Supplemental Document : BIG-IP 14.1.4.5 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 14.1.4

BIG-IP APM

  • 14.1.4

BIG-IP Analytics

  • 14.1.4

BIG-IP Link Controller

  • 14.1.4

BIG-IP LTM

  • 14.1.4

BIG-IP PEM

  • 14.1.4

BIG-IP AFM

  • 14.1.4

BIG-IP DNS

  • 14.1.4

BIG-IP FPS

  • 14.1.4

BIG-IP ASM

  • 14.1.4
Original Publication Date: 08/23/2021
Updated Date: 05/28/2022

BIG-IP Release Information

Version: 14.1.4.5
Build: 7.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

The blue background highlights fixes


Cumulative fixes from BIG-IP v14.1.4.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.8 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.7 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.6 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release
Known Issues in BIG-IP v14.1.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
988549-4 CVE-2020-29573 K27238230 CVE-2020-29573: glibc vulnerability
1032405-4 CVE-2021-23037 K21435974 TMUI XSS vulnerability CVE-2021-23037
1012365-3 CVE-2021-20305 K33101555 Nettle cryptography library vulnerability CVE-2021-20305
941649-4 CVE-2021-23043 K63163637 Local File Inclusion Vulnerability
823877-2 CVE-2019-10098
CVE-2020-1927
K25126370 CVE-2019-10098 apache mod_rewrite vulnerability
803965-2 CVE-2018-20843 K51011533 Expat Vulnerability: CVE-2018-20843


Functional Change Fixes

ID Number Severity Solution Article(s) Description
930633-1 3-Major   Delay in using new route updates by existing connections on BIG-IP.
1015133-2 3-Major   Tail loss can cause TCP TLP to retransmit slowly.
985953-2 4-Minor   GRE Transparent Ethernet Bridging inner MAC overwrite


TMOS Fixes

ID Number Severity Solution Article(s) Description
1042993-1 1-Blocking K19272127 Provisioning high availability (HA) setup wizard fails to load, reports 'No Access'
1039049-1 1-Blocking   Installing EHF on particular platforms fails with error "RPM transaction failure"
831821-3 2-Critical   Corrupted DAG packets causes bcm56xxd core on VCMP host
1043277-2 2-Critical K06520200 'No access' error page displays for APM policy export and apply options
1004929-4 2-Critical   During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid.
996001-2 3-Major   AVR Inspection Dashboard 'Last Month' does not show all data points
989701-4 3-Major   CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response
958093-2 3-Major   IPv6 routes missing after BGP graceful restart
940185-3 3-Major   icrd_child may consume excessive resources while processing REST requests
935801-3 3-Major   HSB diagnostics are not provided under certain types of failures
922185-4 3-Major   LDAP referrals not supported for 'cert-ldap system-auth'
900933-2 3-Major   IPsec interoperability problem with ECP PFS
881085-1 3-Major   Intermittent auth failures with remote LDAP auth for BIG-IP managment
1045421-3 3-Major K16107301 No Access error when performing various actions in the TMOS GUI
1032077-3 3-Major   TACACS authentication fails with tac_author_read: short author body
1028669-4 3-Major   Python vulnerability: CVE-2019-9948
1028573-4 3-Major   Perl vulnerability: CVE-2020-10878
1026549-4 3-Major   Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd
1015093-4 3-Major   The "iq" column is missing from the ndal_tx_stats table
1009725-4 3-Major   Excessive resource usage when ixlv drivers are enabled
1003257-3 3-Major   ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected
988533-3 4-Minor   GRE-encapsulated MPLS packet support
889813-1 4-Minor   Show net bwc policy prints bytes-per-second instead of bits-per-second
1030845-3 4-Minor   Time change from TMSH not logged in /var/log/audit
1028497-4 4-Minor   libexpat vulnerability: CVE-2019-15903
713754-1 5-Cosmetic   Apache vulnerability: CVE-2017-15715


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
1005433 1-Blocking   Pool Members may not be updated accurately when multiple identical database monitors are configured
999933-4 2-Critical   TMM may crash while processing DNS traffic on certain platforms
989637-4 2-Critical   TMM may crash while processing SSL traffic
862885-1 2-Critical   Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error
788813-1 2-Critical   TMM crash when deleting virtual-wire config
750702-1 2-Critical   TMM crashes while making changes to virtual wire configuration
1040361-3 2-Critical   TMM crashes during its startup when TMC destination port list attached/deleted to virtual server
1019081-2 2-Critical K97045220 HTTP/2 hardening
1009161 2-Critical   SSL mirroring protect for null sessions
1007489-4 2-Critical   TMM may crash while handling specific HTTP requests
999097-4 3-Major   SSL::profile may select profile with outdated configuration
997193-2 3-Major   TCP connections may fail when AFM global syncookies are in operation.
963705-2 3-Major   Proxy ssl server response not forwarded
910517 3-Major   TMM may crash while processing HTTP traffic
904041-4 3-Major   Ephemeral pool members may be incorrect when modified via various actions
803629-2 3-Major   SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
761477-7 3-Major   Client authentication performance when large CRL is used
1038629-3 3-Major   DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client
1034365-1 3-Major   DTLS handshake fails with DTLS1.2 client version
1020941-3 3-Major   HTTP/2 header frames decoding may fail with COMPRESSION_ERROR when frame delivered in multiple xfrags
1018577-2 3-Major   SASP monitor does not mark pool member with same IP Address but different Port from another pool member
1017513-2 3-Major   Config sync fails with error Invalid monitor rule instance identifier
1015161-3 3-Major   Ephemeral pool member may not be created when FQDN resolves to address that matches static node
1008017-1 3-Major   Validation failure on Enforce TLS Requirements and TLS Renegotiation
936557-3 4-Minor   Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.
890881-3 4-Minor   ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address
1045913-4 4-Minor   COMPRESS::disable/COMPRESS::enable don't work reliably for selective compression
1018493-3 4-Minor   Response code 304 from TMM Cache always closes TCP connection.
1005109-1 4-Minor   TMM crashes when changing traffic-group on IPv6 link-local address
1002945-1 4-Minor   Some connections are dropped on chained IPv6 to IPv4 virtual servers.
898929-2 5-Cosmetic   Tmm might crash when ASM, AVR, and pool connection queuing are in use


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
1035853-4 2-Critical   Transparent DNS Cache can consume excessive resources.
1009037-4 2-Critical   Tcl resume on invalid connection flow can cause tmm crash
863917-3 3-Major   The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.
756470-5 3-Major   Additional logging added to detect when monitoring operations in the configuration exceeds capabilities.
1024553-3 3-Major   GTM Pool member set to monitor type "none" results in big3d: timed out
1021417-4 3-Major   Modifying GTM pool members with replace-all-with results in pool members with order 0
1021061-2 3-Major   Config fails to load for large config on platform with Platform FIPS license enabled


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
993613-4 2-Critical   Device fails to request full sync
912149-4 2-Critical   ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'
879841-3 2-Critical   Domain cookie same-site option is missing the "None" as value in GUI and rest
1019853-3 2-Critical   Some signatures are not matched under specific conditions
1011061-1 2-Critical   Certain attack signatures may not match in multipart content
984593-3 3-Major   BD crash
974341-3 3-Major   REST API: File upload
948805-3 3-Major   False positive "Null in Request"
907025-1 3-Major   Live update error" 'Try to reload page'
886865-2 3-Major   P3P header is added for all browsers, but required only for Internet Explorer
885765-4 3-Major   ASMConfig Handler undergoes frequent restarts
857633-2 3-Major   Attack Type (SSRF) appears incorrectly in REST result
842013-4 3-Major   ASM Configuration is Lost on License Reactivation
785873-2 3-Major   ASM should treat 'Authorization: Negotiate TlR' as NTLM
731168-1 3-Major   BIG-IP may attempt to write to an out of bounds memory location, causing the bd daemon to crash.
1042069-3 3-Major   Some signatures are not matched under specific conditions
1017153-1 3-Major   Asmlogd suddenly deletes all request log protobuf files and records from the database.
1005105-4 3-Major   Requests are missing on traffic event logging
1004069-2 3-Major   Brute force attack is detected too soon
1003317-4 3-Major   ASM signatures do not match as expected
883673-1 4-Minor   BotDefense JavaScript browser verification can cause low score when using Google Lighthouse tool
1031029 4-Minor   "Use of uninitialized value" warning observed during UCS restore.


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
832805-1 3-Major   AVR should make sure file permissions are correct (tmstat_tables.xml)
787677-3 3-Major   AVRD stays at 100% CPU constantly on some systems
1035133-2 3-Major   Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab
948113-4 4-Minor   User-defined report scheduling fails


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
883889-1 2-Critical   Tmm might crash when under memory pressure
860617-2 2-Critical   Radius sever pool without attaching the load balancing algorithm will result into core
1006893-1 2-Critical   Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core
993457-3 3-Major   TMM core with ACCESS::policy evaluate iRule
969317-2 3-Major   "Restrict to Single Client IP" option is ignored for vmware VDI
956645-1 3-Major   Per-request policy execution may timeout.
941393 3-Major   Memory leak in SWG
932213-1 3-Major   Local user db not synced to standby device when it is comes online after forced offline state
924857-4 3-Major   Logout URL with parameters resets TCP connection
915509-3 3-Major   RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true
853325-3 3-Major   TMM Crash while parsing form parameters by SSO.
828761-3 3-Major   APM OAuth - Auth Server attached iRule works inconsistently
827393-1 3-Major   In rare cases tmm crash is observed when using APM as RDG proxy.
802381-2 3-Major   Localdb authentication fails
738593-1 3-Major   Vmware Horizon session collaboration (shadow session) feature does not work through APM
712857-3 3-Major   SWG-Explicit rejects large POST bodies during policy evaluation
1045229-3 3-Major   APMD leaks Tcl_Objs as part of the fix made for ID 1002557
1044121-1 3-Major   APM logon page is not rendered if db variable "ipv6.enabled" is set to false
1021485-1 3-Major   VDI desktops and apps freeze with Vmware and Citrix intermittently
1001337 3-Major   Cannot read single sign-on configuration from GUI when logged in as guest
942965-1 4-Minor   Local users database can sometimes take more than 5 minutes to sync to the standby device


Service Provider Fixes

ID Number Severity Solution Article(s) Description
1007113-4 2-Critical   Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds
1039329-3 3-Major   MRF per peer mode is not working in vCMP guest.
1025529-3 3-Major   TMM generates core when iRule executes a nexthop command and SIP traffic is sent
1003633-4 4-Minor   There might be wrong memory handling when message routing feature is used


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
1049229-3 2-Critical   When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays.
995433-4 3-Major   IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
956013 3-Major   System reports{{validation_errors}}


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
975593-2 3-Major   TMM may crash while processing IPSec traffic


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
922665-1 3-Major   The admd process is terminated by watchdog on some heavy load configuration process
1023437-4 3-Major   Buffer overflow during attack with large HTTP Headers


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
1033829 2-Critical   Unable to load Traffic Classification package
686783-3 4-Minor   UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters.
1032689-4 4-Minor   UlrCat Custom db feedlist is not working for www.croupiest.com with attached feedlist file


SSL Orchestrator Fixes

ID Number Severity Solution Article(s) Description
873545-1 3-Major   SSL Orchestrator Configuration GUI freezes after management IP change.
761314-2 3-Major   OSPF Hello does not work for L2 wire



Cumulative fixes from BIG-IP v14.1.4.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
981461-3 CVE-2021-23032 K45407662 Unspecified DNS responses cause TMM crash
966901-3 CVE-2020-14364 K09081535 CVE-2020-14364: Qemu Vulnerability
940317-3 CVE-2020-13692 K23157312 CVE-2020-13692: PostgreSQL JDBC Driver vulnerability
1017973-3 CVE-2021-25215 K96223611 BIND Vulnerability CVE-2021-25215
1017965-3 CVE-2021-25214 K11426315 BIND Vulnerability CVE-2021-25214
1009029 CVE-2021-23035 K70415522 TMM may crash while processing HTTP requests
975589-2 CVE-2020-8277 K07944249 CVE-2020-8277 Node.js vulnerability
973409-4 CVE-2020-1971 K42910051 CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference
962069-1 CVE-2021-23047 K79428827 Excessive resource consumption while processing OSCP requests via APM
1013145-3 CVE-2021-23052 K32734107 APM Hardening


Functional Change Fixes

ID Number Severity Solution Article(s) Description
741869-1 2-Critical   Enable SysDb variable 'Connection.VgL2Transparent' prior to operating the BIG-IP in L2 transparent mode using VLAN groups.
923301-1 3-Major   ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group
911141-4 3-Major   GTP v1 APN is not decoded/encoded properly
866073-1 3-Major   Add option to exclude stats collection in qkview to avoid very large data files
754335-1 3-Major   Install ISO does not boot on BIG-IP VE
752542-4 3-Major   Automatic eviction of PEM URLCAT cloud cache
751032-3 4-Minor   TCP receive window may open too slowly after zero-window


TMOS Fixes

ID Number Severity Solution Article(s) Description
1002109-4 1-Blocking   Xen binaries do not follow security best practices
998729 2-Critical   Query for virtual address statistics is slow when there are hundreds of virtual address and address lists entries
980325-4 2-Critical   Chmand core due to memory leak from dossier requests.
942549-3 2-Critical   Dataplane INOPERABLE - Only 7 HSBs found. Expected 8
831549-1 2-Critical   Marketing name does not display properly for BIG-IP i10010 (C127)
767013-3 2-Critical   Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
749332-3 2-Critical   Client-SSL Object's description can be updated using CLI and with REST PATCH operation
730852-3 2-Critical   The tmrouted repeatedly crashes and produces core when new peer device is added
718573-1 2-Critical   Internal SessionDB invalid state
1034449 2-Critical   Large CPU consumption by platform_agent
969105-1 3-Major   HA failover connections via the management address do not work on vCMP guests running on VIPRION
965205-3 3-Major   BIG-IP dashboard downloads unused widgets
958465-3 3-Major   in BIG-IP Virtual Edition, TMM may prematurely shut down during initialization
956293-1 3-Major   High CPU from analytics-related REST calls - Dashboard TMUI
950849-2 3-Major   B4450N blades report page allocation failure.
947529-1 3-Major   Security tab in virtual server menu renders slowly
940885-3 3-Major   Add embedded SR-IOV support for Mellanox CX5 Ex adapter
850193-2 3-Major   Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues
827033-3 3-Major   Boot marker is being logged before shutdown logs
809657-2 3-Major   HA Group score not computed correctly for an unmonitored pool when mcpd starts
787881-2 3-Major   TMSH displays TSIG keys
755027-1 3-Major   Timer processing taking too long
741702-3 3-Major   TMM crash
1024877-1 3-Major   Systemd[]: systemd-ask-password-serial.service failed
1010393-3 3-Major   Unable to relax AS-path attribute in multi-path selection
1009949-1 3-Major   High CPU usage when upgrading from previous version
1008837-3 3-Major   Control plane is sluggish when mcpd processes a query for virtual server and address statistics
898441-4 4-Minor   Enable logging of IKE keys
884165-2 4-Minor   Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG
851393-3 4-Minor   Tmipsecd leaves a zombie rm process running after starting up


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
846217-1 2-Critical   Translucent vlan-groups set local bit in destination MAC address
837617-3 2-Critical   Tmm may crash while processing a compression context
745589-6 2-Critical   In very rare situations, some filters may cause data-corruption.
1008077-4 2-Critical   TMM may crash while processing TCP traffic with a FastL4 VS
997929-4 3-Major   Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic
978833-3 3-Major   Use of CRL-based Certificate Monitoring Causes Memory Leak
969637-3 3-Major   Config may fail to load with "FIPS 140 operations not available on this system" after upgrade
956133-4 3-Major   MAC address might be displayed as 'none' after upgrading
941481-3 3-Major   iRules LX - nodejs processes consuming excessive memory
941257-2 3-Major   Occasional Nitrox3 ZIP engine hang
915773 3-Major   Restart of TMM after stale interface reference
912945-4 3-Major   A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed
910905-2 3-Major   Unexpected tmm core
887965-3 3-Major   Virtual server may stop responding while processing TCP traffic
818833-3 3-Major   TCP re-transmission during SYN Cookie activation results in high latency
778841-2 3-Major   Traffic is not passing in virtual wire when Virtual server type is standard & IP profile is ipother
749608-2 3-Major   HTTP Persistence cookies erroneously sent when cookie persistence turned off
723112-5 3-Major   LTM policies does not work if a condition has more than 127 matches
714372-3 3-Major   Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari
550928-4 3-Major   TMM may crash when processing HTTP traffic with a FastL4 virtual server
1015209-1 3-Major   Memory may be leaked when handling chunked responses
1015201-1 3-Major   HTTP unchunking satellite leaks ERR_MORE_DATA which can cause connection to be aborted.
1004897-3 3-Major   'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason
936773-1 4-Minor   Improve logging for "double flow removal" TMM Oops
753925-1 4-Minor   CLIENTSSL_CLIENTCERT iRule event may not be triggered on TLSv1.3 connections


Performance Fixes

ID Number Severity Solution Article(s) Description
1030665 2-Critical   Apmd crashes during shutdown under certain conditions


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
995853-3 2-Critical   Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error.
850509-3 2-Critical   Zone Trusted Signature inadequately maintained, following change of master key
993489-4 3-Major   GTM daemon leaks memory when reading GTM link objects
937333-4 3-Major   Incomplete validation of input in unspecified forms
864797-1 3-Major   Cached results for a record are sent following region modification
847105-3 3-Major   The bigip_gtm.conf is reverted to default after rebooting with license expired
816277-2 4-Minor   Extremely long nameserver name causes GUI Error


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
997137-4 2-Critical   CSRF token removal may allow WAF bypass on GET requests
996381-4 2-Critical   ASM attack signature may not match as expected
970329-4 2-Critical   ASM hardening
965229-3 2-Critical   ASM Load hangs after upgrade
920197-2 2-Critical   Brute force mitigation can stop mitigating without a notification
964245-3 3-Major   ASM reports and enforces username always
962589-1 3-Major   Full Sync Requests Caused By Failed Relayed Call to delete_suggestion
962497-4 3-Major   BD crash after ICAP response
955017-4 3-Major   Excessive CPU consumption by asm_config_event_handler
954425-3 3-Major   Hardening of Live-Update
951133-1 3-Major   Live Update does not work properly after upgrade
946081-3 3-Major   Getcrc tool help displays directory structure instead of version
932133-3 3-Major   Payloads with large number of elements in XML take a lot of time to process
928717-1 3-Major   [ASM - AWS] - ASU fails to sync
920149-2 3-Major   Live Update default factory file for Server Technologies cannot be reinstalled
914277-4 3-Major   [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU
904133-2 3-Major   Creating a user-defined signature via iControl REST occasionally fails with a 400 response code
867825-2 3-Major   Export/Import on a parent policy leaves children in an inconsistent state
767057-2 3-Major   In a sync-only device group, inactive policy is synced to peer, ASM is removed from virtual server
753715-1 3-Major   False positive JSON max array length violation
712336-1 3-Major   bd daemon restart loop
1022269-3 3-Major   False positive RFC compliant violation
1000741-4 3-Major   Fixing issue with input normalization
952509-1 4-Minor   Cross origin AJAX requests are blocked in case there is no Origin header
944441-3 4-Minor   BD_XML logs memory usage at TS_DEBUG level
941249-4 4-Minor   Improvement to getcrc tool to print cookie names when cookie attributes are involved
746167-1 4-Minor   Memory pressure from nsyncd


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
932137-4 3-Major   AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade
922105-4 3-Major   Avrd core when connection to BIG-IQ data collection device is not available
909161-4 3-Major   A core file is generated upon avrd process restart or stop
1020705-3 4-Minor   tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
789085-2 2-Critical   When executing the ACCESS::session iRule command under a serverside event, tmm may crash
766921-1 2-Critical   Localdbmgr process crashes and generates a core
1020349-1 2-Critical   APM daemon may crash if CRLDP agent cannot find a certificate to validate CRL
984765-4 3-Major   APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)
949477-2 3-Major   NTLM RPC exception: Failed to verify checksum of the packet
946125-1 3-Major   Tmm restart adds 'Revoked' tokens to 'Active' token count
849029-3 3-Major   No configurable setting for maximum entries in CRLDP cache
844781-1 3-Major   [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection
844281-1 3-Major   [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.
803825-3 3-Major   WebSSO does not support large NTLM target info length
744407-3 3-Major   While the client has been closed, iRule function should not try to check on a closed session
1007629-2 3-Major   APM policy configured with many ACL policies can create APM memory pressure
1002557-3 3-Major   Tcl free object list growth
1001041-2 3-Major   Reset cause 'Illegal argument'
939877-2 4-Minor   OAuth refresh token not found


Service Provider Fixes

ID Number Severity Solution Article(s) Description
993913-1 2-Critical   TMM SIGSEGV core in Message Routing Framework
1012721-2 2-Critical   Tmm may crash with SIP-ALG deployment in a particular race condition
996113-4 3-Major   SIP messages with unbalanced escaped quotes in headers are dropped
805821-4 3-Major   GTP log message contains no useful information
1030689-3 3-Major   TMM may consume excessive resources while processing Diameter traffic
1008561-5 3-Major   In very rare condition, BIG-IP may crash when SIP ALG is deployed
919301-4 4-Minor   GTP::ie count does not work with -message option
913413-4 4-Minor   'GTP::header extension count' iRule command returns 0


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
990461-2 3-Major   Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade
744204-1 3-Major   PCCD may exhaust system memory when compiling
1012521-4 3-Major   BIG-IP UI file permissions
926425 4-Minor   Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
913453-3 2-Critical   URL Categorization: wr_urldbd cores while processing urlcat-query
760961-3 2-Critical   TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts
958085-2 3-Major   IM installation fails with error: Spec file not found
785605-2 3-Major   Traffic Intelligence Feed Lists are not usable if created on Standby unit in Traffic Group
974205-2 4-Minor   Unconstrained wr_urldbd size causing box to OOM


Device Management Fixes

ID Number Severity Solution Article(s) Description
970829-4 2-Critical K03310534 iSeries LCD incorrectly displays secure mode
929213-3 3-Major   iAppLX packages not rolled forward after BIG-IP upgrade


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
946185-4 3-Major   Unable to view iApp component due to error 'An error has occurred while trying to process your request.'


In-tmm monitors Fixes

ID Number Severity Solution Article(s) Description
822245-5 4-Minor   Large number of in-TMM monitors results in some monitors being marked down


SSL Orchestrator Fixes

ID Number Severity Solution Article(s) Description
918317-3 3-Major   SSL Orchestrator resets subsequent requests when HTTP services are being used.



Cumulative fixes from BIG-IP v14.1.4.3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
989009-4 CVE-2021-23033 K05314769 BD daemon may crash while processing WebSocket traffic
980125-4 CVE-2021-23030 K42051445 BD Daemon may crash while processing WebSocket traffic
946377-3 CVE-2021-23027 K24301698 HSM WebUI Hardening
968349-1 CVE-2021-23048 K19012930 TMM crashes with unspecified message
950017-3 CVE-2021-23045 K94941221 TMM may crash while processing SCTP traffic
797797-3 CVE-2019-11811 K01512680 CVE-2019-11811 kernel: use-after-free in drivers
968733-5 CVE-2018-1120 K42202505 CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
939421-4 CVE-2020-10029 K38481791 CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow


Functional Change Fixes

ID Number Severity Solution Article(s) Description
876937-1 3-Major   DNS Cache not functioning


TMOS Fixes

ID Number Severity Solution Article(s) Description
967905-3 2-Critical   Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash
1004517-3 2-Critical   BIG-IP tenants on VELOS cannot install EHFs
1000973-2 2-Critical   Unanticipated restart of TMM due to heartbeat failure
998221-4 3-Major   Accessing pool members from configuration utility is slow with large config
996593-3 3-Major   Password change through REST or GUI not allowed if the password is expired
994801-4 3-Major   SCP file transfer system
908601-4 3-Major   System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option
841277-5 3-Major   C4800 LCD fails to load after annunciator hot-swap
804477-4 3-Major   Add HSB register logging when parts of the device becomes unresponsive
819053-2 4-Minor   CVE-2019-13232 unzip: overlapping of files in ZIP container
1004417-1 4-Minor   Provisioning error message during boot up


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
1007505 2-Critical   TLS handshake times out if intermediate CA cert status cannot be determined
1001509-1 2-Critical K11162395 Client going through to BIG-IP SSL forward proxy might not be able to trust forged certificates
882549-3 3-Major   Sock driver does not use multiple queues in unsupported environments
962433-3 4-Minor   HTTP::retry for a HEAD request fails to create new connection


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
1017645-3 2-Critical   False positive HTTP compliance violation
981785-2 3-Major   Incorrect incident severity in Event Correlation statistics


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
833113-3 3-Major   Avrd core when sending large messages via https


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
660913-3 2-Critical   For ActiveSync client type, browscap info provided is incorrect.
924521-1 3-Major   OneConnect does not work when WEBSSO is enabled/configured.
470346-2 3-Major   Some IPv6 client connections get RST when connecting to APM virtual


Service Provider Fixes

ID Number Severity Solution Article(s) Description
991037-1 3-Major   MR::message can cause tmm crash
788625-3 3-Major   A pool member is not marked up by the inband monitor even after successful connection to the pool member


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
874677 2-Critical   Traffic Classification auto signature update fails from GUI
976365-1 3-Major   Traffic Classification hardening


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
795329-2 3-Major   IM installation fails if 'auto-add-new-inspections' enabled on profile


SSL Orchestrator Fixes

ID Number Severity Solution Article(s) Description
947925-4 3-Major   TMM may crash when executing L7 Protocol Lookup per-request policy agent



Cumulative fixes from BIG-IP v14.1.4.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
962341-4 CVE-2021-23028 K00602225 BD crash while processing JSON content
935433-4 CVE-2021-23026 K53854428 iControl SOAP
965485-2 CVE-2019-5482 K41523201 CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL
949889-2 CVE-2019-3900 K04107324 CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()
942701-3 CVE-2021-23044 K35408374 TMM may consume excessive resources while processing HTTP traffic
937365-4 CVE-2021-23041 K42526507 LTM UI does not follow best practices
907245-3 CVE-2021-23040 K94255403 AFM UI Hardening
906377-4 CVE-2021-23038 K61643620 iRulesLX hardening
803933-2 CVE-2018-20843 K51011533 Expat XML parser vulnerability CVE-2018-20843
1003557-4 CVE-2021-23015 K74151369 Not following best practices in Guided Configuration Bundle Install worker


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
1004833-1 1-Blocking   NIST SP800-90B compliance
976505-1 3-Major   Rotated restnoded logs will fail logintegrity verification.
975809-2 3-Major   Rotated restjavad logs fail logintegrity verification.
959629-3 3-Major   Logintegrity script for restjavad/restnoded fails
958353-3 3-Major   Restarting the mcpd messaging service renders the PAYG VE license invalid.
946089-1 3-Major   BIG-IP might send excessive multicast/broadcast traffic.
932497-1 3-Major   Autoscale groups require multiple syncs of datasync-global-dg
913849 3-Major   Syslog-ng periodically logs nothing for 20 seconds
764873-2 3-Major   An accelerated flow may transmit packets to an unavailable pool member.
1009133 3-Major   BIG-IP vCMP guests that have HA Groups configured to include trunk scoring may fail to upgrade properly


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
945997-3 2-Critical   LTM policy applied to HTTP/2 traffic may crash TMM
980821-1 3-Major   Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured.
895557-1 4-Minor   NTLM profile logs error when used with profiles that do redirect
773253-3 4-Minor   The BIG-IP may send VLAN failsafe probes from a disabled blade


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
918597-4 2-Critical   Under certain conditions, deleting a topology record can result in a crash.
717306-1 2-Critical   Added ability to use Vip-targeting-Vip with DNS Cache server-side connections
973261-4 3-Major   GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects
912001-4 3-Major   TMM cores on secondary blades of the Chassis system.
835209-1 3-Major   External monitors mark objects down
746719-1 3-Major   SERVFAIL when attempting to view or edit NS resource records in zonerunner
857953-3 4-Minor   Non-functional disable/enable buttons present in GTM wide IP members page


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
968421-4 2-Critical K30291321 ASM attack signature doesn't matched
943913-4 2-Critical K30150004 ASM attack signature does not match
854001-4 2-Critical   TMM might crash in case of trusted bot signature and API protected url
810497-2 2-Critical   Pabnagd cores during device group settings changes
950917-2 3-Major   Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034
928685-3 3-Major K49549213 ASM Brute Force mitigation not triggered as expected
922261-4 3-Major   WebSocket server messages are logged even it is not configured
912089-3 3-Major   Some roles are missing necessary permission to perform Live Update
907337-4 3-Major   BD crash on specific scenario
888289-3 3-Major   Add option to skip percent characters during normalization
883853-1 3-Major   Bot Defense Profile with staged signatures prevents signature update
881757-2 3-Major   Unnecessary HTML response parsing and response payload is not compressed
846181-1 3-Major   Request samples for some of the learning suggestions are not visible
830341-1 3-Major   False positives Mismatched message key on ASM TS cookie
792341-2 3-Major   Google Analytics shows incorrect stats.
673272-4 3-Major   Search by "Signature ID is" does not return results for some signature IDs
941929-1 4-Minor   Google Analytics shows incorrect stats, when Google link is redirected.
911729-1 4-Minor   Redundant learning suggestion to set a Maximum Length when parameter is already at that value


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
981385-4 3-Major   AVRD does not send HTTP events to BIG-IQ DCD
932485-2 3-Major   Incorrect sum(hits_count) value in aggregate tables
913085-4 3-Major   Avrd core when avrd process is stopped or restarted


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
995029 2-Critical   Configuration is not updated during auto-discovery
783233-2 2-Critical   OAuth puts quotation marks around claim values that are not string type
894885 3-Major   [SAML] SSO crash while processing client SSL request
866109-1 3-Major   JWK keys frequency does not support fewer than 60 minutes
757781-3 3-Major   Portal Access: cookie exchange may be broken sometimes
738865-3 3-Major   MCPD might enter into loop during APM config validation
828773-1 4-Minor   Incomplete response to an internal request by Portal Access
766017-1 4-Minor   [APM][LocalDB] Local user database instance name length check inconsistencies
747234-5 4-Minor   Macro policy does not find corresponding access-profile directly


Service Provider Fixes

ID Number Severity Solution Article(s) Description
974881-1 2-Critical   Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic
868781-2 2-Critical   TMM crashes while processing MRF traffic
989753-3 3-Major   In HA setup, standby fails to establish connection to server


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
992213-1 3-Major   Protocol Any displayed as HOPTOPT in AFM policy view
988005-3 3-Major   Zero active rules counters in GUI
783217-1 3-Major   Negative numbers of received packets in DoS-sampled log messages for bad actor and attacked destination attacks
751116-1 3-Major   DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring
716746-1 3-Major   Possible tmm restart when disabling single endpoint vector while attack is ongoing
685904-2 3-Major   Firewall Rule hit counts are not auto-updated after a Reset is done
977005-2 4-Minor   Network Firewall Policy rules-list showing incorrect 'Any' for source column


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
981693-2 2-Critical   TMM may consume excessive resources while processing IPSec ALG traffic
981689-1 2-Critical   TMM memory leak with IPsec ALG
994985-1 3-Major   CGNAT GUI shows blank page when applying SIP profile


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
893721-1 2-Critical   PEM-provisioned systems may suffer random tmm crashes after upgrading
948573-2 3-Major   Wr_urldbd list of valid TLDs needs to be updated
846601-3 3-Major   Traffic classification does not update when an inactive slot becomes active after upgrade


In-tmm monitors Fixes

ID Number Severity Solution Article(s) Description
912425-1 3-Major   Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash



Cumulative fixes from BIG-IP v14.1.4.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
980809-3 CVE-2021-23031 K41351250 ASM REST Signature Rule Keywords Tool Hardening
990333-4 CVE-2021-23016 K75540265 APM may return unexpected content when processing HTTP requests
945109-4 CVE-2015-9382 K46641512 Freetype Parser Skip Token Vulnerability CVE-2015-9382
1002561-1 CVE-2021-23007 K37451543 TMM vulnerability CVE-2021-23007


Functional Change Fixes

ID Number Severity Solution Article(s) Description
933777-2 3-Major   Context use and syntax changes clarification
704552-2 3-Major   Support for ONAP site licensing
918097-1 4-Minor   Cookies set in the URI on Safari


TMOS Fixes

ID Number Severity Solution Article(s) Description
995629-2 2-Critical   Loading UCS files may hang if ASM is provisioned
876957-2 2-Critical   Reboot after tmsh load sys config changes sys FPGA firmware-config value
978393 3-Major   GUI screen shows blank screen while importing a certificate
969213-2 3-Major   VMware: management IP cannot be customized via net.mgmt.addr property
922297-3 3-Major   TMM does not start when using more than 11 interfaces with more than 11 vCPUs
914245-1 3-Major   Reboot after tmsh load sys config changes sys FPGA firmware-config value
841649-2 3-Major   Hardware accelerated connection mismatch resulting in tmm core
839121-1 3-Major K74221031 A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade
829821-3 3-Major   Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured
692218-3 3-Major   Audit log messages sent from the primary blade to the secondaries should not be logged.
675911-13 3-Major K13272442 Different sections of the GUI can report incorrect CPU utilization
601220-3 3-Major   Multi-blade trunks seem to leak packets ingressed via one blade to a different blade
569859-5 3-Major   Password policy enforcement for root user when mcpd is not available
879189-3 4-Minor   Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section
658943-2 4-Minor   Errors when platform-migrate loading UCS using trunks on vCMP guest
440599-1 4-Minor   Added DB Variable to configure 'difok' variable in password policy


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
908621-3 2-Critical   Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core
738964-2 2-Critical   Instruction logger debugging enhancement
888517-3 3-Major   Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.
878925-3 3-Major   SSL connection mirroring failover at end of TLS handshake
760406-3 3-Major   HA connection might stall on Active device when the SSL session cache becomes out-of-sync
756812-2 3-Major   Nitrox 3 instruction/request logger may fail due to SELinux permission error
756817-1 4-Minor   ZebOS addresses blocks do not reflect RFC5735 changes to reserved address blocks.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
971297-3 3-Major   DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade
885201-3 4-Minor   BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"'messages appearing in gtm log


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
956373-3 3-Major   ASM sync files not cleaned up immediately after processing
947341-3 3-Major   MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files.
929001-4 3-Major K48321015 ASM form handling improvements
767077-1 3-Major   Loading truncated Live Update file (ASU) completes incorrectly or fails with odd error
824093-3 4-Minor   Parameters payload parser issue


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
869049-2 3-Major   Charts discrepancy in AVR reports


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
883577-2 3-Major   ACCESS::session irule command does not work in HTTP_RESPONSE event


Service Provider Fixes

ID Number Severity Solution Article(s) Description
750679-1 2-Critical   Tmm crash on standby device and Diameter stats issues
982869-3 3-Major   With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0
977053-3 3-Major   TMM crash on standby due to invalid MR router instance
966701-3 3-Major   Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
851745-1 2-Critical   High cpu consumption due when enabling large number of virtual servers


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
914293-1 3-Major   TMM SIGSEGV and crash


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
964577-1 4-Minor   IPS automatic IM download not working as expected



Cumulative fixes from BIG-IP v14.1.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
975233-3 CVE-2021-22992 K52510511 Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992
973333-3 CVE-2021-22991 K56715231 TMM buffer-overflow vulnerability CVE-2021-22991
955145-3 CVE-2021-22986 K03009991 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
954381-3 CVE-2021-22986 K03009991 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
953677-3 CVE-2021-22987, CVE-2021-22988 K18132488 K70031188 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
951705-3 CVE-2021-22986 K03009991 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
981169-3 CVE-2021-22994 K66851119 F5 TMUI XSS vulnerability CVE-2021-22994
959121-2 CVE-2021-23015 K74151369 Not following best practices in Guided Configuration Bundle Install worker
953729-3 CVE-2021-22989, CVE-2021-22990 K56142644 K45056101 Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990
949933-2 CVE-2021-22980 K29282483 BIG-IP APM CTU vulnerability CVE-2021-22980
931837-5 CVE-2020-13817 K55376430 NTP has predictable timestamps
882633-4 CVE-2021-23008 K51213246 Active Directory authentication does not follow current best practices
976925-3 CVE-2021-23002 K71891773 BIG-IP APM VPN vulnerability CVE-2021-23002
954429-3 CVE-2021-23014 K23203045 User authorization changes for live update
948769-4 CVE-2021-23013 K05300051 TMM panic with SCTP traffic
946581-3 CVE-2020-27713 K37960100 TMM vulnerability CVE-2020-27713
938233-3 CVE-2021-23042 K93231374 An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization
937637-4 CVE-2021-23002 K71891773 BIG-IP APM VPN vulnerability CVE-2021-23002
935401-4 CVE-2021-23001 K06440657 BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001
932697-2 CVE-2021-23000 K34441555 BIG-IP TMM vulnerability CVE-2021-23000
903889 CVE-2021-22999 K02333782 BIG-IP HTTP/2 vulnerability CVE-2021-22999
877109-3 CVE-2021-23012 K04234247 Unspecified input can break intended functionality in iHealth proxy
743105-4 CVE-2021-22998 K31934524 BIG-IP SNAT vulnerability CVE-2021-22998
718189-7 CVE-2021-23011 K10751325 Unspecified IP traffic can cause low-memory conditions


Functional Change Fixes

ID Number Severity Solution Article(s) Description
912289-3 2-Critical   Cannot roll back after upgrading on certain platforms
913829-3 3-Major   i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence
867793-3 3-Major   BIG-IP sending the wrong trap code for BGP peer state
794417-1 3-Major   Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not
742860-3 3-Major   VE: Predictable NIC ordering based on PCI coordinates until ordering is saved.
719338-2 4-Minor   Concurrent management SSH connections are unlimited


TMOS Fixes

ID Number Severity Solution Article(s) Description
990849-3 2-Critical   Loading UCS with platform-migrate option hangs and requires exiting from the command
940021-2 2-Critical   Syslog-ng hang may lead to unexpected reboot
932437-4 2-Critical   Loading SCF file does not restore files from tar file
915305-3 2-Critical   Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded
908517-1 2-Critical   LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)'
888341-5 2-Critical   HA Group failover may fail to complete Active/Standby state transition
886693-2 2-Critical   System may become unresponsive after upgrading
817085-4 2-Critical   Multicast Flood Can Cause the Host TMM to Restart
811973-2 2-Critical   TMM may crash when shutting down
797221-1 2-Critical   BCM daemon can be killed by watchdog timeout during blade-to-blade failover
785017-1 2-Critical   Secondary blades go offline after new primary is elected
776393-2 2-Critical   Restjavad restarts frequently due to insufficient memory with relatively large configurations
751991-1 2-Critical   BIOS update fails with "flashrom not safe for BIOS updates yet" log message
739507-1 2-Critical   Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check
739505-2 2-Critical   Automatic ISO digital signature checking not required when FIPS license active
973201 3-Major   F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions
967745-2 3-Major   Last resort pool error for the modify command for Wide IP
963017-3 3-Major   The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed
946745-3 3-Major   'System Integrity: Invalid' after Engineering Hotfix installation
945265-3 3-Major   BGP may advertise default route with incorrect parameters
943793 3-Major   Neurond continuously restarting
939541-3 3-Major   TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE
930905-1 3-Major   Management route lost after reboot.
927941-3 3-Major   IPv6 static route BFD does not come up after OAMD restart
914081-3 3-Major   Engineering Hotfixes missing bug titles
913433-1 3-Major   On blade failure, some trunked egress traffic is dropped.
909197-5 3-Major   The mcpd process may become unresponsive
904785-3 3-Major   Remotely authenticated users may experience difficulty logging in over the serial console
896817-4 3-Major   iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb
896553-2 3-Major   On blade failure, some trunked egress traffic is dropped.
895837-1 3-Major   Mcpd crash when a traffic-matching-criteria destination-port-list is modified
893949 3-Major   Support TCP directional offload for hardware-accelerated connections
893885 3-Major   The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation
891337-3 3-Major   'save_master_key(master): Not ready to save yet' errors in the logs
889029-4 3-Major   Unable to login if LDAP user does not have search permissions
879829-3 3-Major   HA daemon sod cannot bind to ports numbered lower than 1024
876805-1 3-Major   Modifying address-list resets the route advertisement on virtual servers.
862937-2 3-Major   Running cpcfg after first boot can result in daemons stuck in restart loop
838901-2 3-Major   TMM receives invalid rx descriptor from HSB hardware
830413-4 3-Major   Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure
820845-2 3-Major   Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.
814053-2 3-Major   Under heavy load, bcm56xxd can be killed by the watchdog
803237-4 3-Major   PVA does not validate interface MTU when setting MSS
799001-3 3-Major   Sflow agent does not handle disconnect from SNMPD manager correctly
787885-1 3-Major   The device status is falsely showing as forced offline on the network map while actual device status is not.
759596-2 3-Major   Tcl errors in iRules 'table' command
754132-2 3-Major   A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command
751448-1 3-Major   TMM, ZebOS, and Linux routing table may lose dynamic routes on a tmm restart
751021-1 3-Major   One or more TMM instances may be left without dynamic routes.
750194-4 3-Major   Moderate: net-snmp security update
749007-2 3-Major   South Sudan, Sint Maarten, and Curacao country missing in GTM region list
744252-2 3-Major   BGP route map community value: either component cannot be set to 65535
719555-5 3-Major   Interface listed as 'disable' after SFP insertion and enable
661640-1 3-Major   Improve fast failover of PIM-based multicast traffic when BIG-IP is deployed as an Active/Standby high availability (HA) pair.
615934-4 3-Major   Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
966277-3 4-Minor   BFD down on multi-blade system
959889-1 4-Minor   Cannot update firewall rule with ip-protocol property as 'any'
947865-3 4-Minor   Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read
774617-1 4-Minor   SNMP daemon reports integer truncation error for values greater than 32 bits


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
926929-2 1-Blocking   RFC Compliance Enforcement lacks configuration availability
910653-3 2-Critical   iRule parking in clientside/serverside command may cause tmm restart
889209-1 2-Critical   Sflow receiver configuration may lead to egress traffic dropped after TMM starts.
882157-2 2-Critical   One thread of pkcs11d consumes 100% without any traffic.
876801-3 2-Critical   Tmm crash: invalid route type
812525-3 2-Critical K27551003 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
968641-1 3-Major   Fix for zero LACP priority
965537 3-Major   SSL filter does not re-initialize when OCSP validator is modified
953845-4 3-Major   After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart
944641-3 3-Major   HTTP2 send RST_STREAM when exceeding max streams
940209-1 3-Major   Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout.
932033-1 3-Major   Chunked response may have DATA frame with END_STREAM prematurely
928857-3 3-Major   Use of OCSP responder may leak X509 store instances
928805-3 3-Major   Use of OCSP responder may cause memory leakage
928789-3 3-Major   Use of OCSP responder may leak SSL handshake instances
921881-4 3-Major   Use of IPFIX log destination can result in increased CPU utilization
892941-4 3-Major K20105555 F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)
889601-1 3-Major K14903688 OCSP revocation not properly checked
889165-1 3-Major   "http_process_state_cx_wait" errors in log and connection reset
868209-1 3-Major   Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection
858701-3 3-Major   Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x
858301-3 3-Major K27551003 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
858297-3 3-Major K27551003 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
858289-3 3-Major K27551003 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
858285-3 3-Major K27551003 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
845333-3 3-Major   An iRule with a proc referencing a datagroup cannot be assigned to Transport Config
825689-3 3-Major   Enhance FIPS crypto-user storage
818109-3 3-Major   Certain plaintext traffic may cause SSL Orchestrator to hang
795501-3 3-Major   Possible SSL crash during config sync
790845-2 3-Major   An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default
785877-2 3-Major   VLAN groups do not bridge non-link-local multicast traffic.
767341-3 3-Major   If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.
758099-1 3-Major   TMM may crash in busy environment when handling HTTP responses
757442-2 3-Major   A missed SYN cookie check causes crash at the standby TMM in HA mirroring system
753383-4 3-Major   Deadlock While Attaching NDAL Devices
719304-1 3-Major   Inconsistent node ICMP monitor operation for IPv6 nodes
714642-4 3-Major   Ephemeral pool-member state on the standby is down
962177-3 4-Minor   Results of POLICY::names and POLICY::rules commands may be incorrect
804157-1 4-Minor   ICMP replies are forwarded with incorrect checksums causing them to be dropped
772297-2 4-Minor   LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade
748333-4 4-Minor   DHCP Relay does not retain client source IP address for chained relay mode
743253-3 4-Minor   TSO in software re-segments L3 fragments.
738032-1 4-Minor   BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
960749-3 1-Blocking   TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic
933405-3 1-Blocking K34257075 Zonerunner GUI hangs when attempting to list Resource Records
960437-3 2-Critical   The BIG-IP system may initially fail to resolve some DNS queries
905557-6 2-Critical   Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure
921625-4 3-Major   The certs extend function does not work for GTM/DNS sync group
891093-3 3-Major   iqsyncer does not handle stale pidfile
858973-3 3-Major   DNS request matches less specific WideIP when adding new wildcard wideips
885869-4 4-Minor   Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime
853585-2 4-Minor   REST Wide IP object presents an inconsistent lastResortPool value


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
846057-2 2-Critical   UCS backup archive may include unnecessary files
960369-3 3-Major   Negative value suggested in Traffic Learning as max value
941621-3 3-Major K91414704 Brute Force breaks server's Post-Redirect-Get flow
929077-1 3-Major   Bot Defense allow list does not apply when using default Route Domain and XFF header
921677-4 3-Major   Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI.
904053-4 3-Major   Unable to set ASM Main Cookie/Domain Cookie hashing to Never
867373-2 3-Major   Methods Missing From ASM Policy
864677-3 3-Major   ASM causes high mcpd CPU usage
964897-4 4-Minor   Live Update - Indication of "Update Available" when there is no available update
935293-3 4-Minor   'Detected Violation' Field for event logs not showing
922785-4 4-Minor   Live Update scheduled installation is not installing on set schedule
767941-1 4-Minor   Gracefully handle policy builder errors
758336-3 4-Minor   Incorrect recommendation in Online Help of Proactive Bot Defense


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
965581 2-Critical   Statistics are not reported to BIG-IQ
949593-2 3-Major   Unable to load config if AVR widgets were created under '[All]' partition
743826-1 3-Major   Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0)
648242-4 3-Major K73521040 Administrator users unable to access all partition via TMSH for AVR reports


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
894565-2 2-Critical   Autodosd.default crash with SIGFPE
976501-3 3-Major   Failed to establish VPN connection
952557-1 3-Major   Azure B2C Provider OAuth URLs are updated for B2Clogin.com
925573-3 3-Major   SIGSEGV: receiving a sessiondb callback response after the flow is aborted
916969-2 3-Major   Support of Microsoft Identity 2.0 platform
892937-4 3-Major K20105555 F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)
850277-3 3-Major   Memory leak when using OAuth
774301-4 3-Major   Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList
709126-1 3-Major   Localdb authentication may fail
833049-2 4-Minor   Category lookup tool in GUI may not match actual traffic categorization


Service Provider Fixes

ID Number Severity Solution Article(s) Description
952545-3 3-Major   'Current Sessions' statistics of HTTP2 pool may be incorrect
939529-3 3-Major   Branch parameter not parsed properly when topmost via header received with comma separated values
913373-3 3-Major   No connection error after failover with MRF, and no connection mirroring


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
969509-3 3-Major   Possible memory corruption due to DOS vector reset
965617-1 3-Major   HSB mitigation is not applied on BDoS signature with stress-based mitigation mode
963237-1 3-Major   Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector.
910417-3 3-Major   TMM core may be seen when reattaching a vector to a DoS profile
903561-2 3-Major   Autodosd returns small bad destination detection value when the actual traffic is high
887017-2 3-Major   The dwbld daemon consumes a large amount of memory
840809-1 3-Major   If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged
837233-1 3-Major   Application Security Administrator user role cannot use GUI to manage DoS profile
819321-1 3-Major   DoS stats table shows drops count on tcp-half-open global vector for packets dropped by ltm syn cookie
789857-1 3-Major   "TCP half open' reports drops made by LTM syn-cookies mitigation.
773773-2 3-Major   DoS auto-threshold detection values are not reloaded correctly after a reboot.
760497-1 3-Major   Invalid configuration parameters are visible when Dos Vector is in "Auto Detection/Multiplier Based Mitigation"
759004-2 3-Major   Autodosd history files not loaded correctly after software upgrade
753141-2 3-Major   Hardware returning incorrect type of entry when notifying software might cause tmm crash
686043-1 3-Major   dos.maxicmpframesize and dos.maxicmp6framesize sys db variables does not work for fragmented ICMP packets
967889-2 4-Minor   Incorrect information for custom signature in DoS Protection:DoS Overview (non-http)
748561-1 4-Minor   Network Firewall : Active Rules page does not list active rule entries for firewall policies associated with any context


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
845313 2-Critical   Tmm crash under heavy load
941169-1 3-Major   Subscriber Management is not working properly with IPv6 prefix flows.
875401-3 3-Major   PEM subcriber lookup can fail for internet side new connections
842989-7 3-Major   PEM: tmm could core when running iRules on overloaded systems


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
928553-1 2-Critical   LSN64 with hairpinning can lead to a tmm core in rare circumstances
966681-2 3-Major   NAT translation failures while using SP-DAG in a multi-blade chassis


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
943889-1 2-Critical   Reopening the publisher after a failed publishing attempt


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
932737-1 2-Critical   DNS & BADOS high-speed logger messages are mixed
922597-1 3-Major   BADOS default sensitivity of 50 creates false positive attack on some sites
915489-1 4-Minor   LTM Virtual Server Health is not affected by iRule Requests dropped


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
768085-3 4-Minor   Error in python script /usr/libexec/iAppsLX_save_pre line 79


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
964585-4 3-Major   "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update
825501-1 3-Major   IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.



Cumulative fixes from BIG-IP v14.1.3.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
950077-3 CVE-2021-22987, CVE-2021-22988 K18132488 K70031188 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
943125-3 CVE-2021-23010 K18570111 ASM bd may crash while processing WebSocket traffic
941449-4 CVE-2021-22993 K55237223 BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993
935029-1 CVE-2020-27720 K04048104 TMM may crash while processing IPv6 NAT traffic
932065-3 CVE-2021-22978 K87502622 iControl REST vulnerability CVE-2021-22978
931513-2 CVE-2021-22977 K14693346 TMM vulnerability CVE-2021-22977
928321-3 CVE-2020-27719 K19166530 K19166530: XSS vulnerability CVE-2020-27719
921337-3 CVE-2021-22976 K88230177 BIG-IP ASM WebSocket vulnerability CVE-2021-22976
917509-5 CVE-2020-27718 K58102101 BIG-IP ASM vulnerability CVE-2020-27718
916821-4 CVE-2021-22974 K68652018 iControl REST vulnerability CVE-2021-22974
908673-3 CVE-2020-27717 K43850230 TMM may crash while processing DNS traffic
904165-3 CVE-2020-27716 K51574311 BIG-IP APM vulnerability CVE-2020-27716
882189-5 CVE-2020-5897 K20346072 BIG-IP Edge Client for Windows vulnerability CVE-2020-5897
882185-5 CVE-2020-5897 K20346072 BIG-IP Edge Client Windows ActiveX
881317-4 CVE-2020-5896 K15478554 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896
881293-5 CVE-2020-5896 K15478554 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896
754855-2 CVE-2020-27714 K60344652 TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile
939845-3 CVE-2021-23004 K31025212 BIG-IP MPTCP vulnerability CVE-2021-23004
939841-3 CVE-2021-23003 K43470422 BIG-IP MPTCP vulnerability CVE-2021-23003
928037-3 CVE-2020-27729 K15310332 APM Hardening
919841-1 CVE-2020-27728 K45143221 AVRD may crash while processing Bot Defense traffic
912969-4 CVE-2020-27727 K50343630 iAppsLX REST vulnerability CVE-2020-27727
905125-3 CVE-2020-27726 K30343902 Security hardening for APM Webtop
904937-4 CVE-2020-27725 K25595031 Excessive resource consumption in zxfrd
898949-3 CVE-2020-27724 K04518313 APM may consume excessive resources while processing VPN traffic
881445-5 CVE-2020-5898 K69154630 BIG-IP Edge Client for Windows vulnerability CVE-2020-5898
880361-3 CVE-2021-22973 K13323323 iRules LX vulnerability CVE-2021-22973
842829-3 CVE-2018-16300 CVE-2018-14881 CVE-2018-14882 CVE-2018-16230 CVE-2018-16229 CVE-2018-16227 CVE-2019-15166 CVE-2018-16228 CVE-2018-16451 CVE-2018-16452 CVE-2018-10103 CVE-2018-10105 CVE-2018-14468 K04367730 Multiple tcpdump vulnerabilities
842717-4 CVE-2020-5855 K55102004 BIG-IP Edge Client for Windows vulnerability CVE-2020-5855
832757-5 CVE-2017-18551 K48073202 Linux kernel vulnerability CVE-2017-18551
831777-3 CVE-2020-27723 K42933418 Tmm crash in Ping access use case
811965-2 CVE-2020-27722 K73657294 Some VDI use cases can cause excessive resource consumption
778049-4 CVE-2018-13405 K00854051 Linux Kernel Vulnerability: CVE-2018-13405
693360-4 CVE-2020-27721 K52035247 A virtual server status changes to yellow while still available
852929-7 CVE-2020-5920 K25160703 AFM WebUI Hardening
825413-2 CVE-2021-23053 K36942191 ASM may consume excessive resources when matching signatures
818213-2 CVE-2019-10639 K32804955 CVE-2019-10639: KASLR bypass using connectionless protocols
773693-5 CVE-2020-5892 K15838353 CVE-2020-5892: APM Client Vulnerability
834533-2 CVE-2019-15916 K57418558 Linux kernel vulnerability CVE-2019-15916


Functional Change Fixes

ID Number Severity Solution Article(s) Description
920961-3 3-Major   Devices incorrectly report 'In Sync' after an incremental sync
756139-1 3-Major   Inconsistent logging of hostname files when hostname contains periods
921421-1 4-Minor   iRule support to get/set UDP's Maximum Buffer Packets


TMOS Fixes

ID Number Severity Solution Article(s) Description
809553 1-Blocking   ONAP Licensing - Cipher negotiation fails
957337-4 2-Critical   Tab complete in 'mgmt' tree is broken
954025 2-Critical   "switchboot -b HD1.1" fails to reboot chassis
933409-4 2-Critical   Tomcat upgrade via Engineering Hotfix causes live-update files removal
927033-1 2-Critical   Installer fails to calculate disk size of destination volume
910201-1 2-Critical   OSPF - SPF/IA calculation scheduling might get stuck infinitely
896217-4 2-Critical   BIG-IP GUI unresponsive
860517-3 2-Critical   MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
829277-1 2-Critical   A Large /config folder can cause memory exhaustion during live-install
796601-4 2-Critical   Invalid parameter in errdefsd while processing hostname db_variable
787285 2-Critical   Configuration fails to load after install of v14.1.0 or v14.1.2 on BIG-IP 800
770989 2-Critical   Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x.
769817-3 2-Critical   BFD fails to propagate sessions state change during blade restart
706521-4 2-Critical K21404407 The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password
934941-3 3-Major   Platform FIPS power-up self test failures not logged to console
930741-1 3-Major   Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot
920301-2 3-Major   Unnecessarily high number of JavaScript Obfuscator instances when device is busy
915825-4 3-Major   Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
915497-3 3-Major   New Traffic Class Page shows multiple question marks.
911809-1 3-Major   TMM might crash when sending out oversize packets.
908021-2 3-Major   Management and VLAN MAC addresses are identical
904845-3 3-Major   VMware guest OS customization works only partially in a dual stack environment.
902401-3 3-Major   OSPFd SIGSEGV core when 'ospf clear' is done on remote device
898705-3 3-Major   IPv6 static BFD configuration is truncated or missing
898461-4 3-Major   Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'
889041-1 3-Major   Failover scripts fail to access resolv.conf due to permission issues
886689-4 3-Major   Generic Message profile cannot be used in SCTP virtual
867181-3 3-Major   ixlv: double tagging is not working
865241-3 3-Major   Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"
865177-2 3-Major   Cert-LDAP returning only first entry in the sequence that matches san-other oid
860317-1 3-Major   JavaScript Obfuscator can hang indefinitely
851733-1 3-Major   Tcpdump messages (warning, error) are sent to stdout instead of stderr
850777-1 3-Major   BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config
846441-1 3-Major   Flow-control is reset to default for secondary blade's interface
846137-3 3-Major   The icrd returns incorrect route names in some cases
843597-3 3-Major   Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle
829193-2 3-Major   REST system unavailable due to disk corruption
826905-1 3-Major   Host traffic via IPv6 route pool uses incorrect source address
806073-3 3-Major   MySQL monitor fails to connect to MySQL Server v8.0
795649-3 3-Major   Loading UCS from one iSeries model to another causes FPGA to fail to load
788577-4 3-Major   BFD sessions may be reset after CMP state change
783113-4 3-Major   BGP sessions remain down upon new primary slot election
767737-2 3-Major   Timing issues during startup may make an HA peer stay in the inoperative state
755197-3 3-Major   UCS creation might fail during frequent config save transactions
754971-2 3-Major   OSPF inter-process redistribution might break OSPF route redistribution of various types.
751584-1 3-Major   Custom MIB actions can be blocked by SELINUX permissions
740589-1 3-Major   Mcpd crash with core after 'tmsh edit /sys syslog all-properties'
737098-2 3-Major   ASM Sync does not work when the configsync IP address is an IPv6 address
652502-3 3-Major   snmpd returns 'No Such Object available' for ltm OIDs
933461-3 4-Minor   BGP multi-path candidate selection does not work properly in all cases.
924429-3 4-Minor   Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values
892677-4 4-Minor   Loading config file with imish adds the newline character
882713-1 4-Minor   BGP SNMP trap has the wrong sysUpTime value
864757-2 4-Minor   Traps that were disabled are enabled after configuration save
722230-3 4-Minor   Cannot delete FQDN template node if another FQDN node resolves to same IP address
591732-5 4-Minor   Local password policy not enforced when auth source is set to a remote type.
583084-8 4-Minor K15101680 iControl produces 404 error while creating records successfully
849085-3 5-Cosmetic   Lines with only asterisks filling message and user.log file


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
941089 2-Critical   TMM core when using Multipath TCP
911041-2 2-Critical   Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash
891849-2 2-Critical   Running iRule commands while suspending iRule commands that are running can lead to a crash
879409-2 2-Critical   TMM core with mirroring traffic due to unexpected interface name length
851857-3 2-Critical   HTTP 100 Continue handling does not work when it arrives in multiple packets
851345-2 2-Critical   The TMM may crash in certain rare scenarios involving HTTP/2
850873-1 2-Critical   LTM global SNAT sets TTL to 255 on egress.
824881-2 2-Critical   A rare TMM crash cause by the fix for ID 816625
811161-1 2-Critical   Tmm crash SIGSEGV - virtual_address_update() in ../mcp/db_vip.c:1992
766509-1 2-Critical   Strict internal checking might cause tmm crash
705768-1 2-Critical   The dynconfd process may core and restart with multiple DNS name servers configured
951033-2 3-Major   Virtual server resets all the connections for rstcause 'VIP disabled (administrative)'
949145-4 3-Major   Improve TCP's response to partial ACKs during loss recovery
948757-3 3-Major   A snat-translation address responds to ARP requests but not to ICMP ECHO requests.
915689-4 3-Major   HTTP/2 dynamic header table may fail to identify indexed headers on the response side.
915605-1 3-Major K56251674 Image install fails if iRulesLX is provisioned and /usr mounted read-write
913249-4 3-Major   Restore missing UDP statistics
901929-4 3-Major   GARPs not sent on virtual server creation
892385-2 3-Major   HTTP does not process WebSocket payload when received with server HTTP response
879413-3 3-Major   Statsd fails to start if one or more of its *.info files becomes corrupted
862597-5 3-Major   Improve MPTCP's SYN/ACK retransmission handling
860005-3 3-Major   Ephemeral nodes/pool members may be created for wrong FQDN name
857845-6 3-Major   TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule
851477-3 3-Major   Memory allocation failures during proxy initialization are ignored leading to TMM cores
851045-3 3-Major   LTM database monitor may hang when monitored DB server goes down
850145-3 3-Major   Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed
823921-2 3-Major   FTP profile causes memory leak
820333-3 3-Major   LACP working member state may be inconsistent when blade is forced offline
819329-2 3-Major   Specific FIPS device errors will not trigger failover
818853-3 3-Major   Duplicate MAC entries in FDB
809701-2 3-Major   Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist
805017-2 3-Major   DB monitor marks pool member down if no send/recv strings are configured
803233-3 3-Major   Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
796993-1 3-Major   Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
787853-2 3-Major   BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps.
786517-3 3-Major   Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
783617-1 3-Major   Virtual server resets connections when all pool members are marked disabled
776229-2 3-Major   iRule 'pool' command no longer accepts pool members with ports that have a value of zero
759480-3 3-Major   HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash
759056-2 3-Major   stpd memory leak on secondary blades in a multi-blade system
753805-3 3-Major   BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.
753594-2 3-Major   In-TMM monitors may have duplicate instances or stop monitoring
750278-4 3-Major K25165813 A sub-second timeout for the SSL alert-timeout option may be desirable in certain cases
745682-1 3-Major   Failed to parse X-Forwarded-For header in HTTP requests
724824-3 3-Major   Ephemeral nodes on peer devices report as unknown and unchecked after full config sync
722707-2 3-Major   mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
720440-4 3-Major   Radius monitor marks pool members down after 6 seconds
718790-1 3-Major   Virtual Server reports unavailable and resets connection erroneously
710930-3 3-Major   Enabling BigDB key bigd.tmm may cause SSL monitors to fail
935593-3 4-Minor   Incorrect SYN re-transmission handling with FastL4 timestamp rewrite
932937-3 4-Minor   HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.
895153-2 4-Minor   HTTP::has_responded returns incorrect values when using HTTP/2
895141 4-Minor   HTTP::has_responded returns incorrect values when using HTTP/2
822025-2 4-Minor   HTTP response not forwarded to client during an early response
808409-3 4-Minor   Unable to specify if giaddr will be modified in DHCP relay chain
801705-4 4-Minor   When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC
781225-2 4-Minor   HTTP profile Response Size stats incorrect for keep-alive connections
726983-2 4-Minor   Inserting multi-line HTTP header not handled correctly
859717-3 5-Cosmetic   ICMP-limit-related warning messages in /var/log/ltm


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
919553-3 2-Critical   GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.
837637-2 2-Critical K02038650 Orphaned bigip_gtm.conf can cause config load failure after upgrading
788465-2 2-Critical   DNS cache idx synced across HA group could cause tmm crash
926593-3 3-Major   GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'
852101-3 3-Major   Monitor fails.
844689-3 3-Major   Possible temporary CPU usage increase with unusually large named.conf file
781829-1 3-Major   GTM TCP monitor does not check the RECV string if server response string not ending with \n
644192-4 3-Major K23022557 Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
940249-3 2-Critical   Sensitive data is not masked after "Maximum Array/Object Elements" is reached
927617-3 2-Critical   'Illegal Base64 value' violation is detected for cookies that have a valid base64 value
941853-2 3-Major   Logging Profiles do not disassociate from virtual server when multiple changes are made
940897-2 3-Major   Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached
893061-1 3-Major   Out of memory for restjavad
884425-1 3-Major   Creation of new allowed HTTP URL is not possible
868053-1 3-Major   Live Update service indicates update available when the latest update was already installed


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
910097-3 2-Critical   Changing per-request policy while tmm is under traffic load may drop heartbeats
896709-2 2-Critical   Add support for Restart Desktop for webtop in VMware VDI
760130-3 2-Critical   [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK
748572-2 2-Critical   Occasionally ramcache might crash when data is sent without the corresponding event.
924929-1 3-Major   Logging improvements for VDI plugin
914649-2 3-Major   Support USB redirection through VVC (VMware virtual channel) with BlastX
771961-1 3-Major   While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core
760629-3 3-Major   Remove Obsolete APM keys in BigDB
759356-2 3-Major   Access session data cache might leak if there are multiple TMMs
747020-1 3-Major   Requests that evaluate to same subsession can be processed concurrently
739570-3 3-Major   Unable to install EPSEC package


Service Provider Fixes

ID Number Severity Solution Article(s) Description
904373-1 3-Major   MRF GenericMessage: Implement limit to message queues size
891385-4 3-Major   Add support for URI protocol type "urn" in MRF SIP load balancing
924349-1 4-Minor   DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
938165-2 2-Critical   TMM Core after attempted update of IP geolocation database file
747225-1 2-Critical   PCCD may get into crash-loop after BIG-IP upgrade or after BIG-IP restart
872645 3-Major   Protected Object Aggregate stats are causing elevated CPU usage
813301 3-Major   LSN_PB_UPDATE logs are not generated when subscriber info changes
781425 3-Major   Firewall rule list configuration causes config load failure
920361-4 4-Minor   Standby device name sent in Traffic Statistics syslog/Splunk messages


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
783289-1 2-Critical   PEM actions not applied in VE bigTCP.


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
815001-1 2-Critical   TMM Crash with inbound traffic during high availability (HA) failover


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
940401-3 5-Cosmetic   Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
944785-1 3-Major   Admd restarting constantly. Out of memory due to loading malformed state file
923125-1 3-Major   Huge amount of admd processes caused oom
818465-2 3-Major   Unnecessary memory allocation in AVR module


Device Management Fixes

ID Number Severity Solution Article(s) Description
767613-2 3-Major   Restjavad can keep partially downloaded files open indefinitely



Cumulative fixes from BIG-IP v14.1.3 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
928029 2-Critical   Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis
905849 3-Major   FastL4 UDP flows might not get offloaded to hardware
829317-6 3-Major   Memory leak in icrd_child due to concurrent REST usage


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
943101 2-Critical   Tmm crash in cipher group delete.
934461 2-Critical   Connection error with server with TLS1.3 single-dh-use.
915957 2-Critical   The wocplugin may get into a restart loop when AAM is provisioned
939209-3 3-Major   FIPS 140-2 SP800-56Arev3 compliance
930385 3-Major   SSL filter does not re-initialize when an OCSP object is modified
921721-2 3-Major   FIPS 140-2 SP800-56Arev3 compliance
809597-3 3-Major   Memory leak in icrd_child observed during REST usage
629787-1 3-Major   vCMP hypervisor version mismatch may cause connection mirroring problems.


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
934393 1-Blocking   APM authentication fails due to delay in sessionDB readiness


Service Provider Fixes

ID Number Severity Solution Article(s) Description
697331-3 3-Major   Some TMOS tools for querying various DBs fail when only a single TMM is running


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
892621-2 3-Major   Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software


SSL Orchestrator Fixes

ID Number Severity Solution Article(s) Description
927993-4 1-Blocking K97501254 Built-in SSL Orchestrator RPM installation failure



Cumulative fixes from BIG-IP v14.1.2.8 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
935721-4 CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 K82252291 ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624
933741-4 CVE-2021-22979 K63497634 BIG-IP FPS XSS vulnerability CVE-2021-22979
911761-4 CVE-2020-5948 K42696541 F5 TMUI XSS vulnerability CVE-2020-5948
879745-1 CVE-2020-5942 K82530456 TMM may crash while processing Diameter traffic
917469-4 CVE-2020-5946 K53821711 TMM may crash while processing FPS traffic
910017-4 CVE-2020-5945 K21540525 Security hardening for the TMUI Interface page
907201-1 CVE-2021-23039 K66782293 TMM may crash when processing IPSec traffic
889557-2 CVE-2019-11358 K20455158 jQuery Vulnerability CVE-2019-11358
870273-3 CVE-2020-5936 K44020030 TMM may consume excessive resources when processing SSL traffic
856961-2 CVE-2018-12207 K17269881 INTEL-SA-00201 MCE vulnerability CVE-2018-12207
751036-1 CVE-2020-27721 K52035247 Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
818177-4 CVE-2019-12295 K06725231 CVE-2019-12295 Wireshark Vulnerability
717276-7 CVE-2020-5930 K20622530 TMM Route Metrics Hardening
858537-3 CVE-2019-1010204 K05032915 CVE-2019-1010204: Binutilis Vulnerability


Functional Change Fixes

ID Number Severity Solution Article(s) Description
890229-3 3-Major   Source port preserve setting is not honored
747013-3 3-Major   Add OCSP server support to IKEv2 negotiation for IPsec peer authentication
617929-2 3-Major   Support non-default route domains


TMOS Fixes

ID Number Severity Solution Article(s) Description
920481 2-Critical   REST GET on /mgmt/tm/sys/file/ssl-key returns bad/wrong passphrase
871561-3 2-Critical   Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)'
860349-1 2-Critical   Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication
856713-1 2-Critical   IPsec crash during rekey
854493-3 2-Critical   Kernel page allocation failures messages in kern.log
842865-1 2-Critical   Add support for Auto MAC configuration (ixlv)
841953-5 2-Critical   A tunnel can be expired when going offline, causing tmm crash
841333-5 2-Critical   TMM may crash when tunnel used after returning from offline
818253-1 2-Critical   Generate signature files for logs
817709-2 2-Critical   IPsec: TMM cored with SIGFPE in racoon2
811149-1 2-Critical   Remote users are unable to authenticate via serial console.
807453-1 2-Critical   IPsec works inefficiently with a second blade in one chassis
777229-1 2-Critical   IPsec improvements to internal pfkey messaging between TMMs on multi-blade
774361-2 2-Critical   IPsec High Availability sync during multiple failover via RFC6311 messages
769357-1 2-Critical   IPsec debug logging needs more organization and is missing HA-related logging
755716-1 2-Critical   IPsec connection can fail if connflow expiration happens before IKE encryption
749249-1 2-Critical   IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP
741676-2 2-Critical   Intermittent crash switching between tunnel mode and interface mode
593536-7 2-Critical K64445052 Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations
924493-4 3-Major   VMware EULA has been updated
904705-3 3-Major   Cannot clone Azure marketplace instances.
888497-4 3-Major   Cacheable HTTP Response
887089-3 3-Major   Upgrade can fail when filenames contain spaces
880625-2 3-Major   Check-host-attr enabled in LDAP system-auth creates unusable config
880165-1 3-Major   Auto classification signature update fails
858197-1 3-Major   Merged crash when memory exhausted
856953-2 3-Major   IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1
844085-3 3-Major   GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address
838297-1 3-Major   Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication
828789-3 3-Major   Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters
820213-2 3-Major   'Application Service List' empty after UCS restore
814585-3 3-Major   PPTP profile option not available when creating or modifying virtual servers in GUI
810381-4 3-Major   The SNMP max message size check is being incorrectly applied.
807337-3 3-Major   Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.
804537-1 3-Major   Check SAs in context callbacks
802889 3-Major   Problems establishing HA connections on chassis platforms
797829-5 3-Major   The BIG-IP system may fail to deploy new or reconfigure existing iApps
783753-1 3-Major   Increase vCPU amount guests can use on i11800-DS platforms.
761753-2 3-Major   BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs
759564-4 3-Major   GUI not available after upgrade
758517-1 3-Major   Callback for Diffie Hellman crypto is missing defensive coding
758516-1 3-Major   IKEv2 auth encryption is missing defensive coding that checks object validity
757862-1 3-Major   IKEv2 debug logging an uninitialized variable leading to core
748443-1 3-Major   HiGig MAC recovery mechanism may fail continuously at runtime
746704-2 3-Major   Syslog-ng Memory Leak
745261-2 3-Major   The TMM process may crash in some tunnel cases
726416-3 3-Major   Physical disk HD1 not found for logical disk create
489572-4 3-Major K60934489 Sync fails if file object is created and deleted before sync to peer BIG-IP
431503-3 3-Major K14838 TMSH crashes in rare initial tunnel configurations
919745-4 4-Minor   CSV files downloaded from the Dashboard have the first row with all 'NaN
918209-1 4-Minor   GUI Network Map icons color scheme is not section 508 compliant
914761-1 4-Minor   Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.
906889-1 4-Minor   Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
902417-4 4-Minor   Configuration error caused by Drafts folder in a deleted custom partition
890277-2 4-Minor   Full config sync to a device group operation takes a long time when there are a large number of partitions.
822377-2 4-Minor   CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability
779857-1 4-Minor   Misleading GUI error when installing a new version in another partition
777237-1 4-Minor   IPsec high availability (HA) for failover confused by runtime changes in blade count
751103-4 4-Minor   TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop
767269-2 5-Cosmetic   Linux kernel vulnerability: CVE-2018-16884
714176-3 5-Cosmetic   UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
858429 2-Critical   BIG-IP system sending ICMP packets on both virtual wire interface
851581-1 2-Critical   Server-side detach may crash TMM
839749-2 2-Critical   Virtual server with specific address list might fail to create via GUI
813561-3 2-Critical   MCPD crashes when assigning an iRule that uses a proc
726518-3 2-Critical   Tmsh show command terminated with CTRL-C can cause TMM to crash.
915281-1 3-Major   Do not rearm TCP Keep Alive timer under certain conditions
816881-1 3-Major   Serverside conection may use wrong VLAN when virtual wire is configured
810445-2 3-Major   PEM: ftp-data not classified or reported
800101-1 3-Major   BIG-IP chassis system may send out duplicated UDP packets to the server side
788753-4 3-Major   GATEWAY_ICMP monitor marks node down with wrong error code
785701-1 3-Major   Changes to a Web Acceleration profile are not instantly applied to virtual servers using the profile
785481-2 3-Major   A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached
781753-3 3-Major   WebSocket traffic is transmitted with unknown opcodes
766169-2 3-Major   Replacing all VLAN interfaces resets VLAN MTU to a default value
758437-6 3-Major   SYN w/ data disrupts stat collection in Fast L4
758436-4 3-Major   Optimistic ACKs degrade Fast L4 statistics
745663-3 3-Major   During traffic forwarding, nexthop data may be missed at large packet split
726734-4 3-Major   DAGv2 port lookup stringent may fail
814037-4 4-Minor   No virtual server name in Hardware Syncookie activation logs.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
783125-2 2-Critical   iRule drop command on DNS traffic without Datagram-LB may cause TMM crash
800265-2 3-Major   Undefined subroutine in bigip_add_appliance_helper message


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
911629 2-Critical   Manual upload of LiveUpdate image file results in NULL response
918933-3 3-Major K88162221 The BIG-IP ASM system may not properly perform signature checks on cookies
901061-4 3-Major   Safari browser might be blocked when using Bot Defense profile and related domains.
888285-3 3-Major K18304067 Sensitive positional parameter not masked in 'Referer' header value
848445-3 3-Major K86285055 Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer
919001-1 4-Minor   Live Update: Update Available notification is shown twice in rare conditions
879777 4-Minor   Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
908065-4 3-Major   Logrotation for /var/log/avr blocked by files with .1 suffix
866613-1 4-Minor   Missing MaxMemory Attribute


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
891505-1 2-Critical   TMM might leak memory when OAuth agent is used in APM per-request policy subroutine.
579219-3 2-Critical   Access keys missing from SessionDB after multi-blade reboot.
706782-3 3-Major   Inefficient APM processing in large configurations.
679751-1 4-Minor   Authorization header can cause a connection reset
602396-1 4-Minor   EPSEC Upload Package Button Is Greyed Out
478450-2 4-Minor   Improve log details when "Detection invalid host header ()" is logged


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
763121-3 2-Critical   Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM.
870385-3 3-Major   TMM may restart under very heavy traffic load
811157-2 3-Major   Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself
757555-2 3-Major   Network DoS Logging Profile does not work with other logging profiles together
757279-1 3-Major   LDAP authenticated Firewall Manager role cannot edit firewall policies
746483-2 3-Major   The autodosd process consumes a lot of memory and continuously restarts.
703165-4 3-Major   shared memory leakage
803149-1 4-Minor   Flow Inspector cannot filter on IP address with non-default route_domain
906885 5-Cosmetic   Spelling mistake on AFM GUI Flow Inspector screen


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
741213-2 3-Major   Modifying disabled PEM policy causes coredump


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
837269 3-Major   Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
876581-4 3-Major   JavaScript engine file is empty if the original HTML page cached for too long
891729-4 4-Minor   Errors in datasyncd.log


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
797277-2 3-Major   URL categorization fails when multiple segments present in URL path and belong to different categories.
761273-2 3-Major   wr_urldbd creates sparse log files by writing from the previous position after logrotate.



Cumulative fixes from BIG-IP v14.1.2.7 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
912221-2 CVE-2020-12662
CVE-2020-12663
K37661551 CVE-2020-12662 & CVE-2020-12663
900905-1 CVE-2020-5926 K42830212 TMM may crash while processing SIP data
891457-4 CVE-2020-5939 K75111593 NIC driver may fail while transmitting data
888417-4 CVE-2020-8840 K15320518 Apache Vulnerability: CVE-2020-8840
846917-3 CVE-2019-10744 K47105354 lodash Vulnerability: CVE-2019-10744
841577-4 CVE-2020-5922 K20606443 iControl REST hardening
839453-4 CVE-2019-10744 K47105354 lodash library vulnerability CVE-2019-10744
788057-5 CVE-2020-5921 K00103216 MCPD may crash while processing syncookies
917005-4 CVE-2020-8619 K19807532 ISC BIND Vulnerability: CVE-2020-8619
909837-2 CVE-2020-5950 K05204103 TMM may consume excessive resources when AFM is provisioned
888489-4 CVE-2020-5927 K55873574 ASM UI hardening
886085-3 CVE-2020-5925 K45421311 BIG-IP TMM vulnerability CVE-2020-5925
832885-3 CVE-2020-5923 K05975972 Self-IP hardening
816413-2 CVE-2019-1125 K31085564 CVE-2019-1125: Spectre SWAPGS Gadget
888493-4 CVE-2020-5928 K40843345 ASM GUI Hardening
839145-2 CVE-2019-10744 K47105354 CVE-2019-10744: lodash vulnerability


Functional Change Fixes

ID Number Severity Solution Article(s) Description
816233-3 2-Critical   Session and authentication cookies should use larger character set
724556-3 2-Critical   icrd_child spawns more than maximum allowed times (zombie processes)
858189-1 3-Major   Make restnoded/restjavad/icrd timeout configurable with sys db variables.
802977-2 3-Major   PEM iRule crashes when more than 10 policies are tried to be set for a subscriber
691499-3 3-Major   GTP::ie primitives in iRule to be certified
745465-1 4-Minor   The tcpdump file does not provide the correct extension


TMOS Fixes

ID Number Severity Solution Article(s) Description
864513-3 1-Blocking K48234609 ASM policies may not load after upgrading to 14.x or later from a previous major version
891477 2-Critical   No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server
829677-1 2-Critical   .tmp files in /var/config/rest/ may cause /var directory exhaustion
811701-1 2-Critical   AWS instance using xnet driver not receiving packets on an interface.
810593-2 2-Critical K10963690 Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade
805417-1 2-Critical   Unable to enable LDAP system auth profile debug logging
769581-1 2-Critical   Timeout when sending many large iControl Rest requests
758604-2 2-Critical   Deleting a port from a single-port trunk does not work.
891721-1 3-Major   Anti-Fraud Profile URLs with query strings do not load successfully
871657-2 3-Major   Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
867013-1 3-Major   Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout
842189-2 3-Major   Tunnels removed when going offline are not restored when going back online
821309-3 3-Major   After an initial boot, mcpd has a defunct child "systemctl" process
812929-2 3-Major   mcpd may core when resetting a DSC connection
811053-2 3-Major   REBOOT REQUIRED prompt appears after failover and clsh reboot
810821-1 3-Major   Management interface flaps after rebooting the device.
807005-1 3-Major   Save-on-auto-sync is not working as expected with large configuration objects
806985 3-Major   Engineering Hotfix installation may fail when Engineering Hotfix contains updated nash-initrd package
802685-3 3-Major   Unable to configure performance HTTP virtual server via GUI
793121-3 3-Major   Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
788949-3 3-Major   MySQL Password Initialization Loses Already Written Password
760950-4 3-Major   Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment
756153-3 3-Major   Add diskmonitor support for MySQL /var/lib/mysql
753860-3 3-Major   Virtual server config changes causing incorrect route injection.
720610-2 3-Major   Updatecheck logs bogus 'Update Server unavailable' on every run
701529-2 3-Major   Configuration may not load or not accept vlan or tunnel names as "default" or "all"
688399-2 3-Major   HSB failure results in continuous TMM restarts
683135-1 3-Major   Hardware syncookies number for virtual server stats is unrealistically high
605675-4 3-Major   Sync requests can be generated faster than they can be handled
831293-3 4-Minor   SNMP address-related GET requests slow to respond.
804309-2 4-Minor   [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument
755018-2 4-Minor   Egress traffic processing may be stopped on one or more VE trunk interfaces
743815-2 4-Minor   vCMP guest observes connflow reset when a CMP state change occurs.
484683-2 4-Minor   Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
842937-4 2-Critical   TMM crash due to failed assertion 'valid node'
751589-1 2-Critical   In BIG-IP VE, some IP rules may not be created during the first boot up.
893281-1 3-Major   Possible ssl stall on closed client handshake
852873 3-Major   Proprietary Multicast PVST+ packets are forwarded instead of dropped
848777-1 3-Major   Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.
828601-3 3-Major   IPv6 Management route is preferred over IPv6 tmm route
813701-3 3-Major   Proxy ARP failure
810533-4 3-Major   SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile
802245-1 3-Major   When HTTP/2 is negotiated, if the provided cipher suite list cannot be matched, then the last one will be selected.
790205-3 3-Major   Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core
781041-1 3-Major   SIP monitor in non default route domain is not working.
778517-1 3-Major K91052217 Large number of in-TMM monitors results in delayed processing
760050-2 3-Major   "cwnd too low" warning message seen in logs
758599-1 3-Major   IPv6 Management route is preferred over IPv6 tmm route
758041-3 3-Major   Pool Members may not be updated accurately when multiple identical database monitors are configured
757446-2 3-Major   Invoking the HTTP::respond iRule command when the HTTP2 profile is present can cause stalled or malformed responses.
756494-3 3-Major   For in-tmm monitoring: multiple instances of the same agent are running on the Standby device
752530-1 3-Major   TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.
752334-1 3-Major   Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation
750473-4 3-Major   VA status change while 'disabled' are not taken into account after being 'enabled' again
746922-6 3-Major   When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
714502-2 3-Major   bigd restarts after loading a UCS for the first time
686059-4 3-Major   FDB entries for existing VLANs may be flushed when creating a new VLAN.
608952-3 3-Major   MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2
522241-1 3-Major   Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
918169-2 2-Critical   The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.
744743-1 2-Critical   Rolling DNSSEC Keys may stop generating after BIG-IP restart
803645-3 3-Major   GTMD daemon crashes
789421-2 3-Major   Resource-administrator cannot create GTM server object through GUI
778365-2 3-Major   dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service
774481-2 3-Major   DNS Virtual Server creation problem with Dependency List
769385-1 3-Major   GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message
758772-3 3-Major   DNS Cache RRSET Evictions Stat not increasing
757464-1 3-Major   DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record
746348-2 3-Major   On rare occasions, gtmd fails to process probe responses originating from the same system.
712335-3 4-Minor   GTMD may intermittently crash under unusual conditions.
774257-2 5-Cosmetic   tmsh show gtm pool and tmsh show gtm wideip print duplicate object types


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
904593-2 2-Critical   Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled
868641-1 2-Critical   Possible TMM crash when disabling bot profile for the entire connection
865461-3 2-Critical   BD crash on specific scenario
843801-1 2-Critical   Like-named previous Signature Update installations block Live Update usage after upgrade
813409-1 2-Critical   BD crash under certain circumstances
803813-2 2-Critical   TMM may experience high latency when processing WebSocket traffic
903357-3 3-Major   Bot defense Profile list is loads too slow when there are 750 or more Virtual servers
900797-4 3-Major   Brute Force Protection (BFP) hash table entry cleanup
900793-2 3-Major K32055534 APM Brute Force Protection resources do not scale automatically
900789-4 3-Major   Alert before Brute Force Protection (BFP) hash are fully utilized
898825-4 3-Major   Attack signatures are enforced on excluded headers under some conditions
898741-4 3-Major   Missing critical files causes FIPS-140 system to halt upon boot
892653-2 3-Major   Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI
880789-1 3-Major   ASMConfig Handler undergoes frequent restarts
880753-1 3-Major K38157961 Possible issues when using DoSL7 and Bot Defense profile on the same virtual server
874753-1 3-Major   Filtering by Bot Categories on Bot Requests Log shows 0 events
868721-3 3-Major   Transactions are held for a long time on specific server related conditions
863609-2 3-Major   Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies
850677-2 3-Major   Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy
833685-3 3-Major   Idle async handlers can remain loaded for a long time doing nothing
809125-2 3-Major   CSRF false positive
802873-1 3-Major   Manual changes to policy imported as XML may introduce corruption for Login Pages
799749-1 3-Major   Asm logrotate fails to rotate
793149-3 3-Major   Adding the Strict-transport-Policy header to internal responses
785529-1 3-Major   ASM unable to handle ICAP responses which length is greater then 10K
783165-3 3-Major   Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile
772165-1 3-Major   Sync Failed due to Bot Defense profile not found
759449-1 3-Major   Unable to modify the application language with 'Copy ASM Policy'
751430-1 3-Major   Unnecessary reporting of errors with complex denial-of-service policies
745324-1 3-Major   MCP crash or blocked for a long time when loading configuration
742549-2 3-Major   Cannot create non-ASCII entities in non-UTF ASM policy using REST
726401-1 3-Major   ASM cannot complete initial startup with modified management interface on VE
722337-1 3-Major   Always show violations in request log when post request is large
640842-3 3-Major   ASM end user using mobile might be blocked when CSRF is enabled
896285-4 4-Minor   No parent entity in suggestion to add predefined-filetype as allowed filetype
882769-3 4-Minor   Request Log: wrong filter applied when searching by Response contains or Response does not contain
852613-1 4-Minor   Connection Mirroring and ASM Policy not supported on the same virtual server


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
902485-2 3-Major   Incorrect pool member concurrent connection value
838685-2 3-Major   DoS report exist in per-widget but not under individual virtual


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
838861-2 2-Critical   TMM might crash once after upgrading SSL Orchestrator
895313 3-Major   Enable manage config setting may fail after upgrade of AGC to version 7.0 on BIG-IP 14.1.0 or 14.1.2
831517-1 3-Major   TMM may crash when Network Access tunnel is used
799149-2 3-Major   Authentication fails with empty password
750631-2 3-Major   There may be a latency between session termination and deletion of its associated IP address mapping
600985-1 3-Major   Network access tunnel data stalls
719589-2 4-Minor   GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic


Service Provider Fixes

ID Number Severity Solution Article(s) Description
814097-2 2-Critical   Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.
898997-4 3-Major   GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes
842625-3 3-Major   SIP message routing remembers a 'no connection' failure state forever
825013-3 3-Major   GENERICMESSAGE::message's src and dst may get cleared in certain scenarios
815529-2 3-Major   MRF outbound messages are dropped in per-peer mode
803809-2 3-Major   SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.
782353-6 3-Major   SIP MRF via header shows TCP Transport when TLS is enabled
754658-2 3-Major   Improved matching of response messages uses end-to-end ID
754617-2 3-Major   iRule 'DIAMETER::avp read' command does not work with 'source' option
746731-1 3-Major   BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
696348-3 3-Major   "GTP::ie insert" and "GTP::ie append" do not work without "-message" option
788513-2 4-Minor   Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
786981-3 4-Minor   Pending GTP iRule operation maybe aborted when connection is expired
793005-3 5-Cosmetic   'Current Sessions' statistic of MRF/Diameter pool may be incorrect


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
802421 2-Critical   The /var partition may become 100% full requiring manual intervention to clear space
755721-1 3-Major   A UDP DNS packet may incorrectly match a BDoS signature if such a packet was queued up due to ingress shaper


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
753014-4 3-Major   PEM iRule action with RULE_INIT event fails to attach to PEM policy


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
888625-2 3-Major   CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks
806825 3-Major   Align the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool
761517-1 4-Minor   nat64 and ltm pool conflict


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
787965-1 3-Major   URLCAT by URI does not work if it contains port number
754257-2 3-Major   URL lookup queries not working



Cumulative fixes from BIG-IP v14.1.2.6 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
900757-4 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
895525-4 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
909237-4 CVE-2020-8617 K05544642 CVE-2020-8617: BIND Vulnerability
909233-4 CVE-2020-8616 K97810133 DNS Hardening
905905-3 CVE-2020-5904 K31301245 TMUI CSRF vulnerability CVE-2020-5904
895993-4 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
895981-4 CVE-2020-5902 K52145254 TMUI RCE vulnerability CVE-2020-5902
895881-3 CVE-2020-5903 K43638305 BIG-IP TMUI XSS vulnerability CVE-2020-5903


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
742628-3 3-Major   A tmsh session initiation adds increased control plane pressure


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
897229 3-Major   TLS session ticket resumption SNI check



Cumulative fixes from BIG-IP v14.1.2.5 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
883717-3 CVE-2020-5914 K37466356 BD crash on specific server cookie scenario
879025-4 CVE-2020-5913 K72752002 When processing TLS traffic, LTM may not enforce certificate chain restrictions
866013 CVE-2019-11477
CVE-2019-11478
CVE-2019-11479
K78234183 Linux Kernel Vulnerabilities: CVE-2019-11477 CVE-2019-11478 CVE-2019-11479
852445-3 CVE-2019-6477 K15840535 Big-IP : CVE-2019-6477 BIND Vulnerability
838677-3 CVE-2019-10744 K47105354 lodash library vulnerability CVE-2019-10744
837773-2 CVE-2020-5912 K12936322 Restjavad Storage and Configuration Hardening
834257-3 CVE-2020-5931 K25400442 TMM may crash when processing HTTP traffic
830401-3 CVE-2020-5877 K54200228 TMM may crash while processing TCP traffic with iRules
819197-4 CVE-2019-13135 K20336394 BIGIP: CVE-2019-13135 ImageMagick vulnerability
819189-3 CVE-2019-13136 K03512441 BIGIP: CVE-2019-13136 ImageMagick vulnerability
814953-3 CVE-2020-5940 K43310520 TMUI dashboard hardening
805837-2 CVE-2019-6657 K22441651 REST does not follow current design best practices
802261-2 CVE-2020-5875 K65372933 TMM may crash while processing SSL traffic via an HTTP/2 full-proxy
794561-1 CVE-2020-5874 K46901953 TMM may crash while processing JWT/OpenID traffic.
780601-2 CVE-2020-5873 K03585731 SCP file transfer hardening
769589-2 CVE-2019-6974 K11186236 CVE-2019-6974: Linux Kernel Vulnerability
767373-1 CVE-2019-8331 K24383845 CVE-2019-8331: Bootstrap Vulnerability
762453-2 CVE-2020-5872 K63558580 Hardware cryptography acceleration may fail
745377-1 CVE-2020-5871 K43450419 TMM cores in certain scenarios with HTTP virtual server
739971 CVE-2018-5391 K74374841 Linux kernel vulnerability: CVE-2018-5391
873469-1 CVE-2020-5889 K24415506 APM Portal Access: Base URL may be set to incorrectly
872673-3 CVE-2020-5918 K26464312 TMM can crash when processing SCTP traffic
868349-3 CVE-2020-5935 K62830532 TMM may crash while processing iRules with MQTT commands
864109-3 CVE-2020-5889 K24415506 APM Portal Access: Base URL may be set to incorrectly
859089-5 CVE-2020-5907 K00091341 TMSH allows SFTP utility access
858349-1 CVE-2020-5934 K44808538 TMM may crash while processing SAML SLO traffic
858025-3 CVE-2021-22984 K33440533 BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984
848405-4 CVE-2020-5933 K26244025 TMM may consume excessive resources while processing compressed HTTP traffic
838881-3 CVE-2020-5853 K73183618 APM Portal Access Vulnerability: CVE-2020-5853
837837-3 CVE-2020-5917 K43404629 F5 SSH server key size vulnerability CVE-2020-5917
832021-1 CVE-2020-5888 K73274382 Port lockdown settings may not be enforced as configured
832017-1 CVE-2020-5887 K10251014 Port lockdown settings may not be enforced as configured
829121-3 CVE-2020-5886 K65720640 State mirroring default does not require TLS
829117-3 CVE-2020-5885 K17663061 State mirroring default does not require TLS
811789-2 CVE-2020-5915 K57214921 Device trust UI hardening
810537-2 CVE-2020-5883 K12234501 TMM may consume excessive resources while processing iRules
805557-2 CVE-2020-5882 K43815022 TMM may crash while processing crypto data
789921-2 CVE-2020-5881 K03386032 TMM may restart while processing VLAN traffic
775833-2 CVE-2020-5880 K94325657 Administrative file transfer may lead to excessive resource consumption
887637-1 CVE-2019-3815 K22040951 Systemd-journald Vulnerability: CVE-2019-3815
868097-1 CVE-2020-5891 K58494243 TMM may crash while processing HTTP/2 traffic
823893-2 CVE-2020-5890 K03318649 Qkview may fail to completely sanitize LDAP bind credentials
748122-1 CVE-2018-15333 K53620021 BIG-IP Vulnerability CVE-2018-15333
746091-1 CVE-2019-19151 K21711352 TMSH Vulnerability: CVE-2019-19151
760723-2 CVE-2015-4037 K64765350 Qemu Vulnerability


Functional Change Fixes

ID Number Severity Solution Article(s) Description
870389-1 3-Major   Increase size of /var logical volume to 1.5 GiB for LTM-only VE images
858229-3 3-Major K22493037 XML with sensitive data gets to the ICAP server
738330-3 3-Major   /mgmt/toc endpoint issue after configuring remote authentication


TMOS Fixes

ID Number Severity Solution Article(s) Description
819009-3 2-Critical   Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in high availability (HA) config with Floating Self IP configured for PIM protocol.
792285-2 2-Critical   TMM crashes if the queuing message to all HSL pool members fails
777993-2 2-Critical   Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same
775897-1 2-Critical   High Availability failover restarts tmipsecd when tmm connections are closed
769169-3 2-Critical   BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring
767689-1 2-Critical   F5optics_install using different versions of RPM
749388-3 2-Critical   'table delete' iRule command can cause TMM to crash
748205-3 2-Critical   SSD bay identification incorrect for RAID drive replacement
699515-2 2-Critical   nsm cores during update of nexthop for ECMP recursive route
882557-4 3-Major   TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)
873877 3-Major   Kernel page allocation failure seen on VIPRION blades
866925-3 3-Major   The TMM pages used and available can be viewed in the F5 system stats MIB
852001-3 3-Major   High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously
849405-1 3-Major   LTM v14.1.2.1 does not log after upgrade&stastarf;
842125-4 3-Major   Unable to reconnect outgoing SCTP connections that have previously aborted
812981-4 3-Major   MCPD: memory leak on standby BIG-IP device
810957-2 3-Major   Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core
802281-1 3-Major   Gossip shows active even when devices are missing
800185-4 3-Major   Saving a large encrypted UCS archive may fail and might trigger failover
795685-2 3-Major   Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer
772117-3 3-Major   Overwriting FIPS keys from the high availability (HA) peer with older config leads to abandoned key on FIPS card
762073-2 3-Major   Continuous TMM restarts when HSB drops off the PCI bus
759735-2 3-Major   OSPF ASE route calculation for new external-LSA delayed
759172-1 3-Major   Read Access Denied: user (gu, guest) type (Certificate Order Manager)
758387-2 3-Major   BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it
751573-1 3-Major   Updates to HSL pool members may not take effect
749785-2 3-Major   nsm can become unresponsive when processing recursive routes
749690-1 3-Major   MOS_Image2Disk_Installation- kjournald service error
746861-1 3-Major   SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated
641450-7 3-Major K30053855 A transaction that deletes and recreates a virtual may result in an invalid configuration
755317-1 4-Minor   /var/log logical volume may run out of space due to agetty error message in /var/log/secure


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
715032-2 1-Blocking K73302459 iRulesLX Hardening
860881-1 2-Critical   TMM can crash when handling a compressed response from HTTP server
853329-4 2-Critical   HTTP explicit proxy can crash TMM when used with classification profile
839401-3 2-Critical   Moving a virtual-address from one floating traffic-group to another does not send GARPs out.
831325-2 2-Critical K10701310 HTTP PSM detects more issues with Transfer-Encoding headers
799649-2 2-Critical   TMM crash
757391-2 2-Critical   Datagroup iRule command class can lead to memory corruption
755134-1 2-Critical   HTTP/2 connections may leak memory if server-side connection not established
868889 3-Major   BIG-IP may reset a stream with an empty DATA frame as END_STREAM
853613-2 3-Major   Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp
851789-3 3-Major   SSL monitors flap with client certs with private key stored in FIPS
847325-1 3-Major   Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior.
843105-1 3-Major   Adding multicast stats for multicast bridging over L2 wire transparent VLAN-group (LACP STP LLDP)
809729-2 3-Major   When HTTP/2 stream is reset by a client, BIG-IP may not respond properly
795261-2 3-Major   LTM policy does not properly evaluate condition when an operand is missing
788741-2 3-Major   TMM cores in the MQTT proxy under rare conditions
777269-1 3-Major   Gratuitous ARP may be sent for self IPs from incorrect MAC address at startup
770477-2 3-Major   SSL aborted when client_hello includes both renegotiation info extension and SCSV
761030-2 3-Major   tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route
758631-4 3-Major   ec_point_formats extension might be included in the server hello even if not specified in the client hello
757827-1 3-Major   Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution
755997-2 3-Major   Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address
755727-2 3-Major   Ephemeral pool members not created after DNS flap and address record changes
755213-1 3-Major   TMM cores in certain scenarios with HTTP/2 virtual server
751052-1 3-Major   HTTP iRule event HTTP_REJECT broken
746078-1 3-Major   Upgrades break existing iRulesLX workspaces that use node version 6
745923-2 3-Major   Connection flow collision can cause packets to be sent with source and/or destination port 0
743257-3 3-Major   Fix block size insecurity init and assign
705112-4 3-Major   DHCP server flows are not re-established after expiration
636842-2 3-Major K51472519 A FastL4 virtual server may drop a FIN packet when mirroring is enabled
601189-4 3-Major   The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
599567-4 3-Major   APM assumes SNAT automap, does not use SNAT pool
859113-3 4-Minor   Using "reject" iRules command inside "after" may causes core
852373-2 4-Minor   HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error
839245-1 4-Minor   IPother profile with SNAT sets egress TTL to 255
830833-2 4-Minor   HTTP PSM blocking resets should have better log messages
760683-1 4-Minor   RST from non-floating self-ip may use floating self-ip source mac-address
757777-3 4-Minor   bigtcp does not issue a RST in all circumstances
746077-4 4-Minor   If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
807177-2 2-Critical   HTTPS monitoring is not caching SSL sessions correctly
704198-4 2-Critical K29403988 Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance
802961-2 3-Major   The 'any-available' prober selection is not as random as in earlier versions
772233-4 3-Major   IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV.
754901-1 3-Major   Frequent zone update notifications may cause TMM to restart
750213-4 3-Major K25351434 DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
744280-2 4-Minor   Enabling or disabling a Distributed Application results in a small memory leak


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
852437-1 2-Critical K25037027 Overly aggressive file cleanup causes failed ASU installation
882377-1 3-Major   ASM Application Security Editor Role User can update/install ASU
871905-1 3-Major K02705117 Incorrect masking of parameters in event log
854177-3 3-Major   ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
850673-3 3-Major   BD sends bad ACKs to the bd_agent for configuration
681010-3 3-Major K33572148 'Referer' is not masked when 'Query String' contains sensitive parameter


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
838709-1 2-Critical   Enabling DoS stats also enables page-load-time
828937-3 2-Critical K45725467 Some systems can experience periodic high IO wait due to AVR data aggregation
870957-1 3-Major   "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage
863161-3 3-Major   Scheduled reports are sent via TLS even if configured as non encrypted
835381-1 3-Major   HTTP custom analytics profile 'not found' when default profile is modified
830073-3 3-Major   AVRD may core when restarting due to data collection device connection timeout
817649-2 3-Major   AVR statistics for NAT cannot be shown on multi-bladed machine
865053-1 4-Minor   AVRD core due to a try to load vip lookup when AVRD is down
863069-3 4-Minor   Avrmail timeout is too small


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
879401-3 2-Critical K90423190 Memory corruption during APM SAML SSO
871761-4 2-Critical   Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS
788593-2 2-Critical K43404365 APM logs may contain additional data
884797-2 3-Major   Portal Access: in some cases data is not delivered via WebSocket connection
866685-3 3-Major   Empty HSTS headers when HSTS mode for HTTP profile is disabled
866161-3 3-Major   Client port reuse causes RST when the security service attempts server connection reuse.
852313-2 3-Major   VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured
832569-2 3-Major   APM end-user connection reset
831781-5 3-Major   AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode
798261-2 3-Major   APMD fails to create session variables if spanning is enabled on SWG transparent virtual server
771905-2 3-Major   JWT token rejected due to unknown JOSE header parameters
768025-4 3-Major   SAML requests/responses fail with "failed to find certificate"
749036-2 3-Major   Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM
747725-3 3-Major   Kerberos Auth agent may override settings that manually made to krb5.conf
747624-2 3-Major   RADIUS Authentication over RSA SecureID is not working in challenge mode


Service Provider Fixes

ID Number Severity Solution Article(s) Description
811105-1 2-Critical   MRF SIP-ALG drops SIP 183 and 200 OK messages
781725-2 2-Critical   BIG-IP systems might not complete a short ICAP request with a body beyond the preview
882273 3-Major   MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage grow
876077-3 3-Major   MRF DIAMETER: stale pending retransmission entries may not be cleaned up
868381-3 3-Major   MRF DIAMETER: Retransmission queue unable to delete stale entries
866021-3 3-Major   Diameter Mirror connection lost on the standby due to "process ingress error"
853545-3 3-Major   MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event
824149-3 3-Major   SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured
815877-1 3-Major   Information Elements with zero-length value are rejected by the GTP parser
811033-2 3-Major   MRF: BiDirectional pesistence does not work in reverse direction if different transport protocols are used
788093 3-Major   MRF iRule command MR::restore with no argument causes tmm to crash
859721-3 4-Minor   Using GENERICMESSAGE create together with reject inside periodic after may cause core
836357-3 4-Minor   SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
788005-2 4-Minor   Bypass MRF SIP LB restriction of conversion from reliable transport (TCP) to unreliable transport (UDP)


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
778869-3 2-Critical K72423000 ACLs and other AFM features (e.g., IPI) may not function as designed
751292-1 2-Critical   mcpd core after changing parent netflow to use version9
852289-2 3-Major K23278332 DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector
771173-3 3-Major   FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
857725 3-Major   Anti-Fraud/DataSafe Logging Settings page not found


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
761199-1 2-Critical   Wr_urldbd might crash while system is in a restarting loop.
816529-2 3-Major   If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart.


Device Management Fixes

ID Number Severity Solution Article(s) Description
839597-4 3-Major   Restjavad fails to start if provision.extramb has a large value
815649-1 3-Major   Named.config entry getting overwriting on SSL Orchestrator deployment


SSL Orchestrator Fixes

ID Number Severity Solution Article(s) Description
852557-1 2-Critical   Tmm core while using service chaining for SSL Orchestrator
759191-1 2-Critical   While using explicit or transparent http type service on SSL Orchestrator, TMM cores.
864329-1 3-Major   Client port reuse causes RST when the backend server-side connection is open
852481-1 3-Major   Failure to check virtual-server context when closing server-side connection
852477-1 3-Major   Tmm core when SSL Orchestrator is enabled
886713-3 4-Minor   Error log seen in case of SSL Orchestrator configured with http service during connection close.



Cumulative fixes from BIG-IP v14.1.2.4 that are included in this release


Functional Change Fixes

None


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
867413-2 2-Critical   The allow-only-in-enterprise LAN feature on Mac OS not working after reboot



Cumulative fixes from BIG-IP v14.1.2.3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
849761-1 CVE-2019-6675 K55655944 CVE-2019-6675: LDAP vulnerability
846365-3 CVE-2020-5878 K35750231 TMM may crash while processing IP traffic
818709-2 CVE-2020-5858 K36814487 TMSH does not follow current best practices
818429-4 CVE-2020-5857 K70275209 TMM may crash while processing HTTP traffic
808301-2 CVE-2019-6678 K04897373 TMM may crash while processing IP traffic
757357-3 CVE-2019-6676 K92002212 TMM may crash while processing traffic
782529-2 CVE-2019-6685 K30215839 iRules does not follow current design best practices
761144-4 CVE-2019-6684 K95117754 Broadcast frames may be dropped
761112-3 CVE-2019-6683 K76328112 TMM may consume excessive resources when processing FastL4 traffic
725551-2 CVE-2019-6682 K40452417 ASM may consume excessive resources
846157-3 CVE-2020-5862 K01054113 TMM may crash while processing traffic on AWS
817917-1 CVE-2020-5856 K00025388 TMM may crash when sending TCP packets
789893-2 CVE-2019-6679 K54336216 SCP file transfer hardening
749324-1 CVE-2012-6708 K62532311 jQuery Vulnerability: CVE-2012-6708
738236-7 CVE-2019-6688 K25607522 UCS does not follow current best practices


Functional Change Fixes

ID Number Severity Solution Article(s) Description
819397-1 1-Blocking K50375550 TMM does not enforce RFC compliance when processing HTTP traffic
769193-5 3-Major   Added support for faster congestion window increase in slow-start for stretch ACKs
760234-1 4-Minor   Configuring Advanced shell for Resource Administrator User has no effect


TMOS Fixes

ID Number Severity Solution Article(s) Description
806093-1 2-Critical   Unwanted LDAP referrals slow or prevent administrative login
789169-2 2-Critical   Unable to create virtual servers with port-lists from the GUI
780817-5 2-Critical   TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
762385 2-Critical   Wrong remote-role assigned using LDAP authentication after upgrade to 14.1.x and later
762205-2 2-Critical   IKEv2 rekey fails to recognize VENDOR_ID payload when it appears
809205 3-Major   CVE-2019-3855: libssh2 Vulnerability
794501-2 3-Major   Duplicate if_indexes and OIDs between interfaces and tunnels
785741-1 3-Major K19131357 Unable to login using LDAP with 'user-template' configuration
778125-1 3-Major   LDAP remote authentication passwords are limited to fewer than 64 bytes
760439-4 3-Major   After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
760259-3 3-Major   Qkview silently fails to capture qkviews from other blades
759654-1 3-Major   LDAP remote authentication with remote roles and user-template failing
759499-2 3-Major   Upgrade from version 12.1.x to version 13.1.x and later failing with error
758781-3 3-Major   iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates
758527-2 3-Major K39604784 BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
757519-1 3-Major K92525101 Unable to logon using LDAP authentication with a user-template
756450-1 3-Major   Traffic using route entry that's more specific than existing blackhole route can cause core
754691-1 3-Major   During failover, an OSPF routing daemon may crash.
750318-3 3-Major   HTTPS monitor does not appear to be using cert from server-ssl profile
746266-3 3-Major   A vCMP guest VLAN MAC mismatch across blades.
738943-3 3-Major   imish command hangs when ospfd is enabled
705037-7 3-Major K32332000 System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
816273-2 1-Blocking   L7 Policies may execute CONTAINS operands incorrectly.
826601-5 2-Critical   Prevent receive window shrinkage for looped flows that use a SYN cookie
817417-1 2-Critical   Blade software installation stalled at Waiting for product image
816625-1 2-Critical   The TMM may crash in a rare scenario involving HTTP unchunking, and plugins.
800369-2 2-Critical   The fix for ID 770797 may cause a TMM crash
800305-2 2-Critical   VDI::cmp_redirect generates flow with random client port
791057-1 2-Critical   MCP may crash when traffic matching criteria is updated
770797-1 2-Critical   HTTP2 streams may get stuck in rare situations
836661 3-Major   Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet.
834373-3 3-Major   Possible handshake failure with TLS 1.3 early data
830797-2 3-Major   Standby high availability (HA) device passes traffic through virtual wire
815449-2 3-Major   BIG-IP closes connection when an unsized response is served to a HEAD request
814761-2 3-Major   PostgreSQL monitor fails on second ping with count != 1
797977-1 3-Major   Self-IP traffic does not preserve the TTL from the Linux host
789365-1 3-Major   pkcs11d CPU usage increases after running nethsm self validation test
772545-3 3-Major   Tmm core in SSLO environment
765517-1 3-Major   Traffic Match Criteria validation fails when create Virtual server with address list with overlapping address space but a different ingress VLAN
761185-2 3-Major K50375550 Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic
760771-1 3-Major   FastL4-steered traffic might cause SSL resume handshake delay
758992-2 3-Major   The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address
758872-3 3-Major   TMM memory leak
758655-1 3-Major   TMC does not allow inline addresses with non-zero Route-domain.
753514-3 3-Major   Large configurations containing LTM Policies load slowly
749689-2 3-Major   HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart
726176-2 3-Major   Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
712919-2 3-Major K54802336 Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server.
687887-3 3-Major   Unexpected result from multiple changes to a monitor-related object in a single transaction
824365-3 4-Minor   Need informative messages for HTTP iRule runtime validation errors
806085-2 4-Minor   In-TMM MQTT monitor is not working as expected
791337-1 4-Minor   Traffic matching criteria fails when using shared port-list with virtual servers
769309-2 4-Minor   DB monitor reconnects to server on every probe when count = 0
754003-3 4-Minor K73202036 Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate
747628-1 4-Minor   BIG-IP sends spurious ICMP PMTU message to server
744210-2 4-Minor   DHCPv6 does not have the ability to override the hop limit from the client.


Performance Fixes

ID Number Severity Solution Article(s) Description
776133-1 2-Critical   RSS hash is not used on VE resulting in performance impact on non-SR-IOV devices


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
761032-2 3-Major K36328238 TMSH displays TSIG keys
760471-3 3-Major   GTM iQuery connections may be reset during SSL key renegotiation.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
813945-3 2-Critical   PB core dump while processing many entities
813389-1 2-Critical   TMM Crashes upon failure in Bot Defense Client-Side code
791669 2-Critical   TMM might crash when Bot Defense is configured for multiple domains
790349-2 2-Critical   merged crash with a core file
756108-1 2-Critical   BD crash on specific cases
754109-1 2-Critical   ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive
832857 3-Major   Support ID on AJAX CAPTCHA popup (SPA) does not match the Support ID in log
832205 3-Major   ASU cannot be completed after Signature Systems database corruption following binary Policy import
831661-2 3-Major   ASMConfig Handler undergoes frequent restarts
824101-1 3-Major   Request Log export file is not visible for requests including binary data
824037-2 3-Major   Bot Defense whitelists do not apply for IP 'Any' when using route domains
812341-2 3-Major   Patch or Delete commands take a long time to complete when modifying an ASM signature set.
805353-1 3-Major   ASM reporting for WebSocket frames has empty username field
800453-3 3-Major K72252057 False positive virus violations
793017-1 3-Major   Files left behind by failed Attack Signature updates are not cleaned
786913-2 3-Major   Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7
783513-2 3-Major   ASU is very slow on device with hundreds of policies due to logging profile handling
781021-2 3-Major   ASM modifies cookie header causing it to be non-compliant with RFC6265
778681-2 3-Major   Factory-included Bot Signature update file cannot be installed without subscription
754841-1 3-Major   Policy updates stall and never complete
754425-1 3-Major   Exported requests cannot be opened in Internet Explorer or Edge browser
739618-2 3-Major   When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy
734228 3-Major   False-positive illegal-length violation can appear
795769-3 4-Minor   Incorrect value of Systems in system-supplied signature sets
789817-1 4-Minor   In rare conditions info fly-out not shown
760462-1 4-Minor   Live update notification is shown only for provisioned/licensed modules
758459-1 4-Minor   Cross origin AJAX requests are blocked Cross-Origin Resource Sharing (CORS) protection
620301-1 4-Minor   Policy import fails due to missing signature System in associated Signature Set


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
781581-3 3-Major   Monpd uses excessive memory on requests for network_log data


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
757782-1 2-Critical   OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default
825805-1 3-Major   NTLM Auth may fail due to incorrect handling of EPM response
766577-2 3-Major   APMD fails to send response to client and it already closed connection.
756363-1 3-Major   SSLO or SWG connections using proxy chaining to Explicit Proxy can get reset
741222-2 3-Major   Install epsec1.0.0 into software partition.
643935-4 3-Major   Rewriting may cause an infinite loop while processing some objects


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
833213-3 3-Major   Conditional requests are served incorrectly with AAM policy in webacceleration profile


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
802865-1 3-Major   The iControl REST query request returning empty list for DoS Protected Objects
761345-3 3-Major   Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode
738284-2 3-Major   Creating or deleting rule list results in warning message: Schema object encode failed


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
821133-2 3-Major   Wrong wildcard URL matching when none of the configured URLS include QS


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
748813-3 2-Critical   tmm cores under stress test on virtual server with DoS profile with admd enabled
767045-2 3-Major   TMM cores while applying policy


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
787845 4-Minor   Tmsh command 'show running-config' fails when Protocol Inspection is not licensed.


SSL Orchestrator Fixes

ID Number Severity Solution Article(s) Description
777241-2 3-Major   smtps partial_conncount issues and unexpected resets



Cumulative fixes from BIG-IP v14.1.2.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
741163-3 CVE-2018-3693 K54252492 RHEL7: Kernel CVE-2018-3693
740755-6 CVE-2018-3620 K95275140 Kernel vulnerability: CVE-2018-3620
721319-1 CVE-2018-3639 K29146534 CVE-2018-3639


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
815689-3 3-Major   Azure walinuxagent has been updated to v2.2.42.
760574 3-Major   Updating BIG-IP 14.1.x Linux kernel to RHEL7.5
760468 3-Major   Route domains cause diskmonitor errors in logs



Cumulative fixes from BIG-IP v14.1.2.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
795437-4 CVE-2019-6677 K06747393 Improve handling of TCP traffic for iRules
795197-1 CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 K26618426 Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
781377-2 CVE-2019-6681 K93417064 tmrouted may crash while processing Multicast Forwarding Cache messages
778077-3 CVE-2019-6680 K53183580 Virtual to virtual chain can cause TMM to crash
771873-5 CVE-2019-6642 K40378764 TMSH Hardening
767653-1 CVE-2019-6660 K23860356 Malformed HTTP request can result in endless loop in an iRule script
636400-3 CVE-2019-6665 K26462555 CPB (BIG-IP->BIGIQ log node) Hardening
810657-2 CVE-2019-6674 K21135478 Tmm core while using service chaining for SSLO
809165-2 CVE-2020-5854 K50046200 TMM may crash will processing connector traffic
808525-2 CVE-2019-6686 K55812535 TMM may crash while processing Diameter traffic
795797-2 CVE-2019-6658 K21121741 AFM WebUI Hardening
788773-2 CVE-2019-9515 K50233772 HTTP/2 Vulnerability: CVE-2019-9515
788769-2 CVE-2019-9514 K01988340 HTTP/2 Vulnerability: CVE-2019-9514
788033 CVE-2020-5851 K91171450 tpm-status may return "Invalid" after engineering hotfix installation
781449-2 CVE-2019-6672 K14703097 Increase efficiency of sPVA DoS protection on wildcard virtual servers
777737-3 CVE-2019-6671 K39225055 TMM may consume excessive resources when processing IP traffic
773673-2 CVE-2019-9512 K98053339 HTTP/2 Vulnerability: CVE-2019-9512
768981-2 CVE-2019-6670 K05765031 VCMP Hypervisor Hardening
761014-2 CVE-2019-6669 K11447758 TMM may crash while processing local traffic
758018-5 CVE-2019-6661 K61705126 APD/APMD may consume excessive resources
756458-3 CVE-2018-18559 K28241423 Linux kernel vulnerability: CVE-2018-18559
756218-1 CVE-2019-6654 K45644893 Improve default management port firewall
751152-1 CVE-2018-5407 K49711130 OpenSSL Vulnerability: CVE-2018-5407
751143-1 CVE-2018-5407 K49711130 OpenSSL Vulnerability: CVE-2018-5407
745103-6 CVE-2018-7159 K27228191 NodeJS Vulnerability: CVE-2018-7159
798249-2 CVE-2019-6673 K81557381 TMM may crash while processing HTTP/2 requests
779177-2 CVE-2019-19150 K37890841 Apmd logs "client-session-id" when access-policy debug log level is enabled
759536-2 CVE-2019-8912 K31739796 Linux kernel vulnerability: CVE-2019-8912
757617-1 CVE-2018-16864
CVE-2018-16865
K06044762 Systemd vulnerabilities: CVE-2018-16864, CVE-2018-16865


Functional Change Fixes

ID Number Severity Solution Article(s) Description
759135-2 3-Major   AVR report limits are locked at 1000 transactions
714292-3 3-Major   Transparent forwarding mode across multiple VLAN groups or virtual-wire
788269-3 4-Minor   Adding toggle to disable AVR widgets on device-groups


TMOS Fixes

ID Number Severity Solution Article(s) Description
793045-2 2-Critical   File descriptor leak in net-snmpd while reading /shared/db/cluster.conf
770953 2-Critical   'smbclient' executable does not work
767877-3 2-Critical   TMM core with Bandwidth Control on flows egressing on a VLAN group
765533-2 2-Critical K58243048 Sensitive information logged when DEBUG logging enabled
760475-1 2-Critical   Apache spawns more processes than the configured limit, causing system low memory condition
755575-1 2-Critical   In MOS, the 'image2disk' utility with the '-format' option does not function properly
726240-1 2-Critical   'Cannot find disk information' message when running Configuration Utility
788557-5 3-Major   BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior
788301-5 3-Major K58243048 SNMPv3 Hardening
777261-4 3-Major   When SNMP cannot locate a file it logs messages repeatedly
766873 3-Major   Omission of lower-layer types from sFlow packet samples
761993-2 3-Major   The nsm process may crash if it detects a nexthop mismatch
761933-1 3-Major   Reboot with 'tmsh reboot' does not log message in /var/log/audit
761160-2 3-Major   OpenSSL vulnerability: CVE-2019-1559
760998-1 3-Major   F5.ip_forwarding iAPP fails to deploy
759814-1 3-Major   Unable to view iApp component view
758119-6 3-Major K58243048 qkview may contain sensitive information
747592-1 3-Major   PHP vulnerability CVE-2018-17082
724109-2 3-Major   Manual config-sync fails after pool with FQDN pool members is deleted
680917-5 3-Major   Invalid monitor rule instance identifier
648621-6 3-Major   SCTP: Multihome connections may not expire
776073-1 4-Minor   OOM killer killing tmm in system low memory condition as process OOM score is high
760680-1 4-Minor K36350541 TMSH may utilize 100% CPU (single core's worth) when set to be a process group leader and SSH session is closed.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
759968-3 1-Blocking   Distinct vCMP guests are able to cluster with each other.
803845-2 2-Critical   When in HA, the Standby device is forwarding traffic causing a loop and subsequent network shutdown
787825-2 2-Critical K58243048 Database monitors debug logs have plaintext password printed in the log file
774913-1 2-Critical   IP-based bypass can fail if SSL ClientHello is not accepted
760078-1 2-Critical   Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet.
758714-1 2-Critical   Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports.
757578-2 2-Critical   RAM cache is not compatible with verify-accept
757441-4 2-Critical   Specific sequence of packets causes Fast Open to be effectively disabled
755585-1 2-Critical   mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction
747858-2 2-Critical   OSPF packets are duplicated in the BIG-IP in L2 transparent mode using virtual wires
746710-1 2-Critical   Use of HTTP::cookie after HTTP:disable causes TMM core
737985-2 2-Critical   BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode.
734551-3 2-Critical   L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server
801497-2 3-Major   Virtual wire with LACP pinning to one link in trunk.
798105-1 3-Major   Node Connection Limit Not Honored
794581 3-Major   Transfer might stall for an object served from WAM cache
788325-2 3-Major K39794285 Header continuation rule is applied to request/response line
787433-3 3-Major   SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed
784713-3 3-Major   When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct
773821-1 3-Major   Certain plaintext traffic may cause SSLO to hang
773421-1 3-Major   Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
769801-1 3-Major   Internal tmm UDP filter does not set checksum
761385-1 3-Major   Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire.
761381-1 3-Major   Incorrect MAC Address observed in L2 asymmetric virtual wire
754525-1 3-Major   Disabled virtual server accepts and serves traffic after restart
748891-2 3-Major   Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system.
742237-4 3-Major   CPU spikes appear wider than actual in graphs
719300-3 3-Major   ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address
689361-4 3-Major   Configsync can change the status of a monitored pool member
751586 4-Minor   Http2 virtual does not honour translate-address disabled
747585-3 4-Minor   TCP Analytics supports ANY protocol number


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
783849-2 3-Major   DNSSEC Key Generations are not imported to secondary FIPS card


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
781637-2 3-Major   ASM brute force counts unnecessary failed logins for NTLM
781605-3 3-Major   Fix RFC issue with the multipart parser
781069-2 3-Major   Bot Defense challenge blocks requests with long Referer headers
773553-2 3-Major   ASM JSON parser false positive.
769997-1 3-Major   ASM removes double quotation characters on cookies
769981-2 3-Major   bd crashes in a specific scenario
764373-3 3-Major   'Modified domain cookie' violation with multiple enforced domain cookies with different paths
753711-1 3-Major   Copied policy does not retain signature staging
751710-4 3-Major   False positive cookie hijacking violation
746394-1 3-Major   With ASM CORS set to 'Disabled' it strips all CORS headers in response.
745802-1 3-Major   Brute Force CAPTCHA response page truncates last digit in the support id
727107-4 3-Major   Request Logs are not stored locally due to shmem pipe blockage
803445-3 4-Minor   When adding several mitigation exceptions, the previously configured actions revert to the default action
772473-3 4-Minor   Request reconstruct issue after challenge
761088-1 4-Minor   Remove policy editing restriction in the GUI while auto-detect language is set
695878-2 4-Minor   Signature enforcement issue on specific requests


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
761749-2 2-Critical   Security pages unavailable after switching RT mode on off few times
797785-2 3-Major   AVR reports no ASM-Anomalies data.
792265-3 3-Major   Traffic logs does not include the BIG-IQ tags
773925-2 3-Major   Sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB tables files
765785-3 3-Major   Monpd core upon "bigstart stop monpd" while Real Time reporting is running


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
811145-2 2-Critical   VMware View resources with SAML SSO are not working
797541-1 2-Critical   NTLM Auth may fail when user's information contains SIDS array
784989-2 2-Critical   TMM may crash with panic message: Assertion 'cookie name exists' failed
777173-2 2-Critical   Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error
821369 3-Major   Incomplete Action 'Deny' does not take effect for HTTP-Connect
788417-2 3-Major   Remote Desktop client on macOS may show resource auth token on credentials prompt
787477-2 3-Major   Export fails from partitions with '-' as second character
786173-1 3-Major   UI becomes unresponsive when accessing Access active session information
783817-2 3-Major   UI becomes unresponsive when accessing Access active session information
782569-1 3-Major   SWG limited session limits on SSLO deployments
775621-2 3-Major   urldb memory grows past the expected ~3.5GB
769853-2 3-Major K24241590 Access Profile option to restrict connections from a single client IP is not honored for native RDP resources
756777-1 3-Major   VDI plugin might crash on process shutdown during RDG connections handling
750823-1 3-Major   Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
749161-2 3-Major   Problem sync policy contains non-ASCII characters
746768-4 3-Major   APMD leaks memory if access policy policy contains variable/resource assign policy items
697590-2 3-Major   APM iRule ACCESS::session remove fails outside of Access events
781445-1 4-Minor   Named or dnscached cannot bind to IPv6 address
759579-1 4-Minor   Full Webtop: 'URL Entry' field is available again
756019-1 4-Minor   OAuth JWT Issuer claim requires URI format


Service Provider Fixes

ID Number Severity Solution Article(s) Description
811745-2 3-Major   Failover between clustered DIAMETER devices can cause mirror connections to be disconnected
804313-2 3-Major   MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.
761685-3 3-Major   Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set
750431-1 3-Major   Persistence record is deleted in MRF SIP after updating timeout value with the iRule 'SIP::persist timeout'
748253-1 3-Major   Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
786565-2 4-Minor   MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
800209-1 3-Major   The tmsh recursive list command includes DDoS GUI-specific data info
780837-1 3-Major   Firewall rule list configuration causes config load failure
761234-2 3-Major   Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached
760355 4-Minor   Firewall rule to block ICMP/DHCP from 'required' to 'default'


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
760438-3 3-Major   PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions
759192-3 3-Major   TMM core during display of PEM session under some specific conditions
756311-4 3-Major   High CPU during erroneous deletion
753163-4 3-Major   PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
804185-2 3-Major   Some WebSafe request signatures may not work as expected
783565-2 3-Major   Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP
775013-2 3-Major   TIME EXCEEDED alert has insufficient data for analysis


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
803477-2 3-Major   BaDoS State file load failure when signature protection is off


SSL Orchestrator Fixes

ID Number Severity Solution Article(s) Description
759439-1 2-Critical   Unable to attach default SSL and FTP profiles to virtual server
781313-1 3-Major   AVR dashboard displays incorrect client/server bytes-in/bytes-out stats



Cumulative fixes from BIG-IP v14.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
773649-6 CVE-2019-6656 K23876153 APM Client Logging


Functional Change Fixes

ID Number Severity Solution Article(s) Description
771705-1 3-Major   You may not be able to log into BIG-IP Cloud Edition if FSCK fails
754875-1 3-Major   Enable FIPS 140-2 Level 1 Compliant Mode in PAYG VE images on first boot


TMOS Fixes

ID Number Severity Solution Article(s) Description
808129-1 2-Critical   Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS.


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
753485-1 2-Critical K50285521 AVR global settings are being overridden by high availability (HA) peers


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
757306-3 3-Major   SNMP MIBS for AFM NAT do not yet exist


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
794285 1-Blocking K36191493 BIG-IQ reading AFM configuration fails with status 400



Cumulative fixes from BIG-IP v14.1.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
807477-10 CVE-2019-6650 K04280042 ConfigSync Hardening
797885-2 CVE-2019-6649 K05123525 ConfigSync Hardening
796469-6 CVE-2019-6649 K05123525 ConfigSync Hardening
810557-8 CVE-2019-6649 K05123525 ASM ConfigSync Hardening
809377-6 CVE-2019-6649 K05123525 AFM ConfigSync Hardening
799617-2 CVE-2019-6649 K05123525 ConfigSync Hardening
799589-2 CVE-2019-6649 K05123525 ConfigSync Hardening
794389-6 CVE-2019-6651 K89509323 iControl REST endpoint response inconsistency
794413-2 CVE-2019-6471 K10092301 BIND vulnerability CVE-2019-6471
793937-1 CVE-2019-6664 K03126093 Management Port Hardening


Functional Change Fixes

ID Number Severity Solution Article(s) Description
744937-8 3-Major K00724442 BIG-IP DNS and GTM DNSSEC security exposure


TMOS Fixes

ID Number Severity Solution Article(s) Description
798949-3 3-Major   Config-Sync fails when Config-Sync IP configured to management IP
760622-3 3-Major   Allow Device Certificate renewal from BIG-IP Configuration Utility
760363-1 3-Major   Update Alias Address field with default placeholder text


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
811333-2 3-Major   Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile



Cumulative fixes from BIG-IP v14.1.0.6 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
769361-2 CVE-2019-6630 K33444350 TMM may crash while processing SSLO traffic
767401-1 CVE-2019-6629 K95434410 TMM may crash while processing TLS traffic
759343-6 CVE-2019-6668 K49827114 MacOS Edge Client installer does not follow best security practices
758909-1 CVE-2019-6628 K04730051 TMM may crash will processing PEM traffic
758065-4 CVE-2019-6667 K82781208 TMM may consume excessive resources while processing FIX traffic
757084-2 CVE-2019-6627 K00432398 Bypassing SSL interception in SSL Orchestrator may crash TMM if virtual server is SNAT enabled
757023-2 CVE-2018-5743 K74009656 BIND vulnerability CVE-2018-5743
756538-4 CVE-2019-6645 K15759349 Failure to open data channel for active FTP connections mirrored across an high availability (HA) pair.
754944-1 CVE-2019-6626 K00432398 AVR reporting UI does not follow best practices
754345-2 CVE-2019-6625 K79902360 WebUI does not follow best security practices
754103-1 CVE-2019-6644 K75532331 iRulesLX NodeJS daemon does not follow best security practices
753975-2 CVE-2019-6666 K92411323 TMM may crash while processing HTTP traffic with webacceleration profile
753776-2 CVE-2019-6624 K07127032 TMM may consume excessive resources when processing UDP traffic
748502-1 CVE-2019-6623 K72335002 TMM may crash when processing iSession traffic
737731-6 CVE-2019-6622 K44885536 iControl REST input sanitization
737574-6 CVE-2019-6621 K20541896 iControl REST input sanitization
737565-6 CVE-2019-6620 K20445457 iControl REST input sanitization
726393-2 CVE-2019-6643 K36228121 DHCPRELAY6 can lead to a tmm crash
726327 CVE-2018-12120 K37111863 NodeJS debugger accepts connections from any host
757455-2 CVE-2019-6647 K87920510 Excessive resource consumption when processing REST requests
753796-1 CVE-2019-6640 K40443301 SNMP does not follow best security practices
750460-1 CVE-2019-6639 K61002104 Subscriber management configuration GUI
750298-1 CVE-2019-6638 K67825238 iControl REST may fail while processing requests
750187-1 CVE-2019-6637 K29149494 ASM REST may consume excessive resources
745371-1 CVE-2019-6636 K68151373 AFM GUI does not follow best security practices
745257-1 CVE-2018-14634 K20934447 Linux kernel vulnerability: CVE-2018-14634
742226-6 CVE-2019-6635 K11330536 TMSH platform_check utility does not follow best security practices
710857-5 CVE-2019-6634 K64855220 iControl requests may cause excessive resource usage
702469-7 CVE-2019-6633 K73522927 Appliance mode hardening in scp
673842-6 CVE-2019-6632 K01413496 VCMP does not follow best security practices
773653-6 CVE-2019-6656 K23876153 APM Client Logging
773641-6 CVE-2019-6656 K23876153 APM Client Logging
773637-6 CVE-2019-6656 K23876153 APM Client Logging
773633-6 CVE-2019-6656 K23876153 APM Client Logging
773621-6 CVE-2019-6656 K23876153 APM Client Logging


Functional Change Fixes

ID Number Severity Solution Article(s) Description
749704-2 4-Minor   GTPv2 Serving-Network field with mixed MNC digits


TMOS Fixes

ID Number Severity Solution Article(s) Description
774445-1 1-Blocking K74921042 BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2
789993-1 2-Critical   Failure when upgrading to 15.0.0 with config move and static management-ip.
773677-1 2-Critical K72255850 BIG-IP 14.1.0 system-journald write to /run/log/journal cause SWAP usage increase
769809-4 2-Critical   The vCMP guests 'INOPERATIVE' after upgrade
765801 2-Critical   WCCP service info field corrupted in upgrade to 14.1.0 final
760573-1 2-Critical K00730586 TPM system integrity check may return invalid status when booting into BIG-IP 14.1.0
760508-1 2-Critical K91444000 On systems with multiple versions of BIG-IP in use, the 'invalid' System Integrity Status may persist
760408-3 2-Critical   System Integrity Status: Invalid after BIOS update
760164-1 2-Critical   BIG-IP VE Compression Offload HA action requires modification of db variable
757722-2 2-Critical   Unknown notify message types unsupported in IKEv2
756402-2 2-Critical   Re-transmitted IPsec packets can have garbled contents
756071-3 2-Critical   MCPD crash
755254-1 2-Critical K54339562 Remote auth: PAM_LDAP buffer too small errors
753650-2 2-Critical   The BIG-IP system reports frequent kernel page allocation failures.
750586-2 2-Critical   HSL may incorrectly handle pending TCP connections with elongated handshake time.
743803-1 2-Critical   IKEv2 potential double free of object when async request queueing fails
741503-1 2-Critical   The BIG-IP system fails to load base config file when upgrading with static IPv4
726487-4 2-Critical   MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
648270-1 2-Critical   mcpd can crash if viewing a fast-growing log file through the GUI
766365-1 3-Major   Some trunks created on VE platform stay down even when the trunk's interfaces are up
766329-2 3-Major   SCTP connections do not reflect some SCTP profile settings
765033 3-Major   Upgrades to versions that restrict resource-admin users from accessing bash may fail under certain conditions
760597-1 3-Major   System integrity messages not logged
760594 3-Major   On BIG-IP VE, 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details.
758879 3-Major   BIG-IP VE with ixlv devices does not reliably pass some traffic after hard-boot
748206-1 3-Major   Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position
748187-4 3-Major   'Transaction Not Found' Error on PATCH after Transaction has been Created
746657-1 3-Major   tmsh help for FQDN node or pool member shows incorrect default for fqdn interval
745809-2 3-Major   The /var partition may become 100% full, requiring manual intervention to clear space
740543-1 3-Major   System hostname not display in console
725791-6 3-Major K44895409 Potential HW/HSB issue detected
718405-2 3-Major   RSA signature PAYLOAD_AUTH mismatch with certificates
581921-5 3-Major K22327083 Required files under /etc/ssh are not moved during a UCS restore
754500-2 4-Minor   GUI LTM Policy options disappearing
726317-6 4-Minor   Improved debugging output for mcpd


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
759723-1 2-Critical   Abnormally terminated connections on server side may cause client side streams to stall
758465-1 2-Critical   TMM may crash or iRule processing might be incorrect
756356-2 2-Critical   External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long
753912-4 2-Critical K44385170 UDP flows may not be swept
752930-3 2-Critical   Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
747727-1 2-Critical   HTTP Profile Request Header Insert Tcl error
747239-1 2-Critical   TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection
745533-6 2-Critical   NodeJS Vulnerability: CVE-2016-5325
741048-1 2-Critical   iRule execution order could change after editing the scripts
766293-1 3-Major   Monitor logging fails on v14.1.0.x releases
760550-5 3-Major   Retransmitted TCP packet has FIN bit set
758311-1 3-Major   Policy Compilation may cause MCPD to crash
757985-1 3-Major K79562045 TMM memory leak
757698-1 3-Major   TMM crashes in certain situations of which iRule execution interleaves client side and server side flows
756270-4 3-Major   SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
754985-1 3-Major   Standby mirrored server SSL connections fail, and tmm may crash while processing mirrored TLS traffic
752078-2 3-Major   Header Field Value String Corruption
749414-4 3-Major   Invalid monitor rule instance identifier error
747907-2 3-Major   Persistence records leak while the high availability (HA) mirror connection is down
742078-6 3-Major   Incoming SYNs are dropped and the connection does not time out.
740959-4 3-Major   User with manager rights cannot delete FQDN node on non-Common partition
740345-3 3-Major   TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled.
696755-3 3-Major   HTTP/2 may truncate a response body when served from cache
696735-2 3-Major   TCP ToS Passthrough mode does not work correctly
504522-4 3-Major   Trailing space present after 'tmsh ltm pool members monitor' attribute value
747968-3 4-Minor   DNS64 stats not increasing when requests go through DNS cache resolver


Performance Fixes

ID Number Severity Solution Article(s) Description
777937-3 1-Blocking   AWS ENA: packet drops due to bad checksum


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
759721-2 3-Major K03332436 DNS GUI does not follow best practices
749508-1 3-Major   LDNS and DNSSEC: Various OOM conditions need to be handled properly
749222-1 3-Major   dname compression offset overflow causes bad compression pointer
748902-5 3-Major   Incorrect handling of memory allocations while processing DNSSEC queries
746877-1 3-Major   Omitted check for success of memory allocation for DNSSEC resource record
744707-2 3-Major   Crash related to DNSSEC key rollover
723288-4 3-Major   DNS cache replication between TMMs does not always work for net dns-resolver
748177-1 4-Minor   Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
759360-2 2-Critical   Apply Policy fails due to policy corruption from previously enforced signature
749912-1 2-Critical   [BIG-IQ Integration] Deadlock occurs when adding multiple hostnames with transparent enforcement
723790-3 2-Critical   Idle asm_config_server handlers consumes a lot of memory
765449-1 3-Major   Update availability status may be inaccurate
763001-1 3-Major K70312000 Web-socket enforcement might lead to a false negative
761941-1 3-Major   ASM does not remove CSRT token query parameter before forwarding a request to the backend server
761194-2 3-Major   param data type violation on an Integer parameter, if an integer value is sent via websocket JSON
760878-3 3-Major   Incorrect enforcement of explicit global parameters
759483-1 3-Major   Message about HTTP status code which are set by default disappeared from the UI
758085-1 3-Major   CAPTCHA Custom Response fails when using certain characters
756418-1 3-Major   Live Update does not authenticate remote users
742558-1 3-Major   Request Log export document fails to show some UTF-8 characters
687759-3 3-Major   bd crash
774941-1 4-Minor   GUI misspelling in Bot Defense logging profile
768761-2 4-Minor   Improved accept action description for suggestions to disable signature/enable metacharacter in policy
766357-1 4-Minor   Two simultaneously manual installations can cause live-update inconsistency
765413-1 4-Minor   ASM cluster syncs caused by PB ignored suggestions updates
761921-1 4-Minor   avrd high CPU utilization due to perpetual connection attempts
761553-2 4-Minor   Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic
761549-2 4-Minor   Traffic Learning: Accept and Stage action is shown only in case entity is not in staging
761231-2 4-Minor K79240502 Bot Defense Search Engines getting blocked after configuring DNS correctly
759462-1 4-Minor   Site names and vulnerabilities cannot be retrieved from WhiteHat server
755005-1 4-Minor   Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
750689-3 4-Minor   Request Log: Accept Request button available when not needed
749184-2 4-Minor   Added description of subviolation for the suggestions that enabled/disabled them
747560-5 4-Minor   ASM REST: Unable to download Whitehat vulnerabilities
769061-2 5-Cosmetic   Improved details for learning suggestions to enable violation/sub-violation


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
763349-3 2-Critical   AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out
756205-1 2-Critical   TMSTAT offbox statistics are not continuous
756102-2 2-Critical   TMM can crash with core on ABORT signal due to non-responsive AVR code
771025-3 3-Major   AVR send domain names as an aggregate
764665-2 3-Major   AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change
763005-3 3-Major   Aggregated Domain Names in DNS statistics are shown as random domain name
760356-2 3-Major   Users with Application Security Administrator role cannot delete Scheduled Reports


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
770557-3 2-Critical   Per-Session RADIUS Acct STOP message is forged based on pool route domain, but is sent through default one
769281-1 2-Critical   Per-request Acess Policy may show user interface pages incorrectly i nlanguages other than English
755447-1 2-Critical   SSLO does not deliver content generated/originated from inline device
753370-3 2-Critical   RADIUS auth might not be working as configured when there is change in RADIUS auth config name.
774633-2 3-Major   Memory leak in tmm when session db variables are not cleaned up
774213-1 3-Major   SWG session limits on SSLO deployments
760410-1 3-Major   Connection reset is seen when Category lookup agent is used in per-req policy
760250 3-Major   'Unsupported SSO Method' error when requests sharing the same TCP session
759868-1 3-Major   TMM crash observed while rendering internal pages (like blocked page) for per-request policy
758764-2 3-Major   APMD Core when CRLDP Auth fails to download revoked certificate
758701-1 3-Major   APM fails to handle Remote Desktop Gateway connections from standalone RDP clients after fresh install
757992-3 3-Major   RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup
757360-1 3-Major   Category lookup returns wrong category on subsequent traffic following initial HTTP CONNECT traffic through SSLO
755475-1 3-Major   Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync
755047-1 3-Major   Category lookup returns wrong category on CONNECT traffic through SSLO
754542-2 3-Major   TMM may crash when using RADIUS Accounting agent
752875-2 3-Major   tmm core while using service chaining for SSLO
751807-1 3-Major   SSL Orchestrator may not activate service connectors if traffic is an HTTP tunnel
751424-1 3-Major   HTTP Connect Category Lookup not working properly
749057-1 3-Major   VMware Horizon idle timeout is ignored when connecting via APM
745574-1 3-Major   URL is not removed from custom category when deleted
738430-3 3-Major   APM is not able to do compliance check on iOS devices running F5 Access VPN client
734291-1 3-Major   Logon page modification fails to sync to standby
695985-4 3-Major   Access HUD filter has URL length limit (4096 bytes)
766761-2 4-Minor   Ant-server does not log requests that are excluded from scanning


Service Provider Fixes

ID Number Severity Solution Article(s) Description
766405-2 2-Critical   MRF SIP ALG with SNAT: Fix for potential crash on next-active device
754615-2 2-Critical   Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup.
763157-2 3-Major   MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped
760370-2 3-Major   MRF SIP ALG with SNAT: Next active ingress queue filling
759077-2 3-Major   MRF SIP filter queue sizes not configurable
755630-1 3-Major   MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes
752822-1 3-Major   SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type
751179-1 3-Major   MRF: Race condition may create to many outgoing connections to a peer
746825-1 3-Major   MRF SIP ALG with SNAT: Ephemeral listeners not created for unsubscribed outgoing calls
745947-2 3-Major   Add log events for MRF SIP registration/deregistration and media flow creation/deletion
745590-1 3-Major   SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added
760930-2 4-Minor   MRF SIP ALG with SNAT: Added additional details to log events
747909-5 4-Minor   GTPv2 MEI and Serving-Network fields decoded incorrectly


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
757524 1-Blocking   Data operation attempt on object that has not been loaded
757359-1 2-Critical   pccd crashes when deleting a nested Address List
754805 2-Critical K97981358 Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured
753028-2 3-Major   AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule
756477-2 5-Cosmetic   Drop Redirect tab incorrectly named as 'Redirect Drop'


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
744516-4 2-Critical   TMM panics after a large number of LSN remote picks


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
748121-3 2-Critical   admd livelock under CPU starvation
653573-6 2-Critical   ADMd not cleaning up child rsync processes
756877-1 3-Major   Virtual server created with Guided Configuration is not visible in Grafana


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
752803-1 2-Critical   CLASSIFICATION_DETECTED running reject can lead to a tmm core
752047-1 2-Critical   iRule running reject in CLASSIFICATION_DETECTED event can cause core


SSL Orchestrator Fixes

ID Number Severity Solution Article(s) Description
758818-2 2-Critical   While using explicit or transparent http type service on SSL Orchestrator, TMM cores.
756167-1 3-Major   No URL category data on SSL Orchestrator dashboard and on SSL Orchestrator statistics page after upgrade
748252-2 3-Major   Connection reset seen with SSL bypass on a L2 wire setup



Cumulative fixes from BIG-IP v14.1.0.5 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
755817 3-Major   v14.1.0.5 includes Guided Configuration 4.1
751824-1 3-Major   Restore old 'merge' functionally with new tmsh verb 'replace'


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
663819-1 3-Major   APM NTLM Authentication for RDP Client Gateway and Microsoft Exchange Proxy are incompatible with Microsoft workaround for MS17-010 (Wannacry / Eternalblue)


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
761173-1 2-Critical   tmm crash after extended whitelist modification
751869-2 2-Critical   Possible tmm crash when using manual mode mitigation in DoS Profile
760393 3-Major   GARP is not sent from newly active device after failover for FW NAT policy rule's dest prefixes
750477-1 3-Major   LTM NAT does not forward ICMP traffic
737035-2 3-Major   New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup.


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
757088-1 2-Critical   TMM clock advances and cluster failover happens during webroot db nightly updates
758536 3-Major   Traffic Intelligence IM pkg for 14.1.0 fails to install on base build version 14.1.0.x


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
737558-1 2-Critical   Protocol Inspection user interface elements are active but do not work
774881 3-Major   Protocol Inspection profiles can be added to a virtual server without Protocol Inspection being licensed.


SSL Orchestrator Fixes

ID Number Severity Solution Article(s) Description
760278 2-Critical   F5 SSL Orchestrator may fail to install an RPM software package on BIG-IP systems running point release versions



Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release


Functional Change Fixes

None



Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
745783-1 3-Major   Anti-fraud: remote logging of login attempts


TMOS Fixes

ID Number Severity Solution Article(s) Description
758667-1 2-Critical   BIG-IP VE high availability (HA) actions are not invoked when offload hardware hangs
754541-2 2-Critical   Reconfiguring an iApp that uses a client SSL profile fails
760222 3-Major   SCP fails unexpected when FIPS mode is enabled
725625-1 3-Major   BIG-IP VE Cryptographic Offload updated to Intel QAT 1.7 v4.4.0 SDK



Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
757025-1 CVE-2018-5744 K00040234 BIND Update
756774-6 CVE-2019-6612 K24401914 Aborted DNS queries to a cache may cause a TMM crash
750292-2 CVE-2019-6592 K54167061 TMM may crash when processing TLS traffic
749879-2 CVE-2019-6611 K47527163 Possible interruption while processing VPN traffic
744035-6 CVE-2018-15332 K12130880 APM Client Vulnerability: CVE-2018-15332
757027-1 CVE-2019-6465 K01713115 BIND Update
757026-1 CVE-2018-5745 K25244852 BIND Update
745713-4 CVE-2019-6619 K94563344 TMM may crash when processing HTTP/2 traffic
745387-1 CVE-2019-6618 K07702240 Resource-admin user roles can no longer get bash access
745165-1 CVE-2019-6617 K38941195 Users without Advanced Shell Access are not allowed SFTP access
737910-4 CVE-2019-6609 K18535734 Security hardening on the following platforms
724680-6 CVE-2018-0732 K21665601 OpenSSL Vulnerability: CVE-2018-0732
703835-5 CVE-2019-6616 K82814400 When using SCP into BIG-IP systems, you must specify the target filename
702472-7 CVE-2019-6615 K87659521 Appliance Mode Security Hardening
698376-5 CVE-2019-6614 K46524395 Non-admin users have limited bash commands and can only write to certain directories
713806-8 CVE-2018-0739 K08044291 CVE-2018-0739: OpenSSL Vulnerability
699977-3 CVE-2016-7055 K43570545 CVE-2016-7055: OpenSSL Vulnerability in NodeJS ILX


Functional Change Fixes

ID Number Severity Solution Article(s) Description
755641-1 2-Critical   Unstable asm_config_server after upgrade, 'Event dispatcher aborted'
744685-2 2-Critical   BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension
744188-1 2-Critical   First successful auth iControl REST requests will now be logged in audit and secure log files
739432 3-Major   F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems
738108-1 3-Major   SCTP multi-homing INIT address parameter doesn't include association's primary address


TMOS Fixes

ID Number Severity Solution Article(s) Description
753642-1 2-Critical   iHealth may report false positive for Critical Malware
752835-2 2-Critical K46971044 Mitigate mcpd out of memory error with auto-sync enabled.
750580-1 2-Critical   Installation using image2disk --format may fail after TMOS v14.1.0 is installed
707013-3 2-Critical   vCMP host secondary member's cluster.conf file may replaced by that of vCMP guest
668041-4 2-Critical K27535157 Config load fails when an iRule comment ends with backslash in a config where there is also a policy.
621260-2 2-Critical   mcpd core on iControl REST reference to non-existing pool
753564-1 3-Major   Attempt to change password using /bin/passwd fails
751011-3 3-Major   ihealth.sh script and qkview locking mechanism not working
751009-3 3-Major   Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out
750661 3-Major   URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied.
750447-3 3-Major   GUI VLAN list page loading slowly with 50 records per screen
749382-1 3-Major   Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater
746873-1 3-Major   Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing
745825-1 3-Major   The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading
737536-2 3-Major   Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
721585-1 3-Major   mcpd core processing ltm monitors with deep level of inheritance
639619-7 3-Major   UCS may fail to load due to Master key decryption failure on EEPROM-less systems
751636-1 4-Minor   Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership
737423-2 4-Minor   Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
754143-1 2-Critical K45456231 TCP connection may hang after FIN
747617-2 2-Critical   TMM core when processing invalid timer
742184-3 2-Critical   TMM memory leak
738945-4 2-Critical   SSL persistence does not work when there are multiple handshakes present in a single record
716714-4 2-Critical   OCSP should be configured to avoid TMM crash.
750200-3 3-Major   DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
749294-4 3-Major   TMM cores when query session index is out of boundary
746131-4 3-Major   OpenSSL Vulnerability: CVE-2018-0732
744686-2 3-Major   Wrong certificate can be chosen during SSL handshake
743900-1 3-Major   Custom DIAMETER monitor requests do not have their 'request' flag set
739963-4 3-Major   TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
739349-3 3-Major   LRO segments might be erroneously VLAN-tagged.
724327-2 3-Major   Changes to a cipher rule do not immediately have an effect
720219-3 3-Major K13109068 HSL::log command can fail to pick new pool member if last picked member is 'checking'
717896-4 3-Major   Monitor instances deleted in peer unit after sync
717100-1 3-Major   FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
716167-2 3-Major   The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp
704450-5 3-Major   bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
703593-1 3-Major   TMSH tab completion for adding profiles to virtual servers is not working as expected


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
756094-2 2-Critical   DNS express in restart loop, 'Error writing scratch database' in ltm log


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
752942-1 2-Critical   Live Update cannot be used by Administrator users other than 'admin' and 'root'
750922-1 2-Critical   BD crash when content profile used for login page has no parse parameters set
749136-1 2-Critical   Disk partition /var/log is low on free disk space
748321-1 2-Critical   bd crash with specific scenario
744347-4 2-Critical   Protocol Security logging profiles cause slow ASM upgrade and apply policy
721741-4 2-Critical   BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
754420-1 3-Major   Missing policy name in exported ASM request details
754066-1 3-Major   Newly added Systems are not added as part of installing a Server Technologies update file
753295-1 3-Major   ASM REST: All signatures being returned for policy Signatures regardless of signature sets
750973-1 3-Major   Import XML policy error
750793-2 3-Major   Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition
750686-1 3-Major   ASE user cannot create or modify a bot signature.
750683-1 3-Major   REST Backwards Compatibility: Cannot modify enforcementMode of host-name
750668-1 3-Major   Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition
750666-1 3-Major   Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common'
750356-2 3-Major   Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted
749500-1 3-Major   Improved visibility for Accept on Microservice action in Traffic Learning
749109-3 3-Major   CSRF situation on BIGIP-ASM GUI
748999-3 3-Major   invalid inactivity timeout suggestion for cookies
748848-2 3-Major   Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers
748409-2 3-Major   Illegal parameter violation when json parsing a parameter on a case-insensitive policy
747977-1 3-Major   File manually uploaded information is not synced correctly between blades
747777-3 3-Major   Extractions are learned in manual learning mode
747550-3 3-Major   Error 'This Logout URL already exists!' when updating logout page via GUI
746750-1 3-Major   Search Engine get Device ID challenge when using the predefined profiles
746298-1 3-Major   Server Technologies logos all appear as default icon
745813-1 3-Major   Requests are reported to local log even if only Bot Defense remote log is configured
745624-1 3-Major   Tooltips for OWASP Bot Categories and Anomalies were added
745607-1 3-Major   Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly
745531-2 3-Major   Puffin Browser gets blocked by Bot Defense
742852-1 3-Major   Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header
739945-4 3-Major   JavaScript challenge on POST with 307 breaks application
738676-1 3-Major   Errors when trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests
737866-2 3-Major   Rare condition memory corruption
754365-5 4-Minor   Updated flags for countries that changed their flags since 2010
721724-1 4-Minor   LONG_REQUEST notice print incorrect in BD log


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
746941-2 2-Critical   Memory leak in avrd when BIG-IQ fails to receive stats information
753446-2 3-Major   avrd process crash during shutdown if connected to BIG-IQ
749464-2 3-Major   Race condition while BIG-IQ updates common file
749461-2 3-Major   Race condition while modifying analytics global-settings
745027-2 3-Major   AVR is doing extra activity of DNS data collection even when it should not
744595-3 3-Major   DoS-related reports might not contain some of the activity that took place
744589-3 3-Major   Missing data for Firewall Events Statistics
715110-1 3-Major   AVR should report 'resolutions' in module GtmWideip


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
752592-1 2-Critical   VMware Horizon PCoIP clients may fail to connect shortly after logout
754346-2 3-Major   Access policy was not found while creating configuration snapshot.
746771-3 3-Major   APMD recreates config snapshots for all access profiles every minute
745654-4 3-Major   Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
743437-3 3-Major   Portal Access: Issue with long 'data:' URL


Service Provider Fixes

ID Number Severity Solution Article(s) Description
749603-1 3-Major   MRF SIP ALG: Potential to end wrong call when BYE received
749227-1 3-Major   MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE
748043-2 3-Major   MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP
747187-2 3-Major   SIP falsely detects media flow collision when SDP is in both 183 and 200 response
745715-2 3-Major   MRF SIP ALG now supports reading SDP from a mime multipart payload
745628-1 3-Major   MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
745514-1 3-Major   MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
745404-4 3-Major   MRF SIP ALG does not reparse SDP payload if replaced
744949-1 3-Major   MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix
744275-1 3-Major   BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
742829-1 3-Major   SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
747104-1 1-Blocking K52868493 LibSSH: CVE-2018-10933
752363-2 2-Critical   Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled
749331-3 2-Critical   Global DNS DoS vector does not work in certain cases
747922-3 2-Critical   With AFM enabled, during bootup, there is a small possibility of a tmm crash
748176-1 3-Major   BDoS Signature can wrongly match a DNS packet
748081-1 3-Major   Memory leak in Behavioral DoS module
747926-2 3-Major   Rare TMM restart due to NULL pointer access during AFM ACL logging


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
726647-5 3-Major   PEM content insertion in a compressed response may truncate some data


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
752782-1 3-Major   'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe'
741449-3 4-Minor   alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
738677-1 4-Minor   Configured name of wildcard parameter is not sent in data integrity alerts


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
755378-1 2-Critical   HTTPS connection error from Chrome when BADOS TLS signatures configured
727136-1 3-Major   One dataset contains large number of variations of TLS hello messages on Chrome


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
745733-3 3-Major   TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup



Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
745629 2-Critical   Ordering Symantec and Comodo certificates from BIG-IP
713817-1 3-Major   BIG-IP images are available in Alibaba Cloud
738891-1 4-Minor   TLS 1.3: Server SSL fails to increment key exchange method statistics


TMOS Fixes

ID Number Severity Solution Article(s) Description
746424 2-Critical   Patched Cloud-Init to support AliYun Datasource
745851 3-Major   Changed Default Cloud-Init log level to INFO from DEBUG
742251-1 4-Minor   Add Alibaba Cloud support to Qkview


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
745774-1 3-Major   Creating EC-only client SSL profile for forward-proxy without RSA key certs defined results in invalid profile


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
749774-5 3-Major   EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
749675-5 3-Major   DNS cache resolver may return a malformed truncated response with multiple OPT records

 

Cumulative fix details for BIG-IP v14.1.4.5 that are included in this release

999933-4 : TMM may crash while processing DNS traffic on certain platforms

Component: Local Traffic Manager

Symptoms:
Under certain conditions, hardware systems with a High-Speed Bridge (HSB) may crash while processing DNS traffic.

Conditions:
-DNS profile enabled
-Hardware system (or vCMP guests) with a High-Speed Bridge (HSB)

Impact:
TMM crash leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes DNS traffic as expected.


999097-4 : SSL::profile may select profile with outdated configuration

Component: Local Traffic Manager

Symptoms:
Under some circumstances, an iRule-selected SSL profile may a send previously configured certificate to the peer.

Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.

Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.

Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.

Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.


998729 : Query for virtual address statistics is slow when there are hundreds of virtual address and address lists entries

Component: TMOS

Symptoms:
If there are hundreds of virtual addresses and hundreds of address entries spanning one or more address lists, mcpd might take seconds to reply to a query for virtual address statistics.

One of the more commonly visible signs of this is high CPU usage by mcpd if it's processing a large number of queries for virtual address statistics. It is also likely that snmpd responses will be severely delayed to SNMP agent requests.

Conditions:
-- Hundreds of virtual servers.
-- Hundreds of address entries spanning one or many address lists.
-- Running SNMP queries for virtual address statistics.

Impact:
-- High CPU usage by mcpd.
-- SNMP requests/polling timeouts occur because mcpd takes hundreds of milliseconds to respond.

Note: If the address lists that contain the entries are not used in traffic-matching-criteria (and therefore do not increase the size of the tmstat virtual_address_stat table), mcpd response time is in the tens of milliseconds.

Workaround:
None

Fix:
Improved performance for query for virtual address statistics when there are hundreds of virtual address and address lists entries.


998221-4 : Accessing pool members from configuration utility is slow with large config

Component: TMOS

Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.

Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.

Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second,

Managing pool members from configuration utility is very slow causing performance impact.

Workaround:
None

Fix:
Optimized the GUI query used for retrieving pool members data.


997929-4 : Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic

Component: Local Traffic Manager

Symptoms:
If a virtual server is using a traffic-matching-criteria (TMC) with a destination-inline-port of zero ('any'), and this is later changed (either to a non-zero port value, or to a port-list with non-zero port values) the virtual server stops processing traffic.

If tmm is restarted (which causes an outage) the virtual server resumes accepting traffic using the new ports. In addition, changing the virtual server's port back to 'any' also causes traffic processing to resume.

Conditions:
-- A virtual server using an address list for its destination, and 'any' (zero) for its destination port.

-- Changing the virtual server's destination port to a non-zero value, or to a port-list with non-zero port values.

Impact:
The virtual server stops processing traffic.

Workaround:
To recover, you can do either of the following:

-- Restart tmm:
bigstart restart tmm

-- Change the virtual server's port back to 'any' (0).


997193-2 : TCP connections may fail when AFM global syncookies are in operation.

Component: Local Traffic Manager

Symptoms:
TCP connections are rejected by the BIG-IP system with reset cause "No flow found for ACK".

Conditions:
1) AFM is provisioned.

2) AFM global syncookies are in operation.

3a) The traffic arrives over an APM VPN tunnel, and is handled by one of the internal default APM listeners (not a more specific listener).

-or-

3b) The device is Active for multiple floating traffic-groups, said traffic-groups don't use MAC masquerading, and connection.syncookies.algorithm is set to software.

-or-

3c) The traffic belongs to traffic-group-local-only, and connection.syncookies.algorithm is set to software.

Impact:
Application failures as TCP connections fail.

Workaround:
You can work around this issue as follows.

- For the APM VPN case: define a listener (e.g. virtual server) over the tunnel to process the traffic (instead of relying on one of the default internal APM listeners). Note that the workaround may not work if the device is Active for multiple floating traffic-groups at the same time.

- For the device Active for multiple floating traffic-groups case: use MAC masquerading for all floating traffic-group, or set connection.syncookies.algorithm back to its default of hardware.

- For the traffic-group-local-only case: set connection.syncookies.algorithm back to its default of hardware, or disable AFM global syncookies by turning off the TCP Half-Open attack vector at the device level.

Fix:
TCP connections now establish successfully regardless of syncookies being in operation.


997137-4 : CSRF token removal may allow WAF bypass on GET requests

Component: Application Security Manager

Symptoms:
Under certain conditions the "csrt" parameter is not processed as expected.

Conditions:
1. CSRF feature is configured
2. Request contains a crafted "csrt" parameter

Impact:
Malicious request will bypass signatures and will not raise any attack signature violation

Workaround:
N/A

Fix:
"csrt" parameter is now processed as expected.


996593-3 : Password change through REST or GUI not allowed if the password is expired

Component: TMOS

Symptoms:
When trying to update the expired password through REST or the GUI, the system reports and error:

Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.

Conditions:
-- Password is expired.
-- Password change is done through either REST or the GUI.

Impact:
Expired password cannot be updated through REST or the GUI.

Workaround:
Update password using tmsh:

tmsh modify auth password <username>

Fix:
You can now change an expired password through REST or the GUI.


996381-4 : ASM attack signature may not match as expected

Component: Application Security Manager

Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.

Conditions:
- Attack signature 200000128 enabled.

Impact:
Processed traffic may not match all expected attack signatures

Workaround:
N/A

Fix:
Attack signature 200000128 now matches as expected.


996113-4 : SIP messages with unbalanced escaped quotes in headers are dropped

Component: Service Provider

Symptoms:
Dropped SIP messages.

Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote

Impact:
Certain SIP messages are not being passed via MRF.

Workaround:
None


996001-2 : AVR Inspection Dashboard 'Last Month' does not show all data points

Component: TMOS

Symptoms:
A daily-based report (report with resolution of one day in each data-point) can be provided to only request with up-to 30 days. A request with 31 days shows only 2 entries.

Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.

Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.

Workaround:
None

Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.


995853-3 : Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error.

Component: Global Traffic Manager (DNS)

Symptoms:
Unable to create GLSB Server object with both IPv4 and IPv6 self IPs as device IPs.

Conditions:
-- DNS and LTM services enabled.
-- Configure two self IPs on the box for IPv4 and IPv6.
-- GLSB Server object creation with IPv4 and IPv6 addresses in device tab along with Virtual Server Discovery enable.

Impact:
GSLB Server object creation fails.

Workaround:
TMSH is not impacted. Use TMSH to create GSLB Server objects.

Fix:
GSLB Server object creation no longer fails.


995629-2 : Loading UCS files may hang if ASM is provisioned

Component: TMOS

Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.

Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.

Impact:
-- UCS load might fail.
-- Config save and load operations fail while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.

Workaround:
If you encounter this, run 'load sys config default' to de-provision ASM. The UCS file should then load successfully.

Note: If loading a UCS archive with the 'platform-migrate' argument, then there is no workaround. See: https://cdn.f5.com/product/bugtracker/ID990849.html

Fix:
Loading UCS files no longer hangs if ASM is provisioned.


995433-4 : IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT

Component: Advanced Firewall Manager

Symptoms:
The PPTP log entries for NAT64 traffic have a truncated IPv6 address.

Conditions:
This is encountered when viewing PPTP log entries.

Impact:
IPV6 addresses in PPTP logs are truncated.

Workaround:
None

Fix:
The full IPv6 address is now logged in PPTP logs.


995029 : Configuration is not updated during auto-discovery

Component: Access Policy Manager

Symptoms:
Auto-discovery fails, resulting in OAuth failure. In /var/log/apm:

-- OAuth Client: failed for server '<server>' using 'authorization_code' grant type (<grant type>), error: None of the configured JWK keys match the received JWT token

Conditions:
JSON Web Token (JWT) auto-discovery is enabled via JSON Web Keys (JWK).

Impact:
JWT auto-discovery fails and the configuration is not updated.

Workaround:
Use the GUI to manually retrieve the JWKs by clicking the 'Discovery' button for OpenID URI in 'Access :: Federation : OAuth Client / Resource Server : Provider :: <name of provider>.

Fix:
Fixed an issue with auto-discovery and JWKs.


994985-1 : CGNAT GUI shows blank page when applying SIP profile

Component: Carrier-Grade NAT

Symptoms:
The virtual server properties GUI page shows blank when a SIP profile is applied to the virtual server.

Conditions:
-- Create virtual server and attach a SIP profile.
-- Navigate to virtual server properties page.

Impact:
The virtual server properties page does not display the configuration.

Workaround:
None.

Fix:
The GUI shows virtual server config page with all config values


994801-4 : SCP file transfer system

Component: TMOS

Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.

Conditions:
A user assigned to a role, such as Resource Administrator, without Advanced Shell access can run arbitrary commands SCP file transfer.

Impact:
Users without Advanced Shell access can run SCP file trasnfer commands.

Workaround:
None

Fix:
This issue is fixed. The SCP file transfer system now follows current best practices. Users without Advanced Shell access cannot run SCP file transfer commands.


993913-1 : TMM SIGSEGV core in Message Routing Framework

Component: Service Provider

Symptoms:
TMM crashes on SIGSEGV.

Conditions:
This can occur while passing traffic through the message routing framework.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


993613-4 : Device fails to request full sync

Component: Application Security Manager

Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs

Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.

Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage

Workaround:
Halting asm_config_server on the stuck device restores the working state and request a new sync.


993489-4 : GTM daemon leaks memory when reading GTM link objects

Component: Global Traffic Manager (DNS)

Symptoms:
The gtmd process memory consumption is higher than expected.

Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.

Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.

Workaround:
None


993457-3 : TMM core with ACCESS::policy evaluate iRule

Component: Access Policy Manager

Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.

Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.

Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.


992213-1 : Protocol Any displayed as HOPTOPT in AFM policy view

Component: Advanced Firewall Manager

Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.

Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.

Impact:
GUI shows an incorrect value.

Workaround:
None

Fix:
GUI Shows correct value for rule protocol option.


991037-1 : MR::message can cause tmm crash

Component: Service Provider

Symptoms:
The iRule command MR::message drop can occasionally trigger a memory corruption and tmm crash.

Conditions:
The iRule command MR::message drop is used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


990849-3 : Loading UCS with platform-migrate option hangs and requires exiting from the command

Component: TMOS

Symptoms:
The UCS loading process with platform-migrate stops responding and hangs after printing:

Platform migrate loaded successfully. Saving configuration.

Conditions:
Load UCS with platform-migrate option:
tmsh load sys ucs <ucs_name> platform-migrate

Note: If you are loading a UCS archive created on a system running a different software version that also has an ASM configuration, there are other other aspects to consider. See: https://cdn.f5.com/product/bugtracker/ID995629.html

Impact:
The UCS loading process stops responding, causing the device to be in an INOPERATIVE state.

Workaround:
None.

Fix:
Loading UCS with the platform-migrate option executes smoothly without getting stuck.


990461-2 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade

Component: Advanced Firewall Manager

Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.

Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.

Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.

Workaround:
Manually update the SYN cookie threshold values after an upgrade.


990333-4 : APM may return unexpected content when processing HTTP requests

Solution Article: K75540265


989753-3 : In HA setup, standby fails to establish connection to server

Component: Service Provider

Symptoms:
In a high availability (HA) setup, standby fails to establish a connection to the server with the log message:

err tmm[819]: 01850008:3: MR: Received HA message targeting missing transport-config

Conditions:
In MRF (diameter/SIP) HA setup with connection mirroring enabled.

Impact:
Standby BIG-IP system fails to establish a connection to the server.

Workaround:
None.

Fix:
Standby is now able to establish a connection to the server.


989701-4 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response

Component: TMOS

Symptoms:
A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response allow for local memory corruption and possibly privilege escalation.

Conditions:
Mounting an unauthenticated server can cause this flaw

Impact:
Can cause local memory corruption and possibly privilege escalation.

Workaround:
While there is no known mitigation to this flaw, configuring authentication and only mounting authenticated NFSv4 servers will significantly reduce the risk of this flaw being successfully exploited.

Fix:
Kernel patched to resolve CVE-2020-25212


989637-4 : TMM may crash while processing SSL traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may consume excessive resources while processing SSL traffic

Conditions:
-SSL profile enabled
-Client authentication enabled

Impact:
TMM consumes excessive resources, potentially leading to a crash and failover event.

Workaround:
N/A

Fix:
TMM now processes SSL traffic as expected.


989009-4 : BD daemon may crash while processing WebSocket traffic

Solution Article: K05314769


988549-4 : CVE-2020-29573: glibc vulnerability

Solution Article: K27238230


988533-3 : GRE-encapsulated MPLS packet support

Component: TMOS

Symptoms:
There no facility to accept packets using GRE-encapsulated MPLS. The GUI gives only encapsulation options for IP address (0x0800) and transparent ethernet bridging (0x6558).

Conditions:
This is encountered when attempting to configure BIG-IP systems to handle GRE-encapsulated MPLS.

Impact:
Packets get dropped when they are GRE-encapsulated with MPLS.

Workaround:
None

Fix:
Encapsulated MPLS packets over GRE is now supported in a way similar to IP address and transparent ethernet bridging.


988005-3 : Zero active rules counters in GUI

Component: Advanced Firewall Manager

Symptoms:
When accessing Security :: Network Firewall :: Active Rules in UI, the active rules count is stuck at 0 (zero).

Conditions:
Access the following menu path:
Security :: Network Firewall :: Active Rules

Impact:
Incorrect information on active rules count is seen in the UI.

Workaround:
Disable firewall inline editor.

Fix:
The active rules count column now displays the correct number of times a rule has been hit.


985953-2 : GRE Transparent Ethernet Bridging inner MAC overwrite

Component: TMOS

Symptoms:
Traffic not being collected by virtual server and therefore not being forwarded to the nodes.

Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.

Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.

Workaround:
None

Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.


984765-4 : APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)

Component: Access Policy Manager

Symptoms:
NTLM User logon authentication fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) from the Active Directory (AD) server.

Conditions:
-- Upgrading from legacy versions to BIG-IP v14.1.2 or later.
-- AD servers are updated with latest security patches from Microsoft.

Impact:
NTLM Authentication fails after a week. APM end user client logon (such as Outlook users, Remote Desktop Users, and Browser-based NTLM Auth logons that use BIG-IP APM as forward/reverse proxy) fails, and the service is down.

Workaround:
To resolve the issue temporarily, use either of the following:

-- Reset the NTLM Machine Account with the 'Renew Machine Password' option.

-- Run the command:
bigstart restart nlad

The problem can reappear after a week, so you must repeat these steps each time the issue occurs.


984593-3 : BD crash

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None.


982869-3 : With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0

Component: Service Provider

Symptoms:
Tmm may crash.

Conditions:
This occurs when auto initialization is enabled for one or more Message Routing peers and during CMP transition when tmm_total_active_npus value is 0.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Tmm no longer crashes under these conditions.


981785-2 : Incorrect incident severity in Event Correlation statistics

Component: Application Security Manager

Symptoms:
When reported to AVR, incident severity reads "correlation" instead of "high" or "medium".

Conditions:
Usually happens for the first incident after ASM startup.

Impact:
Incorrect statistics in Event Correlation summary (Incident Severity graph), and also in tmsh analytics report.

Workaround:
Use severity info from the Incidents list.

Fix:
Event Correlation engine was fixed and now incident severity is reported properly to AVR.


981693-2 : TMM may consume excessive resources while processing IPSec ALG traffic

Component: Carrier-Grade NAT

Symptoms:
When processing IPSec ALG traffic, TMM may consume excessive resources.

Conditions:
-- IPsec ALG virtual server with ALG logging profile.
-- IPsec traffic is passed.

Impact:
TMM crash leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes IPSec traffic as expected.


981689-1 : TMM memory leak with IPsec ALG

Component: Carrier-Grade NAT

Symptoms:
TMM crash due to out of memory.

Conditions:
-- IPsec ALG virtual server in BIG-IP passes traffic normally.
-- IPsec ALG connections are aborted. A common cause of IPsec ALG failure is CGNAT translation failures.

Impact:
TMM reaches memory limits. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed a tmm memory leak related to IPsec ALG connections.


981461-3 : Unspecified DNS responses cause TMM crash

Solution Article: K45407662


981385-4 : AVRD does not send HTTP events to BIG-IQ DCD

Component: Application Visibility and Reporting

Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).

Conditions:
This happens under normal operation.

Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.

Workaround:
None.


981169-3 : F5 TMUI XSS vulnerability CVE-2021-22994

Solution Article: K66851119


980821-1 : Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured.

Component: Local Traffic Manager

Symptoms:
Traffic is directed to a virtual server that is configured with port any even though there is a virtual server with a specific port that the traffic should match.

Conditions:
There are two virtual servers configured:
  - One with a specific port and ip-protocol 'any'
  - One with port any and a specific ip-protocol

Impact:
Traffic destined to the port matches the any-port virtual server rather than the specific port virtual server.

Workaround:
Create individual listeners for specific protocols.

For example, given the configuration:
  ltm virtual vs-port80-protoAny {
    destination 10.1.1.1:80
    ip-protocol any
    ...
  }
  ltm virtual vs-portAny-protoTCP {
    destination 10.1.1.1:0
    ip-protocol TCP
    ...
  }

Replace the vs-port80-protoAny with virtual servers configured for the specific protocols desired:
  ltm virtual vs-port80-protoTCP {
    destination 10.1.1.1:80
    ip-protocol TCP
    ...
  }
  ltm virtual vs-port80-protoUDP {
    destination 10.1.1.1:80
    ip-protcol UDP
    ...
  }

Fix:
More specific virtual server now gets more priority than wildcard virtual server to process traffic.


980809-3 : ASM REST Signature Rule Keywords Tool Hardening

Solution Article: K41351250


980325-4 : Chmand core due to memory leak from dossier requests.

Component: TMOS

Symptoms:
Chmand generates a core file when get_dossier is run continuously.

Due to excessive dossier requests, there is a high consumption of memory. The program is terminated with signal SIGSEGV, Segmentation fault.

Conditions:
Repeated/continuous dossier requests during licensing operations.

Impact:
Chmand crashes; potential traffic impact while chmand restarts.

Workaround:
None.


980125-4 : BD Daemon may crash while processing WebSocket traffic

Solution Article: K42051445


978833-3 : Use of CRL-based Certificate Monitoring Causes Memory Leak

Component: Local Traffic Manager

Symptoms:
TMM memory use increases and the aggressive mode sweeper activates.

Conditions:
CRL certificate validator is configured.

Impact:
TMM ssl and ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart.

Workaround:
None.

Fix:
Use of CRL-based certificate monitoring no longer causes memory leak.


978393 : GUI screen shows blank screen while importing a certificate

Component: TMOS

Symptoms:
When you click the import button of an existing certificate, the screen goes blank.

Go to:
1. System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: existing_certificate.crt ::
2. Click the 'Import' button at the bottom of the page.

Conditions:
-- Device is upgraded from 13.1.x to 14.1.x.
-- Attempting to import a certificate that was created prior to the upgrade.

Impact:
You are unable to import from a certificate using the GUI.

Workaround:
There are three workarounds:

-- Use the GUI to download and reimport:
1. Download the cert and key.
2. Delete the cert and key from system.
3. Import it back.


-- Use the GUI to rename and save:
1. Rename the cert and key, removing extensions from the file.
2. Update the config file accordingly. The Import button works successfully.

-- Use tmsh to update the certs.

Fix:
Certificates can now be imported via the GUI after upgrade.


977053-3 : TMM crash on standby due to invalid MR router instance

Component: Service Provider

Symptoms:
In high availability (HA) setup, TMM on the standby device may crash due to an invalid Message Routing (MR) router instance.

Conditions:
-- HA environment.
-- Connection mirroring is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM on the standby device no longer crashes under these conditions.


977005-2 : Network Firewall Policy rules-list showing incorrect 'Any' for source column

Component: Advanced Firewall Manager

Symptoms:
Network Firewall Policy rules-list shows incorrect 'Any' for source column.

Conditions:
- Create a policy under Security :: Network Firewall : Policies.
- Create a rules list with some rules in it.
- Add the rules list to the Policy.
- Verify the GUI shows 'any' under the source column of the root tree of the policy.

Impact:
GUI shows 'Any' extra text under the source column

Workaround:
None

Fix:
The GUI no longer shows extra text


976925-3 : BIG-IP APM VPN vulnerability CVE-2021-23002

Solution Article: K71891773


976505-1 : Rotated restnoded logs will fail logintegrity verification.

Component: TMOS

Symptoms:
On enabling the logintegrity feature, the rotated restnoded logs fail logintegrity verification.

Conditions:
Logintegrity support feature is enabled:

list sys db logintegrity.support
sys db logintegrity.support {
    value "enable"
}

Impact:
Rotated restnoded logs fail logintegrity verification.

Workaround:
None

Fix:
Restnoded logs are now verified successfully by the logintegrity utility.


976501-3 : Failed to establish VPN connection

Component: Access Policy Manager

Symptoms:
VPN client exits with message "Failed to establish VPN connection"

Conditions:
-- Connect to Network Access using web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop
-- Internet Explorer browser

Impact:
Client will be unable to launch the VPN tunnel from the browser.

Workaround:
Clear cache in the browser and retry.
Disable caching in the browser.


976365-1 : Traffic Classification hardening

Component: Traffic Classification Engine

Symptoms:
Traffic Classification IM packages do not follow current best practices.

Conditions:
- Traffic Classification enabled
- IM packages updated by an authenticated administrative user

Impact:
Traffic Classification IM packages do not follow current best practices.

Workaround:
No Workaround

Fix:
Traffic Classification IM packages now follow current best practices.


975809-2 : Rotated restjavad logs fail logintegrity verification.

Component: TMOS

Symptoms:
After enabling the logintegrity feature, the rotated restjavad logs fail logintegrity verification.

Conditions:
Logintegrity support feature is enabled:

list sys db logintegrity.support
sys db logintegrity.support {
    value "enable"
}

Impact:
Rotated restjavad logs fail logintegrity verification.

Workaround:
None

Fix:
Restjavad logs are now verified successfully by the logintegrity utility.


975593-2 : TMM may crash while processing IPSec traffic

Component: Carrier-Grade NAT

Symptoms:
Under certain conditions, TMM may crash while processing IPSec traffic.

Conditions:
-IPSecAGL enabled

Impact:
TMM crash leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes IPSec traffic as expected.


975589-2 : CVE-2020-8277 Node.js vulnerability

Solution Article: K07944249


975233-3 : Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992

Solution Article: K52510511


974881-1 : Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic

Component: Service Provider

Symptoms:
Currently, for diameter, a SNAT iRule can be configured with MR_INGRESS and MR_FAILED events. Certain events can cause tmm to crash.

Conditions:
A SNAT iRule is configured with the events CLIENT_ACCEPTED, DIAMETER_INGRESS and DIAMETER_EGRESS for diameter

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to handling certain events in an iRule.


974341-3 : REST API: File upload

Component: Application Security Manager

Symptoms:
Under certain conditions, the REST API does not process file uploads as expected

Conditions:
- REST API access
- File uploaded

Impact:
File uploads are not processed as expected.

Workaround:
N/A

Fix:
The REST API now handles file uploads as expected


974205-2 : Unconstrained wr_urldbd size causing box to OOM

Component: Traffic Classification Engine

Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.

Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.

Impact:
The device eventually runs out of memory (OOM condition).

Workaround:
Restart the wr_urldbd process:
 restart sys service wr_urldbd

Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.

Added two sys DB variables:

-- wr_urldbd.cloud_cache.log.level

Value Range:
sys db wr_urldbd.cloud_cache.log.level {
    value "debug"
    default-value "none"
    value-range "debug none"
}

-- wr_urldbd.cloud_cache.limit

Value Range:
sys db wr_urldbd.cloud_cache.limit {
    value "5500000"
    default-value "5500000"
    value-range "integer min:5000000 max:10000000"
}

Note: Both these variables are introduced for debugging purpose.


973409-4 : CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference

Solution Article: K42910051


973333-3 : TMM buffer-overflow vulnerability CVE-2021-22991

Solution Article: K56715231


973261-4 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d does not try to open TCP connections if a HTTPS monitor contains a cert/key.
/var/log/gtm shows:

err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.

Conditions:
GTM HTTPS monitor with non-default cert/key.

Impact:
Unable to use HTTPs monitor.


973201 : F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions

Component: TMOS

Symptoms:
Releases prior to BIG-IP 14.1.4 allow the installation of incompatible versions of BIG-IP software and cause the tenant to become unusable in F5OS.

Conditions:
This happens when you upload an incompatible version of BIG-IP software into the F5OS BIG-IP tenant and begins a live upgrade.

Impact:
Tenant is unusable when upgrading to an unsupported F5OS BIG-IP version.

Workaround:
None

Fix:
F5OS BIG-IP v14.1.4 and later prevents installation of an invalid F5OS BIG-IP version.


971297-3 : DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade

Component: Global Traffic Manager (DNS)

Symptoms:
DNSSEC keys which are stored on netHSM type is changed from FIPS external to internal during the upgrade.

Conditions:
-- BIG-IP with a NetHSM license
-- BIG-IP uses external DNSSEC keys stored in the NetHSM
-- The BIG-IP device is upgraded

Impact:
The keys are stored locally following the upgrade.

Workaround:
None.


970829-4 : iSeries LCD incorrectly displays secure mode

Solution Article: K03310534

Component: Device Management

Symptoms:
On iSeries platforms, the LCD continuously displays secure mode and does not respond to user input.

Conditions:
This occurs if the admin password is anything other than the default on iSeries platforms.

Impact:
The LCD does not respond to user input. The LCD continuously displays secure mode. The /var/log/touchscreen_lcd fills up with error messages:

-- err lcdui[1236]: URL: http://127.4.2.1/mgmt/tm/sys/failover, result: 'Host requires authentication' (204), HTTP method 2, status 401.


The restjavad-audit.*.log may contain similar messages

[I][19005][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/shared/identified-devices/config/device-info","status":401,"from":"127.4.2.2"}
[I][19007][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/global-settings","status":401,"from":"127.4.2.2"}
[I][19009][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/failover","status":401,"from":"127.4.2.2"}

Workaround:
None

Fix:
The LCD now functions normally, and no authentication errors appear in the logs.


970329-4 : ASM hardening

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM does not follow current best practices.

Conditions:
- ASM provisioned

Impact:
Attack detection is not triggered as expected

Workaround:
N/A

Fix:
Attack detection is now triggered as expected


969637-3 : Config may fail to load with "FIPS 140 operations not available on this system" after upgrade

Component: Local Traffic Manager

Symptoms:
After upgrade, configuration load fails with a log:
"FIPS 140 operations not available on this system"

Conditions:
-- A small subset of the following BIG-IP platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

Impact:
Configuration load fails and the device does not come online.


969509-3 : Possible memory corruption due to DOS vector reset

Component: Advanced Firewall Manager

Symptoms:
Unpredictable result due to possible memory corruption

Conditions:
DOS vector configuration change

Impact:
Memory corruption

Fix:
Added correct logic to reset DOS vector.


969317-2 : "Restrict to Single Client IP" option is ignored for vmware VDI

Component: Access Policy Manager

Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.

Conditions:
- Configure APM Webtop with vmware VDI.
- Set "Restrict to Single Client IP" option in Access Profile.
- Try to launch vmware desktop on one client. Copy the launch URI
- Try to launch vmware desktop from other client using the copied URI.

Impact:
A connection from the second client is allowed, but it should not be allowed.

Fix:
Restrict to Single Client IP is honored for VMware VDI for both PCOIP and Blast protocols.


969213-2 : VMware: management IP cannot be customized via net.mgmt.addr property

Component: TMOS

Symptoms:
IP addresses provided for VM customization in VMware are ignored. net.mgmt.addr and net.mgmt.gw properties supposed to be used when customization of IP addresses during VM setup is desired. But the addresses are ignored.

Conditions:
VMware only. Happens in any of the ways in which address are supplied via net.mgmt.addr and net.mgmt.gw. See https://clouddocs.f5.com/cloud/public/v1/vmware/vmware_setup.html for scenario where net.mgmt.addr and net.mgmt.gw can be set. VM customization profiles still work properly.

Impact:
Management IP cannot be customized in VMware during the VM setup.


969105-1 : HA failover connections via the management address do not work on vCMP guests running on VIPRION

Component: TMOS

Symptoms:
A high availability (HA) failover connection using the management IP addresses does not work on vCMP guests running on a VIPRION device.

BIG-IP instances running directly on hardware, on Virtual Edition, and as vCMP guests running on an appliance are unaffected.

HA failover connections using self IPs are unaffected.

Conditions:
-- vCMP guest running on a VIPRION device
-- high availability (HA) failover connection using the management IP addresses (unicast and/or multicast)

Impact:
Failover state determination over the management port is permanently down.

Workaround:
While self IP-based high availability (HA) failover connections are not affected by this issue, F5 recommends configuring failover connections over both management IPs and self IPs (as detailed in K37361453: Configuring network failover for redundant VIPRION systems :: https://support.f5.com/csp/article/K37361453).

To mitigate this issue, run the following command on each blade of every guest:
touch /var/run/chmand.pid


The workaround does not survive a reboot, so a more permanent workaround is to edit the file /config/startup and add a line to touch /var/run/chmand.pid.

Add this line to the end of /config/startup:

(sleep 120; touch /var/run/chmand.pid) &

Note: The sleep time of 120 seconds should be tested as it depends on how quickly or slowly the Guest starts up, so the appropriate value for one system may differ from another system.


Alternatively, You can use instructions in K11948: Configuring the BIG-IP system to run commands or scripts upon system startup :: https://support.f5.com/csp/article/K11948 to issue commands at system startup after verification if mcpd is up and ready, e.g.:

#!/bin/bash
source /usr/lib/bigstart/bigip-ready-functions
wait_bigip_ready

# Customized startup command(s) can be added below this line.
touch /var/run/chmand.pid
# Customized startup command(s) should end above this line.

You may also request an Engineering Hotfix from F5.


968733-5 : CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service

Solution Article: K42202505


968641-1 : Fix for zero LACP priority

Component: Local Traffic Manager

Symptoms:
A LACP priority of zero prevents connectivity to Cisco trunks.

Conditions:
LACP priority becomes 0 when system MAC address has 00:00 at the end.

Impact:
BIG-IP may be unable to connect to Cisco trunks.

Workaround:
None.

Fix:
Eliminate LACP priority equal 0


968421-4 : ASM attack signature doesn't matched

Solution Article: K30291321

Component: Application Security Manager

Symptoms:
A specific attack signature doesn't match as expected.

Conditions:
Undisclosed conditions.

Impact:
Attack signature does not match as expected, request is not logged.

Workaround:
N/A

Fix:
Attack signature now matches as expected.


968349-1 : TMM crashes with unspecified message

Solution Article: K19012930


967905-3 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash

Component: TMOS

Symptoms:
Tmm crashes.

Conditions:
-- static bwc
-- virtual to virtual chain

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the static bwc on a virtual chain.

Fix:
Fixed a tmm crash.


967889-2 : Incorrect information for custom signature in DoS Protection:DoS Overview (non-http)

Component: Advanced Firewall Manager

Symptoms:
Custom signature of virtual server shows incorrect attack information.

Conditions:
-- Virtual server has a custom signature
-- An attack is mitigated
-- View the custom signature information via Security :: DoS Protection : DoS Overview (non-HTTP)

Impact:
GUI shows incorrect information for custom signature

Fix:
GUI shows correct information for custom signature


967745-2 : Last resort pool error for the modify command for Wide IP

Component: TMOS

Symptoms:
System reports error for the modify command for Wide IP.

01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.

Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.

Impact:
The object is not modified, and the system reports an error.

Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.

Append the command with last-resort-pool a <pool_name>, for example:

modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test

Fix:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.


966901-3 : CVE-2020-14364: Qemu Vulnerability

Solution Article: K09081535


966701-3 : Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP

Component: Service Provider

Symptoms:
Client connections are aborted when the generic message router profile is used in conjunction with the SCP transport profile.

Conditions:
-- SCTP transport profile
-- MRF generic msg router profile

Impact:
BIG-IP is unable to process the traffic received over the SCTP transport for MRF generic message routing

Fix:
Enable the return type in generic msg filter when data received over SCTP transport


966681-2 : NAT translation failures while using SP-DAG in a multi-blade chassis

Component: Carrier-Grade NAT

Symptoms:
NAT translation fails

Conditions:
-- VIPRION multi-blade chassis
-- Configure AFM NAT/CGNAT and attach the AFM NAT Policy / lsnpool to the virtual server
-- Configure sp-dag on the vlans

Impact:
Traffic failure, performance degraded

Workaround:
Change the DB variable tm.lsn.retries to the maximum value of 4096

Fix:
Increase the number of attempts in selecting local translation IP (an IP when used makes the return packet to land on the same TMM where the NAT selection is happening). This can be controlled with DB variable tm.lsn.retries. The actual attempts is 16 times the value set in this db variable.


966277-3 : BFD down on multi-blade system

Component: TMOS

Symptoms:
After a secondary blade reboots in a multi-blade system, bi-directional forwarding detection (BFD) stops functioning.

Conditions:
-- Multi-blade VIPRION environment
-- BFD enabled
-- A secondary blade reboots

Impact:
BFD flaps on the secondary blade that was rebooted. The BFD session flap clears the routes on the peer.


965617-1 : HSB mitigation is not applied on BDoS signature with stress-based mitigation mode

Component: Advanced Firewall Manager

Symptoms:
BDoS signature attacks are mitigated in software rather than via HSB

Conditions:
Dynamic or custom signature in stress-based mitigation mode on appliance with HSB support

Impact:
More resources loading during DDoS attack

Fix:
Correct free spot search with offloading to HSB


965581 : Statistics are not reported to BIG-IQ

Component: Application Visibility and Reporting

Symptoms:
After a BIG-IP system is attached to BIG-IQ, there are no statistics reported. The 'avrd' process periodically fails with a core on the BIG-IP system.

Conditions:
A BIG-IP system is attached to BIG-IQ.

Impact:
No statistics collected.

Fix:
The avrd process no longer fails, and statistics are collected as expected.


965537 : SSL filter does not re-initialize when OCSP validator is modified

Component: Local Traffic Manager

Symptoms:
The client SSL or server SSL profile can specify an OCSP object for client or server certificate status validation.
After modifying the DNS resolver of the OCSP object, the new nameserver is never picked up. In other words, an incorrect OCSP responder will be contacted.

Conditions:
OCSP object is configured in Client Certificate Constrained Delegation (C3D) client SSL or in server SSL and is later modified.

Impact:
The incorrect (or the original) OCSP responder is contacted to get the peer certificate revocation status.

Workaround:
None

Fix:
When an OCSP validator is modified, the system now reloads the SSL profile to pick up the new DNS resolver.


965485-2 : CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL

Solution Article: K41523201


965229-3 : ASM Load hangs after upgrade

Component: Application Security Manager

Symptoms:
ASM upgrade hangs, and you see the following in
var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------

In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
 info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
 info tsconfig.pl[24675]: ASM initial configration script launched
 info tsconfig.pl[24675]: ASM initial configration script finished
 info asm_start[25365]: ASM config loaded
 err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------

Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade

Impact:
ASM post upgrade config load hangs and there are no logs or errors

Workaround:
None


965205-3 : BIG-IP dashboard downloads unused widgets

Component: TMOS

Symptoms:
The BIG-IP dashboard page downloads all widgets, even widgets that are not visible on the dashboard.

Conditions:
This occurs when viewing the BIG-IP dashboard.

Impact:
Slower-than-necessary GUI response, and the dashboard shows higher-than-necessary CPU utilization.

Workaround:
None.


964897-4 : Live Update - Indication of "Update Available" when there is no available update

Component: Application Security Manager

Symptoms:
Live Update notifies you that an update is available even though there is no available update.

Conditions:
The latest file is installed but not present on the system and the second-latest file has an 'error' status

Impact:
Live Update erroneously indicates that an update is available.

Workaround:
1. upload the latest file that is not present on the system with scp to '/var/lib/hsqldb/live-update/update-files/'
2. restart 'tomcat' service:
> bigstart restart tomcat

Fix:
Fixed an issue with Live Update notification.


964585-4 : "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update

Component: Protocol Inspection

Symptoms:
- Protocol Inspection autoupdate logs "Non OK return code (400) received from API call" when the F5 download site does not contain Protocol Inspection Update container for the BIG-IP version.

Conditions:
- Protocol Inspection auto update is enabled.
- The BIG-IP version does not have the ProtocolInspection container in the relevant download section on F5 downloads.

Impact:
- The error message does not accurately explain the cause of the problem.

Workaround:
None.

Fix:
- More context is added to the log message when Protocol Inspection file is not present on the downloads site.


964577-1 : IPS automatic IM download not working as expected

Component: Protocol Inspection

Symptoms:
IPS automatic download of IM packages from the F5 Downloads site does not complete as expected.

IPS automatic IM download considers the BIG-IP software major and minor version numbers.

However, the IPS library is dependent only on major version numbers. The site should constrain IM package download only to those that are compatible with the major version.

Conditions:
Auto download of IM package for IPS.

Impact:
New minor releases, such as BIG-IP v15.1.1 and later, cannot download IPS IM packages.

Workaround:
Manually download the IM package and upload it onto the BIG-IP system.

Fix:
Minor releases of BIG-IP software can now automatically download the IM package without issue.


964245-3 : ASM reports and enforces username always

Component: Application Security Manager

Symptoms:
When session tracking is enabled and configured to enforce usernames for a specific list of login URLs, the username which arrives in an Authorization header is being enforced even if the request to the URL with the Authorization is not configured at all as a login URL.

Conditions:
Session tracking is enabled for login URLs with the Username Threshold set to 1.

Impact:
Username from the Authorization appears with status = BLOCK-ALL in the session tracking status list, even though session tracking is not configured for that URL.

Workaround:
None

Fix:
Username from the Authorization not appearing with status = BLOCK-ALL in session tracking status list.


963705-2 : Proxy ssl server response not forwarded

Component: Local Traffic Manager

Symptoms:
A server response may not be forwarded after TLS renegotiation.

Conditions:
-- Proxy ssl enabled
-- A server renegotiation occurs

Impact:
Server response may not be not forwarded

Fix:
Proxy ssl will now forward server response after renegotiation


963237-1 : Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector.

Component: Advanced Firewall Manager

Symptoms:
When a client sends a DNS request to a NON EDNS capable server, the server may send a legitimate response with RCODE FORMERR and no DNS data. The MALFORM DNS vector blocks those requests.

Conditions:
-- The client sends a DNS request to NON EDNS capable server
-- The server replies with RCODE FORMERR and no DNS data.

Impact:
AFM erroneously detects an attack and mitigates it, and the client does not get a responses from the EDNS server

Workaround:
Disable DNS MALFORM vector mitigation or put the EDNS server in allow list.


963017-3 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed

Component: TMOS

Symptoms:
Upon booting a BIG-IP hardware system running an Engineering Hotfix version of BIG-IP v14.1.0 or later, messages of the following form may be logged in the LTM log file (/var/log/ltm):

err tpm-status[####]: System Integrity Status: Invalid
info tpm-status-check[####]: System Integrity Status: Invalid

In addition, a message similar to the following may appear on the serial console while the system is booting:

[ ###.######] tpm-status-check[####]: Checking System Integrity Status
[ ###.######] tpm-status-check[####]: sh: /bin/rpm: Permission denied
[ ###.######] tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid

Similar messages appear when viewing the status of the tpm-status-check service via the systemctl utility:

# systemctl -l status tpm-status-check.service
* tpm-status-check.service - F5 Trusted Platform Module
   Loaded: loaded (/usr/lib/systemd/system/tpm-status-check.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since <...>
 Main PID: #### (code=exited, status=1/FAILURE)

<...> tpm-status-check[####]: Checking System Integrity Status
<...> tpm-status-check[####]: sh: /bin/rpm: Permission denied
<...> tpm-status[####]: TPM Status Version 15.1.1.0.6.6
<...> tpm-status[####]: TMOS BIG-IP 15.1.1-0.0.6.0
<...> tpm-status[####]: BIOS 0614 v3.10.032.0
<...> tpm-status[####]: BIOS SIRR 2019-05-30_08-46-02
<...> tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
<...> systemd[1]: tpm-status-check.service: main process exited, code=exited, status=1/FAILURE
<...> systemd[1]: Unit tpm-status-check.service entered failed state.
<...> systemd[1]: tpm-status-check.service failed.


However, checking the System Integrity Status using the 'tpm-status' or 'tmsh run sys integrity status-check' command shows 'System Integrity Status: Valid'.

Conditions:
This may occur under the following conditions:

-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
   - ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
   - ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
-- Using hardware platforms that include a Trusted Platform Module (TPM), including:
   - BIG-IP i2000, i4000, i5000, i7000, i10000, i11000, i15000 Series appliances
   - VIPRION B4450 blades

Impact:
The tpm-status-check service inaccurately indicates that the System Integrity Status is not Valid.

This is incorrect, and conflicts with the accurate System Integrity Status provided by the 'tpm-status' utility and 'tmsh run sys integrity status-check' command.

Workaround:
To observe the correct System Integrity Status, do either of the following:
-- Use the 'tpm-status' utility.
-- Run the command:
tmsh run sys integrity status-check

Fix:
This incorrect status reporting has been corrected.


962589-1 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion

Component: Application Security Manager

Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and in the event of repeated instances in quick succession could fill the /var partition

Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.

Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.


962497-4 : BD crash after ICAP response

Component: Application Security Manager

Symptoms:
BD crash when checking ICAP job after ICAP response

Conditions:
BD is used with ICAP feature

Impact:
Traffic disrupted while BD restarts.

Workaround:
N/A


962433-3 : HTTP::retry for a HEAD request fails to create new connection

Component: Local Traffic Manager

Symptoms:
In case of a HEAD request, BIG-IP fails to set up a new connection to the server with the HTTP::retry iRule.

Conditions:
1.) Basic HTTP profile is configured on BIG-IP
2.) BIG-IP sends the HEAD request to the server and gets error response
3.) iRule with HTTP::retry is configured
4.) The system is using the default (non-debug) TMM version

Impact:
BIG-IP might send the retry HEAD request after the connection is closed, more specifically after the server has sent a FIN, the retry is leaked on the network.


962341-4 : BD crash while processing JSON content

Solution Article: K00602225


962177-3 : Results of POLICY::names and POLICY::rules commands may be incorrect

Component: Local Traffic Manager

Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules returns incorrect results.

Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.

Impact:
Traffic processing may not provide expected results.

Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over a same connection.


962069-1 : Excessive resource consumption while processing OSCP requests via APM

Solution Article: K79428827


960749-3 : TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes, dumps a core file, and restarts.

Conditions:
-- The configuration includes one or more 'DNS Cache' or 'Network DNS Resolver' objects.

-- The DNS Cache or Network DNS Resolver objects receive traffic.

Impact:
Traffic disrupted while tmm restarts. A redundant unit will fail over.

Fix:
TMM no longer crashes when 'DNS Cache' or 'Network DNS Resolver' objects handle traffic.


960437-3 : The BIG-IP system may initially fail to resolve some DNS queries

Component: Global Traffic Manager (DNS)

Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.

Subsequent queries for the same domain name, however, work as expected.

Only some domain names are affected.

Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.

- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).

- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.

Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure is returned to the client.

In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.

For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.

Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.

1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6'
4, Select Update.

You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.

Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.


960369-3 : Negative value suggested in Traffic Learning as max value

Component: Application Security Manager

Symptoms:
Negative value suggested in Traffic Learning as max value

Conditions:
A huge parameter value is seen in traffic

Impact:
Wrong learning suggestion issued

Workaround:
Manually change maximum allowed value on the parameter to ANY

Fix:
After fix correct suggestion is issued - suggest to change maximum parameter value to ANY


959889-1 : Cannot update firewall rule with ip-protocol property as 'any'

Component: TMOS

Symptoms:
Cannot update the firewall rule with 'any' value as the ip-protocol from the BIG-IP system GUI.

Conditions:
-- Create a rule and set protocol to TCP or UDP
-- From the GUI, change the protocol to "Any" and update

Impact:
Cannot update the firewall rule from GUI.

Fix:
The GUI now allows updating firewall rules with 'any' as an ip-protocal.


959629-3 : Logintegrity script for restjavad/restnoded fails

Component: TMOS

Symptoms:
The logintegrity script used to rotate the signature files for restnoded results in frequent cron errors similar to:

find: '14232restnoded_log_pattern': No such file or directory.

Conditions:
When the logintegrity script runs.

Impact:
If the logintegrity script runs, the signature files for restnoded will not be in sync.

Workaround:
Modify the script file /usr/bin/rest_logintegrity:

1. mount -o remount,rw /usr

2. cp /usr/bin/rest_logintegrity /usr/bin/rest_logintegrity_original

3. vi /usr/bin/rest_logintegrity

4. Replace the following lines:
restnoded_log_pattern=/var/log/restnoded/restnoded.[1-9]*.log
restjavad_log_pattern=/var/log/restjavad*.[1-9]*.log

With the lines:
restjavad_log_pattern=/var/log/restjavad*[1-9]*.log
restnoded_log_pattern=/var/log/restnoded/restnoded[1-9]*.log

5. Replace the line:
wc_restnoded=$(find $$restnoded_log_pattern -cnewer $filename | wc -l)

With the line:
wc_restnoded=$(find $restnoded_log_pattern -cnewer $filename | wc -l)

6. mount -o remount,ro /usr

Fix:
When logintegrity is enabled, signature files for restnoded log files are now generated and rotated.


959121-2 : Not following best practices in Guided Configuration Bundle Install worker

Solution Article: K74151369


958465-3 : in BIG-IP Virtual Edition, TMM may prematurely shut down during initialization

Component: TMOS

Symptoms:
TMM may prematurely shut down during its initialization when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):

MCP connection aborted, exiting.

Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more 20 in most cases) and several interfaces (approximately 8 or more).

Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.

Workaround:
None.

Fix:
A new TCL configuration element was added: "max_poll_pre_rfw", with a default value of 4, to modulate the function of "max_poll" in TMMs which are not yet Ready-For-World.

The value of "max_poll_pre_rfw" can be configured in the "tmm_base.tcl" file.


958353-3 : Restarting the mcpd messaging service renders the PAYG VE license invalid.

Component: TMOS

Symptoms:
Upon mcpd service restart, the pay as you grow Virtual Edition license becomes invalid.

Conditions:
Restarting the mcpd messaging service.

Impact:
The license becomes expired. A message is displayed in the console:

mcpd[5122]: 01070608:0: License is not operational (expired or digital signature does not match contents).

Workaround:
If you cannot avoid restarting the mcpd messaging service, then you must issue the reloadlic command, or reboot the BIG-IP (using your preferred method).

Fix:
Fixed an issue with pay as you grow licenses following a mcpd restart.


958093-2 : IPv6 routes missing after BGP graceful restart

Component: TMOS

Symptoms:
When BGP graceful restart is configured for peers in IPv4 unicast and IPv6 unicast address families, after graceful restart for both IPv4 and Ipv6 address families, routes from IPv6 unicast address family might be missing.

Conditions:
- Different BGP peers configured in IPv4 unicast and IPv6 unicast address families.
- BGP graceful restart happens for both IPv4 unicast and IPv6 unicast.

Impact:
Routes from IPv6 peers are missing. They are also not present in the RIB.


958085-2 : IM installation fails with error: Spec file not found

Component: Traffic Classification Engine

Symptoms:
IM installation fails with an error message:

ERROR Error during switching: Spec file not found

Conditions:
This can occur when deleting an IM file that is actively installing on one volume, and the BIG-IP system is booted from another volume.

Impact:
Upgrading/Downgrading to another IM does not work until you install a new BIG-IP image on the same disk.

Workaround:
None.

Fix:
During the init process, the system now installs FactoryDefaults if the active IM file is not found on disk.


957337-4 : Tab complete in 'mgmt' tree is broken

Component: TMOS

Symptoms:
TMSH Command: "list mgmt shared <tab>" does not display the tab complete option. You may see an error:

(tmos)# list mgmt shared echo *tab*
Unexpected Error: "Object contains no "method" child value"

Conditions:
When mgmt is used in a tmsh command and you attempt to tab complete

Impact:
You are unable to configure objects in mgmt.

This issue also prevents users with the admin role from accessing the following REST endpoints:

shared/authz/users
shared/echo-js

The error returned was HTTP/1.1 401 F5 Authorization Required

Fix:
Fixed an issue with tab completion for certain commands in the 'mgmt' tree.


956645-1 : Per-request policy execution may timeout.

Component: Access Policy Manager

Symptoms:
When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired.

Conditions:
Multiple connections are accessing the same subsession, triggering subsession lock contention.

Impact:
Some clients will fail to connect to their destination.

Workaround:
Add criteria to the gating criteria to enable more fine-grained subroutines to reduce subsession contention. For example, add category, or application name, to the gating criteria. In the case of API protection, consider concatenating credentials with the resource hostname (plus port).

Increase the per-request policy execution timeout value, controlled by the variable tmm.access.prp_global_timeout, to a higher value.

Fix:
Subesssion lock contention wait time is reduced. Clients will not fail to connect due to subsession lock contention.


956373-3 : ASM sync files not cleaned up immediately after processing

Component: Application Security Manager

Symptoms:
Some ASM sync files remain on disk after config sync finishes. They remain until periodic clean-up tasks activate

Conditions:
-- ASM provisioned
-- BIG-IP devices are in a sync group
-- Relatively small "/var" partition

Impact:
If the files are large it may lead to "lack of disk space" problem.


956293-1 : High CPU from analytics-related REST calls - Dashboard TMUI

Component: TMOS

Symptoms:
When opening the GUI > Main > Statistics > Dashboard - the control plane CPU usage is around 7-15% on a completely empty system and Java consumes 3-5% CPU.

Conditions:
Leaving UI dashboard page left open.

Impact:
System performance is impacted if the dashboard page is kept open.


956133-4 : MAC address might be displayed as 'none' after upgrading

Component: Local Traffic Manager

Symptoms:
The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading.

Conditions:
1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface.
2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0

Impact:
Traffic disrupted when the MAC address is set to 'none'

Workaround:
None.


956013 : System reports{{validation_errors}}

Component: Policy Enforcement Manager

Symptoms:
A {{validation_errors}} at Subscriber Management :: Control Plane Listeners and Data Plane Listeners with ipv6 addresses

Conditions:
Specifying an IPv6 address in the expression in Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners.

Impact:
Cannot access the BIG-IP GUI through IPv6 address from any web browser. Admin/User cannot enter input through GUI.

Workaround:
None.


955145-3 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Solution Article: K03009991


955017-4 : Excessive CPU consumption by asm_config_event_handler

Component: Application Security Manager

Symptoms:
Asm_config_event_handler is consuming a lot of CPU while processing signatures after sync

Conditions:
This is encountered during a UCS load, or by a high availability (HA) configuration sync.

Impact:
Asm_config_server_rpc_handler.pl consumes excessive CPU and takes an exceedingly long time to complete.

Workaround:
Disable the signature staging action item for all policies.


954429-3 : User authorization changes for live update

Solution Article: K23203045


954425-3 : Hardening of Live-Update

Component: Application Security Manager

Symptoms:
Under certain conditions, the Live-Update process does not follow current best practices.

Conditions:
- Live-Update in use
- Specially-crafted update files

Impact:
The Live-Update process does not follow current best practices.

Workaround:
N/A

Fix:
The Live-Update process now follows current best practices.


954381-3 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Solution Article: K03009991


954025 : "switchboot -b HD1.1" fails to reboot chassis

Component: TMOS

Symptoms:
Changing the default boot image with "switchboot -b HD1.1" fails to reboot the chassis.

Conditions:
-- Install 14.1.x-tmos-bugs 14.1.2.8 Build 434.0 on HD1.2 of a chassis with two blades and boot to HD1.2 .
-- Execute switchboot -b HD1.1

Impact:
Switchboot command does not work and you are unable to change the default boot image.

Fix:
You can now change the default boot image.


953845-4 : After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart

Component: Local Traffic Manager

Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.

This can occur when using administrative commands such as:
   -- tmsh run util fips-util init
   -- fipsutil init
   -- tmsh run util fips-util loginreset -r
   -- fipsutil loginreset -r

Conditions:
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F
  + vCMP guest on i5820-DF / i7820-DF
  + vCMP guest on 10350v-F

Impact:
BIG-IP is unable to communicate with the onboard HSM.

Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.

Immediately before doing this:

-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:

    sys fipsuser f5cu {
        password $M$Et$b3R0ZXJzCg==
    }

Fix:
Fixed an issue with re-initializing the onboard FIPS HSM.


953729-3 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990

Solution Article: K56142644 K45056101


953677-3 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Solution Article: K18132488 K70031188


952557-1 : Azure B2C Provider OAuth URLs are updated for B2Clogin.com

Component: Access Policy Manager

Symptoms:
Microsoft has deprecated login.microsoftonline.com OAuth Azure Active Directory B2C (Azure AD B2C) URLs. The OAuth Provider templates are updated to support the newer URLs B2Clogin.com.

Conditions:
Azure AD B2C Provider may be non functional if URLs are using logic.microsoftonline.com.

Impact:
Older AD B2C URLs using login.microsoftonline.com may not be functional.

Workaround:
Update existing URLs when creating OAuth B2C providers to use B2Clogin.com.

For more information, see Azure Active Directory B2C is deprecating login.microsoftonline.com :: https://azure.microsoft.com/en-us/updates/b2c-deprecate-msol/.

Fix:
Azure B2C Provider OAuth URLs have been updated to use B2Clogin.com.


952545-3 : 'Current Sessions' statistics of HTTP2 pool may be incorrect

Component: Service Provider

Symptoms:
In HTTP2 full proxy deployment, the LTM pool 'cur_sessions' statistics may show an unusually large number, such as 18446743927680663552

Conditions:
-- HTTP2 full proxy deployment
-- A client sends multiple requests over multiple streams

Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue and it can underflow.

Workaround:
None.

Fix:
'Current Sessions' statistics of HTTP2 pool reports correctly.


952509-1 : Cross origin AJAX requests are blocked in case there is no Origin header

Component: Application Security Manager

Symptoms:
When using Single Page Application, if a CORS request is sent without an Origin, the "Access-Control-Allowed-Origin" header is not set and the request is blocked.

Conditions:
-- ASM policy / DoS (with application) profile / Bot Defense Profile are attached to VS, with a "Single Page Application" flag enabled.
-- Client is using dosl7.allowed_origin option
-- CORS Request is sent without an Origin header.

Impact:
Request is blocked.

Workaround:
Use an iRule to add the Origin header according to the domain in the Referrer header.

Fix:
Check referrer header also when modifying CORS headers.


951705-3 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Solution Article: K03009991


951133-1 : Live Update does not work properly after upgrade

Component: Application Security Manager

Symptoms:
After upgrading BIG-IP version the Live Update "Check for Update" button does not respond.

Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update

Impact:
Live Update can't query for new updates.

Workaround:
Restart tomcat process:
> bigstart restart tomcat


951033-2 : Virtual server resets all the connections for rstcause 'VIP disabled (administrative)'

Component: Local Traffic Manager

Symptoms:
Virtual server resets all the connections for rstcause 'VIP disabled (administrative)', after all the conditions are met.

Once it happens, the virtual server starts resetting all the incoming connections for rstcause 'VIP disabled (administrative)'. This continues even after the connection limit is deactivated.

Conditions:
-- There is at least one pool member that is DISABLED.
-- Other pool members have a connection limit configured.
-- A configuration change occurs while the connection limit is activated, and the change lowers the connection limit value, for example, the value is changed from 10 to 5.

Impact:
A virtual server continues resetting new connections.

Workaround:
Use Forced offline instead of disabled to prevent this issue.

Fix:
The BIG-IP system no longer continually resets new connections when the connection limit is lowered while it is being enforced.


950917-2 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034

Component: Application Security Manager

Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:

01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )

Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.

Impact:
Apply policy fails.

Workaround:
You can use any of the following workarounds:

-- Install an older signature update -SignatureFile_20200917_175034

-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.

-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------


950849-2 : B4450N blades report page allocation failure.

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures on B4450N blades to the /var/log/kern.log file like the following:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This occurs on B4450N blades regardless of configuration.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You must perform the workaround on each blade installed in the system.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands:

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID950849' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID950849' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

Fix:
The BIG-IP system no longer experiences kernel page allocation failures on B4450 (A114) blades.


950077-3 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Solution Article: K18132488 K70031188


950017-3 : TMM may crash while processing SCTP traffic

Solution Article: K94941221


949933-2 : BIG-IP APM CTU vulnerability CVE-2021-22980

Solution Article: K29282483


949889-2 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()

Solution Article: K04107324


949593-2 : Unable to load config if AVR widgets were created under '[All]' partition

Component: Application Visibility and Reporting

Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.

Conditions:
This occurs if one or more AVR widgets in the configuration was created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.

Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.

Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':

# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config

This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.

Fix:
It is possible to successfully upgrade from or load a configuration containing one or more AVR widgets created under the read-only '\[All]' pseudo-partition or under other not existing partitions. With the current fix all partitions are changed to "Common" during upgrade.


949477-2 : NTLM RPC exception: Failed to verify checksum of the packet

Component: Access Policy Manager

Symptoms:
NTLM authentication fails with the error:

RPC exception: Failed to verify checksum of the packet.

Conditions:
-- Start nlad process with 'encryption'.
-- Configure a user, and map that user to a huge number of groups.
-- Configure NTLM front-end authentication.

Impact:
User authentication fails.

Workaround:
1. Run the 'nlad' process with '-encrypt no' in the file /etc/bigstart/startup/nlad.

2. Disable encryption for nlad:
   # vim /etc/bigstart/startup/nlad

   change:
   exec /usr/bin/${service} -use-log-tag 01620000

   to:
   exec /usr/bin/${service} -use-log-tag 01620000 -encrypt no

3. Restart nlad to make the change effective, and to force the schannel to be re-established:
   # bigstart restart nlad


949145-4 : Improve TCP's response to partial ACKs during loss recovery

Component: Local Traffic Manager

Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.

Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.

Impact:
The bursty retransmissions may lead to more data getting lost due to large amount of data being injected into the network.

Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.

Fix:
Partial ACK handling during loss recovery is improved.


948805-3 : False positive "Null in Request"

Component: Application Security Manager

Symptoms:
A false positive violation "Null in Request" is thrown erroneously.

Conditions:
-- BIG-IP receives a query string in the "Referrer" header

Impact:
False positive violation "Null in Request" is thrown

Workaround:
None

Fix:
Fixed a false positive violation.


948769-4 : TMM panic with SCTP traffic

Solution Article: K05300051


948757-3 : A snat-translation address responds to ARP requests but not to ICMP ECHO requests.

Component: Local Traffic Manager

Symptoms:
A snat-translation address with ARP enabled responds to ARP requests but not ICMP ECHO requests.

Conditions:
A snat-translation address is configured with ARP enabled.

Impact:
Application traffic should not be impacted, as external hosts trying to resolve the snat-translation and return traffic to it should still be able to do so; however, ping is an important network troubleshooting tool, and not being able to ping the address may create confusion.

Workaround:
None.

Fix:
A snat-translation now correctly responds to both ARP requests and ICMP ECHO requests.


948573-2 : Wr_urldbd list of valid TLDs needs to be updated

Component: Traffic Classification Engine

Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.

Conditions:
New TLD is being queried

Impact:
The URL query with new TLDs can not be blocked with custom feed list.
Custom, Webroot, and Cloud returns Unknown category.

Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.


948113-4 : User-defined report scheduling fails

Component: Application Visibility and Reporting

Symptoms:
A scheduled report fails to be sent.

An error message with the following format may appear on /var/log/avr/monpd.log file (some parts of the error message were replaced with '.....' in here to leave only the common parts):
     DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
 Because : Unknown column ....... in 'order clause'

Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report

Impact:
Internal error for AVR report for ASM pre-defined.

Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr

Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});

The above can be achieved with the following script-line (please first backup the Client.pm file and then verify it changed it correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm

Lastly, remount /usr back to read-only:
mount -o remount,ro /usr

Fix:
Using 'sort-by' measure when building PDF (instead of the first value on measure-list)


947925-4 : TMM may crash when executing L7 Protocol Lookup per-request policy agent

Component: SSL Orchestrator

Symptoms:
TMM may crash when executing the L7 Protocol Lookup per-request policy agent.

Conditions:
-- APM or SSL Orchestrator is licensed and provisioned.
-- L7 Protocol Lookup agent is included in the per-request policy for APM/SWG use cases.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM does not crash anymore when executing the L7 Protocol Lookup agent in the per-request policy.


947865-3 : Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read

Component: TMOS

Symptoms:
Pam-authenticator cores. There is a log message in /var/log/user/log:

err pam-authenticator: tac_author_read: short author header, -1 of 12: Connection reset by peer

Conditions:
-- TACACS auth configured on BIG-IP
-- A BIG-IP user authenticates and the user is a TACACS user
-- The TACACS server resets the connection.

Impact:
Pam-authenticator fails with segfault or sigabrt, and the user is unable to authenticate to BIG-IP.


947529-1 : Security tab in virtual server menu renders slowly

Component: TMOS

Symptoms:
When a large number of virtual servers use the same ASM policy from a manually-created LTM Traffic policy, the Security tab of the virtual server takes a long time to load.

Conditions:
Large number of virtual servers using the same ASM policy

Impact:
Loading of Security tab of a virtual server takes a long time

Workaround:
NA

Fix:
Security tab of a virtual server loads fast


947341-3 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files.

Component: Application Security Manager

Symptoms:
1) var/lib/mysql/mysqld.err is filled with log entries that contain:
------------
  200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------

2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.

Conditions:
ASM/AVR provisioned

Impact:
MySQL runs out of resources when opening the file
PRX.REQUEST_LOG and an error message states the file is corrupt.

Workaround:
1. If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
   https://support.f5.com/csp/article/K14956
   https://support.f5.com/csp/article/K42497314

2. To identify the empty partitions, look into:
   mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G"

3. For every partition that is empty, manually (or via shell script) execute this sql:
   mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION <empty_partition_name>;"

   Note: <empty_partition_name> must be substituted with the partition name, for example p100001.


4. Increase 'open_files_limit' to '10000'.
--------------------------------

   In the /etc/my.cnf file:
   1. Change the value of the 'open_files_limit' parameter to 10000.
   2. Restart MySQL:
   bigstart restart mysql
--------------------------------

5. pkill asmlogd

Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.

Fix:
This release increases the default 'open_files_limit' to '10000'.


946745-3 : 'System Integrity: Invalid' after Engineering Hotfix installation

Component: TMOS

Symptoms:
The 'tmsh run sys integrity status-check -a -v' or 'tpm-status' commands incorrectly report system integrity status as 'Invalid' even when the system software has not been modified.

Conditions:
This occurs if all of the following conditions are true:

-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on TPM-supported BIG-IP platform.
-- The Engineering Hotfix contains a fix for ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html).
-- The Engineering Hotfix contains an updated 'sirr-tmos' package.

Impact:
Incorrect presentation of system software status; the status shows INVALID when it is actually valid.

Workaround:
None.

Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status when an Engineering Hotfix is installed.


946581-3 : TMM vulnerability CVE-2020-27713

Solution Article: K37960100


946377-3 : HSM WebUI Hardening

Solution Article: K24301698


946185-4 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.'

Component: iApp Technology

Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:

An error has occurred while trying to process your request.

Conditions:
-- With or without Partitions configured.
-- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp.
-- More likely to occur after upgrade.

Impact:
Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen.

Workaround:
To reconfigure the iApp, do the following:

1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List

2. Click the Application Link :: Reconfigure.

Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.

Fix:
Viewing Application Service components now reports no errors in the GUI under these conditions.


946125-1 : Tmm restart adds 'Revoked' tokens to 'Active' token count

Component: Access Policy Manager

Symptoms:
End users are unable to access an application even though the active tokens are far less than allowed limit, with this error:
/Common/my_oauth:Common: Request Access Token from Source ID <id> IP <ip> failed. Error Code (access_denied) Error Description (This user has reached configured access token limit.)

Conditions:
1. configure per user access token limit
2. revoke some tokens
3. restart tmm

Impact:
User is denied access even though token limit per user is not reached

Fix:
Fixed an issue where users were unable to log in after a tmm restart.


946089-1 : BIG-IP might send excessive multicast/broadcast traffic.

Component: TMOS

Symptoms:
BIG-IP might transmit excessive multicast/broadcast traffic.

Conditions:
-- BIG-IP Virtual Edition with more than one TMM.
-- Number of excessive packets is directly proportional to the number of TMMs.

Impact:
Excessive multicast/broadcast traffic.


946081-3 : Getcrc tool help displays directory structure instead of version

Component: Application Security Manager

Symptoms:
When getcrc tool displays help to the end user, it displays a directory structure instead of version.

Conditions:
Displaying help in getcrc utility.

Impact:
Version information is not displayed.

Fix:
Getcrc utility help now displays version information.


945997-3 : LTM policy applied to HTTP/2 traffic may crash TMM

Component: Local Traffic Manager

Symptoms:
When an LTM policy is applied to HTTP/2 traffic and refers to TCL expression(s), TMM may crash.

Conditions:
-- A virtual is configured with http and http2 profiles.
-- An LTM policy is published and refers to TCL expression(s).
-- The policy is attached to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Fix:
BIG-IP properly processes LTM policy with TCL expression(s) when it is applied to a virtual handling HTTP/2 traffic.


945265-3 : BGP may advertise default route with incorrect parameters

Component: TMOS

Symptoms:
If a BGP neighbor is configured with 'default originate,' the nexthop advertised for the default route may be incorrect.

Conditions:
-- Dynamic routing enabled.
-- Using BGP.
-- BGP neighbor configured with 'default originate'.

Impact:
The default route advertised via BGP is not acceptable to peers until the BGP session is cleared.

Workaround:
In imish, run the command:
clear ip bgp <affected neighbor address>


945109-4 : Freetype Parser Skip Token Vulnerability CVE-2015-9382

Solution Article: K46641512


944785-1 : Admd restarting constantly. Out of memory due to loading malformed state file

Component: Anomaly Detection Services

Symptoms:
Admd consumes more than 10GB of RSS
Wrong signature statistics and possible memory corruption, potentially results in high memory consumption.

Conditions:
-- Upgrading from 13.x, 14.x to 15.x
-- Device service clustering configuration
-- App-Protect-DOS signatures configured.

Impact:
ADMD not working, ADMD constantly restarting, consuming all of the system memory. Out of memory. ADMD killed due to memory consumption

Workaround:
Make sure that all the devices within a cluster are running compatible state file version (either all with versions before 15.1.0.x or after), if not, then:
1. Stop ADMD on all of those devices: bigstart stop admd
2. Upgrade or Downgrade the BIG-IP version to match the above criteria.
3. Remove the old state files: rm -rf /var/run/adm/*
4. Start ADMD: bigstart start ADMD

If there is an issue on a single blade device, then:
1. Stop ADMD on all of those machines: bigstart stop admd
2. Remove the old state files: rm -rf /var/run/adm/*
3. Start ADMD: bigstart start ADMD

Fix:
No more memory corruption, no OOM nor ADMD restarts.


944641-3 : HTTP2 send RST_STREAM when exceeding max streams

Component: Local Traffic Manager

Symptoms:
If the SETTINGS_MAX_CONCURRENT_STREAMS setting is exceeded, BIG-IP sends a GOAWAY frame; however, browsers expect a RST_STREAM and the GOAWAY frame results in a half-rendered web page.

Conditions:
The maximum streams setting is exceeded on a HTTP/2 connection.

Impact:
BIG-IP sends a GOAWAY frame, and the browser shows a half-rendered page.

Workaround:
None.

Fix:
BIG-IP now sends a RST_STREAM if the maximum streams setting is exceeded.


944441-3 : BD_XML logs memory usage at TS_DEBUG level

Component: Application Security Manager

Symptoms:
There are two messages in BD_XML logs that the system reports at the TS_DEBUG log level, but they should be logged as TS_INFO.

BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1687|after create of profile 754. (xml memory 5111702493 bytes)
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1586|add profile 755. name: /ws/replanifierIntervention_V1-0 is soap? 1 (xml memory before add 5111702493 bytes)

Conditions:
These messages can occur when XML/JSON profiles are configured.

Impact:
Messages that should be logged at the TS_INFO level are logged at the TS_DEBUG level. These are informational log messages.

Workaround:
None

Fix:
The relevant two BD_XML logs are now categorized as TS_INFO.


943913-4 : ASM attack signature does not match

Solution Article: K30150004

Component: Application Security Manager

Symptoms:
When processing certain traffic, ASM attack signatures may not match as intended.

Conditions:
- ASM enabled
- Undisclosed attack signature variation

Impact:
ASM attack signature does not match or trigger further processing.

Workaround:
N/A

Fix:
ASM now processes traffic as expected.


943889-1 : Reopening the publisher after a failed publishing attempt

Component: Fraud Protection Services

Symptoms:
TMM crashes repeatedly on SIGSEGV.

Conditions:
This can occur after a HSL disconnect and re-connect.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system publishes data to HSL publisher on a second attempt successfully (after a reconnect).


943793 : Neurond continuously restarting

Component: TMOS

Symptoms:
Neurond continuously restarts.

Conditions:
-- BIG-IP iSeries hardware platform
-- issuing the command "service --status-all"

Impact:
Neuron communications will be impacted

Fix:
Fix for handling neurond.init script treating unknown arg as "start": Added code for default case to handle all unknown args


943125-3 : ASM bd may crash while processing WebSocket traffic

Solution Article: K18570111


943101 : Tmm crash in cipher group delete.

Component: Local Traffic Manager

Symptoms:
Deleting a cipher group associated with multiple profiles could cause tmm crash.

Conditions:
Deleting a cipher group associated with multiple profiles.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed an issue with cipher group delete.


942965-1 : Local users database can sometimes take more than 5 minutes to sync to the standby device

Component: Access Policy Manager

Symptoms:
Local db sync to standby devices take more than 5 minutes to sync

Conditions:
High availability (HA) setup
 - add a local db user in the active device
 - Wait for it to get synced to the standby device
 - Sometimes the sync may not happen in 5 minutes.

Impact:
Sync of the changes to the local user db may take several minutes to sync to the standby devices.

Workaround:
None.


942701-3 : TMM may consume excessive resources while processing HTTP traffic

Solution Article: K35408374


942549-3 : Dataplane INOPERABLE - Only 7 HSBs found. Expected 8

Component: TMOS

Symptoms:
During boot of a i15xxx system you see the message:

Dataplane INOPERABLE - Only 7 HSBs found. Expected 8

Conditions:
This issue can occur on any i15xxx device, although some devices exhibit the failure consistently and others never exhibit the issue.

Impact:
When this failure occurs in a system, the system is inoperable.

Workaround:
In order to workaround this issue, the system must be updated to install a script that is capable of resetting the hardware device during the HSB load process.

If it's not possible to install an EHF with the updated script or a version of BIG-IP with the fix, then it can be installed manually by providing the fw_update_post.init file and replacing it in /etc/init.d/fw_update_post. It is recommended that the existing fw_update_post is backed-up and this is only done in cases where the EHF or a fixed version of BIG-IP cannot be installed.

Fix:
A 'Dataplane INOPERABLE - Only 7 HSBs found. Expected 8' condition caused by a PCIE linking failure is resolved by an updated HSB load script which correctly resets BIG-IP i15xxx system hardware during boot.

Persistent 'Dataplane INOPERABLE' messages, after this fix is installed, indicate an unrelated failure.


941929-1 : Google Analytics shows incorrect stats, when Google link is redirected.

Component: Application Security Manager

Symptoms:
When server respond with a redirect, ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.

Conditions:
-- Google link is responded to (by the server) with a redirect.

-- Bot defense profile or DoS Application profile attached to a virtual server with challenge mitigation enabled.

Impact:
Incorrect data is displayed in the Google Analytics dashboard.

Workaround:
None


941853-2 : Logging Profiles do not disassociate from virtual server when multiple changes are made

Component: Application Security Manager

Symptoms:
When multiple Logging Profiles profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.

Conditions:
Multiple Logging Profile changes are made in a single update.

Impact:
The previous Logging Profiles are not disassociated from the virtual server.

Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.


941649-4 : Local File Inclusion Vulnerability

Solution Article: K63163637


941621-3 : Brute Force breaks server's Post-Redirect-Get flow

Solution Article: K91414704

Component: Application Security Manager

Symptoms:
Brute Force breaks server's Post-Redirect-Get flow

Conditions:
ASM policy is attached to VS
Brute force protection is enabled.
CSI challenge or Captcha are in use.
Server implements Post-Redirect-Get flow.

Impact:
Brute Force breaks server's Post-Redirect-Get flow

Workaround:
None

Fix:
Support PRG mechanism in brute force mitigations.


941481-3 : iRules LX - nodejs processes consuming excessive memory

Component: Local Traffic Manager

Symptoms:
iRule LX nodejs processes can leak memory. The iRule LX plugin nodejs processes memory usage climbs over time and does not return to prior levels.

You can check the iRule LX plugins memory usage using the command:

tmsh show ilx plugin <PLUGIN_NAME>' under 'Memory (bytes):

Memory (bytes)
  Total Virtual Size 946.8M
  Resident Set Size 14.5K

Conditions:
-- iRulesLX in use.

Impact:
iRule LX nodejs processes memory usage keeps growing.
The unbounded memory growth can eventually impact other Linux host daemons.

Workaround:
Restart the iRule LX plugin that is leaking memory:

tmsh restart ilx plugin <PLUGIN_NAME>


941449-4 : BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993

Solution Article: K55237223


941393 : Memory leak in SWG

Component: Access Policy Manager

Symptoms:
A memory leak was observed in TMM during internal stress testing.

Conditions:
SWG provisioned. Real-world conditions are unknown.

Impact:
System can run out of memory resource.

Workaround:
No workaround

Fix:
Release execution context when done.


941257-2 : Occasional Nitrox3 ZIP engine hang

Component: Local Traffic Manager

Symptoms:
Occasionally the Nitrox3 ZIP engine hangs.

In /var/log/ltm:
 
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.

Conditions:
BIG-IP appliance that uses the Nitrox 3 hardware compression chip: 5xxx, 7xxx, 12250 and B2250.

You can check if your platform has the nitrox3 by running the following command:

tmctl -w 200 compress -s provider

provider
--------
bzip2
lzo
nitrox3 <--------
zlib

Impact:
The Nitrox3 hardware compression system becomes unavailable and the compression mode switches to software compression. This can lead to high CPU usage.

Workaround:
Disable http compression


941249-4 : Improvement to getcrc tool to print cookie names when cookie attributes are involved

Component: Application Security Manager

Symptoms:
The name provided by getcrc tool provides incorrect ASM cookie name when cookie attributes path or/and domain is/are present in response from server

Conditions:
This is applicable when domain and path cookie attributes are present in response from server

Impact:
ASM cookie name which is displayed is incorrect

Workaround:
None

Fix:
More options need to be added to getcrc tool such that it caters for path/domain cookie attribute/s


941169-1 : Subscriber Management is not working properly with IPv6 prefix flows.

Component: Policy Enforcement Manager

Symptoms:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted.

Conditions:
When IPv6 prefix flows are configured on PEM (i.e., sys db variable tmm.pem.session.ipv6.prefix.len is configured with a value other than 128).

Impact:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted. Resources are not released from the system.

Workaround:
None.


941089 : TMM core when using Multipath TCP

Component: Local Traffic Manager

Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than to disable MPTCP.

Fix:
TMM no longer produces a core.


940897-2 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached

Component: Application Security Manager

Symptoms:
False positive violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached with enabled "Parse Parameter".

Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.

Impact:
False positives detected, such as "Illegal meta character in value" violation and attack signature for incorrect context.

Workaround:
N/A

Fix:
No false positives detected.


940885-3 : Add embedded SR-IOV support for Mellanox CX5 Ex adapter

Component: TMOS

Symptoms:
The Mellanox CX5 Ex adapter is not supported by the BIG-IP with a tmm embedded SR-IOV network driver.

Conditions:
A BIG-IP Virtual Edition system configured to use one or more Mellanox CX5 Ex adapters in SR-IOV mode.

Impact:
Systems using a CX5 Ex adapter will have to use the sock driver rather than the Mellanox driver.

Fix:
Added the CX5 Ex device ID to the BIG-IP's Mellanox SR-IOV driver so that it can be used with that adapter.


940401-3 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'

Component: Fraud Protection Services

Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.

Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.

Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.

Workaround:
None.

Fix:
Section now reads 'Rooting Detection'.


940317-3 : CVE-2020-13692: PostgreSQL JDBC Driver vulnerability

Solution Article: K23157312


940249-3 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached

Component: Application Security Manager

Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then all sensitive
data after last allowed element is not masked.

Conditions:
Define JSON profile, set "JSON data does not comply with format settings" to blocking and set "Maximum Array/Object Elements" to desired value.

Impact:
Data after last allowed element is not masked.

Fix:
Now the values are masked.


940209-1 : Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout.

Component: Local Traffic Manager

Symptoms:
When an HTTP/2 profile is configured on the client side, chunked responses are always sent unchunked. When a connection to a client is congested, the BIG-IP system may not properly close established server-side connections causing subsequent HTTP/2 requests to stall.

Conditions:
-- A virtual server with an HTTP/2 profile configured on the client side.
-- A server responds with a chunked response.

Impact:
HTTP/2 requests intermittently stall due to the existing server-side TCP connection remaining open.

Workaround:
Configure an HTTP profile on the client side with a value of 'unchunk' on the response-chunking option.

Fix:
HTTP/2 requests no longer stall, as the server side TCP connection is properly closed.


940185-3 : icrd_child may consume excessive resources while processing REST requests

Component: TMOS

Symptoms:
Under certain conditions, icrd_child may consume excessive resources while processing REST requests

Conditions:
- Specially-crafted REST requests

Impact:
Increase in ICRD resource usage over time. Eventually host memory will be exhausted potentially leading to a failover event.

Workaround:
N/A

Fix:
icrd_child now processes REST requests as expected.


940021-2 : Syslog-ng hang may lead to unexpected reboot

Component: TMOS

Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to unexpected reboot.

The BIG-IP may unexpectedly reboot after a host watchdog timeout when syslog-ng gets hung up.

Logs via syslog-ng are no longer written, though logging not via syslog-ng continues unaffected.
This happens at the time of the last 'Syslog connection broken' in /var/log/messages before reboot.
That message will appear without a preceding 'Syslog connection established' just before it with same timestamp.

At this time syslog-ng typically spins, using near 100% CPU (just one core equivalent, not all CPU capacity on system).

Typically things appear fine on rest of system - there will usually be adequate CPU and memory.
Hours or days later graphs will have a gap of usually tens of minutes to hours before an unexpected reboot.

Post reboot logs (in /var/log/sel for iSeries or ltm log otherwise) show this is a host watchdog reboot.
After reboot the system runs correctly, though if the syslog-ng remote server was invalid this remains the case.

Conditions:
Invalid syslog-ng server configuration or broken connection from BIG-IP toward configured syslog-ng remote server.

A server is configured as a remote syslog destination on the BIG-IP, but it or an intervening system responds to stream of log messages by breaking connection eg by sending ICMP port unreachable to BIG-IP.

Syslog-ng will note the connection attempt and that it has broken usually in the same second, and do so every 60s when it retries.
There may be many of these log pairs, repeating every minute in /var/log/messages, such as:

  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

The final log will of a broken connection only, usually one minute after the last established/broken pair.

  Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.

Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable.

Fix:
Fixed an issue with syslog-ng hang occasionally causing a system restart.


939877-2 : OAuth refresh token not found

Component: Access Policy Manager

Symptoms:
When an OAuth client sends a refresh token to renew the access token, BIG-IP reports an error:

err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)

Conditions:
-- The refresh token expiration interval is longer than authcode and accesstoken.
-- The Authorization code table entry does not exist because of an internal clearing/purging operation.
-- tmm restarts or failover to standby thus losing refresh-token value from primarydb

Impact:
OAuth APM client end user fails to renew the access token even with a valid refresh token.

Workaround:
Clear/reset the Authorization code column value manually:

As a root user run below BIG-IP shell
(tmos)# list apm oauth db-instance
apm oauth db-instance oauthdb { db-name <db_name> description "Default OAuth DB." }

Copy the value corresponding to <db_name>.

Log into mysql from the bash prompt:
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw)

mysql> use <db_name>;

mysql> update master set auth_code = NULL where refresh_token='affected_refresh_token_id';

(Substitute the affected refresh token ID with affected_refresh_token_id in the previous command.)

Fix:
Do not report error if the Authorization code does not exist when a valid refresh-token/access-token exists.


939845-3 : BIG-IP MPTCP vulnerability CVE-2021-23004

Solution Article: K31025212


939841-3 : BIG-IP MPTCP vulnerability CVE-2021-23003

Solution Article: K43470422


939541-3 : TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE

Component: TMOS

Symptoms:
TMM may prematurely shut down (during its initialization) when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):
MCP connection aborted, exiting.

Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more 20 in most cases) and several interfaces (approximately 8 or more).

Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.

Workaround:
None.

Fix:
TMM no longer shuts down prematurely during initialization.


939529-3 : Branch parameter not parsed properly when topmost via header received with comma separated values

Component: Service Provider

Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This Via header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch header. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.

Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.

Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction. CANCEL is received and client sends a 481 error:

SIP/2.0 481 Call/Transaction Does Not Exist.

Workaround:
Use iRules to remove the topmost Via header and add new a new Via header that uses the same branch as INVITE and CANCEL while sending messages to SIP clients.

Fix:
The BIG-IP system now ensures the branch field inserted in the via header same for INVITE and CANCEL messages.


939421-4 : CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow

Solution Article: K38481791


939209-3 : FIPS 140-2 SP800-56Arev3 compliance

Component: Local Traffic Manager

Symptoms:
BIG-IP is not compliant with a NIST revision to the SP800-56A standard for cryptographic algorithms.

Conditions:
Using cryptographic algorithms covered by this revision in a FIPS 140-2 deployment.

Impact:
BIG-IP will comply with the older standard.

Fix:
Updated cryptographic algorithms and self-tests according to the SP800-56Arev3 standard.


938233-3 : An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization

Solution Article: K93231374


938165-2 : TMM Core after attempted update of IP geolocation database file

Component: Advanced Firewall Manager

Symptoms:
TMM crashes while running traffic that uses AFM Firewall policies.

Conditions:
-- Update IP geolocation database file to the latest version.
-- Configure AFM policies with logging enabled.
-- Run traffic which hits the AFM policies and triggers logging.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Revert to using the previously working version of the IP-geolocation file.

For more information, see K11176: Downloading and installing updates to the IP geolocation database :: https://support.f5.com/csp/article/K11176#restore.

Fix:
The BIG-IP system now validates the region/country strings returned by the geolocation database for IP addresses used in the traffic.


937637-4 : BIG-IP APM VPN vulnerability CVE-2021-23002

Solution Article: K71891773


937365-4 : LTM UI does not follow best practices

Solution Article: K42526507


937333-4 : Incomplete validation of input in unspecified forms

Component: Global Traffic Manager (DNS)

Symptoms:
Incomplete validation of input in unspecified forms

Conditions:
DNS Provisioned

Impact:
Incomplete validation

Fix:
Proper input validation now performed


936773-1 : Improve logging for "double flow removal" TMM Oops

Component: Local Traffic Manager

Symptoms:
/var/log/tmm contains this entry
notice Oops @ 0x286feeb:1127: double flow removal

Conditions:
The conditions under which this message is logged are unknown or may vary. This item is for logging the flow tuple and virtual server name to aid in diagnosing the cause.

Impact:
None


936557-3 : Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.

Component: Local Traffic Manager

Symptoms:
As the BIG-IP system attempts to open a TCP connection to a server-side object (e.g., a pool member), retransmissions of the initial SYN segment incorrectly use a non-zero acknowledgement number.

Conditions:
This issue occurs when the following conditions are true:

-- Standard TCP virtual server.

-- TCP profile with Verified Accept enabled.

-- Receipt of the client's ACK (as part of the client-side TCP 3-way handshake) is delayed. Due to Verified Accept being enabled, this delay causes the BIG-IP system to retransmit its SYN to the server until the client's ACK is received.

Impact:
Depending on the specific server implementation, or the security devices present on the BIG-IP system's server-side before the server, a SYN containing a non-zero acknowledgement number may be rejected. In turn, this may cause connections to fail to establish.

Workaround:
If compatible with your application and specific needs, you can work around this issue by disabling Verified Accept in the TCP profile.

Fix:
SYN segment retransmissions now correctly use 0 as the acknowledgement number.


935801-3 : HSB diagnostics are not provided under certain types of failures

Component: TMOS

Symptoms:
In rare cases where the HSB detects an error and triggers an high availability (HA) failover, HSB-specific diagnostic data is not provided.

An example are XLMAC errors, which can be seen in the LTM logs:

<13> Jul 25 18:49:41 notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
<13> Jul 25 18:49:41 notice high availability (HA) failover action is triggered due to XLMAC/FCS erros on HSB1 on bus 3.

Conditions:
The HSB detects an internal error.

Impact:
There is less HSB data for analysis when an internal HSB occurs.

Workaround:
None.

Fix:
Dump HSB registers on all HSB initiated high availability (HA) failovers.


935721-4 : ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Solution Article: K82252291


935593-3 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite

Component: Local Traffic Manager

Symptoms:
FastL4 profiles configured with the TCP timestamp rewrite option enabled does not treat retransmitted SYNs in a correct manner.

Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.

Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.

Workaround:
Do not use TCP timestamp rewrite.


935433-4 : iControl SOAP

Solution Article: K53854428


935401-4 : BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001

Solution Article: K06440657


935293-3 : 'Detected Violation' Field for event logs not showing

Component: Application Security Manager

Symptoms:
Violation is missing/details not populated in the event log page, when a POST request with large number of parameters are sent to the BIG IP system.

Conditions:
-- A large POST request with lots of parameters is sent to BIG-IP system.
-- 'Learn New Parameters' is enabled.

Impact:
You cannot see the violation details.

Workaround:
Disabling parameter learning helps.

Note: This happens only with a large number of parameters. Usually it works as expected.

Fix:
The eventlog is reserving space for violations.


935029-1 : TMM may crash while processing IPv6 NAT traffic

Solution Article: K04048104


934941-3 : Platform FIPS power-up self test failures not logged to console

Component: TMOS

Symptoms:
The BIG-IP system does not log FIPS power-up self-test failures to the console.

Conditions:
A FIPS failure occurs during the power-up self test.

Impact:
Platform FIPS failures are made more difficult to identify and diagnose, because the system console fails to include anything at all that indicates a failure.

Workaround:
None.


934461 : Connection error with server with TLS1.3 single-dh-use.

Component: Local Traffic Manager

Symptoms:
Connection failure with TLS1.3 and single-dh-use configured.

Conditions:
14.1 with TLS1.3 single-dh-use.

Impact:
Connection failure in 14.1 versions.

Workaround:
Disable single-dh-use, or disable tls1.3.

Fix:
14.1 now supports TLS1.3 single-dh-use and hello retry on serverside.


934393 : APM authentication fails due to delay in sessionDB readiness

Component: Access Policy Manager

Symptoms:
APM Authentication fails, and apmd cores when trying to connect to sessionDB.

Conditions:
-- APM configured.
-- SAML SP configured.

Impact:
It takes a long time to create the configuration snapshot. Authentication fails and apmd cores.

Workaround:
Restart all services by entering the following command:
tmsh restart /sys service all

Note: Restarting all services causes temporary traffic disruption.

Fix:
The sessionDB readiness has been corrected so that authentication succeeds.


933777-2 : Context use and syntax changes clarification

Component: Application Visibility and Reporting

Symptoms:
There are two context and syntax-related issues:

-- In v14.x, the context for tmsh analytics commands related to server side connections changed. For example, 'total-server-side-conns' became a simple 'server-side-conns'.

-- In v13.x and 14.x, the calculation method for 'max-tps' changed from cumulative to commutative.

Conditions:
This occurs in either of the following scenarios:
-- Using tmsh analytics commands related to max-tps in v13.x or later.
-- Using tmsh analytics commands related to server side connections in BIG-IP v14.x and later.

Impact:
Stats names do not reflect their actual values. The 'max-tps' value is no longer valid for client IP context. These changes might have varied impacts, depending on your configuration.

Workaround:
None

Fix:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).

-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.

Behavior Change:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).

-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.


933741-4 : BIG-IP FPS XSS vulnerability CVE-2021-22979

Solution Article: K63497634


933461-3 : BGP multi-path candidate selection does not work properly in all cases.

Component: TMOS

Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.

Conditions:
An inbound route-map exists that modifies a route's path selection attribute.

Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.

Workaround:
None.


933409-4 : Tomcat upgrade via Engineering Hotfix causes live-update files removal

Component: TMOS

Symptoms:
After applying an Engineering Hotfix ISO that contains an updated tomcat package, live-update files are inadvertently removed and live update no longer works properly.

Conditions:
Occurs after installing an Engineering Hotfix that contains the tomcat package.

Impact:
Live-update functionality does not work properly.

Workaround:
Although there is no workaround, you can install an updated Engineering Hotfix that uses a fixed version of the live-install package.

Fix:
Fixed an issue with inadvertently removing live-update files while applying an Engineering Hotfix.


933405-3 : Zonerunner GUI hangs when attempting to list Resource Records

Solution Article: K34257075

Component: Global Traffic Manager (DNS)

Symptoms:
Zonerunner GUI hangs when attempting to list Resource Records; mcpd times out.

Conditions:
Attempt to list Resource Records in Zonerunner GUI.

Impact:
Zonerunner hangs.

Workaround:
Zonerunner GUI is unusable until this issue is resolved. Use tmsh.


932937-3 : HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.

Component: Local Traffic Manager

Symptoms:
After an HTTP return code of 400 Bad Request or 403 Forbidden, connection table entries may not be removed from the connection table until they reach the idle timeout threshold.

Conditions:
-- HTTP Explicit Proxy Configuration.
-- BIG-IP HTTP response contains a 400 Bad Request or 403 Forbidden status code.

Impact:
The hanging connection table entries can cause subsequent connections from the same source port to fail. Also, the subsequent connection attempts can cause the idle timer to be reset.

Workaround:
Use an iRule to prevent connections from hanging:

when HTTP_REJECT {
    after 1
}

Fix:
HTTP Explicit Proxy configurations no longer results in connections hanging until idle timeout.


932737-1 : DNS & BADOS high-speed logger messages are mixed

Component: Anomaly Detection Services

Symptoms:
Both DNS and BADOS messages use the same family ID, and the reported messages are categorized together.

Conditions:
BADOS & DNS are run together and application is under attack (BADOS). At this point, BIG-IP will generate BADOS messages using an ID that conflicts with DNS messages.

Impact:
Reporting will be confusing.


932697-2 : BIG-IP TMM vulnerability CVE-2021-23000

Solution Article: K34441555


932497-1 : Autoscale groups require multiple syncs of datasync-global-dg

Component: TMOS

Symptoms:
Datasync-global-dg is in 'sync pending' status and is not automatically synced as expected.

Conditions:
Browser Challenges update image is automatically downloaded.

Impact:
Peers are not synced.

Workaround:
Manually sync datasync-global-db group.

Fix:
Perform full sync for each change when having multiple live update changes in a row.


932485-2 : Incorrect sum(hits_count) value in aggregate tables

Component: Application Visibility and Reporting

Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.

Conditions:
-- Insert a very large amount of data (approximately 4.5 milliard or more) to one of AVR tables.
-- Review the value of the sum(hits_count) column.

Impact:
The system reports incorrect values in AVR tables when dealing with large numbers

Workaround:
None.


932437-4 : Loading SCF file does not restore files from tar file

Component: TMOS

Symptoms:
Loading an SCF configuration file does not restore file objects from the SCF's associated tar file.

Restoring the SCF fails with an error similar to this if the running configuration does not already contain the file:

01070712:3: Failed: name (/Common/test-crt) Cache path (/config/filestore/files_d/Common_d/certificate_d/:Common:test-crt) does not exist and there is no copy in trash-bin to restore from.
Unexpected Error: Loading configuration process failed.

Conditions:
Restore an SCF archive that references file objects, e.g.:
-- SSL certificates
-- SSL keys
-- iFiles

Impact:
Restoring SCF does not restore contents of file objects.

Workaround:
None.


932213-1 : Local user db not synced to standby device when it is comes online after forced offline state

Component: Access Policy Manager

Symptoms:
Local user db is not synced to the standby device when it comes online after being forced offline.

Conditions:
Valid high availability (HA) configuration.
- Make the standby device forced offline
- create a new local db user in the online device
- bring back the standby device online.

Impact:
The newly created user is not synced to the standby device unless localdbmgr is restarted on the standby.

Workaround:
None

Fix:
Fixed the issue by handling the forced offline scenario.


932137-4 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade

Component: Application Visibility and Reporting

Symptoms:
After upgrade, AFM statistics show non-relevant data.

Conditions:
BIG-IP system upgrade
-- Leftovers files remain in /shared/avr_afm partition from other versions.

Impact:
Non-relevant data are shown in AFM statistics.

Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.


932133-3 : Payloads with large number of elements in XML take a lot of time to process

Component: Application Security Manager

Symptoms:
ASM experiences high CPU and latency usage while processing a large XML request.

Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.

Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.

Workaround:
None

Fix:
This fix includes performance improvements for large XML payloads.


932065-3 : iControl REST vulnerability CVE-2021-22978

Solution Article: K87502622


932033-1 : Chunked response may have DATA frame with END_STREAM prematurely

Component: Local Traffic Manager

Symptoms:
When an HTTP/2 profile is configured on the client side, chunked responses are always sent unchunked. When a connection to a client is congested, BIG-IP systems may send the END_STREAM flag before transmitting a whole payload.

Conditions:
-- A virtual server with an HTTP/2 profile configured on the client side.
-- A server responds with a chunked response.

Impact:
A browser may not receive the whole payload, or it may not recognize that the payload has been delivered fully (partially prior to the DATA frame with END_STREAM flag, partially after the frame).

Workaround:
Configure an HTTP profile on the client side with a value of 'unchunk' on the response-chunking option.

Fix:
BIG-IP systems no longer send a DATA frame with END_STREAM flag prematurely when a connection to a client is congested.


931837-5 : NTP has predictable timestamps

Solution Article: K55376430


931513-2 : TMM vulnerability CVE-2021-22977

Solution Article: K14693346


930905-1 : Management route lost after reboot.

Component: TMOS

Symptoms:
Management route lost after reboot, leading to no access to BIG-IP systems via management address.

Conditions:
-- 2NIC BIG-IP Virtual Edition template deployed in GCP (see https://github.com/F5Networks/f5-google-gdm-templates/tree/v3.0.3/supported/standalone/2nic/existing-stack/byol).

-- The instance is rebooted.

Impact:
After rebooting, the default route via the management interface no longer exists in the routing table. BIG-IP administrators are unable to connect to BIG-IP Virtual Edition via the management address.

Workaround:
Use either of the following workarounds:

-- Delete the route completely and reinstall the route.

-- Restart mcpd:
bigstart restart mcpd


930741-1 : Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot

Component: TMOS

Symptoms:
If there is a truncated BIG-IP software image in /shared/images, a kernel lockup and reboot could occur.

One way to have a truncated image in /shared/images is by using iControl/SOAP to upload the image. Using SOAP, the image is uploaded in chunks, so until the last chunk is uploaded, the image is not complete/is truncated.

Conditions:
-- Truncated BIG-IP image in /shared/images
-- Using SOAP to upload the image.

Impact:
Traffic disruption caused by the reboot.

Workaround:
If you are using SOAP to upload BIG-IP software images, upload them to /shared first and then move them to /shared/images.


930633-1 : Delay in using new route updates by existing connections on BIG-IP.

Component: TMOS

Symptoms:
If routes are updated in BIG-IP by static or dynamic methods, the existing connections will not use the new routes until ~1-8 seconds later.

Conditions:
Routes for existing connections on the BIG-IP are updated.

Impact:
Performance might be degraded when routes are updated for existing connections on BIG-IP.

Fix:
Added DB varible "tmm.inline_route_update". When enabled, packets are checked for new routes before sending out. Its disabled by default.

Behavior Change:
A new db variable has been added, called tmm.inline_route_update. It is disabled by default. When enabled, packets are checked for new routes before sending out.


930385 : SSL filter does not re-initialize when an OCSP object is modified

Component: Local Traffic Manager

Symptoms:
Create an OCSP object using DNS resolver ns1, associate the OCSP object to SSL profile and a virtual.

Then, modify the OCSP object to DNS resolver ns2.

After the modification, wait for cache-timeout and cache-error-timeout and then connect to virtual again. The nameserver contacted is still ns1.

Conditions:
An OCSP object is configured and modified.

Impact:
The wrong nameserver is used after modification to the OCSP object.

Fix:
After the fix, the correct nameserver will be contacted after the OCSP object is modified.


929213-3 : iAppLX packages not rolled forward after BIG-IP upgrade

Component: Device Management

Symptoms:
Certain iAppLX packages are not rolled forward after a BIG-IP upgrade or restoring a UCS file generated from an affected system, and will be unavailable for use.

1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm

Conditions:
-> Installing any of the below iAppLX packages
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm

-> Performing an upgrade

-> Trying to access the LX packages from GUI by navigating to iApps -> Package Management LX

Impact:
After upgrading or restoring a UCS file generated from an affected system, the cloud-failover, service discovery, and telemetry iAppLX apps are not available for use, and will result in 404 error, while accessing them from GUI

Workaround:
The package needs to be uninstalled and installed again for use.

Steps:
-> From GUI, Navigate to iApps -> Package Management LX
-> select the package to uninstall and click on Uninstall
-> click on Import and provide the path of package to install again

Fix:
All installed package management LX such as AS3, DO, telemetry, failover extension, service discovery are available after upgrade


929077-1 : Bot Defense allow list does not apply when using default Route Domain and XFF header

Component: Application Security Manager

Symptoms:
When configuring an IP address allow list in Bot Defense Profile, using a default Route Domain, and a request with an X-Forwarded-For header the request might not be added to the allow list.

Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Bot Defense Profile has an IP address allow list configured.
-- Using default Route Domain.
-- Sending a request with X-Forwarded-For header.
-- Might require heavy traffic.

Impact:
Request from an IP address that is on the allow list is blocked.

Workaround:
Allow the IP address using an iRule.

Fix:
The system now sets the correct route domain, and IP addresses on the allow list are allowed.


929001-4 : ASM form handling improvements

Solution Article: K48321015

Component: Application Security Manager

Symptoms:
Under certain conditions, the ASM form handler may not enforce as expected.

Conditions:
- Brute force protection is configured

Impact:
Enforcement not triggered as expected.

Workaround:
N/A

Fix:
ASM now processes forms as expected.


928857-3 : Use of OCSP responder may leak X509 store instances

Component: Local Traffic Manager

Symptoms:
The use of OCSP responder may cause X509 certificate store instances to be leaked, eventually causing memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.

Workaround:
No workaround.


928805-3 : Use of OCSP responder may cause memory leakage

Component: Local Traffic Manager

Symptoms:
Use of OCSP responder may cause small amounts of SSL memory to be leaked, eventually leading to memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM SSL memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.

Workaround:
No workaround.


928789-3 : Use of OCSP responder may leak SSL handshake instances

Component: Local Traffic Manager

Symptoms:
Use of OCSP responder may cause SSL handshake instances to be leaked eventually leading to memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM ssl_hs memory usage grows over time, eventually causing memory pressure, and potentially a traffic disruption due to TMM restart.

Workaround:
No workaround.


928717-1 : [ASM - AWS] - ASU fails to sync

Component: Application Security Manager

Symptoms:
Live Update configuration is not updated.

Conditions:
-- The BIG-IP device being removed from the device group is also the last commit originator. (You might encounter this on AWS as a result of auto-scale.)
-- A new device is added to the device group.
-- Initial sync is pushed to the new device.

Impact:
Automatic signature updates (ASU) fail to sync.

Workaround:
Make a spurious change to Live Update from another device in the group and sync it to the group, for example:

1. Set the 'Installation of Automatically Downloaded Updates' to Scheduled and save.
2. Then return the setting to its previous state, and save again.


928685-3 : ASM Brute Force mitigation not triggered as expected

Solution Article: K49549213

Component: Application Security Manager

Symptoms:
Under certain conditions the Brute Force mitigation will not be triggered.

Conditions:
- ASM enabled
- Brute Force mitigation enabled

Impact:
Brute Force mitigation is not triggered as expected.

Workaround:
The following iRule will look for an issue with the authorization header and will raise an custom violation when this is happening:

when ASM_REQUEST_DONE

{
    if { [catch { HTTP::username } ] } {
     
     log local0. "ERROR: bad username";
     
     ASM::raise bad_auth_header_custom_violation 
   
   }
}

Fix:
Brute Force mitigation is now triggered as expected.


928553-1 : LSN64 with hairpinning can lead to a tmm core in rare circumstances

Component: Carrier-Grade NAT

Symptoms:
LSN64 with hairpinning configured can lead to a tmm core in rare circumstances.

Conditions:
- LSN64 virtual server.
- Hairpinning enabled.
- FLOW_INIT iRule.
- Full proxy config.

Impact:
Tmm cores. Traffic disrupted while tmm restarts.

Workaround:
Disable full proxy config of hairpinning.

Fix:
Tmm does not crash anymore.


928321-3 : K19166530: XSS vulnerability CVE-2020-27719

Solution Article: K19166530


928037-3 : APM Hardening

Solution Article: K15310332


928029 : Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis

Component: TMOS

Symptoms:
Wrong popup message for switchboot popup "This will restart the chassis. Continue?".

Conditions:
Run "switchboot" command

Impact:
A confusing popup message is displayed.

Workaround:
NA

Fix:
Updated the switchboot popup message "This will restart BIG-IP tenant. Continue?"


927993-4 : Built-in SSL Orchestrator RPM installation failure

Solution Article: K97501254

Component: SSL Orchestrator

Symptoms:
Attempting to install the built-in SSL Orchestrator RPM results in the following error:

Failed to load IApp artifacts from f5-iappslx-ssl-orchestrator: java.lang.IllegalStateException: Failed to post templates to block collection.

Conditions:
In the BIG-IP TMUI, the BIG-IP administrator navigates to the SSL Orchestrator Configuration page. This would automatically invoke the installation of the built-in SSL Orchestrator RPM, resulting in the failure.

Impact:
The built-in SSL Orchestrator RPM is not installed and SSL Orchestrator management is not possible.

Workaround:
Step 1. Run the following commands in the BIG-IP command line:

# Get ID for f5-ssl-orchestrator-dg-data:
id1=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-data") | .id')

# Get ID for f5-ssl-orchestrator-dg-template:
id2=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-template") | .id')

# Temporarily unlink the "f5-ssl-orchestrator-dg-data" (id1) dependency on "f5-ssl-orchestrator-dg-template" (id2).
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id1

# Remove all SSL Orchestrator block templates.
restcurl shared/iapp/blocks | jq -r '.items[] | select(.state == "TEMPLATE") | select(.name | startswith("f5-ssl-orchestrator")) | .id' | for x in $(cat) ; do restcurl -X DELETE shared/iapp/blocks/$x; done

# Remove the SSL Orchestrator RPM installation references (if any).
restcurl -X DELETE shared/iapp/global-installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
restcurl -X DELETE shared/iapp/installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99

---

Step 2. Use the BIG-IP TMUI:
Log in to the TMUI and navigate to SSL Orchestrator > Configuration. This would refresh the related page and install the SSL Orchestrator RPM. Wait for the SSL Orchestrator configuration page to complete loading.

---

Step 3. Run the following commands in the BIG-IP command line:

# Restore the "f5-ssl-orchestrator-dg-data" dependency on "f5-ssl-orchestrator-dg-template".
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id2

---

Step 4. Use the BIG-IP TMUI:
Refresh the SSL Orchestrator > Configuration page.

Fix:
Built-in SSL Orchestrator RPM installation failure


927941-3 : IPv6 static route BFD does not come up after OAMD restart

Component: TMOS

Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"

Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.

Impact:
BFD session is not shown in 'show bfd session'.

Workaround:
Restart tmrouted:
bigstart restart tmrouted

Fix:
IPv6 static route BFD session now comes up after restarting the oamd process.


927617-3 : 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value

Component: Application Security Manager

Symptoms:
A valid request that should be passed to the backend server is blocked.

Conditions:
-- A cookie name is defined in Security :: Application Security : Headers : Cookies List :: New Cookie, with Base64 Decoding enabled.

-- The cookie header that contain the valid cookie value is encoded to base64.

Impact:
A request is blocked that should not be.

Workaround:
Disable 'Base64 Decoding' for the desired cookie.

Fix:
Requests with valid base64 encoding cookies are now correctly passed by the enforcer.


927033-1 : Installer fails to calculate disk size of destination volume

Component: TMOS

Symptoms:
Installation fails with a 'Disk full (volume group)' error in var/log/liveinstall.log:

error: tm_install::Process::Process_full_install -- predicted size for BIGIP14125 is 12315728, current location size is 11120640, and vg has 0 remaining.

Conditions:
Platforms with software RAID that also have a symlink in /dev/md that looks like the following:

[root@bigip1] images # ls -l /dev/md/
total 8
-rw-r--r--. 1 root root 5 2020-07-09 16:12 autorebuild.pid
lrwxrwxrwx. 1 root root 8 2020-07-09 16:51 localhost:0 -> ../md127
-rw-------. 1 root root 66 2020-07-09 16:11 md-device-map

Impact:
Unable to successfully upgrade.

Workaround:
Create the expected symlink manually:

cd /dev/md
ln -s ../md127 _none_\:0


926929-2 : RFC Compliance Enforcement lacks configuration availability

Component: Local Traffic Manager

Symptoms:
Earlier versions contained fixes that enforce several RFC compliance items for HTTP request and response processing by BIG-IP systems. Enforcement for some of these items is unavoidable, but might cause issues for certain applications.

Conditions:
The configuration has a virtual server with an HTTP profile.

Impact:
Some applications that require certain constructions after a header name may not function.

Workaround:
None.

Fix:
A configuration item is introduced to manage any RFC compliance option when enforcement is turned on:

HTTP profile option enforcement.allow-ws-header-name; prior releases Tmm.HTTP.RFC.AllowWSHeaderName DB key (necessarily a global flag, rather than per-profile control).


926593-3 : GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS gateway_icmp monitor for IPv6 virtual servers sometimes returns 'state: timeout' even though big3d receives the packet successfully.

Conditions:
- GTM/DNS provisioned.
- IPv6 virtual server with gateway_icmp GTM/DNS monitor.

Impact:
IPv6 virtual servers are marked down unexpectedly.

Workaround:
Use a different gtm monitor type than gateway_icmp for IPv6 targets


926425 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts

Component: Advanced Firewall Manager

Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection continue to be unsupported until hardware SYN cookies are disabled.

Conditions:
SYN Cookie activated on Neuron-capable platforms:
  + VIPRION B4450N blade
  + BIG-IP iSeries devices (ix800) except the i850, ix2800, and ix4800:
     -- BIG-IP i5800 Series
     -- BIG-IP i7800 Series
     -- BIG-IP i11800 Series
     -- BIG-IP i15800 Series

Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.

Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options are not taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.

Workaround:
You can use any of the following to clear the HSB issue:
-- Restart neurond.
-- Restart TMM,
-- Reboot the device.

Fix:
Now, BIG-IP systems differentiate virtual servers regardless of whether they are using the same destination in the same or a different route domain.


925573-3 : SIGSEGV: receiving a sessiondb callback response after the flow is aborted

Component: Access Policy Manager

Symptoms:
A SIGSEGV error occurs after a connection is ended. This is an intermittent issue that inconsistently recurs.

Conditions:
APM Per-Request is processing a flow that has already been reset (RST) by another filter, such as HTTP or HTTP/2.

Impact:
Connections might reset. You might experience a tmm crash. This is an intermittent issue. Traffic disrupted while tmm restarts.

Workaround:
None.


924929-1 : Logging improvements for VDI plugin

Component: Access Policy Manager

Symptoms:
If the Virtual Desktop Interface (VDI) plugin aborts, the names of the events are not logged in the APM log file.

Conditions:
- Virtual Desktop Interface (VDI) configured
- The plugin encounters a problem and aborts

Impact:
Event names are not displayed in the APM log.

Workaround:
None.

Fix:
Event names along with the exceptions are also seen in the APM log file.


924857-4 : Logout URL with parameters resets TCP connection

Component: Access Policy Manager

Symptoms:
TCP connection reset when 'Logout URI Include' configured.

Conditions:
-- Access Policy with a valid 'Logout URI Include' string, e.g.:
 /logoff.html
-- Request to 'Logout URI Include' URI from user-agent that includes a query parameter string, e.g.:
 /logoff.html?a=b

Impact:
TCP connection resets, reporting BIG-IP APM error messages.

'Logout URI Include' does not support custom query strings in logout URIs to include. For example, with a 'Logout URI Include' value of /logoff.html, if a user-agent sends a logout URI request in the form of /logoff.html?a=b, logout URI validation resets the connection and reports an error:
-- Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type.


Note: BIG-IP APM prohibits the configuration of 'Logout URI Include' from containing a query string on the BIG-IP system. For example, attempting to configure 'Logout URI Include' with a URI in the form of /logoff.html?a=b fails and displays error messages:
-- Configuration error: Configured URI (/logoff.html?a=b) is not allowed to contain query parameter.

Workaround:
None

Fix:
The system now ignores unsupported query parameters.


924521-1 : OneConnect does not work when WEBSSO is enabled/configured.

Component: Access Policy Manager

Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and does not reuse pooled connections.

Conditions:
Virtual server configured with both a WEBSSO and a OneConnect profile.

Impact:
Idle server-side connections that should be eligible for reuse by the virtual server are not used. This might lead to buildup of idle server-side connections, and may result in unexpected 'Inet port exhaustion' errors.

Workaround:
None.

Fix:
OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server-side connections.


924493-4 : VMware EULA has been updated

Component: TMOS

Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.

Conditions:
The EULA is presented to the user when deploying an OVF template.

Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).

Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.

Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.

Fix:
The EULA presented in VMware was out of date and has been updated.


924429-3 : Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values

Component: TMOS

Symptoms:
While restoring a UCS archive, you get an error similar to the following example:

/var: Not enough free space
535162880 bytes required
326418432 bytes available
/shared/my.ucs: Not enough free disk space to install!
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.

As part of restoring UCS archives, some files (for example, the contents of the filestore) are temporarily copied to the /var/tmp directory.

The script that ensures enough free disk space is available for the UCS restore operation incorrectly reports the /var filesystem's free disk space for the /var/tmp directory.

This is incorrect, as /var/tmp is a symlink to /shared/tmp, and so the free disk space of the /shared filesystem should be used instead.

Conditions:
-- Restoring a UCS file.
-- The UCS file contains large items that are temporarily stored under the /var/tmp directory (for example, many EPSEC files, many large external data-groups, etc.).
-- The /var filesystem has limited free disk space.

Impact:
The UCS installation fails even if /var/tmp has sufficient disk space.

Workaround:
None.

Fix:
The UCS installation script now reports the correct free disk space for the /var/tmp directory, allowing UCS archive installations to complete.


924349-1 : DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP

Component: Service Provider

Symptoms:
Current Diameter CER/CEA messages does not advertise all HostIPAddresses.

Conditions:
-- Exchange Diameter messages CER/CEA between peers, configure a SNAT pool and an alternate address in the SCTP profile.
-- The CER from BIG-IP contains snatpool IP addresses
-- The CEA from BIG-IP contains alternate addresses

Impact:
Unable to see multiple HostIPAddress in CER/CEA

Fix:
Able to validate HostIpAddress as per RFC6733 on Diameter over SCTP.


923301-1 : ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group

Component: Application Security Manager

Symptoms:
From 14.1.0.2 and after, for ASMs in a device group, only the active device would update and install the attack signature update (ASU) and the ASU would then be synchronized and installed on other peer ASMs within the device group during a config sync.

Conditions:
Automatic installation of ASU on manual sync setup.

Impact:
- Since the standby ASM does not download/install the ASU during scheduled update, on a manual sync setup this would cause a difference in signature between the Active and Standby devices until a config sync takes place.
- When a failover occurs, the newly active device does not have the latest signature.

Workaround:
Manually sync the device group.

Fix:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.

Behavior Change:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.


923125-1 : Huge amount of admd processes caused oom

Component: Anomaly Detection Services

Symptoms:
The top command shows that a large number of admd processes are running.

Conditions:
-- Configuration with Sync-Failover device groups and BADOS.
-- Some stressful (unknown) condition occurs.

Impact:
Memory is exhausted.

Workaround:
Restart admd:
bigstart restart admd

Fix:
This issue no longer occurs.


922785-4 : Live Update scheduled installation is not installing on set schedule

Component: Application Security Manager

Symptoms:
A scheduled live update does not occur at the scheduled time.

Conditions:
A scheduled installation is set for only a single day, between 00:00-00:14.

Impact:
Automated installation does not initiate

Workaround:
There are two options:
1. Install the update manually.
2. Set two consecutive days where the second day is the day with the schedule set between 00:00-00:14


922665-1 : The admd process is terminated by watchdog on some heavy load configuration process

Component: Anomaly Detection Services

Symptoms:
The watchdog process in the BIG-IP ASM monitors terminates the admd process.

Conditions:
On some heavy load configuration process, such as version upgrade.

Impact:
Restart of admd daemon. The restarts may be continuous. No stress-based anomaly detection or behavioral statistics aggregation until admd restarts.

Workaround:
For the case of continuous restarts, a partial solution is to disable admd during busy periods such as upgrades. To do so, issue the following two commands, in sequence, after the upgrade is complete:

bigstart stop admd
bigstart start admd


922597-1 : BADOS default sensitivity of 50 creates false positive attack on some sites

Component: Anomaly Detection Services

Symptoms:
False DoS attack detected. Behavioral DoS (ASM) might block legitimate traffic.

Conditions:
This can occur for some requests that have high latency and low TPS.

Impact:
False DoS attack detected. Behavioral DoS (ASM) can block legitimate traffic.

Workaround:
Modify the default sensitivity value from 50 to 500:
tmsh modify sys db adm.health.sensitivity value 500

For some sites with server latency issues, you might also have to increase the health.sensitivity value; 1000 is a reasonable number.

The results is that the attack is declared later than for the default value, but it is declared and the site is protected.

Fix:
Default sensitivity value 500 now illuminates false positive DoS attacks declaration.


922297-3 : TMM does not start when using more than 11 interfaces with more than 11 vCPUs

Component: TMOS

Symptoms:
TMM may not start when using more than 11 network interfaces with more than 11 vCPUs configured.

You see the following log entries in /var/log/tmm:

-- notice ixlv(1.1)[0:5.0]: Waiting for tmm10 to reach state 1...

In the TMM log for that TMM, you can see that it is waiting for tmm0, e.g.:

-- notice ixlv(1.10)[0:6.0]: Waiting for tmm0 to reach state 2...

Conditions:
-- BIG-IP Virtual Edition (VE).
-- More than 11 interfaces configured.
-- More than 11 vCPUs configured.

Impact:
TMM does not start.

Workaround:
Configure fewer network interfaces or vCPUs.

Fix:
Fixed a TMM startup deadloop stuck issue (when there are more than 10 interfaces and tmms/vCPUs).


922261-4 : WebSocket server messages are logged even it is not configured

Component: Application Security Manager

Symptoms:
BIG-IP systems send unexpected WebSocket server messages to the remote logging server.

Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- More than one remote logging profile is attached to a virtual server.
-- One of the remote loggers has response-logging=all.

Impact:
Remote logging server overloaded with unexpected WebSocket messages.

Workaround:
Set response-logging=illegal in all remote logging profiles.

Fix:
BIG-IP sends WebSocket server messages to a remote logger only when it is enabled in the logging profile.


922185-4 : LDAP referrals not supported for 'cert-ldap system-auth'

Component: TMOS

Symptoms:
Admin users are unable to log in.

Conditions:
-- Remote LDAP auth enabled.
-- Administrative users are authenticated with the 'cert-ldap' source.
-- The admin user tries to log in.

Impact:
The cert-ldap authentication does not work, so login fails.

Workaround:
Manually edit the /etc/nslcd.conf and set the referrals to no.


922105-4 : Avrd core when connection to BIG-IQ data collection device is not available

Component: Application Visibility and Reporting

Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.

Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.

Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.

Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:

tmsh modify analytics global-settings use-offbox disabled

Fix:
Avrd no longer cores when the connection to the BIG-IQ data collection device is not available.


921881-4 : Use of IPFIX log destination can result in increased CPU utilization

Component: Local Traffic Manager

Symptoms:
-- Increased baseline CPU.

- The memory_usage_stats table shows a continuous increase in mds_* rows.

Conditions:
Configure IPFIX log destination and make regular changes to the associated configuration.

Impact:
Increased baseline CPU may result in exhaustion of CPU resources.

Workaround:
Limiting changes to associated configuration can slow the effects of this issue.


921721-2 : FIPS 140-2 SP800-56Arev3 compliance

Component: Local Traffic Manager

Symptoms:
BIG-IP is not compliant with a NIST revision to the SP800-56A standard for cryptographic algorithms.

Conditions:
Using cryptographic algorithms covered by this revision in a FIPS 140-2 deployment.

Impact:
BIG-IP will comply with the older standard.

Workaround:
Updated cryptographic key assurances and pair-wise consistency checks according to the SP800-56Arev3 standard.


921677-4 : Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI.

Component: Application Security Manager

Symptoms:
When deleting (via tmsh) bot-related ordered list items like bot white-lists, bot-microservices, and bot-microservices URLs, an error occurs when adding and saving new items via GUI:

Bot defense profile <profile full name> error: match-order should be unique.

Conditions:
1.Create three items with consecutive match-orders values via tmsh, for example: three bot allow list items, the first with match-order 1, the second with match-order 2, and the third with match-order 3.

2. Delete item with the value: match-order 2 (in tmsh), and save.

3. Switch to the GUI, add new allow list item, and save.

Impact:
The system reports an error, and the bot configuration cannot be saved via GUI. However, dragging between items (and then dragging back) overcomes this error.

Workaround:
Drag between two items, and then drag back.

Fix:
Deletion of bot-related ordered items via tmsh no longer causes errors when adding new items via GUI.


921625-4 : The certs extend function does not work for GTM/DNS sync group

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged a SSL cert.

As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives 'unknown ca' SSL error, if its peer GTM/DNS has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.

The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.

You might see messages similar to the following:

-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....

Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device, which results in that file being larger than 4000 bytes.

-- Configuration is as follows:
   1. GTMDNS1 and GTMDNS2 are in a same GTM/DNS sync group.
   2. GTMDNS1 has a self-authorized CA cert.
   3. You add a BIG-IP server that is reachable but with which GTMDNS1 has not exchanged SSL certs.

Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.

Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.


921421-1 : iRule support to get/set UDP's Maximum Buffer Packets

Component: Local Traffic Manager

Symptoms:
UDP profiles have a setting to set the Maximum Buffer Packets for UDP connections. This value cannot be modified with an iRule.

Conditions:
-- UDP profile is used.
-- You need to dynamically change the max buffer packets setting in an iRule.

Impact:
Unable to dynamically change the max buffer packets setting in an iRule.

Workaround:
None

Fix:
You can now dynamically change the max buffer packets setting in an iRule. The setting is UDP::max_buf_pkts

Behavior Change:
A new iRule command has been added, UDP::max_buf_pkts. This allows you to dynamically override the maximum number of packets setting in the UDP profile.


921337-3 : BIG-IP ASM WebSocket vulnerability CVE-2021-22976

Solution Article: K88230177


920961-3 : Devices incorrectly report 'In Sync' after an incremental sync

Component: Application Security Manager

Symptoms:
The security policies assigned to a virtual server are different among the devices in a traffic-group.

Conditions:
-- ASM provisioned.
-- Manual Sync Active-Standby Failover Device Group with ASM sync enabled.
-- An L7 ASM security policy is manually changed on a virtual server (not using the ASM wizard).

Impact:
After incremental sync, devices report 'In Sync' but there is a configuration discrepancy in the security policy assigned to the virtual server.

Workaround:
Modify the underlying LTM policy to be 'legacy':
   # tmsh modify ltm policy <LTM Policy Name> legacy

Fix:
An internal config parameter is now available to work around this issue. In order to use the workaround, you must enable a db variable.

To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1

Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------

NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.

Behavior Change:
There is now an internal config parameter that enables a workaround for this issue. In order to use the workaround, you must enable a db variable.

To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1

Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------

NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.


920481 : REST GET on /mgmt/tm/sys/file/ssl-key returns bad/wrong passphrase

Component: TMOS

Symptoms:
GET request on REST endpoint /mgmt/tm/sys/file/ssl-key returns the incorrect value for passphrase.

Conditions:
This occurs when getting the ssl-key information, and the key contains a passphrase.
-- Using BIG-IP v14.1.2.5 or v14.1.2.6 to deploy Amazon Machine Image (AMI).

Impact:
Passphrase value is incorrect. Autoscale AWS deployments fail when trying to deploy a BIG-IP v14.1.2.5 or v14.1.2.6 AMI. This is the result of a change in how ssl-key passphrases are being returned in REST calls.

Workaround:
None.

Fix:
Can now deploy from BIG-IP v14.1.2.5 or v14.1.2.6 AMI when using passphrase from a GET request on REST endpoint /mgmt/tm/sys/file/ssl-key.


920361-4 : Standby device name sent in Traffic Statistics syslog/Splunk messages

Component: Advanced Firewall Manager

Symptoms:
'Traffic Statistics' syslog/Splunk messages are sent with the hostname of the standby device.

Conditions:
When a virtual server is configured with a security logging profile enabled for DoS Protection logging.

Impact:
'Traffic Statistics' syslog/Splunk messages show the wrong hostname. It should show the active device hostname.

Workaround:
None.

Fix:
Corrected Traffic Statistics syslog/Splunk messages to show the hostname of the active instead of the standby device in logging messages.


920301-2 : Unnecessarily high number of JavaScript Obfuscator instances when device is busy

Component: TMOS

Symptoms:
When the device has high CPU or I/O rate, it can cause the JavaScript Obfuscator to run multiple times simultaneously, causing even higher CPU usage.

Conditions:
-- ASM/DoS/FPS are provisioned.
-- BIG-IP device is experiencing a high CPU or I/O rate.

Impact:
High CPU Usage.

Workaround:
None.

Fix:
The system now avoids creating multiple JavaScript Obfuscator processes.


920197-2 : Brute force mitigation can stop mitigating without a notification

Component: Application Security Manager

Symptoms:
A brute force attack coming from an entity (such as an IP address, etc.) may be stopped prematurely.

Conditions:
-- Many brute force attacks are happening at once, coming from many sources.
-- Distributed attack is not detected (due to configuration).

Impact:
At some point, an entity might not be mitigated due to the sheer number of mitigated entities. When this occurs, there is no notification.

Workaround:
None.


920149-2 : Live Update default factory file for Server Technologies cannot be reinstalled

Component: Application Security Manager

Symptoms:
Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file.

Conditions:
This occurs:

-- Once another update file for Server Technologies has been installed (most likely, a newer file).
-- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release.

Impact:
Live Update default factory file for Server Technologies cannot be reinstalled.

Workaround:
None.


919841-1 : AVRD may crash while processing Bot Defense traffic

Solution Article: K45143221


919745-4 : CSV files downloaded from the Dashboard have the first row with all 'NaN

Component: TMOS

Symptoms:
In the Dashboard .csv file, all of the values in the first row are set to 'NaN'

Conditions:
This is encountered when loading the downloaded Dashboard .csv files with historical data from the GUI.

Impact:
The first row of the downloaded .csv from Dashboard shows all the values as 'NaN'.

Workaround:
None.

Fix:
Fixed an issue with 'NaN' being reported in the first line of the downloaded dashboard .csv files.


919553-3 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.

Component: Global Traffic Manager (DNS)

Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.

Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.


919301-4 : GTP::ie count does not work with -message option

Component: Service Provider

Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:

wrong # args: should be "-type <ie-path>"

Conditions:
Issue the 'GTP::ie count' command with -message command, for example:

GTP::ie count -message $m -type apn

Impact:
iRules fails and it could cause connection abort.

Workaround:
Swap order of argument by moving -message to the end, for example:

GTP::ie count -type apn -message $m

There is a warning message due to iRules validation, but the command works in runtime.

Fix:
'GTP::ie' count is now working with -message option.


919001-1 : Live Update: Update Available notification is shown twice in rare conditions

Component: Application Security Manager

Symptoms:
When entering Live Update page, sometimes Update Available notification is shown twice.

Conditions:
This can be encountered on the first load of the Live Update page.

Impact:
Notification is shown twice.

Workaround:
None.

Fix:
Notification is shown only once in all cases.


918933-3 : The BIG-IP ASM system may not properly perform signature checks on cookies

Solution Article: K88162221

Component: Application Security Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Impact:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Workaround:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Fix:
For more information, please see:
https://support.f5.com/csp/article/K88162221


918597-4 : Under certain conditions, deleting a topology record can result in a crash.

Component: Global Traffic Manager (DNS)

Symptoms:
During a topology load balancing decision, TMM can crash.

Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.

Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Topology record changes are now done in a way that prevents the possibility of TMM crashing when making load balancing decisions in which the record is used.


918317-3 : SSL Orchestrator resets subsequent requests when HTTP services are being used.

Component: SSL Orchestrator

Symptoms:
When connections are reused for subsequent requests, the subsequent requests might get aborted with reset cause 'connector service reconnected'.

Conditions:
SSL Orchestrator with HTTP services and multiple requests in a connection.

Impact:
Subsequent requests might get aborted with reset cause 'connector service reconnected'.

Workaround:
None

Fix:
SSL Orchestrator no longer aborts subsequent requests in the same connection.


918209-1 : GUI Network Map icons color scheme is not section 508 compliant

Component: TMOS

Symptoms:
Network Map color scheme is not compliant with Section 508 of the Rehabilitation Act (section 508). There is no clear difference between a green/active node and the blue/square items. With the new system colors and flat shapes, the icons are nearly identical. Other than shape (circle vs. square), the new colors appear identical; the blue and green are nearly appearing as one color.

Conditions:
Accessing Network Map from GUI via Local Traffic :: Network Map.

Impact:
There is no clear color difference between a green/active node icon and the blue/square icon.

Workaround:
None.

Fix:
Modified the color codes. Now the Network Map icons color scheme is section 508 compliant.


918169-2 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in a HTTP response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when all of the following conditions are true:

-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).

-- The server's HTTP response does not terminate with a newline.

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by performing any one of the following actions:

-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.

-- Ensure the server's HTTP response ends with a newline.

Fix:
The GTM/DNS HTTPS monitor no longer fails when the SSL peer performs an unclean shutdown.


918097-1 : Cookies set in the URI on Safari

Component: Application Security Manager

Symptoms:
When Bot Defense performs a 307 Redirect, the cookie is set on the URL if Bot Defense detects the Safari browser.

Conditions:
-- Bot Defense profile is attached to virtual server.
-- 'Browser Verification' set to 'Verify Before Access' or 'Verify After Access'.
-- 'Cross Domain Requests' set to 'Validate Upon Request'.
-- Surfing on Safari browser to a related domain.

Impact:
A cookie is set on the URL.

Workaround:
None.

Fix:
A new db variable has been added, botdefense.safari_redirect_no_cookie_mode, to allow you to control whether the cookie is added to the URL.

Behavior Change:
BIG-IP systems now have an option to set the cookie using a set-cookie header in the response and not save it as part of the URL.

This is done by a new BigDB variable:
tmsh modify botdefense.safari_redirect_no_cookie_mode value disable

Default value is the original behavior (enable), which sets the cookie in the URl.

NOTE: If the site is using iFrames, changing this BigDB variable might cause the cookie to be ignored and therefore for requests to be blocked.


917509-5 : BIG-IP ASM vulnerability CVE-2020-27718

Solution Article: K58102101


917469-4 : TMM may crash while processing FPS traffic

Solution Article: K53821711


917005-4 : ISC BIND Vulnerability: CVE-2020-8619

Solution Article: K19807532


916969-2 : Support of Microsoft Identity 2.0 platform

Component: Access Policy Manager

Symptoms:
BIG-IP does not support Template for Microsoft Identity Platform 2.0.

Conditions:
This is encountered if you want to use Template for Microsoft Identity Platform 2.0 as an identity provider.

Impact:
Unable to configure Microsoft Identity Platform 2.0 on BIG-IP.

Workaround:
OAuth provider has a custom template which provides the ability to configure and discover using new endpoints.


916821-4 : iControl REST vulnerability CVE-2021-22974

Solution Article: K68652018


915957 : The wocplugin may get into a restart loop when AAM is provisioned

Component: Local Traffic Manager

Symptoms:
When AAM is provisioned the wocplugin resource allocation may fail, which could result in a restart loop of the plugin. This renders the AAM module nonfunctional.

Conditions:
Application Acceleration Manager (AAM) is provisioned

Impact:
AAM is not functional

Workaround:
None

Fix:
The wocplugin is now correctly provisioned and runs without restarts.


915825-4 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.

Component: TMOS

Symptoms:
A configuration error occurs during upgrade due to custom partition-associated Draft folder, which exists in configuration file after deleting a custom partition.

Configuration error: Can't associate folder (/User/Drafts) folder does not exist.

Conditions:
This occurs in the following scenario:

1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.

Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.

Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.


915773 : Restart of TMM after stale interface reference

Component: Local Traffic Manager

Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.


915689-4 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.

Component: Local Traffic Manager

Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already stored in the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.

Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.

Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.

Workaround:
None.

Fix:
HTTP/2 response headers now properly use the dynamic header table index when possible.


915605-1 : Image install fails if iRulesLX is provisioned and /usr mounted read-write

Solution Article: K56251674

Component: Local Traffic Manager

Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.

tmsh show software status will report the status for the target volume as one of the following:

-- Could not access configuration source.
-- Unable to get hosting system product info.

Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.

Impact:
Unable to upgrade or more generally install an image on a new or existing volume.

Workaround:
Re-mount /usr as read-only:

mount -o remount,ro /usr


915509-3 : RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true

Component: Access Policy Manager

Symptoms:
After enabling 'show-extended-error' on the RADIUS Auth agent, instead of seeing the expected message: 'The username or password is not correct. Please try again.', the system reports the message: (error: Access-Reject).

Conditions:
RADIUS Auth with 'show-extended-error' enabled.

Impact:
The content of the Reply Message is not reported. The actual reported error message is confusing and provides no assistance in resolving the condition causing the access error: username, password, passcode, or tokencode.

Workaround:
None.


915497-3 : New Traffic Class Page shows multiple question marks.

Component: TMOS

Symptoms:
When you navigate to the traffic class creation page by clicking Create button in the Traffic Class list page, Chinese characters are displayed with multiple question marks.

Conditions:
This is encountered when creating a new Traffic Class.

Impact:
Multi-byte characters are displayed incorrectly.

Workaround:
None.

Fix:
Fixed an issue with rendering multi-byte characters on the Traffic Class screen.


915489-1 : LTM Virtual Server Health is not affected by iRule Requests dropped

Component: Anomaly Detection Services

Symptoms:
Virtual Server Health should not take into account deliberate drop requests.

Conditions:
-- DoS profile is attached to Virtual Server.
-- iRule that drops requests on some condition is also attached to the virtual server.

Impact:
Server Health reflects it is overloading status more precisely.

Workaround:
Do not use iRules to drop requests when Behavioral DoS is configured.

Fix:
Virtual Server Health is no longer affected while dropping requests using iRules.


915305-3 : Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded

Component: TMOS

Symptoms:
Dynamic routing changes do not cause point-to-point tunnel flows to refresh their connection entries causing tunneled traffic to be dropped/discarded.

Conditions:
Path to a remote tunnel endpoint is provided by a dynamic routing.

Impact:
Tunneled traffic might be dropped/discarded by the BIG-IP system.

Workaround:
Use static routing to provide a path to remote tunnel endpoint.


915281-1 : Do not rearm TCP Keep Alive timer under certain conditions

Component: Local Traffic Manager

Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.

Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.

Impact:
Continuous rearming results in consuming CPU resources unnecessarily.

Workaround:
None.

Fix:
Rearming of TCP Keep Alive timer is improved.


914761-1 : Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.

Component: TMOS

Symptoms:
Using crontab to automatically backup UCS file by scheduling cronjobs fails due to SELinux permissions. The failure produces the following error:

Unexpected Error: UCS saving process failed.

Conditions:
This is encountered when 'tmsh save sys ucs' is executed through a cronjob.

Impact:
UCS file is not successfully saved and backup fails.

Workaround:
None.


914649-2 : Support USB redirection through VVC (VMware virtual channel) with BlastX

Component: Access Policy Manager

Symptoms:
USB is unavailable after opening VMware View Desktop.

Conditions:
1. Secure Tunnel disabled on VCS
2. Launch view virtual desktop via native view client from an APM webtop or from the View client

Impact:
USB is unavailable after opening VMware View Desktop

Workaround:
None.

Fix:
USB is now available after opening VMware View Desktop


914293-1 : TMM SIGSEGV and crash

Component: Anomaly Detection Services

Symptoms:
Tmm crash when using iRule to reject connections when Behavioral DoS is enabled.

Conditions:
This can occur due to an interaction between a Behavioral DoS policy and an iRule designed to potentially drop some of the connections.

Impact:
With heavy traffic, the tmm process might crash. Traffic disrupted while tmm restarts.

Workaround:
Do not use iRules to reject connections that are bound to a virtual server with a Behavioral DoS policy attached.

Fix:
Fixed a tmm crash related to iRules and Behavioral DoS policies.


914277-4 : [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU

Component: Application Security Manager

Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, Live Update configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the master device, before the master has a chance to sync the configuration to the new device, causing the configuration in the master device to be overwritten.

Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.
-- New ASU is automatically downloaded by Live Update at the new host.

Impact:
Live Update configuration of all devices in the Auto Scale group is overwritten.

Workaround:
Disable ASM Live Update Automatic Download.

This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.

For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping

-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable

In order to still have automatic updates for the group, the db variable can be enabled for the master device. Then this setting will be applied on every new host after joining the group and receiving the initial sync from the master.

Fix:
Automatic downloads are quietly synced and do not have an impact on the device group sync status.


914245-1 : Reboot after tmsh load sys config changes sys FPGA firmware-config value

Component: TMOS

Symptoms:
As a part of FPGA firmware update, "tmsh load sys config" fails.

Chmand reports errors:

chmand[19052]: FPGA firmware mismatch - auto update, No Interruption!
chmand[19052]: 012a0006:6: FPGA HSB firmware uploading now...use caution!
Reloading fw_update_post configuration (via systemctl): [FAILED]

Conditions:
Running either of the following commands:

tmsh load sys config
/etc/init.d/fw_update_post reload

Impact:
Firmware update fails.

Workaround:
Use this procedure:

1. Mount /usr:
mount -o rw,remount /usr

2. Add the following line to the '/usr/lib/systemd/system/fw_update_post.service' file:
ExecReload=/etc/init.d/fw_update_post reload

3. Reload systemctl:
systemctl daemon-reload

4. Reload the file:
/etc/init.d/fw_update_post reload

Fix:
Added the reload option in fw_update_post service file.


914081-3 : Engineering Hotfixes missing bug titles

Component: TMOS

Symptoms:
BIG-IP Engineering Hotfixes may not show the summary titles for fixed bugs (as appear for the affected bugs published via Bug Tracker).

-- The 'tmsh show sys version' command displays the bug numbers for fixes included in Engineering Hotfixes.
-- If a given bug has been published via Bug Tracker, the summary title of the bug is expected to be displayed as well.
-- Running BIG-IP Engineering Hotfixes built on or after March 18, 2019.

Conditions:
For affected BIG-IP Engineering Hotfixes, titles are not displayed for any bugs fixed in the Engineering Hotfix.

Impact:
Cannot see the summaries of the bugs fixed by running the 'tmsh show sys version' command.

Workaround:
For bugs that are published via Bug Tracker, you can query for the affected bug in Bug Tracker (https://support.f5.com/csp/bug-tracker).

Note: Not all bugs fixed in BIG-IP Engineering Hotfixes are published to Bug Tracker.

For information on such bugs, consult F5 support, or the original Service Request submitted to F5 in which the affected Engineering Hotfix was requested.

Fix:
BIG-IP Engineering Hotfixes now include the summary titles for fixed bugs that have been published via Bug Tracker.


913849 : Syslog-ng periodically logs nothing for 20 seconds

Component: TMOS

Symptoms:
Once per minute, syslog-ng logs nothing for 20 seconds.

Conditions:
-- A remote syslog server is specified by hostname, forcing syslog-ng to resolve it.
-- the DNS resolution times out (for example, if the DNS server is unreachable)

Impact:
When using DNS names to specify remote syslog destinations and DNS is unreachable, syslog-ng re-attempts to resolve the name every 60 seconds. This resolution has a 20 seconds timeout, and blocks the syslog process from writing logs to disk during that time.

Note that the logs are buffered, not lost, and will still be written to disk (with the correct timestamps) once the DNS query times out.

Workaround:
None.

Fix:
F5 patched syslog-ng to use a lower 1-second, 0-retries timeout back in 13.0.0, but this patch was made ineffective by the upgrade to centos 7 in 14.1.0. This fixes the patch so that it works again.


913829-3 : i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence

Component: TMOS

Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic

Conditions:
Source ports used to connect to i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades form an arithmetic sequence.

For example, some client devices always use even source port numbers for ephemeral connections they initiate. This means the 'stride' of the ports selected is '2'. Because a sorted list of the ports yields a list like 2, 4, 6, 8... 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.

Impact:
Traffic imbalance may result in tmm threads on different CPU cores having imbalanced workloads. While this can sometimes impact on performance, an overloaded tmm thread can usually redistribute load to less loaded threads in a way that does not impact performance. However the loads on the CPU cores will appear imbalanced still.

Workaround:
Where possible, configure devices to draw from the largest possible pool of source ports when connecting via a BIG-IP system.

Behavior Change:
This release introduces a new variable to mitigate this issue:
dagv2.pu.table.size.multiplier.

You must set the variable to 2 or 3 on the host, and then restart tmm on all host blades and then all guests to mitigate the issue. dag2.pu.table.size.multiplier.


913453-3 : URL Categorization: wr_urldbd cores while processing urlcat-query

Component: Traffic Classification Engine

Symptoms:
The webroot daemon (wr_urldbd) cores.

Conditions:
This can occur while passing traffic when webroot is enabled.

Impact:
The wr_urldbd daemon cores. URL Categorization functionality may not work as expected.

Workaround:
None.

Fix:
Fixed a core with wr_urldb.


913433-1 : On blade failure, some trunked egress traffic is dropped.

Component: TMOS

Symptoms:
When a blade fails, other blades may try to forward traffic using trunked interfaces on the down blade.

Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- A blade is pulled or powered off.

Impact:
Some traffic is dropped until the failed blade is detected by clusterd (10 seconds by default.)

Workaround:
None.


913413-4 : 'GTP::header extension count' iRule command returns 0

Component: Service Provider

Symptoms:
The 'GTP::header extension count' iRule command always returns 0 (zero).

Conditions:
This is encountered when using 'GTP::header extension count' in an iRule.

Impact:
The command returns false information.

Workaround:
None

Fix:
'GTP::header extension count' command now returns number of header extension correctly.


913373-3 : No connection error after failover with MRF, and no connection mirroring

Component: Service Provider

Symptoms:
-- Unable to establish MRF connection after failover.
-- Error reports 'no connection'.

Conditions:
- MRF configured.
- Using iRule for routing.
-- Failover occurs.

Impact:
Unable to establish new connection until existing sessions time out. No message is reported explaining the circumstances.

Workaround:
Any of the following:
-- Enable connection mirroring on the virtual server.
-- Disable session mirroring.


913249-4 : Restore missing UDP statistics

Component: Local Traffic Manager

Symptoms:
The following UDP statistics are missing:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes

Conditions:
Viewing UDP statistics.

Impact:
Unable to view these UDP statistics.

Workaround:
None.

Fix:
The following UDP statistics are now restored:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes


913085-4 : Avrd core when avrd process is stopped or restarted

Component: Application Visibility and Reporting

Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.

Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.

Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.

Workaround:
None.

Fix:
Avrd no longer cores when avrd process is stopped or restarted.


912969-4 : iAppsLX REST vulnerability CVE-2020-27727

Solution Article: K50343630


912945-4 : A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed

Component: Local Traffic Manager

Symptoms:
In a virtual configured with multiple client SSL profiles, the profile with ECDSA-signed cert is not selected even though its CN/SAN matching the SNI extension of ClientHello.

Conditions:
-- A virtual server with multiple client SSL profiles.
-- The SNI of,,lientHello does not match the 'server name' of any profile.
-- The cert in the profile is ECDSA-signed and its CN/SAN matches SNI extension of ClientHello.
-- That profile in is not selected.

Impact:
The incorrect client SSL profile is selected.

Workaround:
Configure the 'Server Name' option in the client SSL profile.

Fix:
Fixed an issue with client SSL profile selection.


912425-1 : Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash

Component: In-tmm monitors

Symptoms:
Modification of in-TMM monitors may result in TMM crashing, or the changes to the monitor configuration not taking effect, or only taking effect for some monitor instances.

Conditions:
TMM may crash under some of the following conditions:

-- Performing configuration sync
-- Deleting and recreating monitor and SSL profile configurations.

Changes to monitor configuration may not take effect under the following conditions:

-- Modifying the SSL profile assigned to a monitor.
-- A monitor instance is currently in progress.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
Disable in-TMM monitors.

Fix:
This issue is now fixed.


912289-3 : Cannot roll back after upgrading on certain platforms

Component: Local Traffic Manager

Symptoms:
On certain platforms, after upgrade to particular software versions, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.

- BIG-IP v12.1.6 or later in the v12.x branch of code
- BIG-IP v13.1.4 or later in the v13.x branch of code
- BIG-IP v14.1.4 or later in the v14.x branch of code
- BIG-IP v15.1.1 or later in the v15.x branch of code
- BIG-IP v16.0.0 or later

Conditions:
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

-- Upgrade the software to one of the following software versions:

  + BIG-IP v12.1.6 or later in the v12.x branch of code
  + BIG-IP v13.1.4 or later in the v13.x branch of code
  + BIG-IP v14.1.4 or later in the v14.x branch of code
  + BIG-IP v15.1.1 or later in the v15.x branch of code
  + BIG-IP v16.0.0 or later

-- Attempt to roll back to a previous version.

Impact:
Cannot boot into a previous version. Contact F5 Support for the reversion process if this is required.

Workaround:
None.

Fix:
Contact F5 Support for the reversion process if this is required.

Behavior Change:
On certain platforms, after upgrade to particular software versions, you will not be able to boot back into an earlier software version. Contact F5 Support for the reversion process if this is required.

The particular platforms are:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

The particular software versions are:
  + BIG-IP v12.1.6 or later in the v12.x branch of code
  + BIG-IP v13.1.4 or later in the v13.x branch of code
  + BIG-IP v14.1.4 or later in the v14.x branch of code
  + BIG-IP v15.1.1 or later in the v15.x branch of code
  + BIG-IP v16.0.0 or later


912221-2 : CVE-2020-12662 & CVE-2020-12663

Solution Article: K37661551


912149-4 : ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'

Component: Application Security Manager

Symptoms:
The system exhibits various symptoms related to sync and control plane, and reports errors similar to the following:

/var/log/:

asm:
-- (asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476.

ts_debug.log:
-- |ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0

Conditions:
-- Two devices in a sync-failover/sync-only device group.
-- Other conditions required to reproduce this issue are under investigation.

Note: The occurrences of the Cgc::Channel message in the /var/log/ and /var/log/ts/asm_config_server logs are the most reliable indicator of this issue.

Impact:
-- Config-sync does not work, resulting in a different configuration among the devices in a sync group.

-- Security log profile changes are not propagated to other devices.

-- Portions of the GUI hang, e.g.: Security module tab, and 'security' menu under virtual server.

-- Policies with learning enabled do not generate learning suggestions.

Workaround:
Restart asm_config_server on the units in the device group.

# pkill -f asm_config_server


912089-3 : Some roles are missing necessary permission to perform Live Update

Component: Application Security Manager

Symptoms:
Certain roles, such as Resource Administrator and Application Security Operations Administrator, do not have sufficient permission levels to perform Live Update.

Conditions:
-- User with Resource Administrator or Application Security Operations Administrator role assigned.
-- Attempt to perform Live Update.

Impact:
Users with Resource Administrator and Application Security Operations Administrator role cannot perform Live Update.

Workaround:
None.

Fix:
The following roles can now perform live-update:
- Administrator
- Web Application Security Administrator
- Resource Administrator
- Application Security Operations Administrator


912001-4 : TMM cores on secondary blades of the Chassis system.

Component: Global Traffic Manager (DNS)

Symptoms:
When using DNS Cache on chassis systems with a forward zone pointing at a self IP for communication with local BIND, the following assert triggers:

tmm_panic (... "../net/loop.c:572: %sIDX set on listener%s") at ../lib/stdio.c:1307

Conditions:
-- Chassis system is used.
-- Secondary TMMs core dump.
-- Primary works as expected.

Impact:
TMMs on secondary blades core dump. Traffic disrupted while tmm restarts.

Workaround:
1) Create another virtual server with a DNS profile to use configured to use the local bind server.
2) Set the forward zones to point to that virtual server instead of the self IP as name servers.


911809-1 : TMM might crash when sending out oversize packets.

Component: TMOS

Symptoms:
TMM crashes with an assert; Drop assertion similar to the following:
notice panic: ../dev/ndal/ndal.c:758: Assertion "pkt length cannot be greater than MAX_PKT_LEN" failed.

Conditions:
-- Xnet driver is used in BIG-IP Virtual Edition (VE).
-- TMM tries to send oversize packets.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


911761-4 : F5 TMUI XSS vulnerability CVE-2020-5948

Solution Article: K42696541


911729-1 : Redundant learning suggestion to set a Maximum Length when parameter is already at that value

Component: Application Security Manager

Symptoms:
Policy Builder is issuing a learning suggestion to set a specific maximum length for a parameter when that parameter already has that exact maximum length already configured.

Conditions:
-- Response learning is turned on
-- Response parameter length is less than, but close to, the currently configured maximum length limit.

Impact:
Redundant learning suggestion is issued.

Workaround:
You can either:
-- Ignore the learning suggestion (Click the Ignore button).
-- Turn off Learn from response.

Fix:
Learning suggestion is no longer issued with already configured maximum parameter length value.


911629 : Manual upload of LiveUpdate image file results in NULL response

Component: Application Security Manager

Symptoms:
When uploading a LiveUpdate image file from the GUI, the upload fails.

In /var/log/restjavad.0.log you see the following error:

[SEVERE][768][25 May 2020 05:38:20 UTC][com.f5.rest.workers.liveupdate.LiveUpdateFileTransferWorker] null

Conditions:
LiveUpdate images are uploaded manually.

Impact:
LiveUpdate images fail to upload.

Workaround:
1. Upload the file to LiveUpdate files directory '/var/lib/hsqldb/live-update/update-files' on the host.

2. Send a POST request with the filename for inserting the file to the LiveUpdate
 database:
* url : https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/update-files
* payload - json:
{ "filename": "<FILE_NAME>",
  "fileLocationReference": {"link": "<FILE_NAME>"}}

3. Get the file link reference:
   https://{{big_ip1}}/mgmt/tm/live-update/asm-attack-signatures/update-files?$filter=filename eq '<FILE_NAME>'

4. From the response copy the "selfLink" part :
   "selfLink": "https://localhost/mgmt/tm/live-update/asm-attack-signatures/update-files/<UPDATE_FILE_ID>"

5. Create a POST request with the value above for creating a new installation record:
* url : https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/installations
* payload - json:
{ "updateFileReference": {
        "link": "https://localhost/mgmt/tm/live-update/asm-attack-signatures/update-files/<UPDATE_FILE_ID>"}
}

6. Now the file is available to install it from the GUI.

7. Another option is to install it via the PATCH request and the installation_id from the response received at step 5:
* url: https://<HOST>/mgmt/tm/live-update/<UPDATE-CONFIGURATION>/installations/<INSTALLATION_ID>
* payload: { "status" : "install" }


911141-4 : GTP v1 APN is not decoded/encoded properly

Component: Service Provider

Symptoms:
GTP v1 APN element was decoded/encoded as octetstring and Only GTP v2 APN element is decoded/encoded as DNS encoding.

Conditions:
- GTP version 1.
- APN element.

Impact:
iRules become more complex when dealing with GTP v1 APN element, as it may need to convert between octetstring and dotted style domain name value after decoding or before encoding the data.

Workaround:
Use iRules to convert between octetstring and dotted style domain name values.

Fix:
GTP version 1 APN information element is now decoded/encoded as DNS encoding.

Behavior Change:
GTP v1 apn element is now decoded/encoded using DNS-like encoding. Previously, it was decoded/encoded as octetstring.


911041-2 : Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash

Component: Local Traffic Manager

Symptoms:
An iRule executing on the FLOW_INIT event can suspend. If it does so while connecting to a virtual-to-virtual flow, it can cause a TCP crash, which results in a tmm restart.

Conditions:
An iRule executing on the FLOW_INIT event suspends while connecting to a virtual-to-virtual flow.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
Do not include any iRules that suspend processing in FLOW_INIT.

Fix:
Suspending the iRule FLOW_INIT on a virtual-to-virtual flow no longer leads to a crash.


910905-2 : Unexpected tmm core

Component: Local Traffic Manager

Symptoms:
A tmm core occurs unexpectedly and causes a failover event.

Conditions:
This can occur while tmm is in normal operation. An internal error occurs when deleting an old SSL session during SSL handshake.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed incorrect internal deletion of expired SSL sessions.


910653-3 : iRule parking in clientside/serverside command may cause tmm restart

Component: Local Traffic Manager

Symptoms:
If an iRule utilizing the clientside or serverside command causes parking to occur while in the clientside/serverside command (table or after commands, for example), the connection is aborted while parked, and a subsequent iRule event attempts to run (CLIENT_CLOSED, for example), tmm may restart.

Conditions:
-- iRule using clientside or serverside command.
-- Use of commands that may park while in the clientside/serverside command.
-- Flow is aborted while iRule is parked.
-- iRule also has CLIENT_CLOSED or SERVER_CLOSED event handler.

For more information on the conditions that trigger iRule parking, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Rework iRules to avoid use of clientside/serverside command.
-- Eliminate parking within the clientside/serverside commands.

Fix:
iRule parking in clientside/serverside command no longer causes tmm to restart.


910517 : TMM may crash while processing HTTP traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing HTTP traffic

Conditions:
- Client HTTP profile
- Server SSL profile
- Server HTTP/2 profile
- Undisclosed request conditions

Impact:
TMM may crash, leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes HTTP traffic as expected


910417-3 : TMM core may be seen when reattaching a vector to a DoS profile

Component: Advanced Firewall Manager

Symptoms:
TMM core resulting in potential loss of service.

Conditions:
Attaching and deleting the vector to a DoS profile multiple times while the traffic is ongoing.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now validates the tracker when deleting to ensure delete of the same tracker that was created, so there is no error.


910201-1 : OSPF - SPF/IA calculation scheduling might get stuck infinitely

Component: TMOS

Symptoms:
After SPF/IA calculation gets suspended, it might enter a state where it never fires again.

Conditions:
SPF/IA calculation gets suspended;

This occurs for various reasons; BIG-IP end users have no influence on it occurring.

Impact:
OSPF routes are visible in the OSPF database, but not installed in the routing table.

Workaround:
Restart the routing daemons:
# bigstart restart tmrouted

Running this command allows you to recover from this situation, but does not prevent the event from reoccurring.

If due to a topology, SPF/IA calculation suspension occurs again after a restart, this workaround essentially has no effect.


910097-3 : Changing per-request policy while tmm is under traffic load may drop heartbeats

Component: Access Policy Manager

Symptoms:
Cluster failover, tmm restart, and tmm killed due to missed heartbeats. tmm crash

Conditions:
TMM is under load due to heavy traffic while MCP attempts to configure per-request policy. This can be caused by a modification to the policy or one of its agents, or by a restart of the TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
When making changes to per-request policies, use a scheduled maintenance window so that impact to traffic is minimized.


910017-4 : Security hardening for the TMUI Interface page

Solution Article: K21540525


909837-2 : TMM may consume excessive resources when AFM is provisioned

Solution Article: K05204103


909237-4 : CVE-2020-8617: BIND Vulnerability

Solution Article: K05544642


909233-4 : DNS Hardening

Solution Article: K97810133


909197-5 : The mcpd process may become unresponsive

Component: TMOS

Symptoms:
-- The mcpd process is killed with SIGABRT by the sod watchdog due to failed heartbeat check.
-- There is high memory usage by the mcpd process prior to getting killed.
-- There is an mcpd core file contains a very long string. The core might contain a repeating pattern of '{ } { } { } ...'.

Conditions:
The mcpd process receives a malformed message from one of the control plane daemons.

Impact:
-- There is a temporary lack of responsiveness related to actions of inspecting and/or modifying system configuration: GUI, TMSH, etc., operations may fail or time out.
-- SNMP queries might go unanswered.
-- System daemons restart.
-- Traffic disrupted while mcpd restarts.

Workaround:
None.

Fix:
Fixed handling of malformed messages by mcpd, so the problem should no longer occur.


909161-4 : A core file is generated upon avrd process restart or stop

Component: Application Visibility and Reporting

Symptoms:
Sometime when avrd process is stopped or restarted, a core is generated.

Conditions:
Avrd process is stopped or restarted.

Impact:
Avrd creates a core file but there is no other negative impact to the system.

Workaround:
None


908673-3 : TMM may crash while processing DNS traffic

Solution Article: K43850230


908621-3 : Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
-- Virtual server has HTTP and HTTP Router profiles attached to it.
-- Certain scenarios where the proxy goes into passthrough mode.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now correctly manages proxy handling of passthrough mode in specific scenarios, so the tmm crash no longer occurs.


908601-4 : System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option

Component: TMOS

Symptoms:
When the BIG-IP system boots, mcpd continually restarts.

Conditions:
This may occur after you issue the 'diskinit' command with the '--style=volumes' option in the MOS (Maintenance Operating System) shell, install BIG-IP into the new volume, then boot into the new installation of the BIG-IP system.

Impact:
The BIG-IP system is unable to complete the boot process and become active.

Workaround:
In the MOS shell, do not issue the 'diskinit' command with the '--style=volumes' option.

Instead, on BIG-IP v14.1.2.1 and later, you may use the 'image2disk' utility with the '-format' option to recreate the desired volume.

You also can achieve the same result by following the shell guidance. To begin, type 'start<enter>'.


If the system is already in the defective state, use this shell command, and then reboot:

touch /.tmos.platform.init

The problem should be resolved.

Fix:
Running 'diskinit' from MOS with the '--style=volumes' option no longer causes continuous mcpd restarts.


908517-1 : LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)'

Component: TMOS

Symptoms:
LDAP authentication fails with an error message:

err nslcd[2867]: accept() failed: Too many open files

Conditions:
This problem occurs when user-template is used instead of Bind DN.

Impact:
You cannot logon to the system using LDAP authentication.

Workaround:
None.

Fix:
LDAP authentication now succeeds when user-template is used.


908065-4 : Logrotation for /var/log/avr blocked by files with .1 suffix

Component: Application Visibility and Reporting

Symptoms:
AVR logrotate reports errors in /var/log/avr:

error: error creating output file /var/log/avr/avrd.log.1: File exists
/var/log/avr/avrd.log will remain unchanged
/var/log/avr/avrd.log.1 will remain unchanged

Conditions:
Files ending with .1 exist in the log directory.

Impact:
Logrotate does not work. This might fill the disk with logs over time.

Workaround:
Remove or rename all of the .1 log files.

Fix:
Fixed an issue with logrotate failing when files ending with .1 exist in the log directory.


908021-2 : Management and VLAN MAC addresses are identical

Component: TMOS

Symptoms:
The 'tmsh show sys mac-address' command indicates the management interface is using the same MAC address as a VLAN.

Conditions:
This can occur on chassis based systems and on VCMP guests. The MAC address pool does not reserve specific MAC addresses for the management interfaces and so pool entries may be reused for VLANs.

Impact:
The management MAC address is the same as the VLAN MAC address, resulting in issues relating to the inability to differentiate traffic to the management port or to traffic ports.

Workaround:
None.

Fix:
The issue has been fixed for hardware platforms. That is, MAC addresses in the MAC address pool have been reserved for the management port. Due to the small MAC pool size for a few platforms (see K14513: MAC address assignment for interfaces, trunks, and VLANs :: https://support.f5.com/csp/article/K14513#vlans), entries cannot be reserved for VCMP guest management interfaces.


907337-4 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
A specific scenario that results in memory corruption.

Impact:
Failover, traffic disturbance. Traffic disrupted while BD restarts.

Workaround:
None.

Fix:
This BD crash no longer occurs.


907245-3 : AFM UI Hardening

Solution Article: K94255403


907201-1 : TMM may crash when processing IPSec traffic

Solution Article: K66782293


907025-1 : Live update error" 'Try to reload page'

Component: Application Security Manager

Symptoms:
When trying to update Attack Signatures. the following error message is shown:

Could not communicate with system. Try to reload page.

Conditions:
Insufficient disk space to update the Attack Signature.

Impact:
Live Update unable to restore the database during startup. Device runs out of disk space, which leads to failure in writing live update hsqldb log file. The liveupdatedb.script file, which is based on the .log file, is truncated and missing necessary settings in order to initialize the live update database.

Workaround:
This following procedure restores the database to its default, initial state:

1. Remove the sigfile.tmp.* directories under /var/ts/var/tmp.

2. Delete the script:
delete /var/lib/hsqldb/live-update/liveupdatedb.script

3. Create a new script:
create new /var/lib/hsqldb/live-update/liveupdatedb.script.

4. Add the following lines to create the live update database schema and set the SA user as expected:

 CREATE SCHEMA PUBLIC AUTHORIZATION DBA
 CREATE MEMORY TABLE AVAILABILITY(ID VARCHAR(255) NOT NULL,ERRORMESSAGE VARCHAR(255),LASTCHECKDATETIME BIGINT,LASTCHECKUPDATEFILE VARCHAR(255),STATUS VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT AVAILABILITY_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE INSTALLSCHEDULE(ID VARCHAR(255) NOT NULL,APPLYATALLTIMES BOOLEAN,APPLYONALLDAYS BOOLEAN,APPLYONFRIDAYS BOOLEAN,APPLYONMONDAYS BOOLEAN,APPLYONSATURDAYS BOOLEAN,APPLYONSUNDAYS BOOLEAN,APPLYONTHURSDAYS BOOLEAN,APPLYONTUESDAYS BOOLEAN,APPLYONWEDNESDAYS BOOLEAN,ENDTIME VARCHAR(255),FREQUENCY VARCHAR(255),STARTTIME VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT INSTALLSCHEDULE_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE UPDATEFILE(ID VARCHAR(255) NOT NULL,CREATEDATETIME BIGINT,FILELOCATION VARCHAR(255),FILENAME VARCHAR(255),ISFILEAVAILABLE BOOLEAN,ISFILEMANUALLYUPLOADED BOOLEAN,ISGENESIS BOOLEAN,MD5 VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT UPDATEFILE_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE INSTALLATION(ID VARCHAR(255) NOT NULL,ADDEDENTITIESCOUNT INTEGER,DELETEDENTITIESCOUNT INTEGER,ERRORMESSAGE VARCHAR(255),LASTREADMEFILENAME VARCHAR(255),LASTUPDATEMICROS BIGINT,LOADDATETIME BIGINT,MODIFIEDENTITIESCOUNT INTEGER,README VARCHAR(500000),STATUS VARCHAR(255),"TYPE" VARCHAR(255),UPDATEFILE_ID_OID VARCHAR(255),CONSTRAINT INSTALLATION_PK PRIMARY KEY(ID),CONSTRAINT INSTALLATION_FK1 FOREIGN KEY(UPDATEFILE_ID_OID) REFERENCES UPDATEFILE(ID))
 CREATE INDEX INSTALLATION_N49 ON INSTALLATION(UPDATEFILE_ID_OID)
 CREATE MEMORY TABLE INSTALLATION_DELETEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_DELETEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_DELETEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_DELETEDENTITYLIST_N49 ON INSTALLATION_DELETEDENTITYLIST(ID_OID)
 CREATE MEMORY TABLE INSTALLATION_MODIFIEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_MODIFIEDENTITYLIST_N49 ON INSTALLATION_MODIFIEDENTITYLIST(ID_OID)
 CREATE MEMORY TABLE INSTALLATION_ADDEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_ADDEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_ADDEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_ADDEDENTITYLIST_N49 ON INSTALLATION_ADDEDENTITYLIST(ID_OID)
 CREATE USER SA PASSWORD ""
 GRANT DBA TO SA
 SET WRITE_DELAY 20
 SET SCHEMA PUBLIC

5. Restart the tomcat process:
bigstart restart tomcat


906889-1 : Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Component: TMOS

Symptoms:
Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Conditions:
Viewing New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Impact:
Calculation mistake in the GUI: shows 8 times the actual values, for example:

  Packets In 2 shows as 016 in the GUI
  Packets Out 0 shows as 8 in the GUI

Workaround:
View statistics in tmsh.


906885 : Spelling mistake on AFM GUI Flow Inspector screen

Component: Advanced Firewall Manager

Symptoms:
On the AFM GUI Flow Inspector screen, there is a spelling mistake 'Additinal Info'. It should read 'Additional Info'.

Conditions:
You can locate the spelling error by following these steps:
1. Navigate to Security :: Debug :: Flow Inspector :: Get Flows (should be blank).
2. Select New Flows and then Get Flows.
3. Select the flow (i.e., click anywhere on the result except the hyperlink).

Impact:
There is a spelling mistake on the word 'Additional'. There is no functional impact to the system; this is a cosmetic issue only.

Workaround:
None.


906377-4 : iRulesLX hardening

Solution Article: K61643620


905905-3 : TMUI CSRF vulnerability CVE-2020-5904

Solution Article: K31301245


905849 : FastL4 UDP flows might not get offloaded to hardware

Component: TMOS

Symptoms:
In some cases one side - client or server - of a fastL4 UDP flow might not get offloaded to hardware.

Conditions:
FastL4 UDP virtual server

Impact:
One side of the UDP flow is not accelerated by hardware.

Workaround:
None

Fix:
Both sides of the fastL4 UDP flow are now offloaded correctly.


905557-6 : Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure

Component: Global Traffic Manager (DNS)

Symptoms:
A TMM daemon logs a SIGSEGV error, halts, and then be restarted.

Conditions:
-- A BIG-IP system configured to perform DNS/GTM Global Server Load Balancing.
-- High Speed Logging (HSL) is configured.
-- Multiple HSL destinations are configured.
-- The enabled HSL settings include 'replication'.
-- At least one HSL destination is up.
-- At least one HSL destination is down.
-- A pool resource changes state from up to down.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure HSL with only a single log destination.


905125-3 : Security hardening for APM Webtop

Solution Article: K30343902


904937-4 : Excessive resource consumption in zxfrd

Solution Article: K25595031


904845-3 : VMware guest OS customization works only partially in a dual stack environment.

Component: TMOS

Symptoms:
The result of guest OS customization depends on the DHCP state on the management (mgmt) interface and the applied customization profile (i.e., IPv4 only, IPv4 and IPv6, or IPv6 with IPv4 prompt).

By default, DHCP is enabled on the management interface.

During configuration, you can customize only one IPv4 or one IPv6 address in a dual stack environment.

Conditions:
Applying a customization profile to VMware VM in a dual stack environment.

Impact:
You can only partially customize the mgmt interface IP profiles for VMware VMs in a dual stack environment.

Workaround:
Configure the mgmt interface addresses using the config script.

Fix:
VMware customization works only partially in a dual stack environment. To avoid misconfiguration, set the desired mgmt interface addresses using the config script.


904785-3 : Remotely authenticated users may experience difficulty logging in over the serial console

Component: TMOS

Symptoms:
-- When a remotely authenticated user attempts login over the serial console, the username and password are accepted, but the session closes immediately thereafter.
-- Login over SSH is successful for the same user

Conditions:
-- Remote authentication (e.g., RADIUS, TACACS, LDAP) and role mapping configured on the BIG-IP system.
-- Attempted login over the serial console for a remotely authenticated user who has been assigned a role.

Impact:
Remotely authenticated users cannot log in over the serial console.

Workaround:
Using either of the following workaround:

-- Log in over SSH instead

-- If acceptable (taking into account security considerations), enable terminal access for all remote users regardless of assigned role, using 'tmsh modify auth remote-user remote-console-access tmsh' or within the GUI.


904705-3 : Cannot clone Azure marketplace instances.

Component: TMOS

Symptoms:
Cannot clone Azure marketplace instances because cloned instances do not properly retrieve publisher and product code from the metadata service.

Conditions:
Applies to any Azure marketplace instance.

Impact:
Cannot clone Azure marketplace instances.

Workaround:
None.

Fix:
Updated the version of the API used to get data from the metadata service. Cloned instances now properly retrieve the publisher and product code from the metadata service.


904593-2 : Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled

Component: Application Security Manager

Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, the configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the primary device, before the primary has a chance to sync the configuration to the new device, causing the configuration in the primary device to be overwritten.

Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.

Impact:
Configuration of all devices in the Auto Scale group is overwritten.

Workaround:
Disable ASM Live Update Automatic Download.

This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.

For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping

-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable


904373-1 : MRF GenericMessage: Implement limit to message queues size

Component: Service Provider

Symptoms:
The GenericMessage filter does not have a configurable limit to the number of messages that can be received.

Conditions:
If a message is waiting for an asynchronous iRule operation during a GENERICMESSAGE_INGRESS or GENERICMESSAGE_EGRESS iRule event, new messages are placed in either the ingress or egress queue. As the number of messages increase, more memory is required.

Impact:
If too many messages are queued, the system may exceed an internal count which could lead to a core.

Workaround:
None.

Fix:
The existing max_pending_messages attribute of the message router profile is used to limit the size of the queues.


904165-3 : BIG-IP APM vulnerability CVE-2020-27716

Solution Article: K51574311


904133-2 : Creating a user-defined signature via iControl REST occasionally fails with a 400 response code

Component: Application Security Manager

Symptoms:
Creating user-defined signature via iControl REST occasionally fails with a 400 response code.

Conditions:
You create a user-defined signature via iControl REST via this endpoint:

POST https://<BIG-IP>/mgmt/tm/asm/signatures

Impact:
Signature creation fails with 400 response code:

{
    "code": 400,
    "message": "remoteSender:10.10.10.10, method:POST ",
    "originalRequestBody": "{...}",
    "referer": "10.10.10.10",
    "restOperationId": 6716673,
    "kind": ":resterrorresponse"
}

Fix:
Creating user-defined signatures via REST works correctly.


904053-4 : Unable to set ASM Main Cookie/Domain Cookie hashing to Never

Component: Application Security Manager

Symptoms:
Disabling ASM Main Cookie/Domain Cookie hashing in a Policy's Learning and Blocking Setting with 'Never (wildcard only)' does not stop the ASM Main Cookie from continuing to hash server-provided cookies.

Conditions:
-- ASM enabled.
-- Learning mode enabled for Policy.
-- Learn New Cookies set to 'Never (wildcard only)' instead of default 'Selective'.

Impact:
A sufficient number of ASM Main Cookies and/or a sufficiently large number of cookies for each ASM Main cookie to hash can result in the HTTP header becoming prohibitively large, causing traffic to be refused by the server.

Workaround:
Disable Learning mode for the Policy disables Cookie hashing.

Note: This affects all learning, not just Cookie hashing.

Fix:
Cookie hashing can now be disabled at the policy level in the Cookie subsection of an ASM Policy's Learning and Blocking Settings by setting Learn New Cookies to "Never (wildcard only)".


904041-4 : Ephemeral pool members may be incorrect when modified via various actions

Component: Local Traffic Manager

Symptoms:
Ephemeral pool members may not be in the expected state if the corresponding FQDN template pool member is modified by one of several actions.

For example:

A. Ephemeral pool members may be missing from a pool in a partition other than Common, after reloading the configuration of that partition.

B. Ephemeral pool members may not inherit the 'session' state from the corresponding FQDN template pool member if the FQDN template pool member is disabled (session == user-disabled), the config is synced between high availability (HA) members, and BIG-IP is restarted.

Conditions:
Scenario A may occur when reloading the configuration of non-'Common' partition, e.g.:
-- tmsh -c "cd /testpartition; load sys config current-partition"

Scenario B may occur when an FQDN template pool member is disabled (session == user-disabled), the config is synced between HA members, and BIG-IP is restarted.

Impact:
Impacts may include:
- Missing ephemeral pool members, inability to pass traffic as expected.
- Ephemeral pool members becoming enabled and receiving traffic when expected to be disabled.

Workaround:
For scenario A, reload the entire configuration instead of just the individual partition.

For scenario B, it may be possible to work around this issue by checking the status of ephemeral pool members after BIG-IP restart, and toggling the 'session' value between user-enabled and user-disabled.

Fix:
FQDN ephemeral pool members now better reflect expected states after the corresponding FQDN template pool member is modified by one of several actions such as config load, config sync and BIG-IP restart.


903889 : BIG-IP HTTP/2 vulnerability CVE-2021-22999

Solution Article: K02333782


903561-2 : Autodosd returns small bad destination detection value when the actual traffic is high

Component: Advanced Firewall Manager

Symptoms:
Bad destination detection threshold cannot accurately reflect the actual traffic pattern.

Conditions:
-- Enable bad destination and fully automatic mode.
-- Actual traffic is high.

Impact:
A small bad destination detection value is returned.

Workaround:
None.

Fix:
Fixed the threshold update algorithm.


903357-3 : Bot defense Profile list is loads too slow when there are 750 or more Virtual servers

Component: Application Security Manager

Symptoms:
Security :: Bot Defense : Bot Defense Profiles page loading takes a long time when there are profiles configured with hundreds of virtual servers. For example: a configuration with 750 virtual servers takes about 40 seconds to load the page. Configuration with 1300 virtual servers takes more than 70 seconds.

Conditions:
At least one Bot profile attached to hundreds of virtual servers. For 750 and more virtual servers attached the slow loading is significant.

Impact:
Bot Defense list page loading time can take more than 30 seconds.

Workaround:
None.


902485-2 : Incorrect pool member concurrent connection value

Component: Application Visibility and Reporting

Symptoms:
In AVR pool-traffic report, 'server-concurrent-conns' reports a larger value than 'server-max-concurrent-conns'.

Conditions:
This is encountered when viewing the pool-traffic report.

Impact:
Incorrect stats reported in the pool-traffic report table

Workaround:
In /etc/avr/monpd/monp_tmstat_pool_traffic_measures.cfg, change the formula of server_concurrent_connections:

From this:
formula=round(sum(server_concurrent_conns),2)

Change it to this:
formula=round(sum(server_concurrent_conns)/count(distinct time_stamp),2)

Fix:
Changed the calculation formula of 'server-concurrent-conns' so it reports the correct statistics.


902417-4 : Configuration error caused by Drafts folder in a deleted custom partition

Component: TMOS

Symptoms:
Error during config load due to custom partition associated Draft folder exists after deleting partition.

01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.

Conditions:
Create draft policy under custom partition

Impact:
Impacts the software upgrade.

Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.


902401-3 : OSPFd SIGSEGV core when 'ospf clear' is done on remote device

Component: TMOS

Symptoms:
The ospfd process generates a core.

Conditions:
-- IA routes.
-- OSPF is in FULL/DR state.

Impact:
An OSPF daemon generates a core, potentially losing routing information and OSPF dynamic routes for a moment while the ospfd daemon restarts.

Workaround:
None.

Fix:
OSPF no longer cores when running 'clear ip ospf' on remote.


901929-4 : GARPs not sent on virtual server creation

Component: Local Traffic Manager

Symptoms:
When a virtual server is created, GARPs are not sent out.

Conditions:
-- Creating a new virtual server.

Impact:
Traffic could be impacted if other systems have the virtual server address already in their ARP caches.

Workaround:
After creating the virtual server, disable and re-enable the ARP setting on the corresponding virtual address.

Fix:
GARPs are now sent when a virtual server is created.


901061-4 : Safari browser might be blocked when using Bot Defense profile and related domains.

Component: Application Security Manager

Symptoms:
As a fix to ID879777 (https://cdn.f5.com/product/bugtracker/ID879777.html), when navigating to a related domain using Safari, requests might be blocked.

Conditions:
- Using Bot Defense profile, with "Cross Domain Requests" mode "Validate Upon Request"
- BIG-IP version containing fix of ID879777 (16.0 and higher or EngHF)
- Surfing the site using Safari browser.

Impact:
Some requests might be blocked.

Workaround:
None.

Fix:
Set the cookie so all requests in the target domain will contain it.


900933-2 : IPsec interoperability problem with ECP PFS

Component: TMOS

Symptoms:
IPsec tunnels fails to remain established after initially working.
 
On the first ESP Security Associations (SAs) establishment, an IPsec tunnel works. After the expiry of the SAs causes a re-key, the keys are calculated incorrectly by the BIG-IP system. The BIG-IP system sends ESP packets to the remote peer, but the remote peer cannot decrypt the packet. Likewise, the BIG-IP system cannot decrypt packets from the remote peer.

This may also immediately present as a problem when trying to establish a second tunnel to the same peer.

Conditions:
- IPsec IKEv2 tunnel.
- A remote peer that is not another BIG-IP system.
- Elliptic curve groups (ECP) is used for Perfect Forward Secrecy (PFS).

Impact:
Multiple IPsec tunnels to the same remote peer cannot be established concurrently, or tunnels fail after a period of time.

Workaround:
Do not use ECP for PFS.

Fix:
The ECP PFS state is now correctly maintained and will interoperate with other vendor IPsec products.


900905-1 : TMM may crash while processing SIP data

Solution Article: K42830212


900797-4 : Brute Force Protection (BFP) hash table entry cleanup

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed.
This scenario may cause mitigated entries to keep getting removed from the hash table by new entries.

Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of the hash tables together, then divided into the number of virtual servers which have traffic and BFP enabled.
In case of the latter, there might be a chance that with too many virual servers the hash table may reach it's maximum capacity.

Impact:
Mitigated entries that keep getting removed from the hash table by new entries, may result in attacks not getting mitigated.

Workaround:
N/A

Fix:
Mitigated entries are kept in the hash table.


900793-2 : APM Brute Force Protection resources do not scale automatically

Solution Article: K32055534

Component: Application Security Manager

Symptoms:
Under certain conditions, resources for Brute Force Protection must be manually scaled by administrators to provide full protection.

Conditions:
-- Many virtual server (hundreds) that have web application protection with brute force protection enabled.
-- Numerous failed login requests coming to all virtual servers all the time.

Impact:
Administrators must manually change the hash size upon need instead of relying on the automatic configuration.

Workaround:
Set the internal parameter external_entity_hash_size to 0 to allow automatic recalculation of the correct value.

Fix:
Brute Force Protection resources are now scaled automatically based on available system resources.


900789-4 : Alert before Brute Force Protection (BFP) hash are fully utilized

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP addresses and usernames. There is a separate hash table for each virtual server. When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed without logging a warning.

Conditions:
This can be encountered when Brute Force Protection is enabled and the hash table reaches its maximum capacity.

Impact:
No alert is sent when entries are evicted.

Workaround:
None.

Fix:
Alert/Warning is now announced in ASM logs, describing the status of the hash table.


900757-4 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


898997-4 : GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes

Component: Service Provider

Symptoms:
GTP message parsing fails and log maybe observed as below:

GTP:../modules/hudfilter/gtp/gtp_parser.c::242 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser_ver_2.c::153 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser.c::103 (Failing here).

Conditions:
- GTP profile is applied to virtual or GTP::parse command is used
- GTP message contains IE (information element) which is larger than 2048 bytes

Impact:
- message parsing fails, traffic maybe interupted

Fix:
GTP profile and GTP::parse iRules now support IE larger than 2048 bytes


898949-3 : APM may consume excessive resources while processing VPN traffic

Solution Article: K04518313


898929-2 : Tmm might crash when ASM, AVR, and pool connection queuing are in use

Component: Local Traffic Manager

Symptoms:
TMM crashes and generates a core file.

Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile.

Impact:
Tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
Disable connection queuing on the pool.


898825-4 : Attack signatures are enforced on excluded headers under some conditions

Component: Application Security Manager

Symptoms:
Attack signatures are marked as detected when they should be marked as excluded (i.e., a false positive).

Conditions:
-- A 100-continue transaction occurs in HTTP.
-- The internal parameter answer_100_continue is set to a non-default value of 0.

Impact:
False positive enforcement for header signature.

Workaround:
Set the answer_100_continue to 1 (default) on versions later than 15.0.0.


898741-4 : Missing critical files causes FIPS-140 system to halt upon boot

Component: Application Security Manager

Symptoms:
After activating a FIPS 140-2 license on a device and rebooting, the device fails to boot.

Conditions:
-- Device is licensed for FIPS 140 mode
-- A critical system file is missing

Impact:
System halts during boot because of sys-eicheck.py failure.

Workaround:
Prior to rebooting into FIPS 140-2 mode, ensure that there are no missing critical files by running the sys-eicheck command.

If the missing files are due to missing signature update files:

- Manually upload the missing images in System ›› Software Management : Live Update - this will ensure that the image is associated with an installation record.


898705-3 : IPv6 static BFD configuration is truncated or missing

Component: TMOS

Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.

-- IPv6 static BFD configuration entries go missing during a daemon restart.

Conditions:
IPv6 static BFD configuration.

Impact:
The IPv6 static BFD configuration does not persist during reloads.

-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.

Workaround:
None.


898461-4 : Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'

Component: TMOS

Symptoms:
The following SCTP iRule commands:

-- SCTP::mss
-- SCTP::ppi
-- SCTP::collect
-- SCTP::respond
-- SCTP::client_port
-- SCTP::server_port

Are unavailable in the following MRF iRule events:

-- GENERICMESSAGE_EGRESS
-- GENERICMESSAGE_INGRESS
-- MR_EGRESS
-- MR_INGRESS

Attempts to use these commands in these events result in errors similar to:

01070151:3: Rule [/Common/sctp_TC] error: /Common/sctp1: error: [command is not valid in current event context (GENERICMESSAGE_EGRESS)][SCTP::ppi 46].

Conditions:
-- Using MRF and SCTP.
-- Using the specified set of iRule commands within the listed iRule events.

Impact:
Unable to use these iRule commands within these iRule events.

Workaround:
None.

Fix:
These iRule commands are now available within these iRule events.


898441-4 : Enable logging of IKE keys

Component: TMOS

Symptoms:
IPsec debug level logging does not provide encryption and authentication key information for IKEv1 IKE negotiation. This information is commonly logged by IPsec vendors in order to allow network administrators the ability to decrypt failing ISAKMP exchanges.

Conditions:
-- The BIG-IP system has an IPsec IKEv2 tunnel configured.
-- debug level logging is enabled.

Impact:
Without the encryption and authentication key information, an ISAKMP negotiation cannot be inspected when troubleshooting tunnel negotiation.

Workaround:
None, although the remote peer may log this information.

Fix:
Added sys db variable 'ipsec.debug.logsk' to enable logging of IKE SA keys.


897229 : TLS session ticket resumption SNI check

Component: Local Traffic Manager

Symptoms:
A TLS session ticket might be used for session resumption if the SNI does not match the original session ticket.

Conditions:
-- TLS 1.2 or 1.3.
-- Session ticket resumption.
-- SNI does not match the original session ticket.

Impact:
Session resumption might occur when the current session ticket extension SNI does not match session ticket SNI.

Workaround:
None.

Fix:
Session resumption with session ticket is now resumed only when the SNI matches the original session ticket.


896817-4 : iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb

Component: TMOS

Symptoms:
When merging a configuration that modifies the list of iRules a virtual server uses, you may encounter an error similar to:

01070621:3: Rule priorities for virtual server (/Common/virtual1) must be unique.

Conditions:
-- Merging a configuration using the TMSH 'replace' verb.
-- Replacing a virtual server's iRule in a way that adjusts priorities of the iRules.

Impact:
Unable to replace configuration using TMSH's 'replace' verb.

Workaround:
None.

Fix:
When merging a configuration that modifies the list of iRules a virtual server uses using the TMSH 'replace' verb, no error is encountered.


896709-2 : Add support for Restart Desktop for webtop in VMware VDI

Component: Access Policy Manager

Symptoms:
VMware has a restart desktop option to reboot the Horizon Agents, but APM does not support this feature on the webtop.

Conditions:
You wish to use the VMware Restart desktop feature for the Horizon Agents that are managed by the vCenter Server.

Impact:
Cannot restart the desktop (Horizon Agent) from the webtop by clicking the restart icon.

Workaround:
None.

Fix:
APM now supports restart desktop option on webtop for VMware VDI.


896553-2 : On blade failure, some trunked egress traffic is dropped.

Component: TMOS

Symptoms:
When a blade fails (but not administratively disabled), other blades take 10 seconds (configured with db variable clusterd.peermembertimeout) to detect its absence. Until the blade failure is detected, egress traffic which used the failed blade's interfaces is dropped.

Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- Some blades do not have directly attached interfaces.
-- A blade which does have directly attached interfaces fails.

Impact:
Some traffic is dropped until the failed blade is detected (10 seconds by default.)

Workaround:
Attach interfaces to all blades.

Fix:
Failed blades are detected within a second.


896285-4 : No parent entity in suggestion to add predefined-filetype as allowed filetype

Component: Application Security Manager

Symptoms:
No parent entity appears in an ASM Policy Builder suggestion to add to the policy a predefined-filetype to the allowed filetypes list.

Conditions:
The issue is encountered when filetypes are configured with learning mode which allows new filetypes to be added to the policy. Relevant learning modes to this issue are: Always, Selective and Compact.

Impact:
No parent entity appears in the sugestion.

Workaround:
None.

Fix:
Suggestions to add filetypes to the allowed-filetypes list in the policy now contain parent entity.


896217-4 : BIG-IP GUI unresponsive

Component: TMOS

Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.

Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.

Impact:
GUI becomes unresponsive.

Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat


895993-4 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


895981-4 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


895881-3 : BIG-IP TMUI XSS vulnerability CVE-2020-5903

Solution Article: K43638305


895837-1 : Mcpd crash when a traffic-matching-criteria destination-port-list is modified

Component: TMOS

Symptoms:
Virtual server configured with:

-- Destination address in a non-default route-domain, for example:
0.0.0.0%100/0

-- The configuration uses a destination port list.

Conditions:
Modify the virtual server's port-list to a different one.

Impact:
Mcpd generates a core, and causes services to restart and failover.

Workaround:
None.

Fix:
Mcpd no longer crashes when modifying a traffic-matching-criteria's destination port list.


895557-1 : NTLM profile logs error when used with profiles that do redirect

Component: Local Traffic Manager

Symptoms:
As of BIG-IP version 14.1, HTTP iRule commands that inspect HTTP state after the commands HTTP::respond, HTTP::redirect, and HTTP::retry returns errors instead of returning corrupt data (https://support.f5.com/csp/article/K23237429).

When the NTLM profile is configured, it does the same through a built-in TCL rule where among several things, it tries to check if HTTP::cookie exists. If a profile like HTTP exists wherein a redirect/respond/retry is configured, it results in a TCL error informing the admin that they are accessing an invalid HTTP state.

Conditions:
-- NTLM profile is configured alongside HTTP profile
-- One of the redirect/respond/retry commands has been executed before the NTLM profile accesses the state of HTTP (for ex. HTTP::collect, HTTP::close, HTTP::cookie, etc.).

Impact:
Tcl error is seen in /var/log/ltm informing the admin that the iRule operation executed after HTTP::redirect/retry/respond is not supported.

For example -
TCL error: _plugin_rule_/Common/ntlm_default_iis <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::cookie exists [PROFILE::ntlm insert_cookie_name]"


895525-4 : TMUI RCE vulnerability CVE-2020-5902

Solution Article: K52145254


895313 : Enable manage config setting may fail after upgrade of AGC to version 7.0 on BIG-IP 14.1.0 or 14.1.2

Component: Access Policy Manager

Symptoms:
Clicking to change the Enable Manage Config setting may fail after upgrade, and reports an error message:
transaction failed:01020036:3: The requested AAA OAuth Provider (/Common/test.app/test_oauthProvider_test) was not found.

Conditions:
This issue occurs in the following scenario:
-- Run BIG-IP software 14.1.0 or 14.1.2.
-- Upgrade AGC to version 7.0.
-- A configuration such as SAML SP is created and deployed.
-- Click the Disable Manage Config lock icon to set it to Enable Manage Config; This enables editing the configuration using the GUI or tmsh.
-- Use the GUI or tmsh to edit a configuration option related to that SAML SP instance.
-- Navigate to the AGC-created instance of the configuration, and click the Enable Manage Config lock icon.

Impact:
Attempting to Enable Manage Config fails. The changes you made using the GUI or tmsh are lost. The associated instance becomes unusable from AGC.

Note: You can still use the instance outside of AGC.

Workaround:
To prevent the issue from happening, do not edit AGC-created configurations using the GUI or tmsh; only modify the configuration using AGC.

Fix:
Clicking Enable Manage Config in AGC now retains changes made outside the AGC use case.


895153-2 : HTTP::has_responded returns incorrect values when using HTTP/2

Component: Local Traffic Manager

Symptoms:
HTTP::has_responded is not detected in an iRule when the request comes across via HTTP/2. Instead, HTTP::has_responded always return the value 'false'.

Conditions:
-- HTTP/2 profile.
-- iRule containing the command HTTP::has_responded.

Impact:
Calls to HTTP::respond or HTTP::redirect are not correctly identified by HTTP::has_responded when using HTTP/2.

Workaround:
None.

Fix:
HTTP::has_responded is now properly detected in iRules where HTTP/2 is used.


895141 : HTTP::has_responded returns incorrect values when using HTTP/2

Component: Local Traffic Manager

Symptoms:
HTTP::has_responded is not detected in an iRule when the request comes across via HTTP/2. Instead, HTTP::has_responded always returns the value 'false'.

Conditions:
-- HTTP/2 profile.
-- iRule containing the command HTTP::has_responded.

Impact:
Calls to HTTP::respond or HTTP::redirect are not correctly identified by HTTP::has_responded when using HTTP/2.

Workaround:
None.

Fix:
HTTP::has_responded is properly detected in iRules where HTTP/2 is used.


894885 : [SAML] SSO crash while processing client SSL request

Component: Access Policy Manager

Symptoms:
-- Tmm crashes while processing a client SSO request.
-- Graphs show a high SWAP consumption and there are also some OOM events, although the process being terminated is avrd.

Log messages:
-- notice sod[4759]: 01140045:5: HA reports tmm NOT ready.
-- notice sod[4759]: 010c0050:5: Sod requests links down.

Conditions:
SAML SSO is configured and passing traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed a crash that occurred while handling SSL Orchestrator traffic.


894565-2 : Autodosd.default crash with SIGFPE

Component: Access Policy Manager

Symptoms:
The autodosd process crashes occasionally due to the division by zero.

Conditions:
It happens when the autodosd process receives zero value from tmm.

Impact:
Autodosd is rebooted.

Fix:
The autodosd process does not crash with SIGFPE.


893949 : Support TCP directional offload for hardware-accelerated connections

Component: TMOS

Symptoms:
TCP connections are hardware accelerated for both client- and server-side traffic, but there is no way to specify the TCP hardware acceleration for only client-side or only server-side traffic.

Conditions:
The BIG-IP device has TCP hardware accelerated flows.

Impact:
This change allows you to specify TCP hardware acceleration for only client-side traffic, only server-side traffic, or both. Both is the default behavior.

Note that setting TCP directional offload based on this change is global. There is no per-Fast L4 profile setting.

For more information, see K03799525: Overview of the ePVA offload priority features, available at https://support.f5.com/csp/article/K03799525.

Workaround:
None.


893885 : The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation

Component: TMOS

Symptoms:
The tpm-status command incorrectly reports system integrity status as 'Invalid' even when system software is not modified.

Conditions:
-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on Trusted Platform Module (TPM)-supported BIG-IP platforms.

Impact:
Incorrect presentation of system software status; the status shows INVALID when it is actually valid.

Workaround:
None.

Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status.


893721-1 : PEM-provisioned systems may suffer random tmm crashes after upgrading

Component: Traffic Classification Engine

Symptoms:
TMM crashes with SIGSEGV and a core file is written to /var/core/

Conditions:
This affects systems where PEM is provisioned and where the classification engine is running.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
None


893281-1 : Possible ssl stall on closed client handshake

Component: Local Traffic Manager

Symptoms:
If a client connection closes before finishing client ssl handshake, in some cases BIG-IP ssl does not close and connection remains until idle timeout.

Conditions:
Client ssl handshake and client FIN must arrive while BIG-IP server ssl finished is in crypto.

Impact:
Some ssl client connection remain until idle timeout.

Fix:
Allow transmit of any pending crypto during ssl shutdown.


893061-1 : Out of memory for restjavad

Component: Application Security Manager

Symptoms:
REST framework not available due to Out of memory error

Conditions:
Long list of Live Update installations

Impact:
Live Update GUI is not responding.

Workaround:
1) Increase memory assigned to the Linux host: (value dependant on platform)

# tmsh modify sys db provision.extramb value 1000

2) Allow restjavad to access the extra memory:

# tmsh modify sys db restjavad.useextramb value true

3) Save the config:

# tmsh save sys config

4) The re-provisioning will trigger a restart of the services. Wait until the unit is online again.

5) Increase the restjavad maxMessageBodySize property:

# curl -s -f -u admin: -H "Content-Type: application/json" -d '{"maxMessageBodySize":134217728}' -X POST http://localhost:8100/mgmt/shared/server/messaging/settings/8100 | jq .
{
  "maxMessageBodySize": 134217728,
  "localhostRestnodedConnectionLimit": 8,
  "defaultEventHandlerTimeoutInSeconds": 60,
  "minEventHandlerTimeoutInSeconds": 15,
  "maxEventHandlerTimeoutInSeconds": 60,
  "maxActiveLoginTokensPerUser": 100,
  "generation": 6,
  "lastUpdateMicros": 1558012004824502,
  "kind": "shared:server:messaging:settings:8100:restservermessagingpoststate",
  "selfLink": "https://localhost/mgmt/shared/server/messaging/settings/8100"
}

Ensure the command returns output showing the limit has been increased (as shown above).

6) Reboot the unit.


892941-4 : F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)

Solution Article: K20105555

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Impact:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Workaround:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Fix:
For more information, please see:
https://support.f5.com/csp/article/K20105555


892937-4 : F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat)

Solution Article: K20105555

Component: Access Policy Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Impact:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Workaround:
For more information, please see:
https://support.f5.com/csp/article/K20105555

Fix:
For more information, please see:
https://support.f5.com/csp/article/K20105555


892677-4 : Loading config file with imish adds the newline character

Component: TMOS

Symptoms:
While loading configuration from the file with IMISH ('imish -f <f_name>'), the newline character gets copied at the end of each line which causes problems with commands containing regex expressions.

In particular, this affects the bigip_imish_config Ansible module.

Conditions:
Loading a config with 'imish -f <f_name>' commands.

Note: This command is used with the bigip_imish_config Ansible module.

Impact:
Regex expressions are not created properly.

Workaround:
You can use either of the following workarounds:

-- Delete and re-add the offending commands using the imish interactive shell.

-- Restart tmrouted:
bigstart restart tmrouted


892653-2 : Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI

Component: Application Security Manager

Symptoms:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Conditions:
This is encountered when configuring the Splunk Logging Format in the GUI

Impact:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Workaround:
Use tmsh to define the maximum query string size and maximum request size. For more information, see the tmsh command reference for the security log profile at https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/security/security-log-profile.html

Fix:
Maximum Query String Size and Maximum Request Size fields will be shown in the GUI in case the Splunk Logging Format is selected.


892621-2 : Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software

Component: Advanced Firewall Manager

Symptoms:
BDoS Signature mitigated in software.

Conditions:
IP packets size metric in BDoS signature.

Impact:
BDoS Signature with IP packet size metric mitigated only in software for IPv6 packets.

Workaround:
None.

Fix:
IP packets size metric bin calculation algorithm for IPv6 packets in software now matches hardware version.


892385-2 : HTTP does not process WebSocket payload when received with server HTTP response

Component: Local Traffic Manager

Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.

Conditions:
-- Virtual contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload is received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.

Impact:
-- WebSocket connection hangs.

Workaround:
None.

Fix:
HTTP processes WebSocket payload without delay when payload is received with server HTTP response.


891849-2 : Running iRule commands while suspending iRule commands that are running can lead to a crash

Component: Local Traffic Manager

Symptoms:
Running iRule commands while suspending iRule commands that are running can lead to a crash.

Conditions:
-- Running iRule commands.
-- iRule commands that suspend iRules are running.

For more information on the conditions that trigger iRule suspend, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Running iRule commands while suspending iRule commands are running no longer results in a tmm crash.


891729-4 : Errors in datasyncd.log

Component: Fraud Protection Services

Symptoms:
An error exists in datasyncd.log:
DATASYNCD|ERR |Mar 13 12:47:54.079|16301| datasyncd_main.c:1955|tbl_gen_state_machine: cannot start the generator for table CS_FPM

Conditions:
Upgrades from version 13.x to 14.0.0 or higher.

Impact:
FPS has a maximum of ~990 rows instead of 1001, and there are errors in datasyncd.log. However, the upgrade completes normally, and the system operates as expected.

Workaround:
These are benign error messages that you can safely ignore. Upgrade completes successfully, and the system operates as expected.

If you prefer, however, you can perform a clean install instead instead of upgrading. This has an impact on your configuration, as that information will be lost when you do a clean install.

Fix:
Now the max rows number is 1001 when upgrading from any version prior to 14.0.0.


891721-1 : Anti-Fraud Profile URLs with query strings do not load successfully

Component: TMOS

Symptoms:
When a URL containing a query string is added to an anti-fraud profile, the BIG-IP config load fails:

010719d8:3: Anti-Fraud URL '/url\?query=string' is invalid. Every protected URL should be a valid non-empty relative path specified in lower case in the case insensitive Anti-Fraud profile '/Common/antifraud'.
Unexpected Error: Loading configuration process failed.

Conditions:
Adding a query string to a URL for an anti-fraud profile.

Impact:
After a BIG-IP config save, loading of new bigip.conf fails.

Workaround:
Follow this procedure:

1. Remove the escaping characters \ (backslash) for ? (question mark) in the bigip.conf file.
2. Load the configuration.

Fix:
The issue has been fixed: Now Anti-fraud profile URLs support query strings such as /uri?query=data, and they can be successfully loaded.


891505-1 : TMM might leak memory when OAuth agent is used in APM per-request policy subroutine.

Component: Access Policy Manager

Symptoms:
TMM leaks memory and eventually crashes when it cannot allocate any more memory.

Conditions:
OAuth agent is used in APM per-request policy subroutine and authentication fails.

Impact:
Over a period of time, TMM crashes, as it is unable to allocate any more memory. Traffic is disrupted while tmm restarts.

Workaround:
None.

Fix:
When fixed, TMM works as expected and no longer leaks memory.


891477 : No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server

Component: TMOS

Symptoms:
When a bandwidth control policy is applied on a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.

Both static bandwidth control policies and dynamic bandwidth control policies can cause the problem.

Conditions:
This issue occurs when both of the following conditions are met:

-- Virtual server configured with a bandwidth control policy.
-- Standard type of virtual server.

Impact:
The BIG-IP system does not retransmit unacknowledged data segments.

Workaround:
None.


891457-4 : NIC driver may fail while transmitting data

Solution Article: K75111593


891385-4 : Add support for URI protocol type "urn" in MRF SIP load balancing

Component: Service Provider

Symptoms:
MRF SIP load balancing does not support the urn URI protocol type.

Conditions:
-- Using MRF SIP in LB mode.
-- Clients are using the urn protocol type in their URIs.

Impact:
SIP messages with urn URIs are rejected.

Fix:
Added support for the urn URI protocol type.


891337-3 : 'save_master_key(master): Not ready to save yet' errors in the logs

Component: TMOS

Symptoms:
During config sync, you see error messages in the logs:
save_master_key(master): Not ready to save yet.

Conditions:
UCS load or configuration synchronization that includes encrypted objects.

Impact:
Many errors seen in the logs.

Workaround:
None.

Fix:
Fixed an issue causing 'save_master_key(master): Not ready to save yet' errors.


891093-3 : iqsyncer does not handle stale pidfile

Component: Global Traffic Manager (DNS)

Symptoms:
Stale /var/run/iqsyncer.pid file is causing a new iqsyncer application to exit immediately after start.

Conditions:
iqsyncer applications is killed by Linux kernel or any other reason causing a stale iqsyncer pid file

Impact:
Gtm config changes and gtm_add operations are blocked

Workaround:
Remove iqsyncer pid file manually or reboot

Fix:
Stale iqsyncer pid file condition handled in iqsyncer application


890881-3 : ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address

Component: Local Traffic Manager

Symptoms:
Traffic drop occurs.

Conditions:
Source MAC in the ARP header and the Ethernet header do not match.

Impact:
The BIG-IP system drops these packets.

Workaround:
None.


890277-2 : Full config sync to a device group operation takes a long time when there are a large number of partitions.

Component: TMOS

Symptoms:
When a full config sync is done to a device group with large number of partitions:
-- The config sync operation takes a long time to complete.
-- There is a spike in CPU usage on the device where config push is initiated.
-- The mcpd daemon is unresponsive to other daemons, such tmsh, GUI etc., as it is busy pushing the config sync.
-- iQuery connections are terminated due to high CPU utilization.

Conditions:
Full config sync on device with large number of partitions.

Impact:
The operation takes a long time to complete, minutes on a BIG-IP Virtual Edition (VE) configurations, and varies by platform and the size of the configuration. For example, config sync on a medium BIG-IP VE setup running v15.1.0.1 with 512 partitions takes ~3 minutes.

Impedes management of device as well as terminates iQuery connections to GTM/DNS devices.

Workaround:
Enable Manual Incremental Sync.


890229-3 : Source port preserve setting is not honored

Component: Local Traffic Manager

Symptoms:
The source port is always changed in source-port preserve mode even if the original source port with the other parameters would hash to the same TMM.

Conditions:
This issue occurs when both of the following conditions are met:

-- The virtual server is configured with source-port preserve (the default).
-- The system uses one of the following hash configurations including IP addresses.
    - Using RSS DAG as a default hash on BIG-IP Virtual Edition (VE) (Z100) or on 2000- and 4000-series devices.
    - Configuring a VLAN's 'CMP Hash' setting to a non-default value.
    - Using a special variable such as non-default udp.hash or tcp.hash.

Impact:
Applications relying on a specific, fixed source port might not work as expected.

Workaround:
Set source-port to preserve-strict.

Fix:
Now source-port preserve setting does best effort to preserve the source port.

Behavior Change:
Beginning with v16.0.0, the TM.PortFind.Src_Preserve BigDB variable introduced in v15.1.0 is no longer supported.

The source-port preserve setting now does best effort to preserve the source port.


889813-1 : Show net bwc policy prints bytes-per-second instead of bits-per-second

Component: TMOS

Symptoms:
The 'tmsh show net bwc policy' is printing out bits-per-second in the value field, but the name field says 'bytesPerSec'.

Conditions:
Running the tmsh command:
tmsh show net bwc policy

Impact:
The stats are in bits-per-second, but the label says bytesPerSec. Although there is no functional impact, the incorrect label could cause confusion.

Workaround:
None.


889601-1 : OCSP revocation not properly checked

Solution Article: K14903688

Component: Local Traffic Manager

Symptoms:
The revocation status of un-trusted intermediate CA certs are not checked when ocsp object is configured.

Conditions:
When OCSP object revocation checking is configured in client and server SSL profiles

Impact:
The SSL handshake continues eve if a certificate is revoked.

Fix:
OCSP revocation checking now working properly.


889557-2 : jQuery Vulnerability CVE-2019-11358

Solution Article: K20455158


889209-1 : Sflow receiver configuration may lead to egress traffic dropped after TMM starts.

Component: Local Traffic Manager

Symptoms:
Active Sflow receiver configuration may lead to all egress traffic getting dropped after TMM starts.

Conditions:
Enabled sflow receiver is configured.

Impact:
Egress traffic is dropped.

Workaround:
Disable Sflow receiver, save configuration, reboot. (You should not re-enable the sflow receiver in versions where this bug is present)


889165-1 : "http_process_state_cx_wait" errors in log and connection reset

Component: Local Traffic Manager

Symptoms:
Large POST requests are getting occasionally reset and you see the following in /var/log/ltm:

err tmm[19279]: 011f0007:3: http_process_state_cx_wait - Invalid action:0x100011 clientside

Conditions:
-- An HTTP iRule is configured on a virtual server
-- A large POST request arrives on the virtual server

Impact:
Possible connection failure.

Fix:
Fixed incorrect early release of HUDEVT_ACCEPTED during ssl handshake irules.


889041-1 : Failover scripts fail to access resolv.conf due to permission issues

Component: TMOS

Symptoms:
When a failover is triggered, the floating IP addresses do not migrate to the newly active device. In /var/log/auditd/audit.log, you see the following errors:

/var/log/auditd/audit.log:type=AVC msg=audit(1583426470.463:27492): avc: denied { read } for pid=26865 comm="curl" name="resolv.conf" dev="dm-5" ino=32804 scontext=system_u:system_r:f5config_failover_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file

Conditions:
-- A failover event occurs.
-- oci-curl will be called when failover happens, which may be unable to read /etc/resolv.conf.

Impact:
Failover does not complete. Floating IP addresses do not move to the active device.

Workaround:
Run two commands:
tmsh modify sys db failover.selinuxallowscripts enable
setenforce 0

Impact of workaround: these commands disable SELinux policy enforcement.


889029-4 : Unable to login if LDAP user does not have search permissions

Component: TMOS

Symptoms:
A user is unable to log in using remote LDAP.

Conditions:
-- BIG-IP systems are configured to use LDAP authentication.
-- Remote user has no search permissions on directory

Impact:
Authentication does not work.

Workaround:
Grant search permissions to the user in LDAP.


888625-2 : CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks

Component: Carrier-Grade NAT

Symptoms:
There is a difference in active port block counter between statistics collected in TMM and actual allocations in 'lsndb list pba'.

Conditions:
The issue happens when the port block allocation process fails after incrementing the active port blocks counter.

Impact:
No functional impact. But the stats counters will be incorrect.

Fix:
Update the active port block counter correctly when port block allocation fails.


888517-3 : Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU.

Component: Local Traffic Manager

Symptoms:
Tmm is running at 100% CPU even under light network load. The 'tmctl tmm/ndal_tx_stats' command shows a high number of packet drops. The 'tmctl tmm/ndal_tx_stats' indicates a large number of queue full events.

Conditions:
-- BIG-IP Virtual Edition.
-- There are underlying network performance issues causing the transmit queue to be full (e.g., a non-SR-IOV virtual machine environment).
-- Upgrading from BIG-IP v12.x to BIG-IP v14.x.

Impact:
NDAL's busy polling runs the tmm CPU usage to 100%.

Workaround:
Correct the underlying networking/virtualization issue.

Fix:
NDAL needs to provide visible information, for example, a log entry, when busy polling over a period of time.


888497-4 : Cacheable HTTP Response

Component: TMOS

Symptoms:
JSESSIONID, BIGIPAUTHCOOKIE, BIGIPAUTH can be seen in the browser's debugging page.

Conditions:
-- Accessing the BIG-IP system using the GUI.
-- Viewing the browser's stored cache information.

Impact:
HTTPS session information is captured/seen in the browser's local cache, cookie.

Note: The BIG-IP system does not display and/or return sensitive data in the TMUI. Content that is marked appropriately as sensitive is never returned, so it is never cached. Data that is cached for TMUI in the client browser session is not considered secret.

Workaround:
Disable caching in browsers.


888493-4 : ASM GUI Hardening

Solution Article: K40843345


888489-4 : ASM UI hardening

Solution Article: K55873574


888417-4 : Apache Vulnerability: CVE-2020-8840

Solution Article: K15320518


888341-5 : HA Group failover may fail to complete Active/Standby state transition

Component: TMOS

Symptoms:
After a long uptime interval (i.e., the sod process has been running uninterrupted for a long time), HA Group failover may not complete despite an HA Group score change occurring. As a result, a BIG-IP unit with a lower HA Group score may remain as the Active device.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime, e.g.:

-- 1 floating traffic group: 2485~ days.
-- 2 floating traffic groups: 1242~ days.
-- 4 floating traffic groups: 621~ days.
-- 8 floating traffic groups: 310~ days.
-- 9 floating traffic groups: 276~ days.

Note: You can confirm sod process uptime in tmsh:

# tmsh show /sys service sod

Conditions:
HA Group failover configured.

Note: No other failover configuration is affected except for HA Group failover, specifically, these are not affected:

 o VLAN failsafe failover.
 o Gateway failsafe failover.
 o Failover triggered by loss of network failover heartbeat packets.
 o Failover caused by system failsafe (i.e., the tmm process was terminated on the Active unit).

Impact:
HA Group Active/Standby state transition may not complete despite HA Group score change.

Workaround:
There is no workaround.

The only option is to reboot all BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.


888289-3 : Add option to skip percent characters during normalization

Component: Application Security Manager

Symptoms:
An attack signature is not detected.

Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.

Impact:
An attack goes undetected.

Workaround:
Turn on the bad unescape violation or the metacharacter violation.

Fix:
Added an internal parameter, normalization_remove_percents. Its default is 0 (zero), meaning that the previous behavior is maintained. When enabled, the normalization of the data before running the signature removes the percent characters (as it does to high ASCII and space characters).


888285-3 : Sensitive positional parameter not masked in 'Referer' header value

Solution Article: K18304067

Component: Application Security Manager

Symptoms:
When the URI and 'Referer' header share the same positional parameter, the 'Referer' positional parameter is not masked in logs.

Conditions:
Sending a request with positional parameter in URI and 'Referer' header.

Impact:
'Referer' header positional parameter value is not masked in logs.

Workaround:
None.

Fix:
'Referer' positional parameter value is masked as expected.


887965-3 : Virtual server may stop responding while processing TCP traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, a virtual server may stop responding while processing TCP traffic.

Conditions:
- TCP virtual server with FastL4 and L7 (e.g., HTTP) profiles.
- Undisclosed conditions

Impact:
Affected virtual server becomes unavailable until conditions resolve. Other virtual servers on the system are not impacted.

Workaround:
None.

Fix:
TCP traffic is now processed as expected


887637-1 : Systemd-journald Vulnerability: CVE-2019-3815

Solution Article: K22040951


887089-3 : Upgrade can fail when filenames contain spaces

Component: TMOS

Symptoms:
Filenames with spaces in /config directory can cause upgrade/UCS load to fail because the im upgrade script that backs up the config, processes the lines in a file spec using white space characters. The number of spaces in the filename is significant because it determines how the process separates the name into various fields, including a path to the file, an md5sum, and some file properties (notably size). If the path contains white space, when the upgrade/UCS load process attempts to use a field, the operation encounters a value other than what it expects, so the upgrade/UCS load fails.

The file's content is also significant because that determines the md5sum value.

Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:

Not enough free disk space to install!

Conditions:
Filenames with spaces in /config directory.

Impact:
Upgrade or loading of UCS fails.

Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.


887017-2 : The dwbld daemon consumes a large amount of memory

Component: Advanced Firewall Manager

Symptoms:
The dwbld daemon shows very large memory consumption after adding addresses to the shun-list.

Conditions:
-- Adding a large number of IP addresses to the shun-list (millions of IP addresses).
-- Viewing dwbl memory usage using:
config # top -p $(pidof dwbld)

Impact:
Excessive memory consumption. If memory is exhausted, enforcement does not occur.

Workaround:
None.

Fix:
Improvements to dwbld memory handling have been implemented.


886865-2 : P3P header is added for all browsers, but required only for Internet Explorer

Component: Application Security Manager

Symptoms:
The Bot Defense profile adds P3P headers to every response when a cookie is set, even if the client browser is something other than Microsoft Internet Explorer.

Conditions:
Bot Defense Profile is attached to a virtual server.

Impact:
Deprecated P3P header is inserted in all responses, even though it is only required for Internet Explorer.

Workaround:
The value of the P3P header is globally configurable in the DB variable dosl7.p3p_header.

It is also possible to set the value to '<null>' and thus prevent the P3P header from appearing, but this may cause legitimate Internet Explorer browsers to be be blocked from accessing the web application.

Fix:
The profile now adds the P3P header only to Internet Explorer browsers. There is still the option to add the header to all browsers (i.e., keep the old behavior, in case there is another browser that requires this) by setting a db variable:
tmsh modify sys db botdefense.always_add_p3p_header value enable


886713-3 : Error log seen in case of SSL Orchestrator configured with http service during connection close.

Component: SSL Orchestrator

Symptoms:
An error is logged:

tmm2[24575]: 01c50003:3: Service : encountered error: ERR_UNKNOWN File: ../modules/hudfilter/service/service.c Function: hud_service_handler, Line: 778

Conditions:
SSL Orchestrator is configured with a http service and a connection closes.

Impact:
An error is logged, but it can be safely ignored.

Workaround:
None

Fix:
Error log is no longer seen in case of SSL Orchestrator configured with http service.


886693-2 : System may become unresponsive after upgrading

Component: TMOS

Symptoms:
After upgrading, the system encounters numerous issues:

-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.

Conditions:
-- The configuration loads in the previous release, but does not load successfully on the first boot into the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.

Exact conditions that trigger this issue are unknown and could be varied. In the environment in which it occurs, a datagroup is deleted, but an iRule still references it, see: https://cdn.f5.com/product/bugtracker/ID688629.html

Impact:
-- System down, too busy to process traffic.
-- Difficulty logging in over SSH might require serial console access.

Workaround:
Reboot to an unaffected, pre-upgrade volume.

-- If the system is responsive enough, use 'tmsh reboot volume <N>' or switchboot to select an unaffected volume.

-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a BIG-IP Virtual Edition (VE) from an applicable management panel, and then select an unaffected volume from the GRUB menu manually.

Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch.

For more information, see:
-- K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296
-- K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658
-- K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.

Fix:
The system should now remain responsive if the configuration fails to load during an upgrade on the following platforms:

-- BIG-IP 2000s / 2200s
-- BIG-IP 4000s / 4200v
-- BIG-IP i850 / i2600 / i2800
-- BIG-IP Virtual Edition (VE)


886689-4 : Generic Message profile cannot be used in SCTP virtual

Component: TMOS

Symptoms:
When creating virtual server or transport config containing both SCTP and Generic Message profile, it will fail with an error:

01070734:3: Configuration error: Profile(s) found on /Common/example_virtual that are not allowed: Only (TCP Profile, SCTP Profile, DIAMETER Profile, Diameter Session Profile, Diameter Router Profile, Diameter Endpoint, SIP Profile, SIP Session Profile, SIP Router Profile, DoS Profile, profile statistics)

Conditions:
Create virtual server or transport config which contains both SCTP and Generic Message profile.

Impact:
You are unable to combine the Generic Message profile with the SCTP profile.

Fix:
Generic Message profile can be used in SCTP virtual


886085-3 : BIG-IP TMM vulnerability CVE-2020-5925

Solution Article: K45421311


885869-4 : Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime

Component: Global Traffic Manager (DNS)

Symptoms:
iQuery incorrectly interprets iQuery SSL certificate times when they are using GenericTime instead of UTCTime.

Conditions:
An iQuery certificate using GenericTime instead of UTCTime.

Note that this would only occur with a date beyond the year 2049.

Impact:
Internal years are interpreted to be much later than they should be.

Workaround:
Use SSL certificates with UTCTime instead of GenericTime.

Fix:
Fixed an issue in iQuery SSL where GenericTime-formatted years interpreted incorrectly.


885765-4 : ASMConfig Handler undergoes frequent restarts

Component: Application Security Manager

Symptoms:
Under some settings and load the RPC handler for the tsconfd process restarts frequently.

Conditions:
When processing a large number of configuration updates.

Impact:
The RPC handler for the tsconfd process restarts frequently, causing unnecessary churn and noisy logs

Workaround:
None


885201-3 : BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"'messages appearing in gtm log

Component: Global Traffic Manager (DNS)

Symptoms:
Err (error) level messages in /var/log/gtm log when DNS (GTM) SSL monitors such as https are used and are unable to connect to the monitored target IP address:

err big3d[4658]: 01330014:3: CSSLSocket:: Unable to get the session.

These messages do not indicate the IP address or port of the target that failed to connect, and this ambiguity may cause concern.

Conditions:
-- SSL-based DNS (GTM) monitor assigned to a target, for example https
-- TCP fails to connect due to a layer 2-4 issue, for example:
   - No route to host.
   - Received a TCP RST.
   - TCP handshake timeout.

Impact:
The system reports unnecessary messages; the fact that the monitor failed is already detailed by the pool/virtual status change message, and the target changing to a red/down status.

These messages can be safely ignored.

Workaround:
If you want to suppress these messages, you can configure a syslog filter.

For more information, see K16932: Configuring the BIG-IP system to suppress sending SSL access and request messages to remote syslog servers :: https://support.f5.com/csp/article/K16932.

Fix:
Added debug messages for SSL probing with attached DB variable


884797-2 : Portal Access: in some cases data is not delivered via WebSocket connection

Component: Access Policy Manager

Symptoms:
If a client browser opens a WebSocket connection, Portal Access may not send data to the client if the first message in the new connection comes from the server.

Conditions:
- Web application with WebSocket connection
- First data in WebSocket connection is sent from server to client

Impact:
Data is not delivered to the client browser via the WebSocket connection.

Fix:
Now Portal Access can deliver data to the client browser via the WebSocket connection when the first data is sent from the server.


884425-1 : Creation of new allowed HTTP URL is not possible

Component: Application Security Manager

Symptoms:
When pressing 'Create' button in
Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs page, the requested page is not loaded.

Conditions:
Policy with about 5000 and more parameters causes long loading time, which results in loading failure.

Impact:
The requested page (New Allowed HTTP URL...) is not loaded.

Workaround:
Use fewer parameters (less than 5000) per policy.


884165-2 : Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG

Component: TMOS

Symptoms:
Frequent config syncs and spamming of logs are occurring on BIG-IP devices in a high availability (HA) configuration.

Conditions:
Datasync CAPTCHA table is re-generated while CAPTCHA is being consumed by users.

Impact:
Sync to the datasync groups cause the sync status of the devices to fluctuate.


883889-1 : Tmm might crash when under memory pressure

Component: Access Policy Manager

Symptoms:
Tmm might crash and restart when under memory pressure

Conditions:
SSL Orchestrator with service chaining (Security policy uses services).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
A condition where high tmm memory utilization results in memory corruption has been resolved.


883853-1 : Bot Defense Profile with staged signatures prevents signature update

Component: Application Security Manager

Symptoms:
When a trying to install a new bot defense signature, the installation fails with the following log message:

com.f5.liveupdate.update.dosbotsignatures.file.Update.applyChanges.pl|INFO|Feb 10 13:22:12.924|7347|F5::Dos::BotSignatures::load_from_xml,,Cannot send updated objects to mcp: 01070265:3: The Bot Defense Signature (/Common/Headless Chromium, Chrome) cannot be deleted because it is in use by a Bot Defense Profile Signature Staging.

Conditions:
-- A Bot Defense Profile has a staged signature.
-- The staged signature points to something that does not exist in the update file.

Impact:
The new file cannot be installed.

Workaround:
Enforce the staged signature.

Fix:
Before deleting the signature, the installation process checks to see whether the signature is staged, and if it is, the process unstages it.


883717-3 : BD crash on specific server cookie scenario

Solution Article: K37466356


883673-1 : BotDefense JavaScript browser verification can cause low score when using Google Lighthouse tool

Component: Application Security Manager

Symptoms:
Browser Verification JavaScript (type=11), can cause low score on Google Lighthouse tool on some cases.

Type=11 appears as the suggestion for 'Reduce JavaScript execution time'.

Conditions:
-- Bot Defense profile is attached to a virtual server, with 'Verify After Access' Browser Verification.
-- Using specific backend server.
-- Using Google Lighthouse tool for performance test.

Impact:
Low performance score on Google Lighthouse tool.

Workaround:
None.

Fix:
Adding bigdb for running the script with 'async' or 'defer'.


883577-2 : ACCESS::session irule command does not work in HTTP_RESPONSE event

Component: Access Policy Manager

Symptoms:
When ACCESS::session irule is used in HTTP_RESPONSE event, the APM session creation fails with the following log in /var/log/ltm

No HTTP data available - command unsupported in event (line XX)session creation failed - Operation not supported (line XX)

Conditions:
Using ACCESS::session create command under HTTP_RESPONSE.

Impact:
Cannot create APM session using the ACCESS::session irule command.

Workaround:
The same irule ACCESS::session can be used under HTTP_REQUEST to create the APM session.


882769-3 : Request Log: wrong filter applied when searching by Response contains or Response does not contain

Component: Application Security Manager

Symptoms:
When searching by "Response contains" or "Response does not contain", an incorrect filter is applied and displayed

Conditions:
This occurs in the GUI when selecting "Response contains" or "Response does not contain" filter

Impact:
You are unable to search by response in the GUI

Workaround:
There is no way to search in GUI, but you can search using REST API

Fix:
Correct filter applied and displayed for Response contains or Response does not contain filters


882713-1 : BGP SNMP trap has the wrong sysUpTime value

Component: TMOS

Symptoms:
The timestamp value of sysUpTime in SNMP traps reported by BGP is incorrect.

Conditions:
BGP connection with a peer flaps, and sends traps for the following:
bgpSnmpNotifyEstablished
bgpSnmpNotifyBackwardTransition

Impact:
The sysUpTime in the trap generated by BGP is incorrect.

Workaround:
None.

Fix:
Fixed an incorrect calculation of sysUpTime.


882633-4 : Active Directory authentication does not follow current best practices

Solution Article: K51213246


882557-4 : TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher)

Component: TMOS

Symptoms:
If the underlying virtio platform specifies RX and/or TX queue sizes that are 4096 or larger, the BIG-IP system cannot allocate enough contiguous memory space to accommodate this. Errors similar to these are seen in the tmm log files:

ndal Error: Failed to allocate 2232336 (2228224 + 4096 + 16) bytes
virtio[0:7.0]: Error: Failed to allocate descriptor chain
virtio[0:7.0]: Error: Failed allocate indirect rx buffers

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with virtio drivers.
-- The underlying platform specifies RX and/or TX queue sizes of 4096 or larger.

Impact:
TMM continually restarts.

Workaround:
Use the sock driver instead of virtio.

In your BIG-IP VE VM execute the lspci command to determine which virtio driver is present:

# lspci -nn | grep -i eth | grep -i virtio
00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:04.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:0b.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]

Configure a socket driver:

echo "device driver vendor_dev 1af4:1000 sock" > /config/tmm_init.tcl

Reboot the instance


882549-3 : Sock driver does not use multiple queues in unsupported environments

Component: Local Traffic Manager

Symptoms:
In some unsupported environments, the underlying sock driver uses only only 1 queue. You can confirm whether it does so by executing the tmctl command to check the rxq column (which shows 0):
tmctl -d blade -i tmm/ndal_rx_stats' and

You can verify this on the tx side as well.

Conditions:
This occurs in certain unsupported environments.

Note: When you run 'ethtool -l', you can see: 'command not supported'.

Impact:
When multi-q is present, the use of single queue can impact performance when using the sock driver.

Workaround:
Use other available drivers.

You can check the available drivers by executing the tmctl command:
tmctl -d blade -i tmm/device_probed

Fix:
Fixed an issue with the sock driver.


882377-1 : ASM Application Security Editor Role User can update/install ASU

Component: Application Security Manager

Symptoms:
Live Update modifications are allowed for Application Security Editor Role.

Conditions:
Login as Application Security Editor user and try to install ASU.

Impact:
Application Security Editor Role role is permitted to update Attack Signatures when it shouldn't be.


882273 : MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage grow

Component: Service Provider

Symptoms:
Memory leak can cause tmm to crash and memory usage to grow.

Conditions:
-- Diameter transmission setting is enabled and action should be retrans.
-- auto-init should be enabled.
-- And server is down.

Impact:
Memory corruption will lead to tmm crash in longer run and memory leak make memory usage to grow in linear order. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
When server is down BIG-IP keeps creating new connection to it. there is memory leak need to be fixed.


882189-5 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5897

Solution Article: K20346072


882185-5 : BIG-IP Edge Client Windows ActiveX

Solution Article: K20346072


882157-2 : One thread of pkcs11d consumes 100% without any traffic.

Component: Local Traffic Manager

Symptoms:
One thread of pkcs11d consumes 100% without any traffic.

Conditions:
-- The BIG-IP system is licensed with NetHSM, and service pkcs11d is running.
-- The MCDP service is restarted.

Impact:
NetHSM configurations and statistics updates are not updated.

Workaround:
Restart the pkcs11d service:
tmsh restart sys service pkcs11d

Fix:
The system now watches for errors and prevents this error from occurring.


881757-2 : Unnecessary HTML response parsing and response payload is not compressed

Component: Application Security Manager

Symptoms:
When either DoS Application Profile or Bot Defense profiles are used, or a complex LTM policy is used, the Accept-Encoding request header is removed by the BIG-IP system, which causes the backend server to respond with uncompressed payload.

Second effect is that the Bot Defense Profile and L7 DoS profile are always, not conditionally, considered internally as a profile that modifies a body that satisfies HTTP profile chunking configuration 'sustain' (default mode) triggering client-side chunking. This causes a response in the server-side that is unchunked to be always chunked in client-side with the mode set to 'sustain'.

Conditions:
One of these options:
-- Bot Defense Profile is associated with the Virtual Server.
-- DoS Profile is associated with the Virtual Server and has Application (L7) enabled.
-- Policy is associated with the Virtual Server and has complex LTM Policy: multiple Policies, or additional rules.

Impact:
-- Response payload sent by the backend server is uncompressed.
-- Performance impact caused by response parsing.

Workaround:
For version 15.1.0 and later, you can use the following workaround:

Disable the option for modification of Referer header:
tmsh modify sys db asm.inject_referrer_hook value false

Note: Using this brings back the impact of ID792341 (see https://cdn.f5.com/product/bugtracker/ID792341.html).

For versions earlier than 15.1.0, there is no workaround.

Fix:
The system no longer removes the Accept-Encoding header and no longer parses response payload if not needed based on configuration.


881445-5 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5898

Solution Article: K69154630


881317-4 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896

Solution Article: K15478554


881293-5 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5896

Solution Article: K15478554


881085-1 : Intermittent auth failures with remote LDAP auth for BIG-IP managment

Component: TMOS

Symptoms:
There are intermittent auth failures when accessing the BIG-IP administration interfaces via SSH or the GUI.

Conditions:
-- Remote LDAP auth is configured.
-- An idle timeout RST is received on the LDAP connection before the configured auth LDAP idle-timeout expires. This RST might be generated by tmm (if the connection to the LDAP server is via a defined VLAN), some other intervening device on the network, or from the LDAP server itself (depending on its connection time limit).

Impact:
There might be intermittent remote-auth failures.

Workaround:
Set the auth ldap idle-timeout to a smaller value, for example, via tmsh:
modify auth ldap system-auth idle-timeout 299


880789-1 : ASMConfig Handler undergoes frequent restarts

Component: Application Security Manager

Symptoms:
Under some settings and load, the RPC handler for the botd process restarts frequently, causing unnecessary churn and message-cluttered logs.

Conditions:
-- Bot protection is enabled.
-- A high volume of bot attacks are handled.

Impact:
The RPC handler for the botd process restarts frequently, causing unnecessary churn and noisy logs

Workaround:
None.

Fix:
The botd handler is now restored to a more robust process lifecycle.


880753-1 : Possible issues when using DoSL7 and Bot Defense profile on the same virtual server

Solution Article: K38157961

Component: Application Security Manager

Symptoms:
When DoSL7 and Bot Defense profiles are configured together on the same Virtual Server, some requests might not be handled by the Bot Defense profile.

Conditions:
-- DoSL7 profile is attached to the virtual server (with Application).
-- Bot Defense profile is attached to the virtual server.
-- Another security module is attached to the virtual server (WebSafe, MobileSafe, ASM).

Impact:
Some requests might not be processed by the Bot Defense profile.

Workaround:
Disable dosl7.idle_fast_path:
tmsh modify sys db dosl7.idle_fast_path value disable

Fix:
The mechanism which caused this issue is now correctly enabled.


880625-2 : Check-host-attr enabled in LDAP system-auth creates unusable config

Component: TMOS

Symptoms:
When configuring system auth to use LDAP, if you set check-host-attr to enabled, the resulting /config/bigip/pam.d/ldap/system-auth.conf that is generated cannot be parsed by nslcd.

Conditions:
-- Configuring system auth to use LDAP.
-- Setting check-host-attr to enabled.

Impact:
LDAP-based auth does not function.

Workaround:
None.


880361-3 : iRules LX vulnerability CVE-2021-22973

Solution Article: K13323323


880165-1 : Auto classification signature update fails

Component: TMOS

Symptoms:
During classification update, you get an error:

"Error: Exception caught in script. Check logs (/var/log/hitless_upgrade.log) for details"

An additional diagnostic is that running the command "/usr/bin/crt_cache_path" reports "none".

Conditions:
This is encountered while updating the classification signatures or the protocol inspection updates.

It can occur when something goes wrong during license activation, but license activation ultimately succeeds.

Impact:
When this issue occurs, auto classification signature update will fail.

Workaround:
You may be able to recover by re-activating the BIG-IP license via tmsh.


879841-3 : Domain cookie same-site option is missing the "None" as value in GUI and rest

Component: Application Security Manager

Symptoms:
There isn't an option to add to a domain cookie with the attribute "SameSite=None". The value "None" which appears as an option is used will not add the attribute at all.

Conditions:
You want to have SameSite=none attribute added to a domain cookie.

Impact:
You are unable to set SameSite=None

Workaround:
Set the SameSite=None cookie value in the application. An iRule could also be added that inserts the cookie. For more information on the iRule, see the following DevCentral article: https://devcentral.f5.com/s/articles/iRule-to-set-SameSite-for-compatible-clients-and-remove-it-for-incompatible-clients-LTM-ASM-APM


879829-3 : HA daemon sod cannot bind to ports numbered lower than 1024

Component: TMOS

Symptoms:
If the network high availability (HA) daemon sod is configured to use a port number that is lower than 1024, the binding fails with a permission-denied error. This affects binding to ports on both management and self IP addresses.

Example log messages:
/var/log/ltm
err sod[2922]: 010c003b:3: bind fails on recv_sock_fd addr 1.2.3.4 port 1023 error Permission denied.
notice sod[2992]: 010c0078:5: Not listening for unicast failover packets on address 1.2.3.4 port 1023.

/var/log/auditd/audit.log
type=AVC msg=audit(1578067041.047:17108): avc: denied { net_bind_service } for pid=2922 comm="sod" capability=10 scontext=system_u:system_r:f5sod_t:s0 tcontext=system_u:system_r:f5sod_t:s0 tclass=capability

Conditions:
-- high availability (HA) daemon sod is configured to use a port lower than 1024 for network high availability (HA) operations.

-- Version 13.1.0 or later.

Impact:
A network high availability (HA) connection configured to use a port number lower than 1024 on an affected version does not function.

Workaround:
Change the port number to 1024 or higher.

Note: UDP port 1026 is the default.


879777 : Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge

Component: Application Security Manager

Symptoms:
After configuring the "validate upon request" option in "Cross Domain Requests" in a Bot Defense profile, JS challenges continue to be sent.

Conditions:
-- Bot Defense profile is enabled
-- "Cross Domain Request":"validate upon request" option is enabled
-- A browser navigates to a qualified (HTML) page from a related domain.

Impact:
Browser receives another JS challenge, instead of retrieving the cookie from the related domain. This causes extra latency for the client.

Workaround:
Use "validate in a bulk" option.

Fix:
Retrieving the cookie from the related domain even if the page is qualified.


879745-1 : TMM may crash while processing Diameter traffic

Solution Article: K82530456


879413-3 : Statsd fails to start if one or more of its *.info files becomes corrupted

Component: Local Traffic Manager

Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd fails to load it and ends up restarting continuously. You see the following messages in /var/log/ltm:

-- err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'.
-- err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.

Conditions:
Corrupted *.info file in /var/rrd.

Impact:
Stats are no longer accurate.

Workaround:
It might take multiple attempts to repair the *.info files. You might have to run the following command several times for different .info files, where <filename> is the actual name of the file (e.g., 'throughput.info'):

found=0;while [ $found != 1 ]; do filetype=`file throughput.info | cut -d " " -f2`;if [[ $filetype != "ASCII" ]]; then rm -f <filename>.info; else grep CRC <filename>.info;found=1;fi; done

Fix:
The system now detects corrupt *.info files and deletes and recreates them.


879409-2 : TMM core with mirroring traffic due to unexpected interface name length

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
-- Platform: B4400 Blade (BIG-IP VPR-B4450N).
-- High availability (HA) mirroring is set up.
-- Provisioned modules: LTM, AFM.
-- HA mirroring messages are received with unexpected interface name length.

Impact:
Processing of invalid length can cause memory corruption. The tmm process generates a core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now validates the length of the interface name before processing the HA message at the receiver side and ignores the HA message if the interface name length is wrong.


879401-3 : Memory corruption during APM SAML SSO

Solution Article: K90423190

Component: Access Policy Manager

Symptoms:
During processing of SAML SSO single logout (SLO) requests, a block of tmm memory may become corrupted. You might experience several types of unexpected actions, including a TMM restart and core-file generation.

Conditions:
-- BIG-IP system is configured as SAML SP.
-- External SAML IdP sends SLO request.

Impact:
Various possible negative effects, including TMM core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
BIG-IP systems configured as SAML SP no longer cause memory corruption when handling certain traffic.


879189-3 : Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section

Component: TMOS

Symptoms:
Network map shows error message: One or more profiles are inactive due to unprovisioned modules.

Conditions:
-- ASM provisioned.
-- A profile is attached to a virtual server, but the module supporting the profile is not provisioned.

Impact:
The Network Map shows an error message.

Workaround:
Provision the module that supports the profile.

Fix:
The button text has been modified to be more informative.


879025-4 : When processing TLS traffic, LTM may not enforce certificate chain restrictions

Solution Article: K72752002


878925-3 : SSL connection mirroring failover at end of TLS handshake

Component: Local Traffic Manager

Symptoms:
In some cases, HTTP requests may fail if system failover occurs immediately after the TLS handshake finishes.

Conditions:
-- System failover to standby device with SSL connection mirroring.
-- Failover occurs immediately after the TLS handshake completes but before the HTTP request.

Impact:
Connection might fail the HTTP request; in some cases, the server may reset HTTP 1.0 requests.

Workaround:
None.

Fix:
System now updates the high availability (HA) state at end of the TLS handshake to prevent this issue if failover occurs at end of the handshake but before client/server data.


877109-3 : Unspecified input can break intended functionality in iHealth proxy

Solution Article: K04234247


876957-2 : Reboot after tmsh load sys config changes sys FPGA firmware-config value

Component: TMOS

Symptoms:
As a part of FPGA firmware update, "tmsh load sys config" fails.

Chmand reports errors:

chmand[19052]: FPGA firmware mismatch - auto update, No Interruption!
chmand[19052]: 012a0006:6: FPGA HSB firmware uploading now...use caution!
Reloading fw_update_post configuration (via systemctl): [FAILED]

Conditions:
Running either of the following commands:

tmsh load sys config
/etc/init.d/fw_update_post reload

Impact:
Firmware update fails.

Workaround:
Use this procedure:

1. Mount /usr:
mount -o rw,remount /usr

2. Add the following line to the '/usr/lib/systemd/system/fw_update_post.service' file:
ExecReload=/etc/init.d/fw_update_post reload

3. Reload systemctl:
systemctl daemon-reload

4. Reload the file:
/etc/init.d/fw_update_post reload

Fix:
Added the reload option in fw_update_post service file.


876937-1 : DNS Cache not functioning

Component: TMOS

Symptoms:
DNS queries are not being cached on the BIG-IP device.

Conditions:
-- DNS cache is enabled (System :: Configuration : Device : DNS Cache).
-- Device receives DNS queries.

Impact:
DNS queries are forwarded, but the BIG-IP system does not cache them.

Workaround:
None.

Fix:
DNS queries are now cached when DNS Cache is enabled.

Behavior Change:
Full DNS cache functionality has been restored. This results in performance degradation. You might notice it in OCSP performance, when compared to releases in which full DNS cache functionality is not present.

By default, DNS cache is disabled. To recapture performance, enable DNS cache.


876805-1 : Modifying address-list resets the route advertisement on virtual servers.

Component: TMOS

Symptoms:
If you modify an address list associated with a virtual server, any modifications done to virtual addresses are lost when the address list is modified.

This issue has also been shown to cause inconsistent ICMP response behavior when 'selective' mode is used.

Conditions:
This occurs in the following scenario:
-- Create an address list.
-- Assign it to a Virtual Server.
-- Modify some or all virtual addresses.
-- Modify the address list.

Impact:
-- Modifications made to virtual addresses are lost.
-- Possible ICMP response issues when 'selective' mode is used (e.g., responses when all pool members are disabled, or no responses when pool members are enabled).

Workaround:
None

Fix:
Virtual address properties are now preserved when an address list is modified.


876801-3 : Tmm crash: invalid route type

Component: Local Traffic Manager

Symptoms:
Tmm crashes. /var/log/tmm contains the log entries:

tmm1: notice panic: invalid route type
tmm1: notice ** SIGFPE **

Conditions:
The issue is intermittent.

1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. A new routing entry for child route domain is added.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
There is no way to workaround a problem, but there is a safe way to add and delete routes without putting a BIG-IP into a state where it could encounter this issue.

Safe way to add/delete a route.
1) Add routes to child route domains first, then to parent route domain.
2) Delete routes from parent route domain first, then from child route domain.

Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table and it's not causing a TMM crash anymore.


876581-4 : JavaScript engine file is empty if the original HTML page cached for too long

Component: Fraud Protection Services

Symptoms:
JavaScript engine file is empty.

Conditions:
Original HTML page with FPS injected content is cached for too long due to some caching headers (e.g., ETag), so the JavaScript engine link becomes invalid.

Impact:
No FPS protection for that HTML page.

Workaround:
You can use either workaround:

-- Use an iRule to disable caching for protected HTML pages.

-- Set caching time for protected HTML pages to the same value as the datasync tables regeneration timer according to the active datasync profile (default value is two 2 days).

Fix:
FPS now also removes ETag headers from protected HTML pages.


876077-3 : MRF DIAMETER: stale pending retransmission entries may not be cleaned up

Component: Service Provider

Symptoms:
DIAMETER router messages queued for retransmission may not be deleted until the connection closes.

Conditions:
-- Diameter transmission setting is enabled and a DIAMETER message is queued for retransmission.
-- The retransmission for the message is not triggered

Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.

Workaround:
None.

Fix:
Stale pending retransmission entries are cleaned up properly.


875401-3 : PEM subcriber lookup can fail for internet side new connections

Component: Policy Enforcement Manager

Symptoms:
PEM subcriber lookup can fail for internet side new connections, as PEM might use the remote address to look up the session, which is not the subscriber.

Conditions:
-- PEM enabled and configured
-- Subscriber session has multiple IP's
-- Each IP lands on a different tmm

Impact:
PEM subscriber lookup can fail on the internet side

Workaround:
No workaround.

Fix:
PEM subcriber lookup now always succeeds for internet side new connections,


874753-1 : Filtering by Bot Categories on Bot Requests Log shows 0 events

Component: Application Security Manager

Symptoms:
A log that has 'Browser Automation’ as the ‘Bot Category’ exists.

When filtering for only Bot Category: Browser Automation, nothing Shows up.

Conditions:
-- ASM provisioned.
-- Filtering by Bot Categories on Bot Requests Log

Impact:
Legitimate requests being blocked but cannot filter on the category to narrow down their focus.

Workaround:
None.

Fix:
Filtering by Bot Categories on Bot Requests Log is now fixed on the GUI page.


874677 : Traffic Classification auto signature update fails from GUI

Component: Traffic Classification Engine

Symptoms:
Beginning in BIG-IP software v14.1.0, Traffic Classification auto signature update fails when performed using the GUI.

The system reports an error:
Error: Exception caught in the script. Check logs (/var/log/hitless_upgrade.log) for details.

Conditions:
Performing Traffic Classification auto signature update using the GUI.

Impact:
Fails to update the classification signature automatically.

Workaround:
You can use either of the following:

-- Perform Traffic Classification auto signature update operations from the CLI.
-- Use the GUI to manually update Traffic Classification signatures.

Fix:
Fixed the hitless upgrade script to download the IM packages from the EDSM server for point releases.


873877 : Kernel page allocation failure seen on VIPRION blades

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file:

warning kernel: : [7673174.106142] swapper/6: page allocation failure: order:2, mode:0x104020

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this as follows:
-- 64 MB (65536 KB for 2250 blades).
-- 48 MB (49152 KB for B4300 blades).
-- 128 MB (131072 KB for 4450 blades).

You must do this on each blade installed in the system.

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.


-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"


-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.


Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.


-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"


873545-1 : SSL Orchestrator Configuration GUI freezes after management IP change.

Component: SSL Orchestrator

Symptoms:
Changing the management IP address of the SSL Orchestrator BIG-IP device can result in an unresponsive SSL Orchestrator configuration interface in the TMUI. All other menus continue to work fine.

Conditions:
Change the management IP address of the SSL Orchestrator BIG-IP device.

Impact:
The SSL Orchestrator configuration interface in the TMUI becomes unresponsive and the BIG-IP SSL Orchestrator device administrator is not able to perform SSL Orchestrator management and configuration tasks.

Workaround:
After the SSL Orchestrator BIG-IP device management IP address change, use the following steps to get the SSL Orchestrator user interface to render correctly:

1. Wait for the management IP address change to become effective: (That is, the BIG-IP admin/user can log in to the BIG-IP console using the new management IP address).
2. In the BIG-IP terminal run the following commands:
   restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
   restcurl -X POST -d '{}' tm/shared/bigip-failover-state
3. The SSL Orchestrator UI/topology should become available in approximately 30 - 60 seconds (subject to topology size, etc.)

Fix:
SSL Orchestrator Configuration GUI freezes after management IP change.


873469-1 : APM Portal Access: Base URL may be set to incorrectly

Solution Article: K24415506


872673-3 : TMM can crash when processing SCTP traffic

Solution Article: K26464312


872645 : Protected Object Aggregate stats are causing elevated CPU usage

Component: Advanced Firewall Manager

Symptoms:
Due to a large number of tables containing 'Protected Object Aggregate stats', the merged daemon might cause elevated CPU usage on odd-numbered CPU cores.

Conditions:
AFM, ASM, or DoS features are provisioned.

Impact:
Elevated CPU usage on odd-numbered cores caused by merged daemon.

Workaround:
None.

Fix:
Protected Object Aggregate stats no longer cause elevated CPU usage.


871905-1 : Incorrect masking of parameters in event log

Solution Article: K02705117

Component: Application Security Manager

Symptoms:
When using CSRF protection, sensitive parameters values can be masked incorrectly in the event log.

Conditions:
The request contains a CSRF token and sensitive parameters.

Impact:
Sensitive parameters values can be masked incorrectly in the event log.

Workaround:
None.

Fix:
Sensitive parameters values are now correctly masked in the event log when request contains CSRF token.


871761-4 : Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS

Component: Access Policy Manager

Symptoms:
APM virtual server user's GUI (e.g., 'Logon page') cannot be rendered by browsers.

Conditions:
This issue is encountered when an XML profile is configured for the APM virtual server.

Impact:
APM end users are unable to get a logon page.

Workaround:
Disable the XML profile for the APM virtual server.

Fix:
There is no unexpected traffic interruption from the APM virtual server when the XML profile is configured for the virtual server.


871657-2 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S

Component: TMOS

Symptoms:
Mcpd restarts and produces a core file.

Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.

Impact:
Mcpd crash and restart results in high availability (HA) failover.

Workaround:
Use a lowercase 'a' or 's' as the flag value.

Fix:
Mcpd no longer crashes under these conditions. The flag value is always stored in lowercase regardless of the case used as input in the REST call or tmsh command, etc.


871561-3 : Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)'

Component: TMOS

Symptoms:
Software upgrades to an Engineering Hotfix on a vCMP guest might fail with one of the following messages:

failed (Software compatibility tests failed.)
failed (The requested product/version/build is not in the media.)

The failed installation is also indicated by log messages in /var/log/ltm similar to:

-- info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (Software compatibility tests failed.)
-- info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (The requested product/version/build is not in the media.)

Conditions:
This may occur when performing a software upgrade to an engineering hotfix on a vCMP guest running affected versions of BIG-IP software, when the software images are present on the vCMP host.

This can be accomplished by running the following command from the vCMP guest console:

tmsh install sys software block-device-hotfix <hotfix-image-name> volume <volume.name>

Impact:
Unable to perform software installations on vCMP guests using installation media located on the vCMP host.

Workaround:
Option 1:
===========
Make sure that the .iso files for both base image and engineering hotfix are copied to the vCMP guest (under /shared/images) before starting the installation. If installing the software from the command line, use syntax similar to the following:

tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>

Option 2:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. You can restart the vCMP guest and perform a hotfix installation on top of already installed base image, using syntax similar to the following:

tmsh install sys software hotfix <hotfix-image-name> volume <volume.name>

Option 3:
===========
Even if the engineering hotfix installation has failed, the base image should still have been installed properly. Ensure there is copy of the engineering hotfix image locally within the vCMP Guest.

Then restart the lind service on the vCMP Guest:
  tmsh restart sys service lind

If running the vCMP Guest on multiple slots, you may need to restart lind on all slots. From the primary slot on the vCMP Guest, run:
  clsh tmsh restart sys service lind

The hotfix installation should begin again, this time using the hotfix from within the /shared/images/ location on the vCMP Guest.

Option 4:
===========
Manually eject the CD from the vCMP guest's virtual CD drive, and then restart lind. On the vCMP Guest:

1. Confirm the wrong ISO image is still locked (inserted in the CD drive):
  isoinfo -d -i /dev/cdrom

Note: Pay attention to the volume ID in the output from within the vCMP guest.

2. Unlock (eject) the image:
  eject -r -F /dev/cdrom && vcmphc_tool -e

3. Verify the CD drive is now empty:
  isoinfo -d -i /dev/cdrom

The output should report an error that includes:
<...> Sense Code: 0x3A Qual 0x00 (medium not present) Fru 0x0 <…>

4. Restart lind:
  tmsh restart sys service lind

If running the vCMP Guest on multiple slots, you may need to restart lind on all vCMP Guest slots. From the primary slot on the vCMP Guest, run:
  clsh tmsh restart sys service lind

Fix:
Software upgrades on a vCMP guest complete successfully even when the software images are present on the vCMP hypervisor.


870957-1 : "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage

Component: Application Visibility and Reporting

Symptoms:
TMM CPU utilization around 100 percent under Security ›› Reporting : ASM Resources : CPU Utilization.

Conditions:
No special conditions. Only viewing at the stats of TMM CPU in 'Security ›› Reporting : ASM Resources : CPU Utilization'. They will always be in wrong scale, but when the TMM has ~1% CPU usage, it will be presented as 100% CPU usage.

Impact:
Wrong scale is presented and might cause machine's state to be interpreted wrongly.

Workaround:
1. Backup /etc/avr/monpd/monp_asm_cpu_info_measures.cfg file.
2. Run the following:
    $ sed -i 's|tmm_avg_cpu_util)/(count(distinct time_stamp)|tmm_avg_cpu_util)/(count(distinct time_stamp)*100|g' /etc/avr/monpd/monp_asm_cpu_info_measures.cfg
3. Compare the backup file to /etc/avr/monpd/monp_asm_cpu_info_measures.cfg:
    Make sure that there are two lines modified, and that the modification is multiplying with 100 the denominator (i.e., actually dividing the TMM value with 100).
4. To make those changes take affect, run the following command:
    $ bigstart restart monpd

Fix:
Dividing the TMM value with 100 to fit correct scale.


870389-1 : Increase size of /var logical volume to 1.5 GiB for LTM-only VE images

Component: TMOS

Symptoms:
The /var logical volume size of 950 MiB for LTM-only BIG-IP Virtual Edition (VE) images may be too small for some deployments. This can result in result in loss of SSH access.

Conditions:
This applies to deployments that use declarative onboarding for configuration.

Impact:
Complex declarative onboarding configurations may fill the /var logical volume. You are locked out because of the too-small volume.

Workaround:
The workaround is to manually extend the /var logical volume.

For more information, see K14952: Extending disk space on BIG-IP VE :: https://support.f5.com/csp/article/K14952.

Fix:
The size of the /var logical volume was increased from 950 MiB to 1.5 GiB for LTM-only VE images.

Behavior Change:
The size of the /var logical volume was increased from 950MiB to 1.5GiB for LTM-only Virtual Edition images.


870385-3 : TMM may restart under very heavy traffic load

Component: Advanced Firewall Manager

Symptoms:
TMM occasionally restarts when running heavy workloads. The crash is a timing-related issue between different tmm threads, and thus happens only occasionally.

Conditions:
-- AFM is provisioned with DoS functionality.
-- The BIG-IP system is under heavy workload.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer restarts under these conditions.


870273-3 : TMM may consume excessive resources when processing SSL traffic

Solution Article: K44020030


869049-2 : Charts discrepancy in AVR reports

Component: Application Visibility and Reporting

Symptoms:
Discrepancy in AVR reports. When filtering on the 'last month' interval, a specific number of total requests per virtual server is shown. Then when filtering to the present day from a date that encompasses that month, a lower number is reported.

Conditions:
-- Number of records in database exceeds the maximum mount of data that AVR can aggregate between different table-resolutions.
-- There are metrics on the report other than the default one (hits-count).

Impact:
Stats on DB get corrupted and incorrect.

Workaround:
None.

Fix:
Aggregation store-procedure is now fixed.


868889 : BIG-IP may reset a stream with an empty DATA frame as END_STREAM

Component: Local Traffic Manager

Symptoms:
HTTP/2 defines END_STREAM flag in a frame as an end of a stream. A peer can send an empty (with no payload) DATA frame to designate a last one in a stream. When BIG-IP receives an empty DATA frame, it handles it incorrectly, sending RST_STREAM to a client.

Conditions:
-- The BIG-IP system has a virtual server configured with an HTTP/2 profile on the client side.
-- The client sends a request containing a payload over a stream, ending the stream with empty DATA frame.

Impact:
The BIG-IP system may reset the stream.

Workaround:
A client should resend the request handling more data.

Fix:
When empty DATA frame with END_STREAM flag is handled by the BIG-IP system, it terminates the stream accordingly.


868781-2 : TMM crashes while processing MRF traffic

Component: Service Provider

Symptoms:
TMM panic occurs when processing overflowed the MPI messages due to incorrectly calculated master key length:

../dev/mpi/mpi_mem.c:1129: Assertion "tail not past head" failed.

Conditions:
-- Message Routing Framework (MRF) traffic of type Diameter and SIP.

-- Auto-initialization enabled on peer, but can happen without auto-initialization enabled, just at a less-predictable rate.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM crash no longer occurs under these conditions.


868721-3 : Transactions are held for a long time on specific server related conditions

Component: Application Security Manager

Symptoms:
Long request buffers are kept around for a long time in bd.

Conditions:
-- The answer_100_continue internal parameter is turned off (non default) or the version is pre 15.1
-- The server closes the connection while request packets are accumulated.

Impact:
The long request buffers are consumed. You may see a "Too many concurrent long requests" log message and requests with large content lengths will get reset.

Workaround:
There is no workaround that can be done from ASM configuration.
If possible, change the server application settings to wait longer for the request payload in 100-continue request or change the client side application to not work with 100-continue.

Fix:
Add a check for this scenario so transactions will be released correctly.


868641-1 : Possible TMM crash when disabling bot profile for the entire connection

Component: Application Security Manager

Symptoms:
When using an iRule to disable bot profile, and causing it to be disabled (for the entire connection) during a CAPTCHA challenge -- TMM will crash.

Conditions:
-- Bot Defense profile is attached to the Virtual Server, with a CAPTCHA mitigation.
-- An iRule is attached to the virtual server, which disables bot profile.
-- Sending a request that is responded with a CAPTCHA, then sending (in the same connection), a request that disable the bot profile, and then answering the CAPTCHA.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
When using an iRule to disable bot defense profile on certain conditions, add an "else" clause for re-enabling the profile, taking note that all ::disable iRule commands are effective for the entire connection, and not just the transaction.

Fix:
TMM no longer crashes when disabling bot defense profile for the entire connection.


868381-3 : MRF DIAMETER: Retransmission queue unable to delete stale entries

Component: Service Provider

Symptoms:
DIAMETER messages queued for retransmission that do not receive answer responses may be missed by the sweeper logic and not be deleted until the connection closes.

Conditions:
-- A DIAMETER message is queued for retransmission without a timeout to tigger retransmission.
-- No answer response is received.

Impact:
The memory used to hold the copy of the message in the retransmission queue is leaked.

Workaround:
None.

Fix:
The retransmission queue has been fixes so all stale messages are deleted as expected.


868349-3 : TMM may crash while processing iRules with MQTT commands

Solution Article: K62830532


868209-1 : Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection

Component: Local Traffic Manager

Symptoms:
When BIG-IP is configured with transparent vlan-group and traffic is matching a standard or fastl4 virtual-server and traffic hitting BIG-IP does not have a destination MAC address that belongs to BIG-IP - traffic will be L2 forwarded and pool member selection will not happen.

This defect will also cause active FTP data connections over vlan-group to fail.

Conditions:
All conditions must be met:
- Traffic over transparent vlan-group.
- Standard or fastl4 virtual-server.
- Traffic has a destination MAC address that does not belong to BIG-IP.

OR

- Standard virtual server with FTP profile is configured.
- Active FTP session is in use.
- Traffic flows over vlan-group.

Impact:
Server-side connections will fail.

Workaround:
Use opaque vlan-group instead.
OR
disable db variable connection.vgl2transparent (15.0+)


868097-1 : TMM may crash while processing HTTP/2 traffic

Solution Article: K58494243


868053-1 : Live Update service indicates update available when the latest update was already installed

Component: Application Security Manager

Symptoms:
When downloading and installing the latest ASU file manually the Live Update indicator located at the top left of the screen still indicates that there is a new update available.

Conditions:
-- The Live Update scheduler is not in auto mode (System :: Software Management :: Live Update :: Installation of Automatically Downloaded Updates = Disabled).
-- Upload and update the latest ASU file manually.

Impact:
The Live Update indicator continues to indicate on a new update though the latest file was installed.

Workaround:
None.

Fix:
The Live Update service no longer displays a false message regarding updates available.


867825-2 : Export/Import on a parent policy leaves children in an inconsistent state

Component: Application Security Manager

Symptoms:
When overwriting a parent policy with import/replace, elements from the parent policy that were deleted remain in the child policies.

Conditions:
-- A parent policy exists with a child policy that inherits a section in which new configuration elements can be created in the parent policy (like ip address exceptions).
-- An element is deleted from the parent policy, and then the parent policy is exported.
-- The parent policy is then imported to replace a parent policy on a different device to perform the same changes on its children.

Impact:
The children on the different devices are left unexpectedly in different states.

Fix:
Import/Replace for a parent policy for sections that remain inherited will now delete elements that were removed from the parent policy instead of disinheriting them.


867793-3 : BIG-IP sending the wrong trap code for BGP peer state

Component: TMOS

Symptoms:
When BGP peer is going down, the BIG-IP system sends the wrong 'bgpPeerState: 6(established)' with its SNMP trap.

Conditions:
-- BIG IP system is connected with a Cisco router to verify the traps.
-- BGP peer between the BIG-IP system and the Cisco router is going down.
-- Both devices release an SNMP trap.

Impact:
The BIG-IP system sends the wrong code with its SNMP trap. It should be 'bgpPeerState: idle(1)' when the peer is not connected.

Workaround:
None.

Fix:
BIG-IP now sends the correct trap code for BGP peer state.

Behavior Change:
The bgpPeerState for bgpBackwardTransNotification now reports the state after the state machine transition, i.e., the state into which the system is transitioning. In earlier releases, it reported the state prior to the state machine transition, which would always report idle because all backwards state transitions are into idle.


867413-2 : The allow-only-in-enterprise LAN feature on Mac OS not working after reboot

Component: Access Policy Manager

Symptoms:
Firewall feature on Mac devices does not work after reboot, if the device connects to a hotspot network immediately after reboot

Conditions:
-- End user client is using a Mac device.
-- Edge Client is in 'Always Connected' mode.
-- allow-only-in-enterprise LAN is enabled.
-- The Mac device is rebooted.

Impact:
The device is able to connect to the Internet after reboot, but not to the internal network.

Workaround:
None.

Fix:
The allow-only-in-enterprise LAN feature now works correctly on a Mac device after a reboot.


867373-2 : Methods Missing From ASM Policy

Component: Application Security Manager

Symptoms:
If the ASM http-methods are missing from the MCP configuration, importing an XML ASM policy creates a policy that has no allowed methods and will block all traffic.

Conditions:
-- BIG-IP system configuration is loaded without the required asm_base.conf.
-- An XML ASM policy is loaded.

Impact:
All traffic is blocked for the policy.

Workaround:
Recreate the required methods (GET, POST, etc.) in the policy.

Fix:
Lack of defined ASM http-methods in MCP no longer affects policy loading.


867181-3 : ixlv: double tagging is not working

Component: TMOS

Symptoms:
If a VLAN tag is configured on the Virtual Function in the host, and the BIG-IP guest is configured to use a tagged VLAN, packets that egress the host on this VLAN contain only the VLAN tag configured on the host (i.e. the BIG-IP's VLAN tag is lost).

Conditions:
- Using a BIG-IP VE.
- A VLAN tag is configured on both the host VF and on the BIG-IP.

Impact:
The BIG-IP's VLAN tag is lost.

Fix:
Both VLAN tags are now present in packets.


867013-1 : Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout

Component: TMOS

Symptoms:
You are unable to associate new ASM policies to LTM policies, due to REST timeout.

Conditions:
This can be encountered when there are a large number of policies configured in ASM.

Impact:
Unable to associate new ASM policies to LTM policies, due to rest timeout.

Workaround:
None.

Fix:
Modified REST query to get only fullPath to display the list of policies, so the timeout no longer occurs.


866925-3 : The TMM pages used and available can be viewed in the F5 system stats MIB

Component: TMOS

Symptoms:
The memory pages available and in use are tracked with system statistics. Previously those statistics were available only with the tmctl command in the shell.

Conditions:
When system resource decisions are being made, the information about memory usage is important.

Impact:
It is not feasible to query each BIG-IP device separately.

Workaround:
None.

Fix:
You can query these statistics with SNMP through the F5-BIGIP-SYSTEM-MIB::sysTmmPagesStat table.


866685-3 : Empty HSTS headers when HSTS mode for HTTP profile is disabled

Component: Access Policy Manager

Symptoms:
HTTP Strict-Transport-Security (HSTS) headers have an empty value for some APM Access Policy-generated responses.

Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS mode=disabled (which it is by default).
-- HTTP requests for APM renderer content, including CSS, JS, and image files from the webtop.

Impact:
Some audit scanners can consider the empty value of Strict-Transport-Security headers as a vulnerability. For browsers, the empty HSTS value equals no HSTS in response.

Workaround:
1. Enable HSTS mode for the HTTP profile.
2. Use an iRule to remove the empty HSTS header from responses:

when HTTP_RESPONSE_RELEASE {
    if { [HTTP::header value "Strict-Transport-Security"] eq "" } {
        HTTP::header remove "Strict-Transport-Security"
    }
}

Fix:
When the HTTP profile is configured with HSTS mode=disabled, responses from APM renderer content are now sent without an HSTS header.


866613-1 : Missing MaxMemory Attribute

Component: Application Visibility and Reporting

Symptoms:
The MaxMemory Attribute is not reported in the System Monitor statistics report.

Conditions:
This is encountered when viewing the System Monitor report.

Impact:
No 'MaxMemory' value label appears in System Monitor statistics. Instead, there are duplicate AvgMemory fields, for example:
...(AvgMemory='3818',AvgMemory='3818').

Workaround:
Use the AvgMemory value that is the higher of the two to represent MaxMemory.

Note: Sometimes, the AvgMemory and MaxMemory values are the same. In that case, use the second value.

Fix:
The MaxMemory attribute is now reported in System Monitor statistics.


866161-3 : Client port reuse causes RST when the security service attempts server connection reuse.

Component: Access Policy Manager

Symptoms:
If the security service attempts server connection reuse, client port reuse causes RST on new connections.

Conditions:
-- Service profile is attached to virtual server.
   or
-- SSL Orchestrator (SSLO) is licensed and provisioned and Service chain is added in the security policy.
-- Security service reuses server-side connection.
-- Client reuses the source port.

Impact:
The BIG-IP system or SSLO rejects new connection from clients when a client reuses the port.

Workaround:
None.

Fix:
The BIG-IP system or SSLO no longer rejects the client connection when the service tries to the reuse server connection and the client reuses the port.


866109-1 : JWK keys frequency does not support fewer than 60 minutes

Component: Access Policy Manager

Symptoms:
When configuring the OAuth provider and trying to set the task frequency to fewer than 60 minutes, the BIG-IP reports an error:

01b70003:3: Discovery interval (10) for OAuth provider must be greater than (60) minutes.

Conditions:
This occurs when configuring the frequency interval of an OAuth provider to a value lower than 60 minutes.

Impact:
You are unable to create a provider with a frequency interval of fewer than 60 minutes.

Workaround:
Use a value of 60 minutes or higher.

Fix:
Auto discovery frequency now supported values lower than 60 minutes.


866073-1 : Add option to exclude stats collection in qkview to avoid very large data files

Component: TMOS

Symptoms:
Statistics collection may cause qkview files to be too large for the iHealth service to parse, or may cause memory allocation errors:

qkview: tmstat_map_file: mmap: Cannot allocate memory
qkview: tmstat_subscribe: /var/tmstat/blade/tmm5: Cannot allocate memory at 0xa08a938

Conditions:
Qkview is executed on an appliance or chassis that has a very large configuration.

Impact:
Qkview files may not be able to be parsed by the iHealth service.

Also, memory allocation error messages may be displayed when generating qkview.

Workaround:
None.

Fix:
Qkview now has a -x option that can be used to exclude statistics collection in the stat_module.xml file.

Behavior Change:
Qkview now has a -x option that can be used to exclude statistics collection.


866021-3 : Diameter Mirror connection lost on the standby due to "process ingress error"

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.

Conditions:
This can happen when there is a large amount of mirror traffic, this includes the traffic processed by the active that requires mirroring and the high availability (HA) context synchronization such as persistence information, message state, etc.

Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.

Fix:
Diameter mirror connection no longer lost due to "process ingress error" when there is high mirror traffic.


866013 : Linux Kernel Vulnerabilities: CVE-2019-11477 CVE-2019-11478 CVE-2019-11479

Solution Article: K78234183


865461-3 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crash on specific scenario

Conditions:
A brute force attack mitigation using captcha or client side challenge.

Impact:
BD crash, failover.

Workaround:
Add an iRule that removes the query string from the referrer header only for the login page POSTs.


865241-3 : Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"

Component: TMOS

Symptoms:
When BGP tries to print the address of the default route's peer but there is no matching address for IPv4 or IPv6 so the system returns a NULL and attempting to print results in a crash.

Conditions:
-- Running the show command: sh bgp ipv6 ::/0.
-- There is no matching IPv4 or IPv6 address for the peer.

The conditions that cause this to occur are unknown.

Impact:
Bgdp crashes. Routing may be affected while bgpd restarts.

Workaround:
None.


865177-2 : Cert-LDAP returning only first entry in the sequence that matches san-other oid

Component: TMOS

Symptoms:
Certificate-ldap only returns the first matching oid from the certificate file even though multiple matching san-other entries exists

Conditions:
When Certificate-ladp attribute ssl-cname-field set to san-other and certificate with multiple san-other oids

Impact:
Only the first matching oid is returned.


865053-1 : AVRD core due to a try to load vip lookup when AVRD is down

Component: Application Visibility and Reporting

Symptoms:
AVRD cores during startup.

Conditions:
Avrd receives a SIGTERM while it is starting.

Impact:
This can lead to an AVRD core.

Fix:
Added some more checks while loading new configuration. Suppose to reduce the frequent of these occurrences. Still can happen in very rare occasions.


864797-1 : Cached results for a record are sent following region modification

Component: Global Traffic Manager (DNS)

Symptoms:
Changing the contents of a topology region record may result in DNS queries temporarily being directed as if the change had not happened for queries from the IP address of the last end user client to use topology load balancing.

Conditions:
-- A client at a single IP address makes multiple queries that are load balanced using topology, both before and after a change to a topology region record, where that change also modifies the result the single client receives.

-- If a query from a different client IP address is received and load balanced using topology, then the issue is corrected until the next change to a topology region record.

Impact:
After changing the contents of a topology region record, the last end user client to send a query before the change may receive the wrong load balancing decision if the change affected that decision. Queries from other end user clients are load balanced correctly and cause the issue to go away until the next topology region record change.

Workaround:
This issue can be temporarily corrected by sending a DNS query that is load balanced using topology after making changes to region records.

Fix:
The system now handles regions item changes as expected, so this issue no longer occurs.


864757-2 : Traps that were disabled are enabled after configuration save

Component: TMOS

Symptoms:
The ifLinkUpDownTrapEnable setting is not saved to config files nor UCS. If you have disabled 'link up/down' traps for an interface, save the config, and then load the config files or UCS, all interfaces will have traps enabled, even the ones that were explicitly disabled.

Conditions:
-- Disable 'link up/down' traps for an interface.
-- Save the configuration or UCS.
-- Reload the configuration or load the UCS.

Impact:
All interfaces have traps enabled, even the ones that were explicitly disabled.

Workaround:
None.


864677-3 : ASM causes high mcpd CPU usage

Component: Application Security Manager

Symptoms:
-- CPU utilization is high on the odd-numbered cores.

-- Messages appear at 60-second intervals in /var/log/ts/asm_start.log:
update_GTM_score

Conditions:
-- One or more virtual servers have FTP/SMTP/WEBSEC profiles attached to it.
-- ASM configured.

Impact:
Elevated CPU usage.

Workaround:
-- On the BIG-IP system, edit the file /etc/ts/tools/nwd.cfg to change the value EnforcerCpuReportTimeInterval from 60 to a higher value, e.g., 3600 for once an hour, or even larger.

-- Restart ASM:
bigstart restart asm

Fix:
This issue has been resolved so that CPU usage is no longer elevated under these conditions.


864513-3 : ASM policies may not load after upgrading to 14.x or later from a previous major version

Solution Article: K48234609

Component: TMOS

Symptoms:
ASM policies may not load immediately after upgrade due to SELinux policies issues relating to the upgrade process.

Conditions:
1. ASM is provisioned.
2. One or more ASM Security Policies is attached to one or more virtual servers.
3. Upgrade from v12.x or v13.x to v14.x or later.

Impact:
Traffic is not processed properly after upgrade due to failure to load ASM policies.

Workaround:
You can use either of the following workarounds.

-- Remove ASM Policies while upgrading:
  1. Prior to upgrade, remove all ASM Security Policies from all virtual servers.
  2. Upgrade.
  3. Reassociate each ASM Security Policy with its original virtual server.

-- Restore the UCS on a new boot location after upgrade:
  1. Prior to upgrade, create a UCS.
  2. Upgrade or create a new instance of the software version at the target location.
  3. Restore the UCS at the new location.

Fix:
ASM policies now load as expected after upgrading to 14.x or later from a previous major version.


864329-1 : Client port reuse causes RST when the backend server-side connection is open

Component: SSL Orchestrator

Symptoms:
The BIG-IP system or SSL Orchestrator does not close server-side connections when the security service closes the connection with the BIG-IP or SSL Orchestrator. So if client reuses the port, SSL Orchestrator rejects new connections by sending RST.

Conditions:
-- Service profile is attached to virtual server.
   or
-- SSL Orchestrator is licensed and provisioned and Service chain is added in the security policy.
-- Security service closes the server-side connection with SSL Orchestrator.
-- Client reuses the source port.

Impact:
The BIG-IP system or SSL Orchestrator rejects new connection from clients when a client reuses the port.

Workaround:
None.

Fix:
The BIG-IP system or SSL Orchestrator no longer rejects the client connection when the client reuses the port.


864109-3 : APM Portal Access: Base URL may be set to incorrectly

Solution Article: K24415506


863917-3 : The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.

Component: Global Traffic Manager (DNS)

Symptoms:
Messages similar to the following may be seen in the DNS (GTM) logs:

The list processing time (32 seconds) exceeded the interval value. There may be too many monitor instances configured with a 30 second interval.

This message was introduced in 15.0.0 as an aid to help identifying overloaded DNS (GTM) systems, but it triggers too easily and can be logged when the device is not overloaded.

Conditions:
-- DNS (GTM) servers are present.
-- Virtual servers are configured on those DNS (GTM) servers.
-- A monitor is applied to the DNS (GTM) server.

Impact:
Messages are logged that imply the system is overloaded when it is not.

Workaround:
Create a log filter to suppress the messages

sys log-config filter gtm-warn {
    level warn
    message-id 011ae116
    source gtmd
}


863609-2 : Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies

Component: Application Security Manager

Symptoms:
After changing a parent policy's learning mode or other learning attributes in policy-builder settings, deploying the policy will result in differences in the child policies.

Conditions:
On BIG-IP and BIG-IQ:
1. Parent policy has a policy-building section that is inherited.
2. Child policy has wildcard default (*) elements such as urls.
On BIG-IQ:
3. Change parent learning mode from manual to disabled or vice versa
4. Deploy changes

Impact:
There are differences after deploy.

Workaround:
Discover and deploy again from BIG-IQ

Fix:
Changes are deployed from BIG-IQ without causing unexpected changes.


863161-3 : Scheduled reports are sent via TLS even if configured as non encrypted

Component: Application Visibility and Reporting

Symptoms:
The scheduled report email is sent from BIG-IP using TLS even if configured to not use encryption. When the mail server TLS is outdated it may lead to failure of the mail delivery.

Conditions:
The scheduled reports are enabled and configured to use a mail server which reports TLS capability.

Impact:
The minor impact is unexpected behaviour. In rare cases it may lead to malfunction of the scheduled reports.

Fix:
The automatic TLS connection was introduced via udate of the phpmailer module. The current fix disables automatic behaviour such that encryption will be used according to BIG-IP configuration.


863069-3 : Avrmail timeout is too small

Component: Application Visibility and Reporting

Symptoms:
AVR report mailer times out prematurely and reports errors:

AVRExpMail|ERROR|2019-11-26 21:01:08 ECT|avrmail.php:325| PHPMailer exception while trying to send the report: SMTP Error: data not accepted.

Conditions:
Configure reports, which will be sent to e-mail

Impact:
Error response from SMTP server, and the report is not sent

Workaround:
Increase timeout in avrmail.php via bash commands

Fix:
The timeout was increased in avrmail.php


862937-2 : Running cpcfg after first boot can result in daemons stuck in restart loop

Component: TMOS

Symptoms:
After running cpcfg and booting into the volume, daemons such as named and gtmd are stuck restarting. Additionally the SELinux audit log contains denial messages about gtmd and named being unable to read unlabeled_t files.

Conditions:
Running cpcfg on a volume that has already been booted into.

Impact:
Services do not come up.

Workaround:
In the bash shell, force SELinux to relabel at boot time. Then reboot:

# touch /.autorelabel
# reboot


862885-1 : Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error

Component: Local Traffic Manager

Symptoms:
A configuration with a virtual server-to-virtual server flow established, for example by the 'virtual' iRule command, and using a TCP stack with 'Tail Loss Probe' enabled, might encounter a race between the delayed ACK and the tail loss probe, which can lead to a tmm_panic or an OOPs message:
no trailing data.

Conditions:
-- Virtual server-to-virtual server flow established.
-- TCP profile with 'Tail Loss Probe' enabled.
-- Certain timing related traffic scenario.

Impact:
TMM generates a core and reports an OOPs message:
no trailing data.

Workaround:
Do not use a TCP stack with 'Tail Loss Probe' enabled in conjunction with a virtual server-to-virtual server flow configuration.

Fix:
Virtual server-to-virtual server with 'Tail Loss Probe' enabled can now be used without error.


862597-5 : Improve MPTCP's SYN/ACK retransmission handling

Component: Local Traffic Manager

Symptoms:
- MPTCP enabled TCP connection is in SYN_RECEIVED state.
- TMM cores.

Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP option in the TCP profile.

Fix:
MPTCP's SYN/ACK retransmission handling is improved.


860881-1 : TMM can crash when handling a compressed response from HTTP server

Component: Local Traffic Manager

Symptoms:
TMM crashes while handling HTTP response

Conditions:
HTTP virtual server performing decompression of response data from a server, e.g. because a rewrite profile is attached to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable compression on the server.


860617-2 : Radius sever pool without attaching the load balancing algorithm will result into core

Component: Access Policy Manager

Symptoms:
Tmm crashes after configuring a radius server pool.

Conditions:
-- Radius server pool exists
-- Radius server pool does not have a designated load balancing algorithm.

Impact:
TMM will core while radius accounting stops. Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Pool selection counter gets incremented and message will be freed.


860517-3 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.

Component: TMOS

Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.

As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms). tmm crash

Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.

Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.

Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.

Fix:
The memory efficiency of MCPD has been improved. This allows very large BIG-IP configurations to be used successfully.


860349-1 : Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication

Component: TMOS

Symptoms:
After upgrading BIG-IP to 14.1 the LDAP/AD remote authentication will fail .

The /var/log/secure will show :

/secure:
Dec 6 15:27:44 hostname err httpd[9402]: pam_ldap(httpd:auth): error opening connection to nslcd: No such file or directory
Dec 6 15:27:44 hostname notice httpd[9402]: pam_ldap(httpd:auth): auth server unavailable, trying fallback
Dec 6 15:27:44 hostname warning httpd[9402]: pam_unix(httpd:auth): check pass; user unknown
Dec 6 15:27:44 hostname notice httpd[9402]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.227.145

/var/log/daemon.log will show ;

/daemon:
Dec 6 15:29:40 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:29:40 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:29:40 hostname warning systemd[1]: nslcd.service failed.
Dec 6 15:35:47 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE
Dec 6 15:35:47 hostname notice systemd[1]: Unit nslcd.service entered failed state.
Dec 6 15:35:47 hostname warning systemd[1]: nslcd.service failed.


> Dec 06 15:35:47 hostname systemd[1]: Started Naming services LDAP client daemon..
> Dec 06 15:35:47 hostname systemd[1]: Starting Naming services LDAP client daemon....
> Dec 06 15:35:47 hostname nslcd[8050]: nslcd: /etc/nslcd.conf:15: usertemplate: too may arguments
> ===================== > This is the hint that user-template is at fault

Conditions:
LDAP/nslcd config , remote authentication , user-template used

The values within user-template include white spaces :

example: uid=%s,CN=my home,OU=Generic Users,OU=good Users,OU=users,DC=users,DC=org

Impact:
LDAP/nslcd process failed with "error opening connection to nslcd" when user-template includes white spaces.

Workaround:
Replace the white-space character with underscore "_" in the user-template if possible, or remove the user-template and restart nslcd daemon


860317-1 : JavaScript Obfuscator can hang indefinitely

Component: TMOS

Symptoms:
High CPU usage by obfuscator for an extended period of time.

Conditions:
Occurs very rarely, when FPS or L7 DDoS protection are enabled.

Impact:
High CPU Usage.

Workaround:
Kill the obfuscator process

Fix:
Datasyncd daemon kills hanging obfuscator processes if they stop responding.


860005-3 : Ephemeral nodes/pool members may be created for wrong FQDN name

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.

Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.

The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.

Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.

Workaround:
It may be possible to mitigate this issue by one or more of the following actions:

-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.

-- Reducing the number of FQDN template nodes (FQDN names to be resolved).

-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.


859721-3 : Using GENERICMESSAGE create together with reject inside periodic after may cause core

Component: Service Provider

Symptoms:
In iRules, when "GENERICMESSAGE::message create" is called after "reject" command inside "after -periodic", it may cause core. Below is an example iRules.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859113.

Conditions:
GENERICMESSAGE::message create" is called after "reject" inside "after -periodic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event

Fix:
Using GENERICMESSAGE create together with reject inside periodic after no longer cause core


859717-3 : ICMP-limit-related warning messages in /var/log/ltm

Component: Local Traffic Manager

Symptoms:
'ICMP error limit reached' warning messages in /var/log/ltm:

warning tmm3[23425]: 01200015:4: Warning, ICMP error limit reached.

Conditions:
Viewing /var/log/ltm.

Impact:
Potentially numerous error messages, depending on the traffic and the BIG-IP configuration. No clear indication of how to remedy the situation.

Workaround:
None.

Fix:
The system better tracks what kind of traffic triggers the 'ICMP error limit reached' logs so the issue can be mitigated.


859113-3 : Using "reject" iRules command inside "after" may causes core

Component: Local Traffic Manager

Symptoms:
In iRules, when "reject" is used inside "after -periodic" and it is followed by "GENERICMESSAGE::message create". It may trigger a tmm core. Below is an example iRule.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859721

Conditions:
- "reject" is used inside "after -periodic"
- it is followed by "GENERICMESSAGE::message create"

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event

Fix:
Using "reject" iRules command inside "after" no longer cause core.


859089-5 : TMSH allows SFTP utility access

Solution Article: K00091341


858973-3 : DNS request matches less specific WideIP when adding new wildcard wideips

Component: Global Traffic Manager (DNS)

Symptoms:
After adding a new wildcard wideip, DNS requests start matching the wildcard even if a more specific wildcard wideip should match.

Conditions:
New less specific Wildcard WideIPs are created.

Impact:
DNS request matches less specific WideIP.

Workaround:
# tmsh load sys config gtm-only
or
restart tmm


858701-3 : Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x

Component: Local Traffic Manager

Symptoms:
When you upgrade an 11.x/12.x device with route advertisement enabled, you might discover a difference between the running configuration and the saved configuration post upgrade, which might result in route advertisement becoming disabled.

-- In the running configuration, the virtual-addresses route advertisement setting 'enabled' changes to 'selective'.
-- In bigip.conf, the virtual-addresses route advertisement setting is still set to 'enabled'.
-- After config load or after re-licensing, the virtual-addresses route advertisement reverts to disabled.

Conditions:
-- Upgrading an 11.x/12.x device with route advertisement enabled.
-- After saving the config, both the running-config and bigip.conf have the same value: i.e., 'selective'.
-- Loading the configuration (tmsh load sys config) results in route advertisement becoming disabled.

Impact:
The route-advertisement setting is 'enabled' in the config file, but 'selective' in the running configuration. This has the following impact:

If you save the configuration and then reload it, the route advertisement is changed to 'selective' in the config file and 'disabled' in the running config.

Workaround:
You can identify whether systems running v13.0.0 or higher are at risk of encountering this issue by checking a legacy internal setting, ROUTE_ADVERTISEMENT:

Procedure to identify whether virtual-addresses are affected, that have an incorrect setting in the legacy ROUTE_ADVERTISEMENT artifact:

  Virtual-addresses may be affected by this issue on v13.0.0 and higher if ROUTE_ADVERTISEMENT=true in mcpd.

  You can check this value with the guishell command:
    guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";

    Example:
      guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
        -----------------------------------------------------------
        | NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
        -----------------------------------------------------------
        | /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
        | /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
        | /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
        | /Common/10.32.101.47 | true | 0 | <<< MEDIUM RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
        | /Common/10.32.101.49 | true | 1 | <<< HIGH RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled

      Any virtual address that shows ROUTE_ADVERTISEMENT=true is at risk. If true but route-advertisement is not in use, there is no risk until route-advertisement is configured later.

------------------------------------------------------------------------------------------
Procedure to remove the legacy ROUTE_ADVERTISEMENT artifact from the config on systems found to be affected:

1. Review Standby system (if available) and ensure Route Advertisement in running configuration is configured and functioning as desired with "tmsh list ltm virtual-address route-advertisement". If not, manually correct Route Advertisement to desired configuration and confirm functionality.

2. Fail over Active system to Standby status:
  tmsh run sys failover standby

3. Review former Active (now Standby) system and ensure Route Advertisement in running configuration is configured and functioning as desired. If not, manually correct Route Advertisement to desired configuration.

4. Save the config to disk:
  tmsh save sys config

5. Load the config from disk. This may temporarily cause route-advertisement to revert to disabled on at risk virtual-addresses:
  tmsh load sys config

6. Load the config a 2nd time. This removes the legacy artifact, re-enables route-advertisement as per the configuration, and leaves the system in a not-at-risk state:
  tmsh load sys config

7. Verify it worked:
  guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";

  Example of a fixed config:
    guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
      -----------------------------------------------------------
      | NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
      -----------------------------------------------------------
      | /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
      | /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
      | /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
      | /Common/10.32.101.47 | false | 0 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
      | /Common/10.32.101.49 | false | 1 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled

------------------------------------------------------------------------------------------
If you encounter this issue and route-advertisement becomes disabled before cleaning the legacy ROUTE_ADVERTISEMENT artifact from the config, reload the configuration again using the following command to set the running config and saved config to 'selective':

tmsh load sys config


858537-3 : CVE-2019-1010204: Binutilis Vulnerability

Solution Article: K05032915


858429 : BIG-IP system sending ICMP packets on both virtual wire interface

Component: Local Traffic Manager

Symptoms:
ICMP packets are forwarded to both virtual wire interface, which causes MAC-Flip on the connected switches.

Conditions:
-- Ingress ICMP packet is on one TMM.
-- Egress is on another TMM.

Impact:
Traffic is disrupted in the network.

Workaround:
None.


858349-1 : TMM may crash while processing SAML SLO traffic

Solution Article: K44808538


858301-3 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Workaround:
None.

Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003


858297-3 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Workaround:
None.

Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003


858289-3 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Workaround:
None.

Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003


858285-3 : The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it

Solution Article: K27551003

Component: Local Traffic Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Impact:
For more information, please see:
https://support.f5.com/csp/article/K27551003

Workaround:
None.

Fix:
For more information, please see:
https://support.f5.com/csp/article/K27551003


858229-3 : XML with sensitive data gets to the ICAP server

Solution Article: K22493037

Component: Application Security Manager

Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.

Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.

Impact:
Sensitive data will reach the ICAP server.

Workaround:
No immediate workaround except policy related changes

Fix:
An internal parameter, send_xml_sensitive_entities_to_icap was added. It's default is 1 as this is the expected behavior. To disable this functionality, change the internal parameter value to 0.

Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.

When this is changed to 0 (using this command):
 /usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.


858197-1 : Merged crash when memory exhausted

Component: TMOS

Symptoms:
Merged crashes when system memory is exhausted

Conditions:
System memory is is at 0% available.

Impact:
Merged crashes, stopping stats updates

Workaround:
Reduce the configuration on the system

Fix:
Remove function call to drop row from table on error path where row was not successfully added.


858189-1 : Make restnoded/restjavad/icrd timeout configurable with sys db variables.

Component: Device Management

Symptoms:
When a large number of LTM objects are configured on BIG-IP, making updates via iControl REST can result in restjavad/restnoded/icrd errors.

Conditions:
Using iControl REST/iapp to update a data-group that contains a large number of records, e.g., 75,000 or more.

Impact:
REST operations can time out when they take too long, and it is not possible to increase the timeout.

Workaround:
None.

Fix:
ICRD/restjavad/restnoded timeouts are now configurable through sys db variables.

Behavior Change:
New Sys DB variables have been added to allow you to modify the timeout settings of restjavad, restnoded, and icrd:

restnoded.timeout
restjavad.timeout
icrd.timeout

The default value is 60 seconds for each of these.

A restart of restjavad and restnoded is required for the change to take effect.

tmsh restart /sys service restjavad
tmsh restart /sys service restnoded


858025-3 : BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984

Solution Article: K33440533


857953-3 : Non-functional disable/enable buttons present in GTM wide IP members page

Component: Global Traffic Manager (DNS)

Symptoms:
Enable/disable buttons do not perform any action against the selected members when pressed.

Conditions:
-- GTM wide IP has members.
-- Navigate to the GTM wide IP members page.
-- Attempt to enable or disable a selected member./

Impact:
No action against the selected members occurs when the buttons are pressed.

Workaround:
None.


857845-6 : TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule

Component: Local Traffic Manager

Symptoms:
Whenever the server or client side data have not been drained, 'server drained' or 'client drained' appear in /var/log/tmm as errors.

Conditions:
-- Using iRule configuration with LB::detach or LB::connect.
-- Server- or client-side data has not been drained before those statements are triggered.

Impact:
TMM crashes and can cause an outage on standalone system or failover in a DSC. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes and the 'server not drained' or 'client not drained' message is logged instead. If tmm.oops is set to 'log', the OOPS messages is reported in /var/log/tmm.


857725 : Anti-Fraud/DataSafe Logging Settings page not found

Component: Fraud Protection Services

Symptoms:
When navigating to Security :: Fraud Protection Service : Anti-Fraud Logging Settings, a 404 error is shown instead of the actual page.

Conditions:
- Provision Fraud Protection Service.
- License DataSafe or Fraud Protection Service.
- Enable the 'antifraud.riskengine.reportlogins' database variable.

Impact:
'Anti-Fraud Logging Settings' page is not found.

Workaround:
Configure logging setting using the Traffic Management Shell (tmsh) utility.

Fix:
'Anti-Fraud Logging Settings' page is shown correctly.


857633-2 : Attack Type (SSRF) appears incorrectly in REST result

Component: Application Security Manager

Symptoms:
After ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, a mistaken value for Attack Type (SSRF) appears incorrectly in REST query results.

Conditions:
ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, even if another ASM Signature update is installed subsequently.

Impact:
A mistaken value for Attack Type (SSRF) appears incorrectly in REST query results. This impacts BIG-IQ usage and other REST clients.

Workaround:
Workaround:
1) Install a newer ASU to reassociate the affected signatures with the correct attack type
2) Run the following SQL on the affected BIG-IP devices:

DELETE FROM PLC.NEGSIG_ATTACK_TYPES WHERE attack_type_name = "Server-Side Request Forgery (SSRF)";


856961-2 : INTEL-SA-00201 MCE vulnerability CVE-2018-12207

Solution Article: K17269881


856953-2 : IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1

Component: TMOS

Symptoms:
In rare circumstances, TMM may core when changing the ike-peer configuration from IKEv2 to IKEv1.

Conditions:
- The BIG-IP system is attempting to establish an IKEv2 tunnel.
- The related ike-peer config is changed from IKEv2 to IKEv1.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not reconfigure the ike-peer configuration while the related IPsec tunnel is attempting to establish.

Fix:
TMM no longer cores.


856713-1 : IPsec crash during rekey

Component: TMOS

Symptoms:
IPsec-related tmm crash and generated core file during rekey.

Conditions:
-- IPsec timeout occurs.
-- Some temporary SA's are created by racoon.

Impact:
Tmm crashes and creates core file. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
IPsec-related tmm crash has been fixed.


854493-3 : Kernel page allocation failures messages in kern.log

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)

Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this as follows:
-- 64 MB (65536 KB for 2250 blades)
-- 48 MB (49152 KB for B4300 blades)
-- 128 MB (131072 KB for 4450 blades)

You must do this on each blade installed in the system.

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades, and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

Fix:
The BIG-IP system no longer experiences kernel page allocation failures.


854177-3 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality

Component: Application Security Manager

Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.

Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.

Impact:
Latency is introduced to ASM handling.

Workaround:
Set the fast changing nodes to static updates every hour.

Fix:
ASM now correctly ignores pool member updates that do not affect remote logging.


854001-4 : TMM might crash in case of trusted bot signature and API protected url

Component: Application Security Manager

Symptoms:
When sending request to a protected API URL, with a trusted bot signature, tmm tries to perform reverse DNS to verify the signature. During this process, the URL qualification might change. In this case - tmm crashes.

Conditions:
-- Bot Defense profile attached.
-- 'API Access for Browsers and Mobile Applications' is enabled.
-- A DNS server is configured.
-- Request is sent to an API-qualified URL.
-- Request is sent with a trusted bot signature.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the 'API Access for Browsers and Mobile Applications' or remove the DNS server.

Fix:
An issue where tmm could crash when processing a request sent to a protected API URL with a trusted bot signature has been fixed.


853613-2 : Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp

Component: Local Traffic Manager

Symptoms:
A TCP connection hangs occasionally.

Conditions:
-- The TCP connection is on the clientside.
-- sys db tm.tcpsendrandomtimestamp is enabled (default is disabled).
-- A virtual server's TCP's Verified Accept and Timestamps are both enabled.

Impact:
TCP connections hangs, and data transfer cannot be completed.

Workaround:
You can use either of the following workarounds:
-- Disable tm.tcpsendrandomtimestamp.
-- Disable either the TCP's Verified Accept or Timestamps option.

Fix:
This release provides improved interaction between TCP's Verified Accept and Timestamps options and the tm.tcpsendrandomtimestamp setting.


853585-2 : REST Wide IP object presents an inconsistent lastResortPool value

Component: Global Traffic Manager (DNS)

Symptoms:
The output of a REST call to tm/gtm/wideip/<wideip_kind> returns objects that contain inconsistent values for the property 'lastResortPool'. For instance, for the kind 'aaaa', the output might be:

...
"lastResortPool": "aaaa \"\""
...

Conditions:
The BIG-IP admin has modified a Wide IP object via tmsh and used the following command structure:

tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind>

Impact:
The lastResortValue in the REST response might be confusing for an external orchestrator that consumes the BIG-IP configuration via iControl REST. BIG-IQ, for instance. BIG-IQ might not work as expected with these values.

Workaround:
Change the Wide IP object via the GUI and set the Last Resort Pool to None, then save the changes.

Fix:
The tmsh interpreter now enforces the structure 'tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind> <pool_name>'.


853545-3 : MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event

Component: Service Provider

Symptoms:
For each message dropped during GENERICMESSAGE_INGRESS, memory is leaked.

Conditions:
Usage of GENERICMESSAGE::message drop iRule command during GENERICMESSAGE_INGRESS event will leak memory.

Impact:
As more memory is leaked, less memory is available for message processing, eventually leading to a core.

Workaround:
Use MR::message drop during MR_INGRESS event instead to drop a message.

Fix:
Usage of GENERICMESSAGE::message drop iRule command no longer leaks memory.


853329-4 : HTTP explicit proxy can crash TMM when used with classification profile

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may serve HTTP traffic as forward proxy and use DNS resolver objects to provide a server to connect to