix is not a complete fix. You will still need to remove unused syslog-ng servers from the BIG-IP configuration.

ID 1040277 tracks the remaining issue.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
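
The log signature described above for ID 940021 (a final 'Syslog connection broken' with no 'Syslog connection established' in the same second), as an added detection example that is not part of the F5 release notes. The names find_hang_candidates, Finding and SAMPLE_LOG are assumptions of this example; the crond line and the PID 4711 lines are constructed, the other sample lines are the ones quoted above.

```python
import re
from typing import List, NamedTuple

# Matches the two syslog-ng connection events quoted in the release note.
EVENT_RE = re.compile(
    r"^\s*(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+\S+\s+"
    r"syslog-ng\[(?P<pid>\d+)\]:\s+Syslog connection "
    r"(?P<event>established|broken);.*?\bserver='(?P<server>[^']*)'"
)


class Finding(NamedTuple):
    line_no: int
    timestamp: str
    pid: str
    server: str


def find_hang_candidates(lines) -> List[Finding]:
    """Return 'broken' events that (a) have no 'established' event for the same
    syslog-ng PID and server in the same second and (b) are the last connection
    event logged by that PID. Condition (b) filters out a long-lived connection
    that breaks normally, because syslog-ng then retries and logs again."""
    pending = {}    # (pid, server) -> timestamp of the latest unpaired 'established'
    orphans = []    # 'broken' events without a same-second 'established'
    last_line = {}  # pid -> line number of that process's last connection event

    for line_no, line in enumerate(lines, start=1):
        m = EVENT_RE.match(line)
        if m is None:
            continue  # not a syslog-ng connection event
        ts = " ".join(m["ts"].split())  # normalise "Nov  5" to "Nov 5"
        pid, server = m["pid"], m["server"]
        last_line[pid] = line_no
        if m["event"] == "established":
            pending[(pid, server)] = ts
        elif pending.pop((pid, server), None) != ts:
            orphans.append(Finding(line_no, ts, pid, server))

    return [f for f in orphans if last_line[f.pid] == f.line_no]


# Sample input: lines 1, 2 and 4 are quoted in the release note; lines 3, 5 and 6
# are constructed (an unrelated message and a post-reboot syslog-ng with a new PID).
SAMPLE_LOG = [
    "  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'",
    "  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'",
    "  Nov 25 03:14:30 localhost.localdomain info crond[2211]: constructed unrelated line",
    "  Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'",
    "  Nov 25 09:42:17 localhost.localdomain notice syslog-ng[4711]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'",
    "  Nov 25 09:42:17 localhost.localdomain notice syslog-ng[4711]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'",
]

if __name__ == "__main__":
    for f in find_hang_candidates(SAMPLE_LOG):
        print(f"line {f.line_no}: syslog-ng[{f.pid}] last event is an unpaired "
              f"'broken' at {f.timestamp} for {f.server}")
```

A hit means the log matches the signature only; confirm against the host watchdog entry in /var/log/sel or the ltm log as described above.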


939845-4 : BIG-IP MPTCP vulnerability CVE-2021-23004

Links to More Info: K31025212, BT939845


939841-4 : BIG-IP MPTCP vulnerability CVE-2021-23003

Links to More Info: K43470422, BT939841


939529-4 : Branch parameter not parsed properly when topmost via header received with comma separated values

Links to More Info: BT939529

Component: Service Provider

Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This Via header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch header. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.

Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.

Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be the same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction. When the CANCEL is received, the client sends a 481 error:

SIP/2.0 481 Call/Transaction Does Not Exist.

Workaround:
Use iRules to remove the topmost Via header and add a new Via header that uses the same branch for INVITE and CANCEL while sending messages to SIP clients.

Fix:
The BIG-IP system now ensures the branch field inserted in the Via header is the same for INVITE and CANCEL messages.

Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
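
To confirm from a capture whether clients are seeing the branch mismatch described above for ID 939529, the following added example (not part of the F5 release notes) compares the topmost Via branch of each CANCEL with that of the INVITE sharing its Call-ID and CSeq number, including the comma-separated Via case. All function names and the sample SIP messages are constructed for this example, and it assumes Via values contain no quoted commas.

```python
from typing import List, NamedTuple, Optional, Tuple


class Mismatch(NamedTuple):
    call_id: str
    invite_branch: Optional[str]
    cancel_branch: Optional[str]


def parse_headers(message: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (method, [(lowercase header name, value), ...]) for one SIP message."""
    head = message.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:  # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return method, headers


def first(headers, *names) -> Optional[str]:
    """First value of a header, accepting its long and compact names."""
    for name, value in headers:
        if name in names:
            return value
    return None


def top_via_branch(headers) -> Optional[str]:
    """Branch parameter of the topmost Via value. When one Via line carries
    several comma-separated values, the topmost is the first of them."""
    via = first(headers, "via", "v")
    if via is None:
        return None
    top = via.split(",", 1)[0]
    for param in top.split(";")[1:]:
        key, _, value = param.partition("=")
        if key.strip().lower() == "branch":
            return value.strip()
    return None


def cancel_branch_mismatches(messages) -> List[Mismatch]:
    """Report each CANCEL whose topmost Via branch differs from its INVITE's."""
    invites = {}  # (Call-ID, CSeq number) -> topmost branch seen on the INVITE
    found = []
    for raw in messages:
        method, headers = parse_headers(raw)
        if method not in ("INVITE", "CANCEL"):
            continue  # responses and other requests are ignored
        call_id = first(headers, "call-id", "i")
        cseq = (first(headers, "cseq") or "").split()
        key = (call_id, cseq[0] if cseq else None)
        branch = top_via_branch(headers)
        if method == "INVITE":
            invites[key] = branch
        elif key in invites and invites[key] != branch:
            found.append(Mismatch(call_id, invites[key], branch))
    return found


def sip(*lines: str) -> str:
    """Build a constructed SIP message with CRLF line endings and no body."""
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed capture: call-1 shows the mismatch, call-2 (compact headers) does not.
SAMPLE_MESSAGES = [
    sip("INVITE sip:bob@example.com SIP/2.0",
        "Via: SIP/2.0/TCP 198.51.100.1:5060;branch=z9hG4bKproxyA, "
        "SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKclient1",
        "Call-ID: call-1@192.0.2.10", "CSeq: 1 INVITE"),
    sip("CANCEL sip:bob@example.com SIP/2.0",
        "Via: SIP/2.0/TCP 198.51.100.1:5060;branch=z9hG4bKproxyB",
        "Call-ID: call-1@192.0.2.10", "CSeq: 1 CANCEL"),
    sip("INVITE sip:carol@example.com SIP/2.0",
        "v: SIP/2.0/TCP 198.51.100.1:5060;branch=z9hG4bKproxyC",
        "i: call-2@192.0.2.11", "CSeq: 7 INVITE"),
    sip("CANCEL sip:carol@example.com SIP/2.0",
        "v: SIP/2.0/TCP 198.51.100.1:5060;branch=z9hG4bKproxyC",
        "i: call-2@192.0.2.11", "CSeq: 7 CANCEL"),
    sip("SIP/2.0 481 Call/Transaction Does Not Exist",
        "Via: SIP/2.0/TCP 198.51.100.1:5060;branch=z9hG4bKproxyB",
        "Call-ID: call-1@192.0.2.10", "CSeq: 1 CANCEL"),
]

if __name__ == "__main__":
    for m in cancel_branch_mismatches(SAMPLE_MESSAGES):
        print(f"{m.call_id}: INVITE branch {m.invite_branch} != CANCEL branch {m.cancel_branch}")
```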


938233-4 : An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization

Links to More Info: K93231374


937637-5 : BIG-IP APM VPN vulnerability CVE-2021-23002

Links to More Info: K71891773, BT937637


937365-5 : LTM UI does not follow best practices

Links to More Info: K42526507, BT937365


937333-5 : Incomplete validation of input in unspecified forms

Links to More Info: K29500533, BT937333


936557-4 : Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.

Links to More Info: BT936557

Component: Local Traffic Manager

Symptoms:
As the BIG-IP system attempts to open a TCP connection to a server-side object (e.g., a pool member), retransmissions of the initial SYN segment incorrectly use a non-zero acknowledgement number.

Conditions:
This issue occurs when the following conditions are true:

-- Standard TCP virtual server.

-- TCP profile with Verified Accept enabled.

-- Receipt of the client's ACK (as part of the client-side TCP 3-way handshake) is delayed. Due to Verified Accept being enabled, this delay causes the BIG-IP system to retransmit its SYN to the server until the client's ACK is received.

Impact:
Depending on the specific server implementation, or the security devices present on the BIG-IP system's server-side before the server, a SYN containing a non-zero acknowledgement number may be rejected. In turn, this may cause connections to fail to establish.

Workaround:
If compatible with your application and specific needs, you can work around this issue by disabling Verified Accept in the TCP profile.

Fix:
SYN segment retransmissions now correctly use 0 as the acknowledgement number.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1


935721-3 : ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Links to More Info: K82252291, BT935721


935593-2 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite

Links to More Info: BT935593

Component: Local Traffic Manager

Symptoms:
FastL4 profiles configured with the TCP timestamp rewrite option enabled do not handle retransmitted SYNs correctly.

Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.

Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.

Workaround:
Do not use TCP timestamp rewrite.

Fixed Versions:
13.1.5, 14.1.3.1, 15.1.2, 16.0.1.1


935433-5 : iControl SOAP

Links to More Info: K53854428, BT935433


935401-5 : BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001

Links to More Info: K06440657, BT935401


935293-1 : 'Detected Violation' Field for event logs not showing

Links to More Info: BT935293

Component: Application Security Manager

Symptoms:
The violation is missing, or its details are not populated, on the event log page when a POST request with a large number of parameters is sent to the BIG-IP system.

Conditions:
-- A large POST request with lots of parameters is sent to BIG-IP system.
-- 'Learn New Parameters' is enabled.

Impact:
You cannot see the violation details.

Workaround:
Disabling parameter learning helps.

Note: This happens only with a large number of parameters. Usually it works as expected.

Fix:
The eventlog is reserving space for violations.

Fixed Versions:
13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1


933777-3 : Context use and syntax changes clarification

Links to More Info: BT933777

Component: Application Visibility and Reporting

Symptoms:
There are two context and syntax-related issues:

-- In v14.x, the context for tmsh analytics commands related to server side connections changed. For example, 'total-server-side-conns' became a simple 'server-side-conns'.

-- In v13.x and 14.x, the calculation method for 'max-tps' changed from cumulative to commutative.

Conditions:
This occurs in either of the following scenarios:
-- Using tmsh analytics commands related to max-tps in v13.x or later.
-- Using tmsh analytics commands related to server side connections in BIG-IP v14.x and later.

Impact:
Stats names do not reflect their actual values. The 'max-tps' value is no longer valid for client IP context. These changes might have varied impacts, depending on your configuration.

Workaround:
None

Fix:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).

-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.

Behavior Change:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).

-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.

Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2


933741-5 : BIG-IP FPS XSS vulnerability CVE-2021-22979

Links to More Info: K63497634, BT933741


933461-2 : BGP multi-path candidate selection does not work properly in all cases.

Links to More Info: BT933461

Component: TMOS

Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.

Conditions:
An inbound route-map exists that modifies a route's path selection attribute.

Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.

Workaround:
None.

Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1


933297 : FTP virtual server passive data channels do not pass traffic

Links to More Info: K20984059, BT933297


932697-1 : BIG-IP TMM vulnerability CVE-2021-23000

Links to More Info: K34441555, BT932697


932485-1 : Incorrect sum(hits_count) value in aggregate tables

Links to More Info: BT932485

Component: Application Visibility and Reporting

Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.

Conditions:
-- Insert a very large amount of data (approximately 4.5 milliard or more) to one of AVR tables.
-- Review the value of the sum(hits_count) column.

Impact:
The system reports incorrect values in AVR tables when dealing with large numbers

Workaround:
None.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2


932137-3 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade

Links to More Info: BT932137

Component: Application Visibility and Reporting

Symptoms:
After upgrade, AFM statistics show non-relevant data.

Conditions:
-- BIG-IP system upgrade.
-- Leftover files from other versions remain in the /shared/avr_afm partition.

Impact:
Non-relevant data are shown in AFM statistics.

Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2


932133-4 : Payloads with large number of elements in XML take a lot of time to process

Links to More Info: BT932133

Component: Application Security Manager

Symptoms:
ASM experiences high CPU usage and latency while processing a large XML request.

Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.

Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.

Workaround:
None

Fix:
This fix includes performance improvements for large XML payloads.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2


932065-4 : iControl REST vulnerability CVE-2021-22978

Links to More Info: K87502622, BT932065


931837-3 : NTP has predictable timestamps

Links to More Info: K55376430, BT931837


931677-3 : IPv6 hardening

Component: Local Traffic Manager

Symptoms:
Under certain conditions, handling of IPv6 traffic to BIG-IP owned addresses (e.g., self-IPs) does not follow current best practices.

Conditions:
-- IPv6 strict compliance is enabled (tmsh modify sys db ipv6.strictcompliance value true)
-- IPv6 traffic to BIG-IP owned addresses

Impact:
Handling of IPv6 traffic does not follow current best practices.

Workaround:
Disable IPv6 strict compliance with the command:
tmsh modify sys db ipv6.strictcompliance value false

Fix:
BIG-IP now handles IPv6 traffic in compliance with current best practices.

Fixed Versions:
13.1.5


931513-4 : TMM vulnerability CVE-2021-22977

Links to More Info: K14693346, BT931513


930741-4 : Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot

Links to More Info: BT930741

Component: TMOS

Symptoms:
If there is a truncated BIG-IP software image in /shared/images, a kernel lockup and reboot could occur.

One way to have a truncated image in /shared/images is by using iControl/SOAP to upload the image. Using SOAP, the image is uploaded in chunks, so until the last chunk is uploaded, the image is not complete/is truncated.

Conditions:
-- Truncated BIG-IP image in /shared/images
-- Using SOAP to upload the image.

Impact:
Traffic disruption caused by the reboot.

Workaround:
If you are using SOAP to upload BIG-IP software images, upload them to /shared first and then move them to /shared/images.

Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2


929001-5 : ASM form handling improvements

Links to More Info: K48321015, BT929001

Component: Application Security Manager

Symptoms:
Under certain conditions, the ASM form handler may not enforce as expected.

Conditions:
- Brute force protection is configured

Impact:
Enforcement not triggered as expected.

Workaround:
N/A

Fix:
ASM now processes forms as expected.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2


928685-4 : ASM Brute Force mitigation not triggered as expected

Links to More Info: K49549213, BT928685

Component: Application Security Manager

Symptoms:
Under certain conditions the Brute Force mitigation will not be triggered.

Conditions:
- ASM enabled
- Brute Force mitigation enabled

Impact:
Brute Force mitigation is not triggered as expected.

Workaround:
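The following iRule looks for an issue with the authorization header and raises a custom violation when this happens:

when ASM_REQUEST_DONE {
    # catch returns non-zero when HTTP::username fails, which this
    # workaround treats as a problem with the Authorization header.
    if { [catch { HTTP::username }] } {
        log local0. "ERROR: bad username"
        # Raise the custom violation named bad_auth_header_custom_violation.
        ASM::raise bad_auth_header_custom_violation
    }
}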

Fix:
Brute Force mitigation is now triggered as expected.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2


928037-4 : APM Hardening

Links to More Info: K15310332, BT928037


927993-5 : Built-in SSL Orchestrator RPM installation failure

Links to More Info: K97501254, BT927993

Component: SSL Orchestrator

Symptoms:
Attempting to install the built-in SSL Orchestrator RPM results in the following error:

Failed to load IApp artifacts from f5-iappslx-ssl-orchestrator: java.lang.IllegalStateException: Failed to post templates to block collection.

Conditions:
In the BIG-IP TMUI, the BIG-IP administrator navigates to the SSL Orchestrator Configuration page. This would automatically invoke the installation of the built-in SSL Orchestrator RPM, resulting in the failure.

Impact:
The built-in SSL Orchestrator RPM is not installed and SSL Orchestrator management is not possible.

Workaround:
Step 1. Run the following commands in the BIG-IP command line:

# Get ID for f5-ssl-orchestrator-dg-data:
id1=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-data") | .id')

# Get ID for f5-ssl-orchestrator-dg-template:
id2=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-template") | .id')

# Temporarily unlink the "f5-ssl-orchestrator-dg-data" (id1) dependency on "f5-ssl-orchestrator-dg-template" (id2).
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id1

# Remove all SSL Orchestrator block templates.
restcurl shared/iapp/blocks | jq -r '.items[] | select(.state == "TEMPLATE") | select(.name | startswith("f5-ssl-orchestrator")) | .id' | for x in $(cat) ; do restcurl -X DELETE shared/iapp/blocks/$x; done

# Remove the SSL Orchestrator RPM installation references (if any).
restcurl -X DELETE shared/iapp/global-installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
restcurl -X DELETE shared/iapp/installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99

---

Step 2. Use the BIG-IP TMUI:
Log in to the TMUI and navigate to SSL Orchestrator > Configuration. This would refresh the related page and install the SSL Orchestrator RPM. Wait for the SSL Orchestrator configuration page to complete loading.

---

Step 3. Run the following commands in the BIG-IP command line:

# Restore the "f5-ssl-orchestrator-dg-data" dependency on "f5-ssl-orchestrator-dg-template".
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id2

---

Step 4. Use the BIG-IP TMUI:
Refresh the SSL Orchestrator > Configuration page.

Fix:
Built-in SSL Orchestrator RPM installation failure

Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3, 14.1.4, 15.1.2, 16.0.1.1


927941-2 : IPv6 static route BFD does not come up after OAMD restart

Links to More Info: BT927941

Component: TMOS

Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"

Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.

Impact:
BFD session is not shown in 'show bfd session'.

Workaround:
Restart tmrouted:
bigstart restart tmrouted

Fix:
IPv6 static route BFD session now comes up after restarting the oamd process.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1


927617-4 : 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value

Links to More Info: BT927617

Component: Application Security Manager

Symptoms:
A valid request that should be passed to the backend server is blocked.

Conditions:
-- A cookie name is defined in Security :: Application Security : Headers : Cookies List :: New Cookie, with Base64 Decoding enabled.

-- The cookie header that contains the valid cookie value is encoded to base64.

Impact:
A request is blocked that should not be.

Workaround:
Disable 'Base64 Decoding' for the desired cookie.

Fix:
Requests with valid base64 encoding cookies are now correctly passed by the enforcer.

Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1


926929-1 : RFC Compliance Enforcement lacks configuration availability

Links to More Info: BT926929

Component: Local Traffic Manager

Symptoms:
Earlier versions contained fixes that enforce several RFC compliance items for HTTP request and response processing by BIG-IP systems. Enforcement for some of these items is unavoidable, but might cause issues for certain applications.

Conditions:
The configuration has a virtual server with an HTTP profile.

Impact:
Some applications that require certain constructions after a header name may not function.

Workaround:
None

Fix:
A configuration item has been introduced to manage RFC-compliance options.

In releases 13.1.4, 14.1.4, 15.1.2.1 and 16.0.1.2 and in subsequent releases in those families, a global flag is used to control the enforcement:

    sys db tmm.http.rfc.allowwsheadername

The possible values are "enabled" and "disabled"; the default is "enabled".

In release 16.1.0 and subsequent releases, there are two per-profile options; these have been added to the Configuration Utility's configuration page for HTTP profiles, in the 'Enforcement' section:

-- Enforce RFC Compliance
-- Allow Space Header Name

The following sample output shows how the RFC-compliance and whitespace-enforcement settings might appear in tmsh, if enabled:

(tmos)# list ltm profile http http-wsheader
ltm profile http http-wsheader {
    app-service none
    defaults-from http
    enforcement {
        allow-ws-header-name enabled
        rfc-compliance enabled
    }
    proxy-type reverse
}

Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.2


926845-3 : Inactive ASM policies are deleted upon upgrade

Links to More Info: BT926845

Component: Application Security Manager

Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.

Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy

Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.

Workaround:
None.

Fixed Versions:
13.1.5


926341-4 : RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade

Links to More Info: BT926341

Component: Application Visibility and Reporting

Symptoms:
Unusually high AVR CPU utilization occurs following an upgrade.

Conditions:
-- BIG-IP software upgrade to v13.0.x or later.
-- Running AVR.

Impact:
AVR CPU utilization can be unusually high for an unusually long period of time.

Workaround:
After upgrade, if AVR CPU usage is high, manually edit /etc/avr/avrd.cfg to decrease it by increasing the time period of real-time statistics collection. To do so:
1. Change the value of RtIntervalSecs in the /etc/avr/avrd.cfg file to 30 or 60 seconds.
2. Restart the system by running the following command at the command prompt:
bigstart restart

When changing RtIntervalSecs please take into consideration two important limitations:
-- Value of RtIntervalSecs cannot be less than 10.
-- Value of RtIntervalSecs must be 10 on BIG-IP devices that are registered on BIG-IQ DCD nodes.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4


924929 : Logging improvements for VDI plugin

Links to More Info: BT924929

Component: Access Policy Manager

Symptoms:
If the Virtual Desktop Interface (VDI) plugin aborts, the names of the events are not logged in the APM log file.

Conditions:
- Virtual Desktop Interface (VDI) configured
- The plugin encounters a problem and aborts

Impact:
Event names are not displayed in the APM log.

Workaround:
None.

Fix:
Event names along with the exceptions are also seen in the APM log file.

Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1


924493-5 : VMware EULA has been updated

Links to More Info: BT924493

Component: TMOS

Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.

Conditions:
The EULA is presented to the user when deploying an OVF template.

Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).

Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.

Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.

Fix:
The EULA presented in VMware was out of date and has been updated.

Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1


922317-1 : Using the LSN::persistence_entry command in an iRule may cause crashes and/or stalled connections

Links to More Info: BT922317

Component: Local Traffic Manager

Symptoms:
-- Stalled serverside connections visible in connection table.
-- No traffic going out towards pool member.
-- Sometimes tmm crashes may occur.

Conditions:
The LSN::persistence_entry Tcl command is used inside of an iRule triggered by a serverside event, e.g., SERVER_CONNECTED.

Impact:
-- Traffic not reaching pool members.
-- System disruption while tmm restarts in case of crash.

Workaround:
Do not use the LSN::persistence_entry command in iRules triggered by serverside events.

Fix:
Traffic now reaches pool members, no stalled connections occur, and crashes are eliminated.

Fixed Versions:
12.1.6, 13.1.4


922297-4 : TMM does not start when using more than 11 interfaces with more than 11 vCPUs

Links to More Info: BT922297

Component: TMOS

Symptoms:
TMM may not start when using more than 11 network interfaces with more than 11 vCPUs configured.

You see the following log entries in /var/log/tmm:

-- notice ixlv(1.1)[0:5.0]: Waiting for tmm10 to reach state 1...

In the TMM log for that TMM, you can see that it is waiting for tmm0, e.g.:

-- notice ixlv(1.10)[0:6.0]: Waiting for tmm0 to reach state 2...

Conditions:
-- BIG-IP Virtual Edition (VE).
-- More than 11 interfaces configured.
-- More than 11 vCPUs configured.

Impact:
TMM does not start.

Workaround:
Configure fewer network interfaces or vCPUs.

Fix:
Fixed an issue where TMM startup became stuck in a dead loop (when there are more than 10 interfaces and tmms/vCPUs).

Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2


922105-5 : Avrd core when connection to BIG-IQ data collection device is not available

Links to More Info: BT922105

Component: Application Visibility and Reporting

Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.

Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.

Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.

Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:

tmsh modify analytics global-settings use-offbox disabled

Fix:
Avrd no longer cores when the connection to the BIG-IQ data collection device is not available.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2


921625-5 : The certs extend function does not work for GTM/DNS sync group

Links to More Info: BT921625

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged an SSL cert.

As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives an 'unknown ca' SSL error, if its peer GTM/DNS has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.

The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.

You might see messages similar to the following:

-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....

Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device, which results in that file being larger than 4000 bytes.

-- Configuration is as follows:
   1. GTMDNS1 and GTMDNS2 are in the same GTM/DNS sync group.
   2. GTMDNS1 has a self-authorized CA cert.
   3. You add a BIG-IP server that is reachable but with which GTMDNS1 has not exchanged SSL certs.

Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.

Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1


921549-7 : The gtmd process does not receive updates from local big3d.

Links to More Info: BT921549

Component: Global Traffic Manager (DNS)

Symptoms:
An oversized server.crt file prevents gtmd (on other devices in the same syncgroup) from receiving updates from the local big3d.

Conditions:
One GTM/DNS device in the syncgroup has an oversized server.crt file (approximately 4000 or larger) and sends a client cert direct message to peer GTM/DNS devices.

Impact:
The gtmd process marks resources down unexpectedly and does not receive persist updates.

Workaround:
1. For each GTM/DNS device, use bigip_add to add all BIG-IP servers configured in bigip_gtm.conf file.
2. Restart each GTM/DNS that is affected.

Fixed Versions:
13.1.3.6
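
The Conditions in 921625 and 921549 both come down to the size of /config/httpd/conf/ssl.crt/server.crt, so a check that can be run on each GTM/DNS device in the sync group is useful before deciding where bigip_add is needed. The following is an added example, not F5 code: the function names, output format and the constructed sample bundle are this example's own, and the 4000-byte threshold is taken from the Conditions text above.

```shell
#!/bin/sh
# Added example: report whether a PEM bundle matches the conditions
# described in 921625 / 921549 (server.crt larger than 4000 bytes).
# LIMIT_BYTES is taken from the Conditions text; everything else is assumed.
LIMIT_BYTES=4000

# audit_server_crt FILE
# Prints "certs=<n> bytes=<n> status=<ok|oversized|missing>".
# Returns 0 when ok, 1 when oversized, 2 when the file cannot be read.
audit_server_crt() {
    _file=$1
    if [ ! -r "$_file" ]; then
        echo "certs=0 bytes=0 status=missing"
        return 2
    fi
    # grep -c exits non-zero on a zero count, so guard it for 'set -e' callers.
    _certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$_file" || true)
    _bytes=$(wc -c < "$_file" | tr -d ' ')
    if [ "$_bytes" -gt "$LIMIT_BYTES" ]; then
        echo "certs=$_certs bytes=$_bytes status=oversized"
        return 1
    fi
    echo "certs=$_certs bytes=$_bytes status=ok"
    return 0
}

# make_sample_bundle FILE COUNT
# Writes COUNT constructed PEM-shaped blocks (filler, not real certificates)
# so the check can be exercised away from a BIG-IP system.
make_sample_bundle() {
    : > "$1"
    _i=0
    while [ "$_i" -lt "$2" ]; do
        {
            echo '-----BEGIN CERTIFICATE-----'
            _j=0
            while [ "$_j" -lt 20 ]; do
                printf '%064d\n' 0      # 64 filler characters per line
                _j=$((_j + 1))
            done
            echo '-----END CERTIFICATE-----'
        } >> "$1"
        _i=$((_i + 1))
    done
}

# When run with a path argument, audit that file, for example:
#   sh audit_server_crt.sh /config/httpd/conf/ssl.crt/server.crt
if [ $# -gt 0 ]; then
    audit_server_crt "$1"
fi
```

A status of oversized identifies a device that matches the Conditions; the workaround remains running bigip_add as described in the entries above.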


921337-1 : BIG-IP ASM WebSocket vulnerability CVE-2021-22976

Links to More Info: K88230177, BT921337


920265 : TMM may crash if a virtual server undergoes a series of specific configuration changes involving the transparent-nexthop option.

Links to More Info: BT920265

Component: Local Traffic Manager

Symptoms:
TMM crashes and produces a core dump.

Conditions:
This issue occurs when:

- You initially enable the transparent-nexthop setting on a virtual server.
- You then disable the option.
- You then disable auto-lasthop for the virtual server.
- The virtual server receives traffic.

Impact:
Traffic is impacted while TMM restarts.

Workaround:
There is no workaround that you can instantiate to prevent this issue. However, if you are aware that you have already performed the necessary configuration changes to cause this issue to occur, and TMM has not crashed yet, you can delete the virtual server and recreate it (with the intended/final configuration) to prevent the crash.

Fix:
TMM no longer crashes after modifying a virtual server as described under Conditions.

Fixed Versions:
13.1.4


920197-1 : Brute force mitigation can stop mitigating without a notification

Links to More Info: BT920197

Component: Application Security Manager

Symptoms:
A brute force attack coming from an entity (such as an IP address, etc.) may be stopped prematurely.

Conditions:
-- Many brute force attacks are happening at once, coming from many sources.
-- Distributed attack is not detected (due to configuration).

Impact:
At some point, an entity might not be mitigated due to the sheer number of mitigated entities. When this occurs, there is no notification.

Workaround:
None.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2


919553-4 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.

Links to More Info: BT919553

Component: Global Traffic Manager (DNS)

Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.

Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1


919317-2 : NSM consumes 100% CPU processing nexthops for recursive ECMP routes

Links to More Info: BT919317

Component: TMOS

Symptoms:
The NSM process might enter a state where it gets stuck at 100% CPU usage.

Conditions:
ECMP routes reachable via recursive nexthops.

Impact:
NSM is stuck at 100% CPU usage.

Workaround:
Avoid using ECMP routes reachable via recursive nexthops.

Fixed Versions:
13.1.5


919301-5 : GTP::ie count does not work with -message option

Links to More Info: BT919301

Component: Service Provider

Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:

wrong # args: should be "-type <ie-path>"

Conditions:
Issue the 'GTP::ie count' command with the -message option, for example:

GTP::ie count -message $m -type apn

Impact:
The iRule fails, which could cause the connection to abort.

Workaround:
Swap the order of the arguments by moving -message to the end, for example:

GTP::ie count -type apn -message $m

There is a warning message due to iRules validation, but the command works at runtime.

Fix:
'GTP::ie count' now works with the -message option.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


919049 : Guest fails to come up when vCMP guest and host both run BIG-IP v13.1.3.3, assigning FIPS partition

Links to More Info: BT919049

Component: Local Traffic Manager

Symptoms:
The vCMP guest fails to come up.

Conditions:
-- Using i5820-DF, i7820-DF, or 10350v-F platforms.
-- Running BIG-IP software v13.1.3.3 on the hypervisor.
-- Once FIPS card is initialized on the hypervisor:
   1. Create vCMP guest.
   2. Assign FIPS partition (can be default PARTITION_1, or you can resize PARTITION_1 and create a different partition).
   3. Change state of vCMP guest to 'deployed'.

Impact:
The vCMP guest fails to come up with an attached N3FIPS partition.

Note: This happens only when the host is running v13.1.3.3 and the vCMP guest tries to come up with v13.1.3.3.

Workaround:
None.

Fixed Versions:
13.1.4


918933-4 : The BIG-IP ASM system may not properly perform signature checks on cookies

Links to More Info: K88162221, BT918933

Component: Application Security Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Impact:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Workaround:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Fix:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.2.8, 15.1.2, 16.0.1.1


918597-1 : Under certain conditions, deleting a topology record can result in a crash.

Links to More Info: BT918597

Component: Global Traffic Manager (DNS)

Symptoms:
During a topology load balancing decision, TMM can crash.

Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.

Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Topology record changes are now done in a way that prevents the possibility of TMM crashing when making load balancing decisions in which the record is used.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2


918409-5 : BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures

Links to More Info: BT918409

Component: TMOS

Symptoms:
If a BIG-IP device has more than 24 tmm instances and one of the tmm processes above the 24th cpu loops (e.g., in response to an internal issue), it loops indefinitely.

Conditions:
-- BIG-IP i15600 / i15800 platforms.
-- Another issue occurs that causes a tmm process greater than the 24th tmm process to loop.

Impact:
Traffic disrupted on the tmm process that is looping indefinitely.

Workaround:
1. Manually change /defaults/daemon.conf to include the appropriate tmm number and respective heartbeat action if the supported tmm is not listed.

Note: The change does not persist across software installs.

    a. mount -o remount,rw /usr
    b. Edit /defaults/daemon.conf and put these contents at the top of the file:

sys daemon-ha tmm24 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm25 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm26 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm27 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}

    c. mount -o remount,ro /usr

2. After performing the edit, load the changes into the running configuration via 'tmsh load sys config partitions all'.
3. Verify that sod is now correctly monitoring tmm instances above tmm24 using a command such as:

    tmsh show sys ha-status all-properties | grep "daemon-heartbeat" | grep tmm

Fixed Versions:
13.1.5


918169-3 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.

Links to More Info: BT918169

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in an HTTP response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when all of the following conditions are true:

-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).

-- The server's HTTP response does not terminate with a newline.

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by performing any one of the following actions:

-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.

-- Ensure the server's HTTP response ends with a newline.

Fix:
The GTM/DNS HTTPS monitor no longer fails when the SSL peer performs an unclean shutdown.

Fixed Versions:
13.1.3.6, 14.1.2.7, 15.1.2, 16.0.1.1


917509-1 : BIG-IP ASM vulnerability CVE-2020-27718

Links to More Info: K58102101, BT917509


917005-3 : ISC BIND Vulnerability: CVE-2020-8619

Links to More Info: K19807532


916821-5 : iControl REST vulnerability CVE-2021-22974

Links to More Info: K68652018, BT916821


915981-1 : BIG-IP SCP hardening

Component: TMOS

Symptoms:
Under certain conditions SCP does not follow current best practices.

Conditions:
- Authenticated high-privilege user
- SCP file transfer

Impact:
BIG-IP does not follow current best practices for filesystem protection.

Workaround:
N/A

Fix:
All filesystem protections now follow best practices.

Fixed Versions:
13.1.5


915825-5 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.

Links to More Info: BT915825

Component: TMOS

Symptoms:
A configuration error occurs during upgrade due to a custom partition-associated Drafts folder that remains in the configuration file after the custom partition is deleted.

Configuration error: Can't associate folder (/User/Drafts) folder does not exist.

Conditions:
This occurs in the following scenario:

1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.

Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.

Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1


915689-5 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.

Links to More Info: BT915689

Component: Local Traffic Manager

Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already stored in the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.

Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.

Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.

Workaround:
None.

Fix:
HTTP/2 response headers now properly use the dynamic header table index when possible.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1


915605-4 : Image install fails if iRulesLX is provisioned and /usr mounted read-write

Links to More Info: K56251674, BT915605

Component: Local Traffic Manager

Symptoms:
If iRulesLX is provisioned, the /usr mount points are mounted as read-write. This causes the installation of an image to fail.

tmsh show software status will report the status for the target volume as one of the following:

-- Could not access configuration source.
-- Unable to get hosting system product info.

Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.

Impact:
Unable to upgrade or more generally insta