Supplemental Document : BIG-IP 14.1.4.6 Fixes and Known Issues

Applies To:

BIG-IP AAM

  • 14.1.4

BIG-IP APM

  • 14.1.4

BIG-IP Analytics

  • 14.1.4

BIG-IP Link Controller

  • 14.1.4

BIG-IP LTM

  • 14.1.4

BIG-IP PEM

  • 14.1.4

BIG-IP AFM

  • 14.1.4

BIG-IP DNS

  • 14.1.4

BIG-IP FPS

  • 14.1.4

BIG-IP ASM

  • 14.1.4
Original Publication Date: 04/13/2022
Updated Date: 05/28/2022

BIG-IP Release Information

Version: 14.1.4.6
Build: 8.0

Note: This content is current as of the software release date. Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.


Cumulative fixes from BIG-IP v14.1.4.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.8 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.7 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.6 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release
Known Issues in BIG-IP v14.1.x

Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
830361-4 CVE-2012-6711 K05122252 CVE-2012-6711 Bash Vulnerability 14.1.4.6
1087201-4 CVE-2022-0778 K31323265 OpenSSL Vulnerability: CVE-2022-0778 14.1.4.6
1002565-4 CVE-2021-23840 K24624116 OpenSSL vulnerability CVE-2021-23840 14.1.4.6


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
818169-3 2-Critical   TMM may consume excessive resources when processing DNS profiles with DNS queuing enabled 14.1.4.6, 15.1.0.2
1050537-3 2-Critical BT1050537 GTM pool member with none monitor will be part of load balancing decisions. 14.1.4.6
1046669-3 3-Major BT1046669 The audit forwarders may prematurely time out waiting for TACACS responses 14.1.4.6
982697-4 4-Minor   ICMP hardening 14.1.4.6
1033837-3 4-Minor   REST authentication tokens persist on reboot 14.1.4.6


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
976669-3 2-Critical BT976669 FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade 14.1.4.6
957897-2 2-Critical BT957897 Unable to modify gateway-ICMP monitor fields in the GUI 14.1.4.6
944513-1 2-Critical BT944513 Apache configuration file hardening 14.1.4.6, 15.1.4
915981-2 2-Critical   BIG-IP in Appliance Mode does not follow best practices 14.1.4.6
1059185-3 2-Critical   iControl REST Hardening 14.1.4.6
1057801-4 2-Critical   TMUI does not follow current best practices 14.1.4.6
1051561-3 2-Critical   iControl REST request hardening 14.1.4.6
1048141-1 2-Critical BT1048141 Sorting pool members by 'Member' causes 'General database error' 14.1.4.6
999125-3 3-Major BT999125 After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. 14.1.4.6
982341-4 3-Major   iControl REST endpoint hardening 14.1.4.6
956589-2 3-Major BT956589 The tmrouted daemon restarts and produces a core file 14.1.4.6, 15.1.2.1
943577-3 3-Major BT943577 Full sync failure for traffic-matching-criteria with port list under certain conditions 14.1.4.6
919317-3 3-Major BT919317 NSM consumes 100% CPU processing nexthops for recursive ECMP routes 14.1.4.6
918409-4 3-Major BT918409 BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures 14.1.4.6
901669-2 3-Major BT901669 Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. 14.1.4.6
755976-3 3-Major BT755976 ZebOS might miss kernel routes after mcpd daemon restart 14.1.4.6
405329-2 3-Major   The imish utility cores while checking help strings for OSPF6 vertex-threshold 14.1.4.6, 15.1.0.5
1066285-1 3-Major BT1066285 Master Key decrypt failure - decrypt failure. 14.1.4.6
1057809-4 3-Major   Saved dashboard hardening 14.1.4.6
1056993-4 3-Major   404 error is raised on GUI when clicking "App IQ." 14.1.4.6
1047169-3 3-Major BT1047169 GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. 14.1.4.6
1042009-3 3-Major BT1042009 Mcpd fails to reply if a request is proxied to another daemon and the connection to that daemon closes 14.1.4.6
1022637-3 3-Major BT1022637 A partition other than /Common may fail to save the configuration to disk 14.1.4.6, 15.1.5
1020789-2 3-Major BT1020789 Cannot deploy a four-core vCMP guest if the remaining cores are in use. 14.1.4.6
1019085-2 3-Major BT1019085 Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file. 14.1.4.6
1008269-4 3-Major BT1008269 Error: out of stack space 14.1.4.6
713614-4 4-Minor BT713614 Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only) 14.1.4.6, 15.1.0.5
528894-7 4-Minor BT528894 Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition 14.1.4.6, 15.1.5
1071365-3 4-Minor   iControl SOAP WSDL hardening 14.1.4.6
1058677-3 4-Minor BT1058677 Not all SCTP connections are mirrored on the standby device when auto-init is enabled. 14.1.4.6
1051797-3 4-Minor   Linux kernel vulnerability: CVE-2018-18281 14.1.4.6
1046693-2 4-Minor BT1046693 TMM with BFD configured might crash under significant memory pressure 14.1.4.6
1045549-2 4-Minor BT1045549 BFD sessions remain DOWN after graceful TMM restart 14.1.4.6
1040821-2 4-Minor BT1040821 Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes 14.1.4.6
1034589-3 4-Minor BT1034589 No warning is given when a pool or trunk that was in use by a high availability (HA) Group is deleted from the configuration. 14.1.4.6
1031425-1 4-Minor BT1031425 Provide a configuration flag to disable BGP peer-id check. 14.1.4.6
1030645-2 4-Minor BT1030645 BGP session resets during traffic-group failover 14.1.4.6
1024621-2 4-Minor BT1024621 Re-establishing BFD session might take longer than expected. 14.1.4.6
1002809-2 4-Minor BT1002809 OSPF vertex-threshold should be at least 100 14.1.4.6


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
946481-3 2-Critical BT946481 Virtual Edition FIPS not compatible with TLS 1.3 14.1.4.6
931677-4 2-Critical   IPv6 hardening 14.1.4.6
910213-4 2-Critical BT910213 LB::down iRule command is ineffective, and can lead to inconsistent pool member status 14.1.4.6
757407-1 2-Critical BT757407 Error reading RRD file may induce processes to mutually wait for each other forever 14.1.4.6
1064617-3 2-Critical BT1064617 DBDaemon process may write to monitor log file indefinitely 14.1.4.6
1047089-4 2-Critical   TMM may terminate while processing TLS/DTLS traffic 14.1.4.6, 15.1.5
1016657-4 2-Critical   TMM may crash while processing LSN traffic 14.1.4.6
1000021-4 2-Critical   TMM may consume excessive resources while processing packet filters 14.1.4.6, 15.1.5
999901-4 3-Major   Certain LTM policies may not execute correctly after a system reboot or TMM restart. 14.1.4.6
993981-4 3-Major   TMM may crash when ePVA is enabled 14.1.4.6
987077-4 3-Major BT987077 TLS1.3 with client authentication handshake failure 14.1.4.6
967101-3 3-Major BT967101 When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out. 14.1.4.6
955617-6 3-Major BT955617 Cannot modify properties of a monitor that is already in use by a pool 14.1.4.6
951257-1 3-Major   FTP active data channels are not established 14.1.4.6
939085-1 3-Major BT939085 /config/ssl/ssl.csr directory disappears after creating certificate archive 14.1.4.6
919249-3 3-Major   NETHSM installation script hardening 14.1.4.6
912517-4 3-Major BT912517 Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured 14.1.4.6
892485-1 3-Major BT892485 A wrong OCSP status cache may be looked up and re-used during SSL handshake. 14.1.4.6
892073-1 3-Major BT892073 TLS1.3 LTM policy rule based on SSL SNI is not triggered 14.1.4.6
838353-3 3-Major BT838353 MQTT monitor is not working in route domain. 14.1.4.6
826349-2 3-Major BT826349 VXLAN tunnel might fail due to misbehaving NIC checksum offload 14.1.4.6
825245-2 3-Major BT825245 SSL::enable does not work for server side ssl 14.1.4.6
803109-2 3-Major BT803109 Certain configuration may result in zombie forwarding flows 14.1.4.6
793929-1 3-Major BT793929 In-TMM monitor agent might crash during TMM shutdown 14.1.4.6
793669-1 3-Major BT793669 FQDN ephemeral pool members on a high availability (HA) pair do not get properly synced with the new session value. 14.1.4.6
672963-3 3-Major BT672963 MSSQL monitor fails against databases using non-native charset 14.1.4.6
1058469-3 3-Major BT1058469 Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working. 14.1.4.6
1052929-2 3-Major BT1052929 MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. 14.1.4.6
1043357-2 3-Major BT1043357 SSL handshake may fail when using remote crypto client 14.1.4.6
1043017-2 3-Major BT1043017 Virtual-wire with standard-virtual fragmentation 14.1.4.6
1029897-3 3-Major K63312282, BT1029897 Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. 14.1.4.6
1023341-3 3-Major   HSM hardening 14.1.4.6, 16.1.1
1017533-1 3-Major BT1017533 Using TMC might cause virtual server vlans-enabled configuration to be ignored 14.1.4.6
1016449-1 3-Major BT1016449 After certain configuration tasks are performed, TMM may run with stale Self IP parameters. 14.1.4.6
1016049-3 3-Major BT1016049 EDNS query with CSUBNET dropped by protocol inspection 14.1.4.6
1008501-4 3-Major BT1008501 TMM core 14.1.4.6
838305-4 4-Minor BT838305 BIG-IP may create multiple connections for packets that should belong to a single flow. 14.1.4.6
717806-3 4-Minor BT717806 In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured 14.1.4.6
1026605-3 4-Minor BT1026605 When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes 14.1.4.6
1016441-2 4-Minor   RFC Enforcement Hardening 14.1.4.6
873249-3 5-Cosmetic BT873249 Switching from fast_merge to slow_merge can result in incorrect tmm stats 14.1.4.6


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
741862-1 2-Critical BT741862 DNS GUI may generate error or display names with special characters incorrectly. 14.1.4.6
1062513-2 2-Critical BT1062513 GUI returns 'no access' error message when modifying a GTM pool property. 14.1.4.6
1044425-4 3-Major   NSEC3 record improvements for NXDOMAIN 14.1.4.6
1039205-1 3-Major BT1039205 DNSSEC key stored on netHSM fails to generate if the key name length is > 24 14.1.4.6
1018613-4 3-Major BT1018613 Modifying wideip pools with replace-all-with results in pools with same order 0 14.1.4.6
1011285-3 3-Major BT1011285 The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects. 14.1.4.6, 15.1.5
753821-3 4-Minor BT753821 'TCP RST from remote system' messages logged if GTM/DNS is licensed but not provisioned 14.1.4.6


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1069449-3 2-Critical   ASM attack signatures may not match cookies as expected 14.1.4.6
965785-3 3-Major BT965785 Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine 14.1.4.6
961509-4 3-Major BT961509 ASM blocks WebSocket frames with signature matched but Transparent policy 14.1.4.6
926845-4 3-Major BT926845 Inactive ASM policies are deleted upon upgrade 14.1.4.6
921697-4 3-Major BT921697 Attack signature updates fail to install with Installation Error. 14.1.4.6, 16.1.2.1
871881-1 3-Major BT871881 Apply Policy action is not synchronized after making bulk signature changes 14.1.4.6
818889-3 3-Major BT818889 False positive malformed json or xml violation. 14.1.4.6
1072197-3 3-Major   Issue with input normalization in WebSocket. 14.1.4.6
1067285-3 3-Major   Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' 14.1.4.6
1060933-3 3-Major   Issue with input normalization. 14.1.4.6
1051213-3 3-Major BT1051213 Increase default value for violation 'Check maximum number of headers'. 14.1.4.6
1051209-3 3-Major   BD may not process certain HTTP payloads as expected 14.1.4.6
1047389-1 3-Major   Bot Defense challenge hardening 14.1.4.6
1045101-2 3-Major   Bd may crash while processing ASM traffic 14.1.4.6, 15.1.5, 16.1.2.1
1043385-2 3-Major   No Signature detected If Authorization header is missing padding. 14.1.4.6
1038733-2 3-Major   Attack signature not detected for unsupported authorization types. 14.1.4.6
1037457-3 3-Major   High CPU during specific dos mitigation 14.1.4.6
1030853-3 3-Major BT1030853 Route domain IP exception is being treated as trusted (for learning) after being deleted 14.1.4.6
1023993-2 3-Major   Brute Force is not blocking requests, even when auth failure happens multiple times 14.1.4.6
1012221-3 3-Major BT1012221 Message: childInheritanceStatus is not compatible with parentInheritanceStatus 14.1.4.6
1011069-4 3-Major   Group/User R/W permissions should be changed for .pid and .cfg files. 14.1.4.6
973661 4-Minor BT973661 Two different 'Attack Signature' updates shown as 'Currently Installed' 14.1.4.6
844045-2 4-Minor   ASM Response event logging for "Illegal response" violations. 14.1.4.6
1055453 4-Minor BT1055453 Blocking page trims the last digit of the Support ID. 14.1.4.6
1050697-2 4-Minor   Traffic learning page counts Disabled signatures when they are ready to be enforced 14.1.4.6
1038741-2 4-Minor BT1038741 NTLM type-1 message triggers "Unparsable request content" violation. 14.1.4.6
1036521-4 4-Minor BT1036521 TMM crash in certain cases 14.1.4.6
1034941-3 4-Minor BT1034941 Exporting and then re-importing "some" XML policy does not load the XML content-profile properly 14.1.4.6
1020717-2 4-Minor   Policy versions cleanup process sometimes removes newer versions 14.1.4.6
1002385-4 4-Minor   Fixing issue with input normalization 14.1.4.6, 15.1.5, 16.1.2.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
1038913-2 3-Major   The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category 14.1.4.6


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
992073-1 3-Major   APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS 14.1.4.6
868557-3 3-Major   Unable to initiate SWG database download from Admin UI when management network has no direct internet connectivity. 14.1.4.6
423519-2 3-Major   Bypass disabling the redirection controls configuration of APM RDP Resource. 14.1.4.6
1067993-6 3-Major   APM Windows Client installer hardening 14.1.4.6
1019161-5 3-Major   Windows installer (VPN through browser components installer) as administrator user uses temporary folder to create files 14.1.4.6
1009049-6 3-Major   Browser-based VPN did not follow best practices while logging. 14.1.4.6


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1047053-1 2-Critical   TMM may consume excessive resources while processing RTSP traffic 14.1.4.6, 15.1.5
1029397-2 2-Critical BT1029397 Tmm may crash with SIP-ALG deployment in a particular race condition 14.1.4.6, 15.1.5
1007109-4 2-Critical BT1007109 Flowmap entry is deleted before updating its timeout to INDEFINITE 14.1.4.6
957905-3 3-Major BT957905 SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP. 14.1.4.6
1078721-4 3-Major   TMM may consume excessive resources while processing ICAP traffic 14.1.4.6
1056933-2 3-Major   TMM may crash while processing SIP traffic 14.1.4.6, 15.1.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1058645-3 2-Critical BT1058645 ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup. 14.1.4.6
808893-2 3-Major BT808893 DNS DoS profile vectors do not function correctly 14.1.4.6
808889-2 3-Major BT808889 DoS vector or signature stays hardware-accelerated even when traffic rate is lower than mitigation threshold 14.1.4.6
1070033 3-Major BT1070033 Virtual server may not fully enter hardware SYN Cookie mode. 14.1.4.6
1008265-4 3-Major   DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond 14.1.4.6
756457-2 4-Minor BT756457 tmsh command 'show security' returning a parsing error 14.1.4.6
1072057-3 4-Minor BT1072057 "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy. 14.1.4.6
1069745 4-Minor   GUI issues in Security->NetworkFirewall->Active Rules, rule movement to 101, 201 position. 14.1.4.6


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
756595-1 1-Blocking BT756595 Traffic redirection to an internal virtual server may fail. 14.1.4.6
946325-3 3-Major   PEM subscriber GUI hardening 14.1.4.6


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
1019613-2 2-Critical BT1019613 Unknown subscriber in PBA deployment may cause CPU spike 14.1.4.6


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
873617-3 3-Major BT873617 DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. 14.1.4.6


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1060409-4 4-Minor   Behavioral DoS enable checkbox is wrong. 14.1.4.6


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
1052153-1 3-Major   Signature downloads for traffic classification updates via proxy fail 14.1.4.6


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
965853-1 3-Major   IM package file hardening 14.1.4.6
964489-3 3-Major   Protocol Inspection IM package hardening 14.1.4.6
940261-2 4-Minor   Support IPS package downloads via HTTP proxy. 14.1.4.6


Guided Configuration Fixes

ID Number Severity Links to More Info Description Fixed Versions
982757-6 3-Major   APM Access Guided Configuration hardening 14.1.4.6


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
944121-3 3-Major BT944121 Missing SNI information when using non-default domain https monitor running in TMM mode. 14.1.4.6



Cumulative fixes from BIG-IP v14.1.4.5 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
999933-4 CVE-2022-23017 K28042514, BT999933 TMM may crash while processing DNS traffic on certain platforms 14.1.4.5, 15.1.4.1
989701-4 CVE-2020-25212 K42355373, BT989701 CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response 14.1.4.5, 15.1.4.1, 16.1.2
989637-4 CVE-2022-23015 K08476614, BT989637 TMM may crash while processing SSL traffic 14.1.4.5, 15.1.4.1
988549-4 CVE-2020-29573 K27238230, BT988549 CVE-2020-29573: glibc vulnerability 14.1.4.5, 15.1.4.1, 16.1.2
910517 CVE-2022-23012 K26310765, BT910517 TMM may crash while processing HTTP traffic 14.1.4.5, 15.1.4.1
1032405-4 CVE-2021-23037 K21435974, BT1032405 TMUI XSS vulnerability CVE-2021-23037 14.1.4.5, 15.1.4.1, 16.1.2
1028669-4 CVE-2019-9948 K28622040, BT1028669 Python vulnerability: CVE-2019-9948 14.1.4.5, 15.1.4.1, 16.1.2
1028573-4 CVE-2020-10878 K40508224, BT1028573 Perl vulnerability: CVE-2020-10878 14.1.4.5, 15.1.4.1, 16.1.2
1028497-4 CVE-2019-15903 K05295469, BT1028497 libexpat vulnerability: CVE-2019-15903 14.1.4.5, 15.1.4.1, 16.1.2
1012365-3 CVE-2021-20305 K33101555, BT1012365 Nettle cryptography library vulnerability CVE-2021-20305 14.1.4.5, 15.1.4.1, 16.1.2
1007489-4 CVE-2022-23018 K24358905, BT1007489 TMM may crash while handling specific HTTP requests 14.1.4.5, 15.1.4.1, 16.1.2
997193-2 CVE-2022-23028 K16101409, BT997193 TCP connections may fail when AFM global syncookies are in operation. 14.1.4.5, 15.1.5
974341-3 CVE-2022-23026 K08402414, BT974341 REST API: File upload 14.1.4.5, 15.1.4.1, 16.1.2
941649-4 CVE-2021-23043 K63163637, BT941649 Local File Inclusion Vulnerability 14.1.4.5, 15.1.4.1, 16.1.2
940185-3 CVE-2022-23023 K11742742, BT940185 icrd_child may consume excessive resources while processing REST requests 14.1.4.5, 15.1.5, 16.1.2.1
823877-2 CVE-2019-10098, CVE-2020-1927 K25126370, BT823877 CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability 14.1.4.5
803965-2 CVE-2018-20843 K51011533, BT803965 Expat Vulnerability: CVE-2018-20843 14.1.4.5, 15.1.4, 16.1.2
1009725-4 CVE-2022-23030 K53442005, BT1009725 Excessive resource usage when ixlv drivers are enabled 14.1.4.5, 15.1.4.1, 16.1.2
713754-1 CVE-2017-15715 K27757011 Apache vulnerability: CVE-2017-15715 14.1.4.5


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
930633-1 3-Major BT930633 Delay in using new route updates by existing connections on BIG-IP. 14.1.4.5
1015133-2 3-Major BT1015133 Tail loss can cause TCP TLP to retransmit slowly. 14.1.4.5, 15.1.5, 16.1.2.1
985953-2 4-Minor BT985953 GRE Transparent Ethernet Bridging inner MAC overwrite 14.1.4.5, 15.1.4.1, 16.1.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1042993-1 1-Blocking K19272127, BT1042993 Provisioning high availability (HA) setup wizard fails to load, reports 'No Access' 14.1.4.5, 15.1.4.1
1039049-1 1-Blocking BT1039049 Installing EHF on particular platforms fails with error "RPM transaction failure" 14.1.4.5, 15.1.4.1, 16.1.2
831821-3 2-Critical BT831821 Corrupted DAG packets causes bcm56xxd core on VCMP host 14.1.4.5, 15.1.4.1
1043277-2 2-Critical K06520200, BT1043277 'No access' error page displays for APM policy export and apply options. 14.1.4.5, 15.1.4.1
1004929-4 2-Critical BT1004929 During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. 14.1.4.5, 15.1.5
996001-2 3-Major BT996001 AVR Inspection Dashboard 'Last Month' does not show all data points 14.1.4.5, 15.1.5, 16.1.2.1
958093-2 3-Major BT958093 IPv6 routes missing after BGP graceful restart 14.1.4.5, 15.1.4.1
935801-3 3-Major BT935801 HSB diagnostics are not provided under certain types of failures 14.1.4.5, 15.1.2
922185-4 3-Major BT922185 LDAP referrals not supported for 'cert-ldap system-auth' 14.1.4.5, 15.1.4.1, 16.1.2
900933-2 3-Major BT900933 IPsec interoperability problem with ECP PFS 14.1.4.5, 15.1.4.1, 16.0.1.2
881085-1 3-Major BT881085 Intermittent auth failures with remote LDAP auth for BIG-IP management 14.1.4.5, 15.1.4.1, 16.1.2
1045421-3 3-Major K16107301, BT1045421 No Access error when performing various actions in the TMOS GUI 14.1.4.5, 15.1.4.1, 16.1.2
1032077-3 3-Major BT1032077 TACACS authentication fails with tac_author_read: short author body 14.1.4.5, 15.1.4.1, 16.1.2
1026549-4 3-Major BT1026549 Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd 14.1.4.5, 15.1.4.1, 16.1.2
1015093-4 3-Major BT1015093 The "iq" column is missing from the ndal_tx_stats table 14.1.4.5, 15.1.4.1
1003257-3 3-Major BT1003257 ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected 14.1.4.5, 15.1.4.1, 16.1.2
988533-3 4-Minor BT988533 GRE-encapsulated MPLS packet support 14.1.4.5, 15.1.4.1
889813-1 4-Minor BT889813 Show net bwc policy prints bytes-per-second instead of bits-per-second 14.1.4.5
1030845-3 4-Minor BT1030845 Time change from TMSH not logged in /var/log/audit. 14.1.4.5, 15.1.4.1, 16.1.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1005433 1-Blocking BT1005433 LTM Pool Members may not be updated accurately when multiple identical database monitors are configured 14.1.4.5
862885-1 2-Critical BT862885 Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error 14.1.4.5, 15.1.4.1
788813-1 2-Critical BT788813 TMM crash when deleting virtual-wire config 14.1.4.5
750702-1 2-Critical BT750702 TMM crashes while making changes to virtual wire configuration 14.1.4.5
1040361-3 2-Critical BT1040361 TMM crashes during its startup when TMC destination port list attached/deleted to virtual server. 14.1.4.5, 15.1.5, 16.1.2
1019081-2 2-Critical K97045220, BT1019081 HTTP/2 hardening 14.1.4.5, 15.1.3.1
1009161 2-Critical BT1009161 SSL mirroring protect for null sessions 14.1.4.5
999097-4 3-Major BT999097 SSL::profile may select profile with outdated configuration 14.1.4.5, 15.1.5, 16.1.2.1
963705-2 3-Major BT963705 Proxy ssl server response not forwarded 14.1.4.5, 15.1.4.1
904041-4 3-Major BT904041 Ephemeral pool members may be incorrect when modified via various actions 14.1.4.5, 15.1.4.1
872721-1 3-Major BT872721 SSL connection mirroring intermittent failure with TLS1.3 14.1.4.5
803629-2 3-Major BT803629 SQL monitor fails with 'Analyze Response failure' message even if recv string is correct 14.1.4.5, 15.1.4.1, 16.0.1.1
761477-7 3-Major BT761477 Client authentication performance when large CRL is used 14.1.4.5
1038629-3 3-Major BT1038629 DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client 14.1.4.5, 15.1.5, 16.1.2.1
1034365-1 3-Major BT1034365 DTLS handshake fails with DTLS1.2 client version 14.1.4.5, 15.1.5
1020941-3 3-Major BT1020941 HTTP/2 header frames decoding may fail with COMPRESSION_ERROR when frame delivered in multiple xfrags 14.1.4.5, 15.1.4
1018577-2 3-Major BT1018577 SASP monitor does not mark pool member with same IP Address but different Port from another pool member 14.1.4.5, 15.1.4.1, 16.1.2
1017513-2 3-Major BT1017513 Config sync fails with error Invalid monitor rule instance identifier 14.1.4.5, 16.1.2.1
1015161-3 3-Major BT1015161 Ephemeral pool member may not be created when FQDN resolves to address that matches static node 14.1.4.5
1008017-1 3-Major BT1008017 Validation failure on Enforce TLS Requirements and TLS Renegotiation 14.1.4.5, 15.1.4.1, 16.1.2
936557-3 4-Minor BT936557 Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled. 14.1.4.5, 15.1.4.1
890881-3 4-Minor BT890881 ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address 14.1.4.5, 15.1.4.1
1045913-4 4-Minor BT1045913 COMPRESS::disable/COMPRESS::enable don't work reliably for selective compression 14.1.4.5
1018493-3 4-Minor BT1018493 Response code 304 from TMM Cache always closes TCP connection. 14.1.4.5, 15.1.4, 16.1.2
1005109-1 4-Minor BT1005109 TMM crashes when changing traffic-group on IPv6 link-local address 14.1.4.5, 15.1.5, 16.1.2.1
1002945-1 4-Minor BT1002945 Some connections are dropped on chained IPv6 to IPv4 virtual servers. 14.1.4.5, 15.1.4.1, 16.1.2
898929-2 5-Cosmetic BT898929 Tmm might crash when ASM, AVR, and pool connection queuing are in use 14.1.4.5, 15.1.5, 16.1.2.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1035853-4 2-Critical K41415626, BT1035853 Transparent DNS Cache can consume excessive resources. 14.1.4.5, 15.1.5, 16.1.2
1009037-4 2-Critical BT1009037 Tcl resume on invalid connection flow can cause tmm crash 14.1.4.5, 15.1.4.1, 16.1.2
863917-3 3-Major BT863917 The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval. 13.1.4.1, 14.1.4.5, 15.1.3, 16.0.1.2
756470-5 3-Major BT756470 Additional logging added to detect when monitoring operations in the configuration exceeds capabilities. 13.1.3.4, 14.1.4.5
1024553-3 3-Major BT1024553 GTM Pool member set to monitor type "none" results in big3d: timed out 14.1.4.5, 15.1.5
1021417-4 3-Major BT1021417 Modifying GTM pool members with replace-all-with results in pool members with order 0 14.1.4.5, 15.1.4.1, 16.1.2
1021061-2 3-Major BT1021061 Config fails to load for large config on platform with Platform FIPS license enabled 14.1.4.5, 15.1.5, 16.1.2.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
993613-4 2-Critical BT993613 Device fails to request full sync 14.1.4.5, 15.1.5, 16.1.2.1
912149-4 2-Critical BT912149 ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' 14.1.4.5, 15.1.4.1, 16.1.2
879841-3 2-Critical BT879841 Domain cookie same-site option is missing the "None" as value in GUI and rest 14.1.4.5, 15.1.4.1
1019853-3 2-Critical K30911244, BT1019853 Some signatures are not matched under specific conditions 14.1.4.5, 15.1.4.1, 16.1.2
1011061-1 2-Critical   Certain attack signatures may not match in multipart content 14.1.4.5, 15.1.4.1, 16.1.2
984593-3 3-Major BT984593 BD crash 14.1.4.5, 15.1.5, 16.1.2.1
948805-3 3-Major BT948805 False positive "Null in Request" 14.1.4.5, 15.1.4.1
907025-1 3-Major BT907025 Live update error: 'Try to reload page' 14.1.4.5, 15.1.5, 16.1.2.1
886865-2 3-Major BT886865 P3P header is added for all browsers, but required only for Internet Explorer 14.1.4.5, 15.1.5
885765-4 3-Major BT885765 ASMConfig Handler undergoes frequent restarts 14.1.4.5, 15.1.5, 16.1.2.1
857633-2 3-Major BT857633 Attack Type (SSRF) appears incorrectly in REST result 14.1.4.5, 15.1.4.1
842013-4 3-Major BT842013 ASM Configuration is Lost on License Reactivation 14.1.4.5, 15.1.4.1, 16.1.2
785873-2 3-Major BT785873 ASM should treat 'Authorization: Negotiate TlR' as NTLM 14.1.4.5
731168-1 3-Major BT731168 BIG-IP may attempt to write to an out of bounds memory location, causing the bd daemon to crash. 14.1.4.5
1042069-3 3-Major   Some signatures are not matched under specific conditions. 14.1.4.5, 15.1.4.1, 16.1.2.1
1017153-1 3-Major BT1017153 Asmlogd suddenly deletes all request log protobuf files and records from the database. 14.1.4.5, 15.1.4.1, 16.1.2
1005105-4 3-Major BT1005105 Requests are missing on traffic event logging 14.1.4.5, 15.1.4, 16.1.1
1004069-2 3-Major BT1004069 Brute force attack is detected too soon 14.1.4.5, 15.1.5, 16.1.2
883673-1 4-Minor   BotDefense JavaScript browser verification can cause low score when using Google Lighthouse tool 14.1.4.5
1031029 4-Minor BT1031029 "Use of uninitialized value" warning observed during UCS restore. 14.1.4.5


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
832805-1 3-Major BT832805 AVR should make sure file permissions are correct (tmstat_tables.xml) 14.1.4.5, 15.1.4.1
787677-3 3-Major BT787677 AVRD stays at 100% CPU constantly on some systems 14.1.4.5, 15.1.4.1
1035133-2 3-Major BT1035133 Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab 14.1.4.5, 15.1.4.1, 16.1.2
948113-4 4-Minor BT948113 User-defined report scheduling fails 14.1.4.5, 15.1.4.1, 16.1.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
883889-1 2-Critical BT883889 Tmm might crash when under memory pressure 14.1.4.5, 15.1.5
860617-2 2-Critical BT860617 RADIUS server pool without attaching the load balancing algorithm will result in a core 14.1.4.5, 15.1.4.1
1006893-1 2-Critical BT1006893 Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core 14.1.4.5, 15.1.4.1, 16.1.2
993457-3 3-Major BT993457 TMM core with ACCESS::policy evaluate iRule 14.1.4.5, 15.1.4.1, 16.1.2
969317-2 3-Major BT969317 "Restrict to Single Client IP" option is ignored for VMware VDI 14.1.4.5, 15.1.4.1, 16.1.2.1
956645-1 3-Major BT956645 Per-request policy execution may timeout. 14.1.4.5
941393 3-Major BT941393 Memory leak in SWG 14.1.4.5
932213-1 3-Major BT932213 Local user db not synced to standby device when it comes online after forced offline state 14.1.4.5, 15.1.4.1
924857-4 3-Major BT924857 Logout URL with parameters resets TCP connection 14.1.4.5, 15.1.2, 16.0.1.2
915509-3 3-Major BT915509 RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true 14.1.4.5, 15.1.4.1
853325-3 3-Major BT853325 TMM Crash while parsing form parameters by SSO. 14.1.4.5, 15.0.1.3, 15.1.0.2
828761-3 3-Major BT828761 APM OAuth - Auth Server attached iRule works inconsistently 14.1.4.5, 15.1.5, 16.1.2.1
827393-1 3-Major BT827393 In rare cases tmm crash is observed when using APM as RDG proxy. 14.1.4.5, 16.1.2.1
802381-2 3-Major BT802381 Localdb authentication fails 14.1.4.5, 15.0.1.3
738593-1 3-Major BT738593 VMware Horizon session collaboration (shadow session) feature does not work through APM. 14.1.4.5, 15.1.5, 16.1.2.1
712857-3 3-Major BT712857 SWG-Explicit rejects large POST bodies during policy evaluation 12.1.3.6, 14.1.4.5
1045229-3 3-Major BT1045229 APMD leaks Tcl_Objs as part of the fix made for ID 1002557 14.1.4.5
1044121-1 3-Major BT1044121 APM logon page is not rendered if db variable "ipv6.enabled" is set to false 14.1.4.5
1021485-1 3-Major BT1021485 VDI desktops and apps freeze with VMware and Citrix intermittently 14.1.4.5, 15.1.4.1, 16.1.2
1001337 3-Major BT1001337 Cannot read single sign-on configuration from GUI when logged in as guest 14.1.4.5, 15.1.4.1
942965-1 4-Minor BT942965 Local users database can sometimes take more than 5 minutes to sync to the standby device 14.1.4.5, 15.1.5


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1007113-4 2-Critical BT1007113 Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds 14.1.4.5, 15.1.4.1, 16.1.2
1039329-3 3-Major BT1039329 MRF per peer mode is not working in vCMP guest. 14.1.4.5, 15.1.5, 16.1.2.1
1025529-3 3-Major BT1025529 TMM generates core when iRule executes a nexthop command and SIP traffic is sent 14.1.4.5, 15.1.4.1, 16.1.2.1
1003633-4 4-Minor BT1003633 There might be wrong memory handling when message routing feature is used 14.1.4.5, 15.1.4.1, 16.1.2


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1049229-3 2-Critical BT1049229 When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. 14.1.4.5, 15.1.4.1, 16.1.2
995433-4 3-Major BT995433 IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT 14.1.4.5, 15.1.4.1


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
956013 3-Major BT956013 System reports {{validation_errors}} 14.1.4.5, 15.1.5, 16.1.2.1


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
975593-2 3-Major   TMM may crash while processing IPSec traffic 14.1.4.5


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
922665-1 3-Major BT922665 The admd process is terminated by watchdog on some heavy load configuration process 14.1.4.5, 15.1.5
1023437-4 3-Major   Buffer overflow during attack with large HTTP Headers 14.1.4.5, 15.1.5, 16.1.2.1


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
1033829 2-Critical BT1033829 Unable to load Traffic Classification package 14.1.4.5
686783-3 4-Minor BT686783 UrlCat custom database feed list does not work when the URL contains a www prefix or capital letters. 14.1.4.5, 15.1.4.1, 16.1.2
1032689-4 4-Minor BT1032689 UrlCat Custom db feedlist does not work for some URLs 14.1.4.5, 15.1.4.1, 16.1.2


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
873545-1 3-Major BT873545 SSL Orchestrator Configuration GUI freezes after management IP change. 14.1.4.5
761314-2 3-Major BT761314 OSPF Hello does not work for L2 wire 14.1.4.5



Cumulative fixes from BIG-IP v14.1.4.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
981461-3 CVE-2021-23032 K45407662, BT981461 Unspecified DNS responses cause TMM crash 14.1.4.4, 15.1.3.1
966901-3 CVE-2020-14364 K09081535, BT966901 CVE-2020-14364: Qemu Vulnerability 14.1.4.4, 15.1.4.1
940317-3 CVE-2020-13692 K23157312, BT940317 CVE-2020-13692: PostgreSQL JDBC Driver vulnerability 14.1.4.4, 15.1.4.1, 16.1.2
937333-4 CVE-2022-23013 K29500533, BT937333 Incomplete validation of input in unspecified forms 14.1.4.4, 15.1.4
550928-4 CVE-2022-23010 K34360320, BT550928 TMM may crash when processing HTTP traffic with a FastL4 virtual server 14.1.4.4, 15.1.4.1
1030689-3 CVE-2022-23019 K82793463, BT1030689 TMM may consume excessive resources while processing Diameter traffic 14.1.4.4, 15.1.4.1, 16.1.2
1017973-3 CVE-2021-25215 K96223611, BT1017973 BIND Vulnerability CVE-2021-25215 14.1.4.4, 15.1.4, 16.0.1.2
1017965-3 CVE-2021-25214 K11426315, BT1017965 BIND Vulnerability CVE-2021-25214 14.1.4.4, 15.1.4, 16.0.1.2
1009029 CVE-2021-23035 K70415522, BT1009029 TMM may crash while processing HTTP requests 14.1.4.4
975589-2 CVE-2020-8277 K07944249, BT975589 CVE-2020-8277 Node.js vulnerability 14.1.4.4, 15.1.4.1
973409-4 CVE-2020-1971 K42910051, BT973409 CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference 14.1.4.4, 15.1.4.1, 16.1.2
962069-1 CVE-2021-23047 K79428827, BT962069 Excessive resource consumption while processing OCSP requests via APM 14.1.4.4, 15.1.3.1
954425-3 CVE-2022-23031 K61112120, BT954425 Hardening of Live-Update 14.1.4.4, 15.1.4, 16.1.1
887965-3 CVE-2022-23027 K30573026, BT887965 Virtual server may stop responding while processing TCP traffic 14.1.4.4, 15.1.4
1013145-3 CVE-2021-23052 K32734107 APM Hardening 14.1.4.4
1008561-5 CVE-2022-23025 K44110411, BT1008561 In very rare condition, BIG-IP may crash when SIP ALG is deployed 14.1.4.4, 15.1.4, 16.1.1
1008077-4 CVE-2022-23029 K50343028, BT1008077 TMM may crash while processing TCP traffic with a FastL4 VS 14.1.4.4, 15.1.4.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
741869-1 2-Critical BT741869 Enable SysDb variable 'Connection.VgL2Transparent' prior to operating the BIG-IP in L2 transparent mode using VLAN groups. 14.1.4.4
923301-1 3-Major BT923301 ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group 14.1.4.4, 15.1.4, 16.0.1.2
911141-4 3-Major BT911141 GTP v1 APN is not decoded/encoded properly 14.1.4.4, 15.1.4, 16.1.1
866073-1 3-Major BT866073 Add option to exclude stats collection in qkview to avoid very large data files 14.1.4.4, 15.1.4, 16.0.1.2
754335-1 3-Major BT754335 Install ISO does not boot on BIG-IP VE 14.1.4.4, 15.1.4.1
752542-4 3-Major BT752542 Automatic eviction of PEM URLCAT cloud cache 14.1.4.4
751032-3 4-Minor BT751032 TCP receive window may open too slowly after zero-window 14.1.4.4, 15.1.4


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1002109-4 1-Blocking BT1002109 Xen binaries do not follow security best practices 14.1.4.4, 15.1.4
998729 2-Critical BT998729 Query for virtual address statistics is slow when there are hundreds of virtual address and address lists entries 14.1.4.4
980325-4 2-Critical BT980325 Chmand core due to memory leak from dossier requests. 14.1.4.4, 15.1.4
942549-3 2-Critical BT942549 Dataplane INOPERABLE - Only 7 HSBs found. Expected 8 14.1.4.4, 15.1.4.1
831549-1 2-Critical BT831549 Marketing name does not display properly for BIG-IP i10010 (C127) 13.1.3.2, 14.1.4.4
767013-3 2-Critical BT767013 Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.4.4
749332-3 2-Critical BT749332 Client-SSL Object's description can be updated using CLI and with REST PATCH operation 14.1.4.4, 15.1.5, 16.1.2.1
730852-3 2-Critical BT730852 The tmrouted repeatedly crashes and produces core when new peer device is added 14.1.4.4
718573-1 2-Critical BT718573 Internal SessionDB invalid state 14.1.4.4
1034449 2-Critical BT1034449 Excessive CPU consumption by platform_agent. 14.1.4.4
969105-1 3-Major BT969105 HA failover connections via the management address do not work on vCMP guests running on VIPRION 14.1.4.4, 15.1.4
965205-3 3-Major BT965205 BIG-IP dashboard downloads unused widgets 14.1.4.4, 15.1.4.1
958465-3 3-Major BT958465 In BIG-IP Virtual Edition, TMM may prematurely shut down during initialization 14.1.4.4, 15.1.3.1, 16.0.1.2
956293-1 3-Major BT956293 High CPU from analytics-related REST calls - Dashboard TMUI 14.1.4.4, 15.1.4
950849-2 3-Major BT950849 B4450N blades report page allocation failure. 14.1.4.4, 15.1.3.1
947529-1 3-Major BT947529 Security tab in virtual server menu renders slowly 14.1.4.4, 15.1.4.1
940885-3 3-Major BT940885 Add embedded SR-IOV support for Mellanox CX5 Ex adapter 14.1.4.4, 15.1.4.1
850193-2 3-Major BT850193 Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues 14.1.4.4, 15.1.4
827033-3 3-Major BT827033 Boot marker is being logged before shutdown logs 14.1.4.4, 15.1.4
809657-2 3-Major BT809657 HA Group score not computed correctly for an unmonitored pool when mcpd starts 14.1.4.4, 15.1.4.1
787881-2 3-Major BT787881 TMSH displays TSIG keys 14.1.4.4
755027-1 3-Major BT755027 Timer processing taking too long 14.1.4.4
741702-3 3-Major BT741702 TMM crash 14.1.4.4
1024877-1 3-Major BT1024877 Systemd[]: systemd-ask-password-serial.service failed. 14.1.4.4, 15.1.4.1
1010393-3 3-Major BT1010393 Unable to relax AS-path attribute in multi-path selection 14.1.4.4, 15.1.4, 16.0.1.2
1009949-1 3-Major BT1009949 High CPU usage when upgrading from previous version 14.1.4.4, 15.1.4.1, 16.1.2
1008837-3 3-Major BT1008837 Control plane is sluggish when mcpd processes a query for virtual server and address statistics 14.1.4.4, 15.1.4
898441-4 4-Minor BT898441 Enable logging of IKE keys 14.1.4.4, 15.1.4
884165-2 4-Minor BT884165 Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG 14.1.4.4, 15.1.4.1
851393-3 4-Minor BT851393 Tmipsecd leaves a zombie rm process running after starting up 14.1.4.4, 15.1.0.5


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
846217-1 2-Critical BT846217 Translucent vlan-groups set local bit in destination MAC address 14.1.4.4, 15.1.2.1
837617-3 2-Critical BT837617 Tmm may crash while processing a compression context 14.1.4.4, 15.1.0.2
745589-6 2-Critical BT745589 In very rare situations, some filters may cause data-corruption. 14.1.4.4
997929-4 3-Major BT997929 Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic 14.1.4.4, 15.1.4, 16.0.1.2
978833-3 3-Major BT978833 Use of CRL-based Certificate Monitoring Causes Memory Leak 14.1.4.4, 15.1.4.1
969637-3 3-Major BT969637 Config may fail to load with "FIPS 140 operations not available on this system" after upgrade 14.1.4.4, 15.1.4
956133-4 3-Major BT956133 MAC address might be displayed as 'none' after upgrading. 14.1.4.4, 15.1.4
941481-3 3-Major BT941481 iRules LX - nodejs processes consuming excessive memory 14.1.4.4, 15.1.4
941257-2 3-Major BT941257 Occasional Nitrox3 ZIP engine hang 14.1.4.4, 15.1.4
915773 3-Major BT915773 Restart of TMM after stale interface reference 14.1.4.4, 15.1.4.1, 16.1.2
912945-4 3-Major BT912945 On a virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed 14.1.4.4, 15.1.4, 16.1.1
910905-2 3-Major BT910905 TMM crash when processing virtual server traffic with TLS/SSL session cache enabled 14.1.4.4
818833-3 3-Major BT818833 TCP re-transmission during SYN Cookie activation results in high latency 14.1.4.4, 15.1.4
778841-2 3-Major BT778841 Traffic is not passing in virtual wire when Virtual server type is standard & IP profile is ipother 14.1.4.4
749608-2 3-Major BT749608 HTTP Persistence cookies erroneously sent when cookie persistence turned off 14.1.4.4
723112-5 3-Major BT723112 LTM policies do not work if a condition has more than 127 matches 14.1.4.4, 15.1.4.1
714372-3 3-Major BT714372 Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari 14.1.4.4, 15.0.1.1, 15.1.0.2
1015209-1 3-Major BT1015209 Memory may be leaked when handling chunked responses 14.1.4.4
1015201-1 3-Major BT1015201 HTTP unchunking satellite leaks ERR_MORE_DATA which can cause connection to be aborted. 14.1.4.4, 15.1.5
1004897-3 3-Major BT1004897 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason 14.1.4.4
936773-1 4-Minor BT936773 Improve logging for "double flow removal" TMM Oops 14.1.4.4, 15.1.4.1
753925-1 4-Minor BT753925 CLIENTSSL_CLIENTCERT iRule event may not be triggered on TLSv1.3 connections 14.1.4.4


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
1030665 2-Critical BT1030665 Apmd crashes during shutdown under certain conditions 14.1.4.4


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
995853-3 2-Critical BT995853 Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error. 14.1.4.4, 15.1.4
850509-3 2-Critical BT850509 Zone Trusted Signature inadequately maintained, following change of master key 14.1.4.4, 15.1.2
993489-4 3-Major BT993489 GTM daemon leaks memory when reading GTM link objects 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
864797-1 3-Major BT864797 Cached results for a record are sent following region modification 14.1.4.4, 15.1.4
847105-3 3-Major BT847105 The bigip_gtm.conf is reverted to default after rebooting with license expired 14.1.4.4, 15.1.4.1
816277-2 4-Minor BT816277 Extremely long nameserver name causes GUI Error 14.1.4.4


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
997137-4 2-Critical   CSRF token modification may allow WAF bypass on GET requests 14.1.4.4, 15.1.4.1
996381-4 2-Critical K41503304, BT996381 ASM attack signature may not match as expected 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
970329-4 2-Critical   ASM hardening 14.1.4.4, 15.1.4, 16.1.1
965229-3 2-Critical BT965229 ASM Load hangs after upgrade 14.1.4.4, 15.1.4, 16.1.1
920197-2 2-Critical BT920197 Brute force mitigation can stop mitigating without a notification 14.1.4.4, 15.1.4, 16.0.1.2
964245-3 3-Major BT964245 ASM reports and enforces username always 14.1.4.4, 15.1.4
962589-1 3-Major BT962589 Full Sync Requests Caused By Failed Relayed Call to delete_suggestion 14.1.4.4, 15.1.4, 16.1.1
962497-4 3-Major BT962497 BD crash after ICAP response 14.1.4.4, 15.1.4, 16.0.1.2
955017-4 3-Major BT955017 Excessive CPU consumption by asm_config_event_handler 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2
951133-1 3-Major BT951133 Live Update does not work properly after upgrade 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
946081-3 3-Major BT946081 Getcrc tool help displays directory structure instead of version 14.1.4.4, 15.1.4, 16.0.1.2
932133-3 3-Major BT932133 Payloads with large number of elements in XML take a lot of time to process 14.1.4.4, 15.1.4.1, 16.1.2
928717-1 3-Major BT928717 [ASM - AWS] - ASU fails to sync 14.1.4.4, 15.1.4
920149-2 3-Major BT920149 Live Update default factory file for Server Technologies cannot be reinstalled 14.1.4.4, 15.1.4.1, 16.1.1
914277-4 3-Major BT914277 [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU 14.1.4.4, 15.1.4.1, 16.0.1.2
904133-2 3-Major BT904133 Creating a user-defined signature via iControl REST occasionally fails with a 400 response code 14.1.4.4, 15.1.4.1
867825-2 3-Major BT867825 Export/Import on a parent policy leaves children in an inconsistent state 14.1.4.4, 15.1.4
767057-2 3-Major BT767057 In a sync-only device group, inactive policy is synced to peer, ASM is removed from virtual server 14.1.4.4
753715-1 3-Major BT753715 False positive JSON max array length violation 14.1.4.4, 15.1.4.1
712336-1 3-Major BT712336 bd daemon restart loop 12.1.5.3, 14.1.4.4
1022269-3 3-Major BT1022269 False positive RFC compliant violation 14.1.4.4, 15.1.4, 16.1.2
1000741-4 3-Major   Fixing issue with input normalization 14.1.4.4, 15.1.4, 16.1.1
952509-1 4-Minor BT952509 Cross origin AJAX requests are blocked in case there is no Origin header 14.1.4.4, 15.1.4, 16.0.1.2
944441-3 4-Minor BT944441 BD_XML logs memory usage at TS_DEBUG level 14.1.4.4, 15.1.4, 16.0.1.2
941249-4 4-Minor BT941249 Improvement to getcrc tool to print cookie names when cookie attributes are involved 14.1.4.4, 15.1.4, 16.0.1.2
746167-1 4-Minor BT746167 Memory pressure from nsyncd 14.1.4.4


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
932137-4 3-Major BT932137 AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade 14.1.4.4, 15.1.4.1, 16.1.2
922105-4 3-Major BT922105 Avrd core when connection to BIG-IQ data collection device is not available 14.1.4.4, 15.1.4.1, 16.1.2
909161-4 3-Major BT909161 A core file is generated upon avrd process restart or stop 14.1.4.4, 15.1.4, 16.1.1
1020705-3 4-Minor BT1020705 "tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead of "attack_type_name" 14.1.4.4, 15.1.3.1, 16.1.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
789085-2 2-Critical BT789085 When executing the ACCESS::session iRule command under a serverside event, tmm may crash 14.1.4.4
766921-1 2-Critical BT766921 Localdbmgr process crashes and generates a core 14.1.4.4
1020349-1 2-Critical BT1020349 APM daemon may crash if CRLDP agent cannot find a certificate to validate CRL 14.1.4.4
984765-4 3-Major BT984765 APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) 14.1.4.4, 15.1.4
949477-2 3-Major BT949477 NTLM RPC exception: Failed to verify checksum of the packet 14.1.4.4, 15.1.4.1
946125-1 3-Major BT946125 Tmm restart adds 'Revoked' tokens to 'Active' token count 14.1.4.4, 15.1.4
849029-3 3-Major BT849029 No configurable setting for maximum entries in CRLDP cache 14.1.4.4
844781-1 3-Major BT844781 [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection 14.1.4.4, 15.0.1.3, 15.1.0.2
844281-1 3-Major BT844281 [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files. 14.1.4.4, 15.0.1.3, 15.1.0.2
803825-3 3-Major BT803825 WebSSO does not support large NTLM target info length 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2
744407-3 3-Major BT744407 While the client has been closed, iRule function should not try to check on a closed session 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2
1007629-2 3-Major BT1007629 APM policy configured with many ACL policies can create APM memory pressure 14.1.4.4, 15.1.4.1
1002557-3 3-Major BT1002557 Tcl free object list growth 14.1.4.4, 15.1.4.1
1001041-2 3-Major BT1001041 Reset cause 'Illegal argument' 14.1.4.4, 15.1.4
939877-2 4-Minor BT939877 OAuth refresh token not found 14.1.4.4, 15.1.4, 16.1.2


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
993913-1 2-Critical BT993913 TMM SIGSEGV core in Message Routing Framework 14.1.4.4, 15.1.4, 16.1.1
1012721-2 2-Critical BT1012721 Tmm may crash with SIP-ALG deployment in a particular race condition 14.1.4.4, 15.1.4.1, 16.1.1
996113-4 3-Major BT996113 SIP messages with unbalanced escaped quotes in headers are dropped 14.1.4.4, 15.1.4, 16.1.1
805821-4 3-Major BT805821 GTP log message contains no useful information 14.1.4.4, 15.1.4, 16.1.1
919301-4 4-Minor BT919301 GTP::ie count does not work with -message option 14.1.4.4, 15.1.4, 16.1.1
913413-4 4-Minor BT913413 'GTP::header extension count' iRule command returns 0 14.1.4.4, 15.1.4, 16.1.1
913409-4 4-Minor BT913409 GTP::header extension command may abort connection due to unreasonable TCL error 14.1.4.4, 15.1.4, 16.1.1
913393-4 5-Cosmetic BT913393 Tmsh help page for GTP iRule contains incorrect and missing information 14.1.4.4, 15.1.4, 16.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
990461-2 3-Major BT990461 Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade 14.1.4.4
744204-1 3-Major BT744204 PCCD may exhaust system memory when compiling 14.1.4.4
1012521-4 3-Major BT1012521 BIG-IP UI file permissions 14.1.4.4, 15.1.4, 16.0.1.2
926425 4-Minor BT926425 Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts 14.1.4.4


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
913453-3 2-Critical BT913453 URL Categorization: wr_urldbd cores while processing urlcat-query 14.1.4.4, 15.1.4
760961-3 2-Critical BT760961 TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts 13.1.1.5, 14.1.4.4
958085-2 3-Major BT958085 IM installation fails with error: Spec file not found 14.1.4.4, 15.1.4
785605-2 3-Major BT785605 Traffic Intelligence Feed Lists are not usable if created on Standby unit in Traffic Group 14.1.4.4
974205-2 4-Minor BT974205 Unconstrained wr_urldbd size causing box to OOM 12.1.6, 14.1.4.4, 15.1.4


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
970829-4 2-Critical K03310534, BT970829 iSeries LCD incorrectly displays secure mode 14.1.4.4, 15.1.4, 16.0.1.2
929213-3 3-Major BT929213 iAppLX packages not rolled forward after BIG-IP upgrade 14.1.4.4, 15.1.4.1, 16.1.2


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
946185-4 3-Major BT946185 Unable to view iApp component due to error 'An error has occurred while trying to process your request.' 14.1.4.4, 15.1.4.1, 16.1.2


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
822245-5 4-Minor BT822245 Large number of in-TMM monitors results in some monitors being marked down 14.1.4.4, 15.1.4


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
918317-3 3-Major BT918317 SSL Orchestrator resets subsequent requests when HTTP services are being used. 14.1.4.4, 15.1.4



Cumulative fixes from BIG-IP v14.1.4.3 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
989009-4 CVE-2021-23033 K05314769, BT989009 BD daemon may crash while processing WebSocket traffic 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
980125-4 CVE-2021-23030 K42051445, BT980125 BD Daemon may crash while processing WebSocket traffic 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
946377-3 CVE-2021-23027 K24301698, BT946377 HSM WebUI Hardening 14.1.4.3, 15.1.3.1, 16.0.1.2
968349-1 CVE-2021-23048 K19012930, BT968349 TMM crashes with unspecified message 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
950017-3 CVE-2021-23045 K94941221, BT950017 TMM may crash while processing SCTP traffic 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
797797-3 CVE-2019-11811 K01512680, BT797797 CVE-2019-11811 kernel: use-after-free in drivers 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.1
968733-5 CVE-2018-1120 K42202505, BT968733 CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
939421-4 CVE-2020-10029 K38481791, BT939421 CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow 14.1.4.3, 15.1.4, 16.0.1.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
876937-1 3-Major BT876937 DNS Cache not functioning 14.1.4.3, 15.1.4


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
967905-3 2-Critical BT967905 Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
1004517-3 2-Critical BT1004517 BIG-IP tenants on VELOS cannot install EHFs 14.1.4.3
1000973-2 2-Critical BT1000973 Unanticipated restart of TMM due to heartbeat failure 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
998221-4 3-Major BT998221 Accessing pool members from configuration utility is slow with large config 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.2
996593-3 3-Major BT996593 Password change through REST or GUI not allowed if the password is expired 14.1.4.3, 15.1.4, 16.0.1.2
994801-4 3-Major   SCP file transfer system 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
908601-4 3-Major BT908601 System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option 14.1.4.3, 15.1.4, 16.0.1.2
841277-5 3-Major BT841277 C4800 LCD fails to load after annunciator hot-swap 14.1.4.3, 15.1.4
804477-4 3-Major BT804477 Add HSB register logging when parts of the device become unresponsive 13.1.3.4, 14.1.4.3
819053-2 4-Minor   CVE-2019-13232 unzip: overlapping of files in ZIP container 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
1004417-1 4-Minor BT1004417 Provisioning error message during boot up 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1007505 2-Critical BT1007505 TLS handshake times out if intermediate CA cert status cannot be determined 14.1.4.3
1001509-1 2-Critical K11162395, BT1001509 Client going through to BIG-IP SSL forward proxy might not be able to trust forged certificates 14.1.4.3, 15.1.3
882549-3 3-Major BT882549 Sock driver does not use multiple queues in unsupported environments 14.1.4.3, 15.1.4, 16.0.1.2
962433-3 4-Minor BT962433 HTTP::retry for a HEAD request fails to create new connection 13.1.4.1, 14.1.4.3, 15.1.4


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1017645-3 2-Critical BT1017645 False positive HTTP compliance violation 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
981785-2 3-Major BT981785 Incorrect incident severity in Event Correlation statistics 14.1.4.3, 15.1.4, 16.0.1.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
833113-3 3-Major BT833113 Avrd core when sending large messages via https 13.1.3.4, 14.1.4.3, 15.0.1.3, 15.1.4


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
660913-3 2-Critical BT660913 For ActiveSync client type, browscap info provided is incorrect. 12.1.4.1, 13.1.3.4, 14.1.4.3
924521-1 3-Major BT924521 OneConnect does not work when WEBSSO is enabled/configured. 14.1.4.3, 15.1.4
470346-2 3-Major BT470346 Some IPv6 client connections get RST when connecting to APM virtual 14.1.4.3, 15.1.4


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
991037-1 3-Major BT991037 MR::message can cause tmm crash 14.1.4.3
788625-3 3-Major BT788625 A pool member is not marked up by the inband monitor even after successful connection to the pool member 14.1.4.3, 15.1.4, 16.0.1.2


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
874677 2-Critical BT874677 Traffic Classification auto signature update fails from GUI 14.1.4.3, 15.1.3, 16.0.1.1
976365-1 3-Major BT976365 Traffic Classification hardening 14.1.4.3, 15.1.3.1


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
795329-2 3-Major BT795329 IM installation fails if 'auto-add-new-inspections' enabled on profile 14.1.4.3, 15.0.1.1


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
947925-4 3-Major BT947925 TMM may crash when executing L7 Protocol Lookup per-request policy agent 14.1.4.3, 15.1.4



Cumulative fixes from BIG-IP v14.1.4.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
962341-4 CVE-2021-23028 K00602225, BT962341 BD crash while processing JSON content 13.1.4, 14.1.4.2, 15.1.3.1, 16.0.1.2
935433-4 CVE-2021-23026 K53854428, BT935433 iControl SOAP 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
981693-2 CVE-2022-23024 K54892865, BT981693 TMM may consume excessive resources while processing IPSec ALG traffic 14.1.4.2, 15.1.4.1
965485-2 CVE-2019-5482 K41523201 CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
949889-2 CVE-2019-3900 K04107324, BT949889 CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
942701-3 CVE-2021-23044 K35408374, BT942701 TMM may consume excessive resources while processing HTTP traffic 13.1.4.1, 14.1.4.2, 15.1.3.1
937365-4 CVE-2021-23041 K42526507, BT937365 LTM UI does not follow best practices 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
907245-3 CVE-2021-23040 K94255403, BT907245 AFM UI Hardening 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
906377-4 CVE-2021-23038 K61643620, BT906377 iRulesLX hardening 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2
803933-2 CVE-2018-20843 K51011533, BT803933 Expat XML parser vulnerability CVE-2018-20843 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
1003557-4 CVE-2021-23015 K74151369, BT1003557 Not following best practices in Guided Configuration Bundle Install worker 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1004833-1 1-Blocking BT1004833 NIST SP800-90B compliance 14.1.4.2, 15.1.4
976505-1 3-Major BT976505 Rotated restnoded logs will fail logintegrity verification. 14.1.4.2, 15.1.4, 16.0.1.2
975809-2 3-Major BT975809 Rotated restjavad logs fail logintegrity verification. 14.1.4.2, 15.1.4, 16.0.1.2
959629-3 3-Major BT959629 Logintegrity script for restjavad/restnoded fails 14.1.4.2, 15.1.4, 16.0.1.2
958353-3 3-Major BT958353 Restarting the mcpd messaging service renders the PAYG VE license invalid. 14.1.4.2, 15.1.4, 16.0.1.2
946089-1 3-Major BT946089 BIG-IP might send excessive multicast/broadcast traffic. 14.1.4.2, 15.1.4, 16.0.1.2
932497-1 3-Major BT932497 Autoscale groups require multiple syncs of datasync-global-dg 14.1.4.2, 15.1.4, 16.0.1.2
913849 3-Major BT913849 Syslog-ng periodically logs nothing for 20 seconds 14.1.4.2, 15.1.4, 16.0.1.2
764873-2 3-Major BT764873 An accelerated flow may transmit packets to an unavailable pool member. 13.1.3.2, 14.1.4.2, 15.0.1.3
1009133 3-Major BT1009133 BIG-IP vCMP guests that have HA Groups configured to include trunk scoring may fail to upgrade properly 14.1.4.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
945997-3 2-Critical BT945997 LTM policy applied to HTTP/2 traffic may crash TMM 14.1.4.2, 15.1.4, 16.0.1.2
980821-1 3-Major BT980821 Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured. 14.1.4.2, 15.1.3.1, 16.0.1.2
895557-1 4-Minor BT895557 NTLM profile logs error when used with profiles that do redirect 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2
773253-3 4-Minor BT773253 The BIG-IP may send VLAN failsafe probes from a disabled blade 13.1.4, 14.1.4.2, 15.1.2.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
918597-4 2-Critical BT918597 Under certain conditions, deleting a topology record can result in a crash. 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
717306-1 2-Critical BT717306 Added ability to use Vip-targeting-Vip with DNS Cache server-side connections 14.1.4.2
973261-4 3-Major BT973261 GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
912001-4 3-Major BT912001 TMM cores on secondary blades of the Chassis system. 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
835209-1 3-Major BT835209 External monitors mark objects down 14.1.4.2, 15.1.3
746719-1 3-Major BT746719 SERVFAIL when attempting to view or edit NS resource records in zonerunner 14.1.4.2
857953-3 4-Minor BT857953 Non-functional disable/enable buttons present in GTM wide IP members page 14.1.4.2, 15.1.4, 16.0.1.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
968421-4 2-Critical K30291321, BT968421 ASM attack signature does not match 11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2
943913-4 2-Critical K30150004, BT943913 ASM attack signature does not match 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2
854001-4 2-Critical BT854001 TMM might crash in case of trusted bot signature and API protected url 14.1.4.2, 15.1.4, 16.0.1.2
810497-2 2-Critical BT810497 Pabnagd cores during device group settings changes 14.1.4.2
950917-2 3-Major BT950917 Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 13.1.4.1, 14.1.4.2, 15.1.4
928685-3 3-Major K49549213, BT928685 ASM Brute Force mitigation not triggered as expected 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
922261-4 3-Major BT922261 WebSocket server messages are logged even if it is not configured 14.1.4.2, 15.1.4, 16.0.1.2
912089-3 3-Major BT912089 Some roles are missing necessary permission to perform Live Update 14.1.4.2, 15.1.4, 16.0.1.2
907337-4 3-Major BT907337 BD crash on specific scenario 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
888289-3 3-Major BT888289 Add option to skip percent characters during normalization 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1
883853-1 3-Major BT883853 Bot Defense Profile with staged signatures prevents signature update 14.1.4.2, 15.1.4
881757-2 3-Major BT881757 Unnecessary HTML response parsing and response payload is not compressed 14.1.4.2, 15.1.1, 16.0.1.2
846181-1 3-Major BT846181 Request samples for some of the learning suggestions are not visible 14.1.4.2, 15.1.4
830341-1 3-Major BT830341 False positives Mismatched message key on ASM TS cookie 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2.1
792341-2 3-Major BT792341 Google Analytics shows incorrect stats. 13.1.4.1, 14.1.4.2
673272-4 3-Major BT673272 Search by "Signature ID is" does not return results for some signature IDs 13.1.4, 14.1.4.2, 15.1.4, 16.0.1.2
941929-1 4-Minor BT941929 Google Analytics shows incorrect stats, when Google link is redirected. 14.1.4.2, 15.1.4, 16.0.1.2
911729-1 4-Minor BT911729 Redundant learning suggestion to set a Maximum Length when parameter is already at that value 14.1.4.2, 15.1.4, 16.0.1.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
981385-4 3-Major BT981385 AVRD does not send HTTP events to BIG-IQ DCD 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2
932485-2 3-Major BT932485 Incorrect sum(hits_count) value in aggregate tables 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
913085-4 3-Major BT913085 Avrd core when avrd process is stopped or restarted 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
995029 2-Critical BT995029 Configuration is not updated during auto-discovery 14.1.4.2, 15.1.4
783233-2 2-Critical BT783233 OAuth puts quotation marks around claim values that are not string type 14.1.4.2
894885 3-Major BT894885 [SAML] SSO crash while processing client SSL request 14.1.4.2, 15.1.4
866109-1 3-Major BT866109 JWK keys frequency does not support fewer than 60 minutes 13.1.4.1, 14.1.4.2, 15.1.4
757781-3 3-Major BT757781 Portal Access: cookie exchange may be broken sometimes 13.1.1.5, 14.0.0.5, 14.1.4.2, 15.0.1.1
738865-3 3-Major BT738865 MCPD might enter into loop during APM config validation 14.1.4.2, 15.1.4
828773-1 4-Minor BT828773 Incomplete response to an internal request by Portal Access 14.1.4.2
766017-1 4-Minor BT766017 [APM][LocalDB] Local user database instance name length check inconsistencies 12.1.5.3, 13.1.3.5, 14.1.4.2, 15.1.2, 16.0.1.1
747234-5 4-Minor BT747234 Macro policy does not find corresponding access-profile directly 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
974881-1 2-Critical BT974881 Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic 14.1.4.2, 15.1.4, 16.0.1.2
868781-2 2-Critical BT868781 TMM crashes while processing MRF traffic 13.1.4.1, 14.1.4.2, 15.1.1
989753-3 3-Major BT989753 In HA setup, standby fails to establish connection to server 14.1.4.2, 15.1.4, 16.0.1.2


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
992213-1 3-Major BT992213 Protocol Any displayed as HOPTOPT in AFM policy view 14.1.4.2, 15.1.4, 16.1.1
988005-3 3-Major BT988005 Zero active rules counters in GUI 14.1.4.2, 15.1.4, 16.0.1.2
783217-1 3-Major BT783217 Negative numbers of received packets in DoS-sampled log messages for bad actor and attacked destination attacks 14.1.4.2
751116-1 3-Major BT751116 DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring 13.1.3.4, 14.1.4.2
716746-1 3-Major BT716746 Possible tmm restart when disabling single endpoint vector while attack is ongoing 13.1.0.7, 14.1.4.2, 15.1.3, 16.0.1.2
685904-2 3-Major BT685904 Firewall Rule hit counts are not auto-updated after a Reset is done 14.1.4.2, 15.1.4
977005-2 4-Minor BT977005 Network Firewall Policy rules-list showing incorrect 'Any' for source column 14.1.4.2, 15.1.4


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
981689-1 2-Critical BT981689 TMM memory leak with IPsec ALG 14.1.4.2, 15.1.4.1
994985-1 3-Major BT994985 CGNAT GUI shows blank page when applying SIP profile 14.1.4.2, 15.1.4


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
893721-1 2-Critical BT893721 PEM-provisioned systems may suffer random tmm crashes after upgrading 14.1.4.2, 15.1.4
948573-2 3-Major BT948573 Wr_urldbd list of valid TLDs needs to be updated 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
846601-3 3-Major BT846601 Traffic classification does not update when an inactive slot becomes active after upgrade 14.1.4.2, 15.1.4, 16.0.1.2


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
912425-1 3-Major BT912425 Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash 14.1.4.2, 15.1.4, 16.0.1.2



Cumulative fixes from BIG-IP v14.1.4.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
980809-3 CVE-2021-23031 K41351250, BT980809 ASM REST Signature Rule Keywords Tool Hardening 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
990333-4 CVE-2021-23016 K75540265, BT990333 APM may return unexpected content when processing HTTP requests 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
945109-4 CVE-2015-9382 K46641512, BT945109 Freetype Parser Skip Token Vulnerability CVE-2015-9382 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
1002561-1 CVE-2021-23007 K37451543, BT1002561 TMM vulnerability CVE-2021-23007 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
933777-2 3-Major BT933777 Context use and syntax changes clarification 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
704552-2 3-Major BT704552 Support for ONAP site licensing 13.1.0.7, 14.0.0.2, 14.1.4.1
918097-1 4-Minor BT918097 Cookies set in the URI on Safari 14.1.4.1, 15.1.3, 16.0.1.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
995629-2 2-Critical BT995629 Loading UCS files may hang if ASM is provisioned 13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2
876957-2 2-Critical BT876957 Reboot after tmsh load sys config changes sys FPGA firmware-config value 14.1.4.1, 15.1.1
978393 3-Major BT978393 GUI screen shows blank screen while importing a certificate 14.1.4.1
969213-2 3-Major BT969213 VMware: management IP cannot be customized via net.mgmt.addr property 14.1.4.1, 15.1.3, 16.0.1.2
922297-3 3-Major BT922297 TMM does not start when using more than 11 interfaces with more than 11 vCPUs 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
914245-1 3-Major BT914245 Reboot after tmsh load sys config changes sys FPGA firmware-config value 14.1.4.1, 15.1.3, 16.0.1.2
841649-2 3-Major BT841649 Hardware accelerated connection mismatch resulting in tmm core 14.1.4.1, 15.1.2
839121-1 3-Major K74221031, BT839121 A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade 14.1.4.1, 15.1.3, 16.0.1.2
829821-3 3-Major BT829821 Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
692218-3 3-Major BT692218 Audit log messages sent from the primary blade to the secondaries should not be logged. 14.1.4.1, 15.1.3, 16.0.1.2
675911-13 3-Major K13272442, BT675911 Different sections of the GUI can report incorrect CPU utilization 14.1.4.1, 15.1.3, 16.0.1.2
601220-3 3-Major BT601220 Multi-blade trunks seem to leak packets ingressed via one blade to a different blade 14.1.4.1
569859-5 3-Major BT569859 Password policy enforcement for root user when mcpd is not available 14.1.4.1, 15.1.3
879189-3 4-Minor BT879189 Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section 14.1.4.1, 15.1.3, 16.0.1.2
658943-2 4-Minor BT658943 Errors when platform-migrate loading UCS using trunks on vCMP guest 14.1.4.1
440599-1 4-Minor BT440599 Added DB Variable to configure 'difok' variable in password policy 14.1.4.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
908621-3 2-Critical BT908621 Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core 14.1.4.1, 15.1.2
738964-2 2-Critical   Instruction logger debugging enhancement 14.1.4.1, 15.1.3
888517-3 3-Major BT888517 Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU. 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
878925-3 3-Major BT878925 SSL connection mirroring failover at end of TLS handshake 14.1.4.1, 15.1.2
760406-3 3-Major BT760406 HA connection might stall on Active device when the SSL session cache becomes out-of-sync. 14.1.4.1
756812-2 3-Major BT756812 Nitrox 3 instruction/request logger may fail due to SELinux permission error 14.1.4.1, 15.1.3
756817-1 4-Minor BT756817 ZebOS address blocks do not reflect RFC5735 changes to reserved address blocks. 14.1.4.1, 15.0.1.4


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
971297-3 3-Major BT971297 DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade 14.1.4.1, 15.1.3, 16.0.1.2
885201-3 4-Minor BT885201 BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"' messages appearing in gtm log 14.1.4.1, 15.1.3


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
956373-3 3-Major BT956373 ASM sync files not cleaned up immediately after processing 14.1.4.1, 15.1.3, 16.0.1.2
947341-3 3-Major BT947341 MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. 14.1.4.1, 15.1.3, 16.0.1.2, 16.1.2
929001-4 3-Major K48321015, BT929001 ASM form handling improvements 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
767077-1 3-Major BT767077 Loading truncated Live Update file (ASU) completes incorrectly or fails with odd error 14.1.4.1
824093-3 4-Minor BT824093 Parameters payload parser issue 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
869049-2 3-Major BT869049 Charts discrepancy in AVR reports 14.1.4.1, 15.1.3, 16.0.1.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
883577-2 3-Major BT883577 ACCESS::session irule command does not work in HTTP_RESPONSE event 14.1.4.1, 15.1.3


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
750679-1 2-Critical BT750679 Tmm crash on standby device and Diameter stats issues 14.1.4.1
982869-3 3-Major BT982869 With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0 14.1.4.1, 15.1.3, 16.0.1.2
977053-3 3-Major BT977053 TMM crash on standby due to invalid MR router instance 14.1.4.1, 15.1.3, 16.0.1.2
966701-3 3-Major BT966701 Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP 14.1.4.1, 15.1.3, 16.0.1.2


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
851745-1 2-Critical BT851745 High CPU consumption when enabling a large number of virtual servers 14.1.4.1, 15.1.2


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
914293-1 3-Major BT914293 TMM SIGSEGV and crash 14.1.4.1, 15.1.3, 16.0.1.2


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
964577-1 4-Minor BT964577 IPS automatic IM download not working as expected 14.1.4.1, 15.1.3, 16.0.1.2



Cumulative fixes from BIG-IP v14.1.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
975233-3 CVE-2021-22992 K52510511, BT975233 Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
973333-3 CVE-2021-22991 K56715231, BT973333 TMM buffer-overflow vulnerability CVE-2021-22991 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
955145-3 CVE-2021-22986 K03009991, BT955145 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
954381-3 CVE-2021-22986 K03009991, BT954381 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
953677-3 CVE-2021-22987, CVE-2021-22988 K18132488 K70031188, BT953677 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
951705-3 CVE-2021-22986 K03009991, BT951705 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 14.1.4, 15.1.2.1, 16.0.1.1
981169-3 CVE-2021-22994 K66851119, BT981169 F5 TMUI XSS vulnerability CVE-2021-22994 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
959121-2 CVE-2021-23015 K74151369, BT959121 Not following best practices in Guided Configuration Bundle Install worker 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
953729-3 CVE-2021-22989, CVE-2021-22990 K56142644 K45056101, BT953729 Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
949933-2 CVE-2021-22980 K29282483, BT949933 BIG-IP APM CTU vulnerability CVE-2021-22980 13.1.3.6, 14.1.4, 15.1.4, 16.0.1.1
931837-5 CVE-2020-13817 K55376430, BT931837 NTP has predictable timestamps 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
882633-4 CVE-2021-23008 K51213246, BT882633 Active Directory authentication does not follow current best practices 12.1.6, 13.1.4, 14.1.4, 15.1.3
976925-3 CVE-2021-23002 K71891773, BT976925 BIG-IP APM VPN vulnerability CVE-2021-23002 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
954429-3 CVE-2021-23014 K23203045, BT954429 User authorization changes for live update 14.1.4, 15.1.3, 16.0.1.1
948769-4 CVE-2021-23013 K05300051, BT948769 TMM panic with SCTP traffic 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
946581-3 CVE-2020-27713 K37960100, BT946581 TMM vulnerability CVE-2020-27713 13.1.3.5, 14.1.4
938233-3 CVE-2021-23042 K93231374 An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
937637-4 CVE-2021-23002 K71891773, BT937637 BIG-IP APM VPN vulnerability CVE-2021-23002 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
935401-4 CVE-2021-23001 K06440657, BT935401 BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
932697-2 CVE-2021-23000 K34441555, BT932697 BIG-IP TMM vulnerability CVE-2021-23000 12.1.5.3, 13.1.4, 14.1.4
903889 CVE-2021-22999 K02333782, BT903889 BIG-IP HTTP/2 vulnerability CVE-2021-22999 14.1.4
877109-3 CVE-2021-23012 K04234247 Unspecified input can break intended functionality in iHealth proxy 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
743105-4 CVE-2021-22998 K31934524, BT743105 BIG-IP SNAT vulnerability CVE-2021-22998 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
718189-7 CVE-2021-23011 K10751325, BT718189 Unspecified IP traffic can cause low-memory conditions 11.6.5.3, 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
912289-3 2-Critical BT912289 Cannot roll back after upgrading on certain platforms 12.1.6, 13.1.4, 14.1.4, 15.1.1
945265-3 3-Major BT945265 BGP may advertise default route with incorrect parameters 14.1.4, 15.1.3, 16.0.1.1
913829-3 3-Major BT913829 i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
867793-3 3-Major BT867793 BIG-IP sending the wrong trap code for BGP peer state 14.1.4, 15.1.2.1
794417-1 3-Major BT794417 Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
742860-3 3-Major BT742860 VE: Predictable NIC ordering based on PCI coordinates until ordering is saved. 13.1.3.6, 14.1.4
719338-2 4-Minor BT719338 Concurrent management SSH connections are unlimited 13.1.4, 14.1.4, 15.1.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
990849-3 2-Critical BT990849 Loading UCS with platform-migrate option hangs and requires exiting from the command 13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2
940021-2 2-Critical BT940021 Syslog-ng hang may lead to unexpected reboot 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
932437-4 2-Critical BT932437 Loading SCF file does not restore files from tar file 14.1.4, 15.1.2.1, 16.0.1.1
915305-3 2-Critical BT915305 Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1
908517-1 2-Critical BT908517 LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)' 14.1.4, 15.1.3, 16.0.1.1
888341-5 2-Critical BT888341 HA Group failover may fail to complete Active/Standby state transition 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
886693-2 2-Critical BT886693 System might become unresponsive after upgrading. 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
817085-4 2-Critical BT817085 Multicast Flood Can Cause the Host TMM to Restart 12.1.5.3, 14.1.4
811973-2 2-Critical BT811973 TMM may crash when shutting down 14.1.4
797221-1 2-Critical BT797221 BCM daemon can be killed by watchdog timeout during blade-to-blade failover 14.1.4
785017-1 2-Critical BT785017 Secondary blades go offline after new primary is elected 13.1.4, 14.1.4, 15.1.3
776393-2 2-Critical BT776393 Restjavad restarts frequently due to insufficient memory with relatively large configurations 14.1.4, 15.1.3, 16.0.1.1
751991-1 2-Critical BT751991 BIOS update fails with "flashrom not safe for BIOS updates yet" log message 14.1.4
739507-1 2-Critical BT739507 Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check 13.1.1.2, 14.1.4, 15.1.0.5
739505-2 2-Critical BT739505 Automatic ISO digital signature checking not required when FIPS license active 13.1.1.2, 14.1.4, 15.1.2.1, 16.0.1.1
973201 3-Major BT973201 F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions 14.1.4, 15.1.4
967745-2 3-Major BT967745 Last resort pool error for the modify command for Wide IP 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1
963017-3 3-Major BT963017 The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed 14.1.4, 15.1.3
946745-3 3-Major BT946745 'System Integrity: Invalid' after Engineering Hotfix installation 14.1.4, 15.1.3
943793 3-Major BT943793 Neurond continuously restarting. 14.1.4
939541-3 3-Major BT939541 TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE 14.1.4, 15.1.3, 16.0.1.1
930905-1 3-Major BT930905 Management route lost after reboot. 14.1.4, 15.1.2.1, 16.0.1.1
927941-3 3-Major BT927941 IPv6 static route BFD does not come up after OAMD restart 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
914081-3 3-Major BT914081 Engineering Hotfixes missing bug titles 14.1.4, 15.1.3
913433-1 3-Major BT913433 On blade failure, some trunked egress traffic is dropped. 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
909197-5 3-Major BT909197 The mcpd process may become unresponsive 14.1.4, 15.1.4.1, 16.0.1.1
904785-3 3-Major BT904785 Remotely authenticated users may experience difficulty logging in over the serial console 14.1.4, 15.1.2.1, 16.0.1.1
896817-4 3-Major BT896817 iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb 14.1.4, 15.1.2.1, 16.0.1.1
896553-2 3-Major BT896553 On blade failure, some trunked egress traffic is dropped. 13.1.3.6, 14.1.4, 15.1.3
895837-1 3-Major BT895837 Mcpd crash when a traffic-matching-criteria destination-port-list is modified 14.1.4, 15.1.2.1, 16.0.1.1
893949 3-Major BT893949 Support TCP directional offload for hardware-accelerated connections 14.1.4
893885 3-Major BT893885 The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation 14.1.4, 15.1.3
891337-3 3-Major BT891337 'save_master_key(master): Not ready to save yet' errors in the logs 14.1.4, 15.1.3
889029-4 3-Major BT889029 Unable to login if LDAP user does not have search permissions 14.1.4, 15.1.3, 16.0.1.2
879829-3 3-Major BT879829 HA daemon sod cannot bind to ports numbered lower than 1024 14.1.4, 15.1.3, 16.0.1.2
876805-1 3-Major BT876805 Modifying address-list resets the route advertisement on virtual servers. 14.1.4, 15.1.3, 16.0.1.1
862937-2 3-Major BT862937 Running cpcfg after first boot can result in daemons stuck in restart loop 14.1.4, 15.1.3, 16.0.1.2
838901-2 3-Major BT838901 TMM receives invalid rx descriptor from HSB hardware 13.1.4, 14.1.4, 15.1.2
830413-4 3-Major BT830413 Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure 14.1.4, 15.1.2.1, 16.0.1.1
820845-2 3-Major BT820845 Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use. 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
814053-2 3-Major BT814053 Under heavy load, bcm56xxd can be killed by the watchdog 14.1.4
803237-4 3-Major BT803237 PVA does not validate interface MTU when setting MSS 14.1.4, 15.1.3
799001-3 3-Major BT799001 Sflow agent does not handle disconnect from SNMPD manager correctly 14.1.4, 15.1.3
787885-1 3-Major BT787885 The device status is falsely showing as forced offline on the network map while actual device status is not. 14.1.4, 15.1.3, 16.0.1.1
759596-2 3-Major BT759596 Tcl errors in iRules 'table' command 12.1.5.3, 13.1.3.6, 14.1.4
754132-2 3-Major BT754132 A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command 13.1.3.6, 14.1.4
751448-1 3-Major BT751448 TMM, ZebOS, and Linux routing table may lose dynamic routes on a tmm restart 14.1.4
751021-1 3-Major BT751021 One or more TMM instances may be left without dynamic routes. 13.1.3.5, 14.1.4
750194-4 3-Major   Moderate: net-snmp security update 13.1.3.5, 14.1.4
749007-2 3-Major BT749007 South Sudan, Sint Maarten, and Curacao country missing in GTM region list 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
744252-2 3-Major BT744252 BGP route map community value: either component cannot be set to 65535 13.1.3.6, 14.1.4
719555-5 3-Major BT719555 Interface listed as 'disable' after SFP insertion and enable 14.1.4, 15.1.1
661640-1 3-Major BT661640 Improve fast failover of PIM-based multicast traffic when BIG-IP is deployed as an Active/Standby high availability (HA) pair. 14.1.4
615934-4 3-Major BT615934 Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. 13.1.3.5, 14.1.4, 15.1.3
966277-3 4-Minor BT966277 BFD down on multi-blade system 14.1.4, 15.1.3, 16.0.1.1
959889-1 4-Minor BT959889 Cannot update firewall rule with ip-protocol property as 'any' 14.1.4, 15.1.3
947865-3 4-Minor BT947865 Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read 14.1.4, 15.1.3
774617-1 4-Minor BT774617 SNMP daemon reports integer truncation error for values greater than 32 bits 14.1.4, 15.1.0.4


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
926929-2 1-Blocking BT926929 RFC Compliance Enforcement lacks configuration availability 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.2
910653-3 2-Critical BT910653 iRule parking in clientside/serverside command may cause tmm restart 14.1.4, 15.1.3, 16.0.1.1
889209-1 2-Critical BT889209 Sflow receiver configuration may lead to egress traffic dropped after TMM starts. 14.1.4, 15.1.1
882157-2 2-Critical BT882157 One thread of pkcs11d consumes 100% without any traffic. 14.1.4, 15.1.3
876801-3 2-Critical BT876801 Tmm crash: invalid route type 13.1.4, 14.1.4, 15.1.2
812525-3 2-Critical K27551003, BT812525 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
968641-1 3-Major BT968641 Fix for zero LACP priority 14.1.4, 15.1.3, 16.0.1.2
965537 3-Major BT965537 SSL filter does not re-initialize when OCSP validator is modified 14.1.4
953845-4 3-Major BT953845 After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
944641-3 3-Major BT944641 HTTP2 send RST_STREAM when exceeding max streams 14.1.4, 15.1.4, 16.0.1.1
940209-1 3-Major BT940209 Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout. 14.1.4, 15.1.2
932033-1 3-Major BT932033 Chunked response may have DATA frame with END_STREAM prematurely 14.1.4, 15.1.2
928857-3 3-Major BT928857 Use of OCSP responder may leak X509 store instances 14.1.4, 15.1.3
928805-3 3-Major BT928805 Use of OCSP responder may cause memory leakage 14.1.4, 15.1.3
928789-3 3-Major BT928789 Use of OCSP responder may leak SSL handshake instances 14.1.4, 15.1.3
921881-4 3-Major BT921881 Use of IPFIX log destination can result in increased CPU utilization 14.1.4, 15.1.3, 16.0.1.2
892941-4 3-Major K20105555, BT892941 F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat) 14.1.4, 15.1.2, 16.0.1.1
889601-1 3-Major K14903688, BT889601 OCSP revocation not properly checked 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
889165-1 3-Major BT889165 "http_process_state_cx_wait" errors in log and connection reset 14.1.4, 15.1.3
868209-1 3-Major BT868209 Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection 14.1.4, 15.1.2.1
858701-3 3-Major BT858701 Running config and saved config have different route-advertisement values after upgrading from 11.x/12.x 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
858301-3 3-Major K27551003, BT858301 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858297-3 3-Major K27551003, BT858297 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858289-3 3-Major K27551003, BT858289 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858285-3 3-Major K27551003, BT858285 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
845333-3 3-Major BT845333 An iRule with a proc referencing a datagroup cannot be assigned to Transport Config 14.1.4, 15.1.3, 16.0.1.1
825689-3 3-Major   Enhance FIPS crypto-user storage 12.1.6, 13.1.4, 14.1.4, 15.1.1
818109-3 3-Major BT818109 Certain plaintext traffic may cause SSL Orchestrator to hang 14.1.4, 15.1.2.1
795501-3 3-Major BT795501 Possible SSL crash during config sync 14.1.4
790845-2 3-Major BT790845 An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default 13.1.3.5, 14.1.4, 15.1.2
785877-2 3-Major BT785877 VLAN groups do not bridge non-link-local multicast traffic. 14.1.4, 15.1.3, 16.0.1.2
767341-3 3-Major BT767341 If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file. 14.1.4, 15.1.3, 16.0.1.2
758099-1 3-Major BT758099 TMM may crash in busy environment when handling HTTP responses 14.1.4
757442-2 3-Major BT757442 A missed SYN cookie check causes crash at the standby TMM in HA mirroring system 13.1.3, 14.1.4
753383-4 3-Major BT753383 Deadlock While Attaching NDAL Devices 14.1.4
719304-1 3-Major BT719304 Inconsistent node ICMP monitor operation for IPv6 nodes 13.1.3, 14.1.4
714642-4 3-Major BT714642 Ephemeral pool-member state on the standby is down 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1
962177-3 4-Minor BT962177 Results of POLICY::names and POLICY::rules commands may be incorrect 13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2
804157-1 4-Minor BT804157 ICMP replies are forwarded with incorrect checksums causing them to be dropped 14.1.4, 15.1.3, 16.0.1.2
772297-2 4-Minor BT772297 LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade 14.1.4
748333-4 4-Minor BT748333 DHCP Relay does not retain client source IP address for chained relay mode 14.1.4, 15.1.3, 16.0.1.1
743253-3 4-Minor BT743253 TSO in software re-segments L3 fragments. 14.1.4, 15.1.3, 16.0.1.2
738032-1 4-Minor BT738032 BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed. 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
960749-3 1-Blocking BT960749 TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
933405-3 1-Blocking K34257075, BT933405 Zonerunner GUI hangs when attempting to list Resource Records 14.1.4, 15.1.4.1, 16.0.1.1
960437-3 2-Critical BT960437 The BIG-IP system may initially fail to resolve some DNS queries 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
905557-6 2-Critical BT905557 Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure 14.1.4, 15.1.2
921625-4 3-Major BT921625 The certs extend function does not work for GTM/DNS sync group 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
891093-3 3-Major BT891093 iqsyncer does not handle stale pidfile 14.1.4, 15.1.2.1, 16.0.1.1
858973-3 3-Major BT858973 DNS request matches less specific WideIP when adding new wildcard wideips 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
885869-4 4-Minor BT885869 Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime 14.1.4
853585-2 4-Minor BT853585 REST Wide IP object presents an inconsistent lastResortPool value 12.1.6, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
846057-2 2-Critical BT846057 UCS backup archive may include unnecessary files 13.1.4, 14.1.4, 15.1.3
960369-3 3-Major BT960369 Negative value suggested in Traffic Learning as max value 14.1.4, 15.1.3, 16.0.1.2
941621-3 3-Major K91414704, BT941621 Brute Force breaks server's Post-Redirect-Get flow 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
929077-1 3-Major BT929077 Bot Defense allow list does not apply when using default Route Domain and XFF header 14.1.4, 15.1.3, 16.0.1.1
921677-4 3-Major BT921677 Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI. 14.1.4, 15.1.3, 16.0.1.1
904053-4 3-Major BT904053 Unable to set ASM Main Cookie/Domain Cookie hashing to Never 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1
867373-2 3-Major BT867373 Methods Missing From ASM Policy 14.1.4, 15.1.3
864677-3 3-Major BT864677 ASM causes high mcpd CPU usage 14.1.4, 15.1.3
964897-4 4-Minor BT964897 Live Update - Indication of "Update Available" when there is no available update 14.1.4, 15.1.3, 16.0.1.2
935293-3 4-Minor BT935293 'Detected Violation' Field for event logs not showing 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
922785-4 4-Minor BT922785 Live Update scheduled installation is not installing on set schedule 14.1.4, 15.1.3, 16.0.1.2
767941-1 4-Minor BT767941 Gracefully handle policy builder errors 13.1.3.6, 14.1.4
758336-3 4-Minor BT758336 Incorrect recommendation in Online Help of Proactive Bot Defense 12.1.5, 13.1.1.5, 14.1.4, 15.1.2.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
965581 2-Critical BT965581 Statistics are not reported to BIG-IQ 14.1.4, 15.1.4
949593-2 3-Major BT949593 Unable to load config if AVR widgets were created under '[All]' partition 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
743826-1 3-Major BT743826 Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0) 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
648242-4 3-Major K73521040, BT648242 Administrator users unable to access all partition via TMSH for AVR reports 12.1.3.2, 13.1.0.8, 14.0.0.5, 14.1.4, 15.1.2.1, 16.0.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
894565-2 2-Critical BT894565 Autodosd.default crash with SIGFPE 14.1.4, 15.1.3
976501-3 3-Major BT976501 Failed to establish VPN connection 13.1.3.6, 14.1.4, 15.1.3
952557-1 3-Major BT952557 Azure B2C Provider OAuth URLs are updated for B2Clogin.com 14.1.4, 15.1.3
925573-3 3-Major BT925573 SIGSEGV: receiving a sessiondb callback response after the flow is aborted 14.1.4, 15.1.3
916969-2 3-Major BT916969 Support of Microsoft Identity 2.0 platform 14.1.4, 15.1.3
892937-4 3-Major K20105555, BT892937 F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat) 14.1.4, 15.1.1, 16.0.1
850277-3 3-Major BT850277 Memory leak when using OAuth 13.1.3.4, 14.1.4, 15.0.1.3, 15.1.0.2
774301-4 3-Major BT774301 Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList 12.1.5, 14.1.4, 15.0.1.3
709126-1 3-Major BT709126 Localdb authentication may fail 14.1.4
833049-2 4-Minor BT833049 Category lookup tool in GUI may not match actual traffic categorization 13.1.3.5, 14.1.4, 15.1.2


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
952545-3 3-Major BT952545 'Current Sessions' statistics of HTTP2 pool may be incorrect 14.1.4, 15.1.3, 16.0.1.1
939529-3 3-Major BT939529 Branch parameter not parsed properly when topmost via header received with comma separated values 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
913373-3 3-Major BT913373 No connection error after failover with MRF, and no connection mirroring 14.1.4, 15.1.3, 16.0.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
969509-3 3-Major BT969509 Possible memory corruption due to DOS vector reset 14.1.4, 15.1.3, 16.0.1.2
965617-1 3-Major BT965617 HSB mitigation is not applied on BDoS signature with stress-based mitigation mode 14.1.4, 15.1.3, 16.0.1.1
963237-1 3-Major BT963237 Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector. 14.1.4, 15.1.3, 16.0.1.1
910417-3 3-Major BT910417 TMM core may be seen when reattaching a vector to a DoS profile 14.1.4, 15.1.2, 16.0.1.2
903561-2 3-Major BT903561 Autodosd returns small bad destination detection value when the actual traffic is high 14.1.4, 15.1.3
887017-2 3-Major BT887017 The dwbld daemon consumes a large amount of memory 14.1.4, 15.1.3
840809-1 3-Major BT840809 If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged 14.1.4, 15.1.2
837233-1 3-Major BT837233 Application Security Administrator user role cannot use GUI to manage DoS profile 14.1.4, 15.1.3
819321-1 3-Major BT819321 DoS stats table shows drops count on tcp-half-open global vector for packets dropped by ltm syn cookie 14.1.4
789857-1 3-Major BT789857 'TCP half open' reports drops made by LTM syn-cookies mitigation. 14.1.4, 15.1.1
773773-2 3-Major BT773773 DoS auto-threshold detection values are not reloaded correctly after a reboot. 14.1.4
760497-1 3-Major BT760497 Invalid configuration parameters are visible when DoS Vector is in "Auto Detection/Multiplier Based Mitigation" 14.1.4
759004-2 3-Major BT759004 Autodosd history files not loaded correctly after software upgrade 14.1.4
753141-2 3-Major BT753141 Hardware returning incorrect type of entry when notifying software might cause tmm crash 14.1.4
686043-1 3-Major BT686043 dos.maxicmpframesize and dos.maxicmp6framesize sys db variables do not work for fragmented ICMP packets 14.1.4
967889-2 4-Minor BT967889 Incorrect information for custom signature in DoS Protection:DoS Overview (non-http) 14.1.4, 15.1.3
748561-1 4-Minor BT748561 Network Firewall : Active Rules page does not list active rule entries for firewall policies associated with any context 14.1.4, 15.1.3


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
845313 2-Critical BT845313 Tmm crash under heavy load 14.1.4, 15.1.2.1
941169-1 3-Major BT941169 Subscriber Management is not working properly with IPv6 prefix flows. 14.1.4, 15.1.2.1
875401-3 3-Major BT875401 PEM subscriber lookup can fail for internet side new connections 14.1.4, 15.1.2.1
842989-7 3-Major BT842989 PEM: tmm could core when running iRules on overloaded systems 14.1.4, 15.1.2


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
928553-1 2-Critical BT928553 LSN64 with hairpinning can lead to a tmm core in rare circumstances 14.1.4, 15.1.3, 16.0.1.1
966681-2 3-Major BT966681 NAT translation failures while using SP-DAG in a multi-blade chassis 14.1.4, 15.1.3, 16.0.1.1


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
943889-1 2-Critical BT943889 Reopening the publisher after a failed publishing attempt 13.1.3.5, 14.1.4


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
932737-1 2-Critical BT932737 DNS & BADOS high-speed logger messages are mixed 14.1.4, 15.1.3, 16.0.1.2
922597-1 3-Major BT922597 BADOS default sensitivity of 50 creates false positive attack on some sites 14.1.4, 15.1.3
915489-1 4-Minor BT915489 LTM Virtual Server Health is not affected by iRule Requests dropped 14.1.4, 15.1.2.1, 16.0.1.1


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
768085-3 4-Minor BT768085 Error in python script /usr/libexec/iAppsLX_save_pre line 79 14.1.4, 15.1.3, 16.0.1.1


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
964585-4 3-Major BT964585 "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update 14.1.4, 15.1.3, 16.0.1.2
825501-1 3-Major BT825501 IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline. 14.1.4, 15.1.3, 16.0.1.1



Cumulative fixes from BIG-IP v14.1.3.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
950077-3 CVE-2021-22987, CVE-2021-22988 K18132488, K70031188, BT950077 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
943125-3 CVE-2021-23010 K18570111, BT943125 ASM bd may crash while processing WebSocket traffic 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
941449-4 CVE-2021-22993 K55237223, BT941449 BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
935029-1 CVE-2020-27720 K04048104, BT935029 TMM may crash while processing IPv6 NAT traffic 14.1.3.1, 15.1.1, 16.0.1
932065-3 CVE-2021-22978 K87502622, BT932065 iControl REST vulnerability CVE-2021-22978 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
931513-2 CVE-2021-22977 K14693346, BT931513 TMM vulnerability CVE-2021-22977 13.1.3.6, 14.1.3.1, 15.1.1, 16.0.1.1
928321-3 CVE-2020-27719 K19166530, BT928321 K19166530: XSS vulnerability CVE-2020-27719 14.1.3.1, 15.1.1, 16.0.1
921337-3 CVE-2021-22976 K88230177, BT921337 BIG-IP ASM WebSocket vulnerability CVE-2021-22976 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
917509-5 CVE-2020-27718 K58102101, BT917509 BIG-IP ASM vulnerability CVE-2020-27718 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
916821-4 CVE-2021-22974 K68652018, BT916821 iControl REST vulnerability CVE-2021-22974 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
908673-3 CVE-2020-27717 K43850230, BT908673 TMM may crash while processing DNS traffic 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
904165-3 CVE-2020-27716 K51574311, BT904165 BIG-IP APM vulnerability CVE-2020-27716 14.1.3.1, 15.1.1
882189-5 CVE-2020-5897 K20346072, BT882189 BIG-IP Edge Client for Windows vulnerability CVE-2020-5897 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
882185-5 CVE-2020-5897 K20346072, BT882185 BIG-IP Edge Client Windows ActiveX 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
881317-4 CVE-2020-5896 K15478554, BT881317 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
881293-5 CVE-2020-5896 K15478554, BT881293 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
754855-2 CVE-2020-27714 K60344652, BT754855 TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile 13.1.4, 14.1.3.1, 15.1.1
939845-3 CVE-2021-23004 K31025212, BT939845 BIG-IP MPTCP vulnerability CVE-2021-23004 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
939841-3 CVE-2021-23003 K43470422, BT939841 BIG-IP MPTCP vulnerability CVE-2021-23003 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
928037-3 CVE-2020-27729 K15310332, BT928037 APM Hardening 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
919841-1 CVE-2020-27728 K45143221, BT919841 AVRD may crash while processing Bot Defense traffic 14.1.3.1, 15.1.1, 16.0.1
912969-4 CVE-2020-27727 K50343630, BT912969 iAppsLX REST vulnerability CVE-2020-27727 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
905125-3 CVE-2020-27726 K30343902, BT905125 Security hardening for APM Webtop 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
904937-4 CVE-2020-27725 K25595031, BT904937 Excessive resource consumption in zxfrd 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1
898949-3 CVE-2020-27724 K04518313, BT898949 APM may consume excessive resources while processing VPN traffic 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1
881445-5 CVE-2020-5898 K69154630, BT881445 BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
880361-3 CVE-2021-22973 K13323323, BT880361 iRules LX vulnerability CVE-2021-22973 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
842829-3 CVE-2018-16300, CVE-2018-14881, CVE-2018-14882, CVE-2018-16230, CVE-2018-16229, CVE-2018-16227, CVE-2019-15166, CVE-2018-16228, CVE-2018-16451, CVE-2018-16452, CVE-2018-10103, CVE-2018-10105, CVE-2018-14468 K04367730, BT842829 Multiple tcpdump vulnerabilities 13.1.4.1, 14.1.3.1, 15.1.3
842717-4 CVE-2020-5855 K55102004, BT842717 BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
832757-5 CVE-2017-18551 K48073202, BT832757 Linux kernel vulnerability CVE-2017-18551 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.3
831777-3 CVE-2020-27723 K42933418, BT831777 Tmm crash in Ping access use case 13.1.3.5, 14.1.3.1
811965-2 CVE-2020-27722 K73657294, BT811965 Some VDI use cases can cause excessive resource consumption 13.1.3.5, 14.1.3.1, 15.0.1.4
778049-4 CVE-2018-13405 K00854051, BT778049 Linux Kernel Vulnerability: CVE-2018-13405 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1
693360-4 CVE-2020-27721 K52035247, BT693360 A virtual server status changes to yellow while still available 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1
852929-7 CVE-2020-5920 K25160703, BT852929 AFM WebUI Hardening 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1
825413-2 CVE-2021-23053 K36942191, BT825413 ASM may consume excessive resources when matching signatures 13.1.3.6, 14.1.3.1, 15.1.3
818213-2 CVE-2019-10639 K32804955, BT818213 CVE-2019-10639: KASLR bypass using connectionless protocols 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
773693-5 CVE-2020-5892 K15838353, BT773693 CVE-2020-5892: APM Client Vulnerability 11.6.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
834533-2 CVE-2019-15916 K57418558, BT834533 Linux kernel vulnerability CVE-2019-15916 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
920961-3 3-Major BT920961 Devices incorrectly report 'In Sync' after an incremental sync 14.1.3.1, 15.1.2, 16.0.1.1
756139-1 3-Major BT756139 Inconsistent logging of hostname files when hostname contains periods 14.1.3.1, 15.1.2, 16.0.1.1
921421-1 4-Minor BT921421 iRule support to get/set UDP's Maximum Buffer Packets 14.1.3.1, 15.1.2, 16.0.1.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
809553 1-Blocking BT809553 ONAP Licensing - Cipher negotiation fails 14.1.3.1
957337-4 2-Critical BT957337 Tab complete in 'mgmt' tree is broken 14.1.3.1, 15.1.2, 16.0.1.1
954025 2-Critical BT954025 "switchboot -b HD1.1" fails to reboot chassis 14.1.3.1
933409-4 2-Critical BT933409 Tomcat upgrade via Engineering Hotfix causes live-update files removal 14.1.3.1, 15.1.2, 16.0.1.1
927033-1 2-Critical BT927033 Installer fails to calculate disk size of destination volume 14.1.3.1, 15.1.2, 16.0.1.1
910201-1 2-Critical BT910201 OSPF - SPF/IA calculation scheduling might get stuck infinitely 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
896217-4 2-Critical BT896217 BIG-IP GUI unresponsive 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
860517-3 2-Critical BT860517 MCPD may crash on startup with many thousands of monitors on a system with many CPUs. 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1
829277-1 2-Critical BT829277 A Large /config folder can cause memory exhaustion during live-install 14.1.3.1, 15.1.2.1
796601-4 2-Critical BT796601 Invalid parameter in errdefsd while processing hostname db_variable 13.1.3.5, 14.1.3.1, 15.1.2
787285 2-Critical BT787285 Configuration fails to load after install of v14.1.0 or v14.1.2 on BIG-IP 800 14.1.3.1
770989 2-Critical BT770989 Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x. 13.1.3.5, 14.1.3.1
769817-3 2-Critical BT769817 BFD fails to propagate sessions state change during blade restart 11.6.5.1, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.4
706521-4 2-Critical K21404407, BT706521 The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
934941-3 3-Major BT934941 Platform FIPS power-up self test failures not logged to console 14.1.3.1, 15.1.3
930741-1 3-Major BT930741 Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot 13.1.3.6, 14.1.3.1, 15.1.2
920301-2 3-Major BT920301 Unnecessarily high number of JavaScript Obfuscator instances when device is busy 14.1.3.1, 15.1.2
915825-4 3-Major BT915825 Configuration error caused by Drafts folder in a deleted custom partition while upgrading. 13.1.3.5, 14.1.3.1, 15.1.1
915497-3 3-Major BT915497 New Traffic Class Page shows multiple question marks. 14.1.3.1, 15.1.0.5, 16.0.1.1
911809-1 3-Major BT911809 TMM might crash when sending out oversize packets. 14.1.3.1, 15.1.2
908021-2 3-Major BT908021 Management and VLAN MAC addresses are identical 13.1.3.5, 14.1.3.1, 15.1.3
904845-3 3-Major BT904845 VMware guest OS customization works only partially in a dual stack environment. 14.1.3.1, 15.1.1, 16.0.1
902401-3 3-Major BT902401 OSPFd SIGSEGV core when 'ospf clear' is done on remote device 14.1.3.1, 15.1.2, 16.0.1.1
898705-3 3-Major BT898705 IPv6 static BFD configuration is truncated or missing 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
898461-4 3-Major BT898461 Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context' 14.1.3.1, 15.1.1, 16.0.1.1
889041-1 3-Major BT889041 Failover scripts fail to access resolv.conf due to permission issues 14.1.3.1, 15.1.2, 16.0.1.1
886689-4 3-Major BT886689 Generic Message profile cannot be used in SCTP virtual 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1
867181-3 3-Major BT867181 ixlv: double tagging is not working 13.1.3.6, 14.1.3.1, 15.1.2
865241-3 3-Major BT865241 Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0" 13.1.3.6, 14.1.3.1, 15.1.2
865177-2 3-Major BT865177 Cert-LDAP returning only first entry in the sequence that matches san-other oid 14.1.3.1, 15.1.2.1, 16.0.1.1
860317-1 3-Major BT860317 JavaScript Obfuscator can hang indefinitely 14.1.3.1, 15.1.2
851733-1 3-Major BT851733 Tcpdump messages (warning, error) are sent to stdout instead of stderr 14.1.3.1
850777-1 3-Major BT850777 BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config 14.1.3.1, 15.1.1
846441-1 3-Major BT846441 Flow-control is reset to default for secondary blade's interface 13.1.3.5, 14.1.3.1, 15.1.2
846137-3 3-Major BT846137 The icrd returns incorrect route names in some cases 13.1.3.5, 14.1.3.1, 15.1.2
843597-3 3-Major BT843597 Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle 13.1.3.6, 14.1.3.1, 15.1.2
829193-2 3-Major BT829193 REST system unavailable due to disk corruption 13.1.3.6, 14.1.3.1, 15.1.0.4
826905-1 3-Major BT826905 Host traffic via IPv6 route pool uses incorrect source address 14.1.3.1, 15.1.2
806073-3 3-Major BT806073 MySQL monitor fails to connect to MySQL Server v8.0 14.1.3.1, 15.1.2.1, 16.0.1.1
795649-3 3-Major BT795649 Loading UCS from one iSeries model to another causes FPGA to fail to load 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.0.3
788577-4 3-Major BT788577 BFD sessions may be reset after CMP state change 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
783113-4 3-Major BT783113 BGP sessions remain down upon new primary slot election 11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.1
767737-2 3-Major BT767737 Timing issues during startup may make an HA peer stay in the inoperative state 13.1.3.5, 14.1.3.1, 15.1.2.1
755197-3 3-Major BT755197 UCS creation might fail during frequent config save transactions 13.1.3.5, 14.1.3.1, 15.1.2
754971-2 3-Major BT754971 OSPF inter-process redistribution might break OSPF route redistribution of various types. 13.1.3.5, 14.1.3.1
751584-1 3-Major BT751584 Custom MIB actions can be blocked by SELINUX permissions 14.1.3.1
740589-1 3-Major BT740589 Mcpd crash with core after 'tmsh edit /sys syslog all-properties' 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
737098-2 3-Major BT737098 ASM Sync does not work when the configsync IP address is an IPv6 address 13.1.3.5, 14.1.3.1, 15.1.2
652502-3 3-Major BT652502 SNMP queries return 'No Such Object available' error for LTM OIDs 13.1.1.4, 14.1.3.1
933461-3 4-Minor BT933461 BGP multi-path candidate selection does not work properly in all cases. 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
924429-3 4-Minor BT924429 Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values 14.1.3.1, 15.1.2, 16.0.1.1
892677-4 4-Minor BT892677 Loading config file with imish adds the newline character 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
882713-1 4-Minor BT882713 BGP SNMP trap has the wrong sysUpTime value 14.1.3.1, 15.1.2
864757-2 4-Minor BT864757 Traps that were disabled are enabled after configuration save 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
722230-3 4-Minor BT722230 Cannot delete FQDN template node if another FQDN node resolves to same IP address 12.1.5.2, 13.1.3.4, 14.1.3.1, 15.0.1.4, 15.1.0.2
591732-5 4-Minor BT591732 Local password policy not enforced when auth source is set to a remote type. 12.1.5.1, 13.1.3.5, 14.1.3.1, 15.0.1.4
583084-8 4-Minor K15101680, BT583084 iControl produces 404 error while creating records successfully 13.1.3.5, 14.1.3.1, 15.1.2
849085-3 5-Cosmetic BT849085 Lines with only asterisks filling message and user.log file 14.1.3.1, 15.1.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
941089 2-Critical BT941089 TMM core when using Multipath TCP 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2
911041-2 2-Critical BT911041 Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash 14.1.3.1, 15.1.2.1, 16.0.1.2
891849-2 2-Critical BT891849 Running iRule commands while suspending iRule commands that are running can lead to a crash 14.1.3.1, 15.1.2
879409-2 2-Critical BT879409 TMM core with mirroring traffic due to unexpected interface name length 14.1.3.1, 15.1.1
851857-3 2-Critical BT851857 HTTP 100 Continue handling does not work when it arrives in multiple packets 13.1.3.5, 14.1.3.1, 15.1.1
851345-2 2-Critical BT851345 The TMM may crash in certain rare scenarios involving HTTP/2 14.1.3.1, 15.1.2
850873-1 2-Critical BT850873 LTM global SNAT sets TTL to 255 on egress. 14.1.3.1, 15.1.2
824881-2 2-Critical BT824881 A rare TMM crash caused by the fix for ID 816625 14.1.3.1, 15.0.1.1
811161-1 2-Critical BT811161 Tmm crash SIGSEGV - virtual_address_update() in ../mcp/db_vip.c:1992 14.1.3.1
766509-1 2-Critical BT766509 Strict internal checking might cause tmm crash 14.1.3.1
705768-1 2-Critical BT705768 The dynconfd process may core and restart with multiple DNS name servers configured 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2
951033-2 3-Major BT951033 Virtual server resets all the connections for rstcause 'VIP disabled (administrative)' 13.1.3.5, 14.1.3.1
949145-4 3-Major BT949145 Improve TCP's response to partial ACKs during loss recovery 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
948757-3 3-Major BT948757 A snat-translation address responds to ARP requests but not to ICMP ECHO requests. 14.1.3.1, 15.1.2, 16.0.1
915689-4 3-Major BT915689 HTTP/2 dynamic header table may fail to identify indexed headers on the response side. 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
915605-1 3-Major K56251674, BT915605 Image install fails if iRulesLX is provisioned and /usr mounted read-write 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
913249-4 3-Major BT913249 Restore missing UDP statistics 14.1.3.1, 15.1.2, 16.0.1.1
901929-4 3-Major BT901929 GARPs not sent on virtual server creation 14.1.3.1, 15.1.2, 16.0.1.1
892385-2 3-Major BT892385 HTTP does not process WebSocket payload when received with server HTTP response 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1
879413-3 3-Major BT879413 Statsd fails to start if one or more of its *.info files becomes corrupted 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
862597-5 3-Major BT862597 Improve MPTCP's SYN/ACK retransmission handling 13.1.3.5, 14.1.3.1, 15.1.0.2
860005-3 3-Major BT860005 Ephemeral nodes/pool members may be created for wrong FQDN name 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2
857845-6 3-Major BT857845 TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule 13.1.3.6, 14.1.3.1, 15.1.2
851477-3 3-Major BT851477 Memory allocation failures during proxy initialization are ignored leading to TMM cores 14.1.3.1, 15.1.1
851045-3 3-Major BT851045 LTM database monitor may hang when monitored DB server goes down 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.1
850145-3 3-Major BT850145 Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed 14.1.3.1, 15.1.2
823921-2 3-Major BT823921 FTP profile causes memory leak 14.1.3.1
820333-3 3-Major BT820333 LACP working member state may be inconsistent when blade is forced offline 14.1.3.1, 15.1.2
819329-2 3-Major BT819329 Specific FIPS device errors will not trigger failover 14.1.3.1, 15.1.4, 16.0.1.2
818853-3 3-Major BT818853 Duplicate MAC entries in FDB 13.1.3.5, 14.1.3.1, 15.1.0.2
809701-2 3-Major BT809701 Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist 14.1.3.1, 15.0.1.3, 15.1.2
805017-2 3-Major BT805017 DB monitor marks pool member down if no send/recv strings are configured 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.3
803233-3 3-Major BT803233 Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1
796993-1 3-Major BT796993 Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs 12.1.5.3, 13.1.3.4, 14.1.3.1
787853-2 3-Major BT787853 BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps. 14.1.3.1
786517-3 3-Major BT786517 Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address 13.1.3.5, 14.1.3.1, 15.1.0.5
783617-1 3-Major BT783617 Virtual server resets connections when all pool members are marked disabled 13.1.3.5, 14.1.3.1
776229-2 3-Major BT776229 iRule 'pool' command no longer accepts pool members with ports that have a value of zero 13.1.3.4, 14.1.3.1
759480-3 3-Major BT759480 HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash 12.1.5, 13.1.3.4, 14.1.3.1
759056-2 3-Major BT759056 stpd memory leak on secondary blades in a multi-blade system 13.1.3.6, 14.1.3.1
753805-3 3-Major BT753805 BIG-IP system failed to advertise virtual address even after the virtual address was in Available state. 12.1.5.3, 13.1.3.4, 14.1.3.1
753594-2 3-Major BT753594 In-TMM monitors may have duplicate instances or stop monitoring 13.1.3, 14.1.3.1
750278-4 3-Major K25165813, BT750278 A sub-second timeout for the SSL alert-timeout option may be desirable in certain cases 14.1.3.1, 15.0.1.3
745682-1 3-Major BT745682 Failed to parse X-Forwarded-For header in HTTP requests 13.1.3.6, 14.1.3.1
724824-3 3-Major BT724824 Ephemeral nodes on peer devices report as unknown and unchecked after full config sync 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2
722707-2 3-Major BT722707 mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall 12.1.5.3, 13.1.3.6, 14.1.3.1
720440-4 3-Major BT720440 Radius monitor marks pool members down after 6 seconds 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.0.5
718790-1 3-Major BT718790 Virtual server reports unavailable and resets connection erroneously. 14.1.3.1
710930-3 3-Major BT710930 Enabling BigDB key bigd.tmm may cause SSL monitors to fail 13.1.3.5, 14.1.3.1
935593-3 4-Minor BT935593 Incorrect SYN re-transmission handling with FastL4 timestamp rewrite 14.1.3.1, 15.1.2, 16.0.1.1
932937-3 4-Minor BT932937 HTTP Explicit Proxy configurations can result in connections hanging until idle timeout. 14.1.3.1, 15.1.1, 16.0.1
895153-2 4-Minor BT895153 HTTP::has_responded returns incorrect values when using HTTP/2 14.1.3.1, 15.1.2
895141 4-Minor BT895141 HTTP::has_responded returns incorrect values when using HTTP/2 14.1.3.1
822025-2 4-Minor BT822025 HTTP response not forwarded to client during an early response 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.4, 15.1.0.2
808409-3 4-Minor BT808409 Unable to specify if giaddr will be modified in DHCP relay chain 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
801705-4 4-Minor BT801705 When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC 13.1.3.6, 14.1.3.1
781225-2 4-Minor BT781225 HTTP profile Response Size stats incorrect for keep-alive connections 12.1.5.3, 13.1.3.5, 14.1.3.1
726983-2 4-Minor BT726983 Inserting multi-line HTTP header not handled correctly 12.1.5.3, 13.1.3.5, 14.1.3.1
859717-3 5-Cosmetic BT859717 ICMP-limit-related warning messages in /var/log/ltm 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
919553-3 2-Critical BT919553 GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets. 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
837637-2 2-Critical K02038650, BT837637 Orphaned bigip_gtm.conf can cause config load failure after upgrading 14.1.3.1, 15.1.2, 16.0.1.1
788465-2 2-Critical BT788465 DNS cache idx synced across HA group could cause tmm crash 14.1.3.1, 15.1.1, 16.0.1
926593-3 3-Major BT926593 GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout' 14.1.3.1, 15.1.2, 16.0.1.1
852101-3 3-Major BT852101 Monitor fails. 13.1.3.6, 14.1.3.1, 15.1.2
844689-3 3-Major BT844689 Possible temporary CPU usage increase with unusually large named.conf file 14.1.3.1, 15.1.2
781829-1 3-Major BT781829 GTM TCP monitor does not check the RECV string if the server response string does not end with \n 13.1.3.5, 14.1.3.1
644192-4 3-Major K23022557, BT644192 Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN 11.6.5.3, 14.1.3.1, 15.1.2, 16.0.1.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
940249-3 2-Critical BT940249 Sensitive data is not masked after "Maximum Array/Object Elements" is reached 11.6.5.3, 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
927617-3 2-Critical BT927617 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
941853-2 3-Major BT941853 Logging Profiles do not disassociate from virtual server when multiple changes are made 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
940897-2 3-Major BT940897 Violations are detected for incorrect parameter when "Maximum Array/Object Elements" is reached 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
893061-1 3-Major BT893061 Out of memory for restjavad 14.1.3.1, 15.1.2, 16.0.1.1
884425-1 3-Major   Creation of new allowed HTTP URL is not possible 14.1.3.1, 15.1.3
868053-1 3-Major BT868053 Live Update service indicates update available when the latest update was already installed 14.1.3.1, 15.1.3


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
910097-3 2-Critical BT910097 Changing per-request policy while tmm is under traffic load may drop heartbeats 14.1.3.1, 15.1.2, 16.0.1.1
896709-2 2-Critical BT896709 Add support for Restart Desktop for webtop in VMware VDI 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
760130-3 2-Critical BT760130 [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK 13.1.3, 14.1.3.1
748572-2 2-Critical BT748572 Occasionally ramcache might crash when data is sent without the corresponding event. 14.1.3.1
924929-1 3-Major BT924929 Logging improvements for VDI plugin 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
914649-2 3-Major BT914649 Support USB redirection through VVC (VMware virtual channel) with BlastX 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
771961-1 3-Major BT771961 While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core 14.1.3.1, 15.1.1
760629-3 3-Major BT760629 Remove Obsolete APM keys in BigDB 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
759356-2 3-Major BT759356 Access session data cache might leak if there are multiple TMMs 14.1.3.1
747020-1 3-Major BT747020 Requests that evaluate to same subsession can be processed concurrently 14.1.3.1, 15.1.1, 16.0.1
739570-3 3-Major BT739570 Unable to install EPSEC package 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
904373-1 3-Major BT904373 MRF GenericMessage: Implement limit to message queues size 14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1
891385-4 3-Major BT891385 Add support for URI protocol type "urn" in MRF SIP load balancing 14.1.3.1, 15.1.1, 16.0.1
924349-1 4-Minor   DIAMETER MRF is not compliant with RFC 6733 for Host-ip-Address AVP over SCTP 14.1.3.1, 15.1.1, 16.0.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
938165-2 2-Critical BT938165 TMM Core after attempted update of IP geolocation database file 14.1.3.1, 15.1.2, 16.0.1.1
747225-1 2-Critical BT747225 PCCD may get into crash-loop after BIG-IP upgrade or after BIG-IP restart 14.1.3.1
872645 3-Major BT872645 Protected Object Aggregate stats are causing elevated CPU usage 14.1.3.1, 15.1.1
813301 3-Major BT813301 LSN_PB_UPDATE logs are not generated when subscriber info changes 14.1.3.1, 15.1.0
781425 3-Major BT781425 Firewall rule list configuration causes config load failure 14.1.3.1
920361-4 4-Minor BT920361 Standby device name sent in Traffic Statistics syslog/Splunk messages 14.1.3.1, 15.1.1


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
783289-1 2-Critical BT783289 PEM actions not applied in VE bigTCP. 13.1.3.5, 14.1.3.1


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
815001-1 2-Critical BT815001 TMM Crash with inbound traffic during high availability (HA) failover 14.1.3.1


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
940401-3 5-Cosmetic BT940401 Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
944785-1 3-Major BT944785 Admd restarting constantly. Out of memory due to loading malformed state file 14.1.3.1, 15.1.2, 16.0.1.2
923125-1 3-Major BT923125 Huge amount of admd processes caused oom 14.1.3.1, 15.1.2
818465-2 3-Major BT818465 Unnecessary memory allocation in AVR module 14.1.3.1


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
767613-2 3-Major BT767613 Restjavad can keep partially downloaded files open indefinitely 13.1.3.5, 14.1.3.1



Cumulative fixes from BIG-IP v14.1.3 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
928029 2-Critical BT928029 Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis 14.1.3, 15.1.4
905849 3-Major BT905849 FastL4 UDP flows might not get offloaded to hardware 14.1.3
829317-6 3-Major BT829317 Memory leak in icrd_child due to concurrent REST usage 13.1.4, 14.1.3, 14.1.3.1, 15.1.0.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
943101 2-Critical BT943101 Tmm crash in cipher group delete. 14.1.3, 15.1.4
934461 2-Critical BT934461 Connection error with server with TLS1.3 single-dh-use. 14.1.3, 15.1.4
915957 2-Critical BT915957 The wocplugin may get into a restart loop when AAM is provisioned 14.1.3, 15.1.2
939209-3 3-Major BT939209 FIPS 140-2 SP800-56Arev3 compliance 14.1.3
930385 3-Major BT930385 SSL filter does not re-initialize when an OCSP object is modified 14.1.3, 15.1.4
921721-2 3-Major BT921721 FIPS 140-2 SP800-56Arev3 compliance 14.1.3, 15.1.3
809597-3 3-Major BT809597 Memory leak in icrd_child observed during REST usage 13.1.4, 14.1.3, 15.1.0.2
629787-1 3-Major BT629787 vCMP hypervisor version mismatch may cause connection mirroring problems. 14.1.3


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
934393 1-Blocking BT934393 APM authentication fails due to delay in sessionDB readiness 14.1.3, 15.1.4


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
697331-3 3-Major BT697331 Some TMOS tools for querying various DBs fail when only a single TMM is running 14.1.3, 14.1.3.1, 15.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
892621-2 3-Major BT892621 Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software 14.1.3, 15.1.0.4


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
927993-4 1-Blocking K97501254, BT927993 Built-in SSL Orchestrator RPM installation failure 12.1.5.3, 13.1.3.6, 14.1.3, 14.1.4, 15.1.2, 16.0.1.1



Cumulative fixes from BIG-IP v14.1.2.8 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
935721-4 CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 K82252291, BT935721 ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.0.1
933741-4 CVE-2021-22979 K63497634, BT933741 BIG-IP FPS XSS vulnerability CVE-2021-22979 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
911761-4 CVE-2020-5948 K42696541, BT911761 F5 TMUI XSS vulnerability CVE-2020-5948 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
879745-1 CVE-2020-5942 K82530456 TMM may crash while processing Diameter traffic 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
917469-4 CVE-2020-5946 K53821711, BT917469 TMM may crash while processing FPS traffic 14.1.2.8, 15.1.1, 16.0.1
910017-4 CVE-2020-5945 K21540525, BT910017 Security hardening for the TMUI Interface page 14.1.2.8, 15.1.1, 16.0.1
907201-1 CVE-2021-23039 K66782293, BT907201 TMM may crash when processing IPSec traffic 14.1.2.8, 15.1.3, 16.0.1.2
889557-2 CVE-2019-11358 K20455158, BT889557 jQuery Vulnerability CVE-2019-11358 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
870273-3 CVE-2020-5936 K44020030, BT870273 TMM may consume excessive resources when processing SSL traffic 12.1.5.2, 14.1.2.8, 15.1.1
856961-2 CVE-2018-12207 K17269881, BT856961 INTEL-SA-00201 MCE vulnerability CVE-2018-12207 13.1.3.5, 14.1.2.8, 15.0.1.4, 15.1.0.5
751036-1 CVE-2020-27721 K52035247, BT751036 Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8
818177-4 CVE-2019-12295 K06725231, BT818177 CVE-2019-12295 Wireshark Vulnerability 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1
717276-7 CVE-2020-5930 K20622530, BT717276 TMM Route Metrics Hardening 11.6.5.3, 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.5
858537-3 CVE-2019-1010204 K05032915, BT858537 CVE-2019-1010204: Binutils Vulnerability 14.1.2.8, 15.1.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
890229-3 3-Major BT890229 Source port preserve setting is not honored 13.1.3.5, 14.1.2.8, 15.1.1
747013-3 3-Major BT747013 Add OCSP server support to IKEv2 negotiation for IPsec peer authentication 14.1.2.8
617929-2 3-Major BT617929 Support non-default route domains 13.1.3.4, 14.1.2.8, 15.0.1.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
920481 2-Critical BT920481 REST GET on /mgmt/tm/sys/file/ssl-key returns bad/wrong passphrase 14.1.2.8
871561-3 2-Critical BT871561 Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)' 14.1.2.8, 15.1.1, 16.0.1
860349-1 2-Critical BT860349 Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication 14.1.2.8, 15.1.3
856713-1 2-Critical BT856713 IPsec crash during rekey 14.1.2.8, 16.0.1.2
854493-3 2-Critical BT854493 Kernel page allocation failures messages in kern.log 14.1.2.8, 15.1.0.2
842865-1 2-Critical BT842865 Add support for Auto MAC configuration (ixlv) 14.1.2.8, 15.0.1.4, 15.1.0.5
841953-5 2-Critical BT841953 A tunnel can be expired when going offline, causing tmm crash 12.1.5.3, 14.1.2.8, 15.1.0.2
841333-5 2-Critical BT841333 TMM may crash when tunnel used after returning from offline 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.2
818253-1 2-Critical BT818253 Generate signature files for logs 14.1.2.8, 15.1.1, 16.0.1.1
817709-2 2-Critical BT817709 IPsec: TMM cored with SIGFPE in racoon2 14.1.2.8, 15.1.0.2
811149-1 2-Critical BT811149 Remote users are unable to authenticate via serial console. 14.1.2.8, 15.0.1.4, 15.1.0.2
807453-1 2-Critical BT807453 IPsec works inefficiently with a second blade in one chassis 14.1.2.8
777229-1 2-Critical BT777229 IPsec improvements to internal pfkey messaging between TMMs on multi-blade 14.1.2.8
774361-2 2-Critical BT774361 IPsec High Availability sync during multiple failover via RFC6311 messages 14.1.2.8
769357-1 2-Critical   IPsec debug logging needs more organization and is missing HA-related logging 14.1.2.8
755716-1 2-Critical BT755716 IPsec connection can fail if connflow expiration happens before IKE encryption 14.1.2.8
749249-1 2-Critical BT749249 IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP 14.1.2.8
741676-2 2-Critical BT741676 Intermittent crash switching between tunnel mode and interface mode 14.1.2.8
593536-7 2-Critical K64445052, BT593536 Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations 14.1.2.8, 15.1.1
924493-4 3-Major BT924493 VMware EULA has been updated 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
904705-3 3-Major BT904705 Cannot clone Azure marketplace instances. 14.1.2.8, 15.1.1, 16.0.1
888497-4 3-Major BT888497 Cacheable HTTP Response 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1
887089-3 3-Major BT887089 Upgrade can fail when filenames contain spaces 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5
880625-2 3-Major BT880625 Check-host-attr enabled in LDAP system-auth creates unusable config 14.1.2.8, 15.1.1, 16.0.1
880165-1 3-Major BT880165 Auto classification signature update fails 14.1.2.8, 15.1.1, 16.0.1
858197-1 3-Major BT858197 Merged crash when memory exhausted 13.1.3.5, 14.1.2.8, 15.1.2, 16.0.1.1
856953-2 3-Major BT856953 IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1 14.1.2.8, 15.1.4.1
844085-3 3-Major BT844085 GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address 14.1.2.8, 15.1.0.5, 16.0.1
838297-1 3-Major BT838297 Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication 14.1.2.8, 15.1.1
828789-3 3-Major BT828789 Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters 14.1.2.8, 15.1.1
820213-2 3-Major BT820213 'Application Service List' empty after UCS restore 14.1.2.8
814585-3 3-Major BT814585 PPTP profile option not available when creating or modifying virtual servers in GUI 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1
810381-4 3-Major BT810381 The SNMP max message size check is being incorrectly applied. 13.1.3.5, 14.1.2.8, 15.1.0.4
807337-3 3-Major BT807337 Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed. 14.1.2.8, 15.1.1, 16.0.1.1
804537-1 3-Major BT804537 Check SAs in context callbacks 14.1.2.8
802889 3-Major BT802889 Problems establishing HA connections on chassis platforms 14.1.2.8, 14.1.3
797829-5 3-Major BT797829 The BIG-IP system may fail to deploy new or reconfigure existing iApps 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1
783753-1 3-Major BT783753 Increase vCPU amount guests can use on i11800-DS platforms. 14.1.2.8
761753-2 3-Major BT761753 BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs 14.1.2.8
759564-4 3-Major BT759564 GUI not available after upgrade 14.1.2.8, 15.1.1, 16.0.1
758517-1 3-Major BT758517 Callback for Diffie Hellman crypto is missing defensive coding 14.1.2.8
758516-1 3-Major BT758516 IKEv2 auth encryption is missing defensive coding that checks object validity 14.1.2.8
757862-1 3-Major BT757862 IKEv2 debug logging an uninitialized variable leading to core 14.1.2.8
748443-1 3-Major BT748443 HiGig MAC recovery mechanism may fail continuously at runtime 14.1.2.8
746704-2 3-Major BT746704 Syslog-ng Memory Leak 13.1.3.5, 14.1.2.8
745261-2 3-Major BT745261 The TMM process may crash in some tunnel cases 12.1.5.3, 13.1.3.5, 14.1.2.8
726416-3 3-Major BT726416 Physical disk HD1 not found for logical disk create 14.1.2.8
489572-4 3-Major K60934489, BT489572 Sync fails if file object is created and deleted before sync to peer BIG-IP 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
431503-3 3-Major K14838, BT431503 TMSH crashes in rare initial tunnel configurations 13.1.3.5, 14.1.2.8, 15.1.1
919745-4 4-Minor BT919745 CSV files downloaded from the Dashboard have the first row with all 'NaN' 14.1.2.8, 15.1.0.5, 16.0.1
918209-1 4-Minor BT918209 GUI Network Map icons color scheme is not section 508 compliant 14.1.2.8, 15.1.0.5, 16.0.1
914761-1 4-Minor BT914761 Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed. 14.1.2.8, 15.1.1, 16.0.1.1
906889-1 4-Minor BT906889 Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows. 14.1.2.8, 15.1.1, 16.0.1
902417-4 4-Minor BT902417 Configuration error caused by Drafts folder in a deleted custom partition 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1.1
890277-2 4-Minor BT890277 Full config sync to a device group operation takes a long time when there are a large number of partitions. 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
822377-2 4-Minor   CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability 14.1.2.8, 15.1.1
779857-1 4-Minor BT779857 Misleading GUI error when installing a new version in another partition 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
777237-1 4-Minor   IPsec high availability (HA) for failover confused by runtime changes in blade count 14.1.2.8
751103-4 4-Minor BT751103 TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop 14.1.2.8, 15.1.1, 16.0.1
767269-2 5-Cosmetic   Linux kernel vulnerability: CVE-2018-16884 14.1.2.8, 15.1.0.5
714176-3 5-Cosmetic BT714176 UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
858429 2-Critical BT858429 BIG-IP system sends ICMP packets on both virtual wire interfaces. 14.1.2.8, 15.0.1.4, 15.1.1
851581-1 2-Critical BT851581 Server-side detach may crash TMM 14.1.2.8, 15.1.1
839749-2 2-Critical BT839749 Virtual server with specific address list might fail to create via GUI 14.1.2.8, 15.0.1.1, 15.1.0.5
813561-3 2-Critical BT813561 MCPD crashes when assigning an iRule that uses a proc 13.1.3.4, 14.1.2.8, 15.0.1.3
726518-3 2-Critical BT726518 Tmsh show command terminated with CTRL-C can cause TMM to crash. 13.1.3.6, 14.1.2.8, 15.1.2
915281-1 3-Major BT915281 Do not rearm TCP Keep Alive timer under certain conditions 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
816881-1 3-Major BT816881 Serverside connection may use wrong VLAN when virtual wire is configured 14.1.2.8, 15.1.1
810445-2 3-Major BT810445 PEM: ftp-data not classified or reported 13.1.3.5, 14.1.2.8
800101-1 3-Major BT800101 BIG-IP chassis system may send out duplicated UDP packets to the server side 14.1.2.8
788753-4 3-Major BT788753 GATEWAY_ICMP monitor marks node down with wrong error code 13.1.3.4, 14.1.2.8, 15.1.0.5
785701-1 3-Major BT785701 Changes to a Web Acceleration profile are not instantly applied to virtual servers using the profile 14.1.2.8
785481-2 3-Major BT785481 A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached 12.1.5.3, 14.1.2.8, 15.0.1.1
781753-3 3-Major BT781753 WebSocket traffic is transmitted with unknown opcodes 13.1.3.2, 14.1.2.8
766169-2 3-Major BT766169 Replacing all VLAN interfaces resets VLAN MTU to a default value 12.1.5.2, 13.1.3.5, 14.1.2.8
758437-6 3-Major BT758437 SYN w/ data disrupts stat collection in Fast L4 13.1.3.5, 14.1.2.8
758436-4 3-Major BT758436 Optimistic ACKs degrade Fast L4 statistics 13.1.3.5, 14.1.2.8
745663-3 3-Major BT745663 During traffic forwarding, nexthop data may be missed at large packet split 13.1.3.5, 14.1.2.8
726734-4 3-Major BT726734 DAGv2 port lookup stringent may fail 13.1.3.2, 14.1.2.8
814037-4 4-Minor BT814037 No virtual server name in Hardware Syncookie activation logs. 13.1.3.5, 14.1.2.8, 15.1.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
783125-2 2-Critical BT783125 iRule drop command on DNS traffic without Datagram-LB may cause TMM crash 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
800265-2 3-Major BT800265 Undefined subroutine in bigip_add_appliance_helper message 14.1.2.8


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
911629 2-Critical BT911629 Manual upload of LiveUpdate image file results in NULL response 14.1.2.8, 15.0.1.4
918933-3 3-Major K88162221, BT918933 The BIG-IP ASM system may not properly perform signature checks on cookies 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.2.8, 15.1.2, 16.0.1.1
901061-4 3-Major BT901061 Safari browser might be blocked when using Bot Defense profile and related domains. 14.1.2.8, 15.1.1, 16.0.1
888285-3 3-Major K18304067, BT888285 Sensitive positional parameter not masked in 'Referer' header value 14.1.2.8, 15.1.1
848445-3 3-Major K86285055, BT848445 Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5
919001-1 4-Minor BT919001 Live Update: Update Available notification is shown twice in rare conditions 14.1.2.8, 15.1.2, 16.0.1.1
879777 4-Minor BT879777 Retrieve browser cookie from related domain instead of performing another Bot Defense browser verification challenge 14.1.2.8, 15.1.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
908065-4 3-Major BT908065 Logrotation for /var/log/avr blocked by files with .1 suffix 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
866613-1 4-Minor BT866613 Missing MaxMemory Attribute 13.1.3.5, 14.1.2.8, 15.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
891505-1 2-Critical BT891505 TMM might leak memory when OAuth agent is used in APM per-request policy subroutine. 14.1.2.8, 15.1.4
579219-3 2-Critical BT579219 Access keys missing from SessionDB after multi-blade reboot. 14.1.2.8, 15.1.1
706782-3 3-Major BT706782 Inefficient APM processing in large configurations. 14.1.2.8, 15.0.1.3, 15.1.0.2
679751-1 4-Minor BT679751 Authorization header can cause a connection reset 13.1.3.5, 14.1.2.8, 15.1.1
602396-1 4-Minor BT602396 EPSEC Upload Package Button Is Greyed Out 14.1.2.8
478450-2 4-Minor BT478450 Improve log details when "Detection invalid host header ()" is logged 14.1.2.8


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
763121-3 2-Critical BT763121 Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM. 13.1.3, 14.1.2.8
870385-3 3-Major BT870385 TMM may restart under very heavy traffic load 14.1.2.8, 15.1.2.1
811157-2 3-Major BT811157 Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself 14.1.2.8
757555-2 3-Major BT757555 Network DoS Logging Profile does not work with other logging profiles together 14.1.2.8
757279-1 3-Major BT757279 LDAP authenticated Firewall Manager role cannot edit firewall policies 13.1.1.5, 14.1.2.8, 15.1.0.5
746483-2 3-Major BT746483 The autodosd process consumes a lot of memory and continuously restarts. 14.1.2.8
703165-4 3-Major BT703165 shared memory leakage 13.1.3.5, 14.1.2.8
803149-1 4-Minor BT803149 Flow Inspector cannot filter on IP address with non-default route_domain 14.1.2.8
906885 5-Cosmetic BT906885 Spelling mistake on AFM GUI Flow Inspector screen 14.1.2.8, 15.1.2.1


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
741213-2 3-Major BT741213 Modifying disabled PEM policy causes coredump 14.1.2.8


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
837269 3-Major BT837269 Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic 14.1.2.8, 15.1.0


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
876581-4 3-Major BT876581 JavaScript engine file is empty if the original HTML page cached for too long 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
891729-4 4-Minor BT891729 Errors in datasyncd.log 14.1.2.8, 15.1.1, 16.0.1


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
797277-2 3-Major BT797277 URL categorization fails when multiple segments present in URL path and belong to different categories. 14.1.2.8
761273-2 3-Major BT761273 wr_urldbd creates sparse log files by writing from the previous position after logrotate. 13.1.1.5, 14.1.2.8



Cumulative fixes from BIG-IP v14.1.2.7 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
912221-2 CVE-2020-12662, CVE-2020-12663 K37661551, BT912221 CVE-2020-12662 & CVE-2020-12663 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5
900905-1 CVE-2020-5926 K42830212, BT900905 TMM may crash while processing SIP data 14.1.2.7, 15.0.1.4, 15.1.0.5
891457-4 CVE-2020-5939 K75111593, BT891457 NIC driver may fail while transmitting data 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.4, 16.0.1
888417-4 CVE-2020-8840 K15320518, BT888417 Apache Vulnerability: CVE-2020-8840 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
846917-3 CVE-2019-10744 K47105354, BT846917 lodash Vulnerability: CVE-2019-10744 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.3, 15.1.0.2
841577-4 CVE-2020-5922 K20606443, BT841577 iControl REST hardening 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5
839453-4 CVE-2019-10744 K47105354, BT839453 lodash library vulnerability CVE-2019-10744 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.1.1
788057-5 CVE-2020-5921 K00103216, BT788057 MCPD may crash while processing syncookies 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
917005-4 CVE-2020-8619 K19807532 ISC BIND Vulnerability: CVE-2020-8619 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1
909837-2 CVE-2020-5950 K05204103, BT909837 TMM may consume excessive resources when AFM is provisioned 13.1.3.5, 14.1.2.7, 15.1.0.5
888489-4 CVE-2020-5927 K55873574, BT888489 ASM UI hardening 14.1.2.7, 15.0.1.4, 15.1.0.5
886085-3 CVE-2020-5925 K45421311, BT886085 BIG-IP TMM vulnerability CVE-2020-5925 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
832885-3 CVE-2020-5923 K05975972, BT832885 Self-IP hardening 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5
816413-2 CVE-2019-1125 K31085564, BT816413 CVE-2019-1125: Spectre SWAPGS Gadget 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
888493-4 CVE-2020-5928 K40843345, BT888493 ASM GUI Hardening 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
839145-2 CVE-2019-10744 K47105354, BT839145 CVE-2019-10744: lodash vulnerability 14.1.2.7, 15.1.0.5, 16.0.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
816233-3 2-Critical BT816233 Session and authentication cookies should use larger character set 14.1.2.7, 15.0.1.4, 15.1.0.5
724556-3 2-Critical BT724556 icrd_child spawns more than maximum allowed times (zombie processes) 12.1.5.3, 13.1.3.2, 14.1.2.7
858189-1 3-Major BT858189 Make restnoded/restjavad/icrd timeout configurable with sys db variables. 12.1.5.2, 14.1.2.7, 15.1.1
802977-2 3-Major BT802977 PEM iRule crashes when more than 10 policies are tried to be set for a subscriber 14.1.2.7
691499-3 3-Major BT691499 GTP::ie primitives in iRule to be certified 13.1.3.4, 14.1.2.7, 15.1.0.5
745465-1 4-Minor BT745465 The tcpdump file does not provide the correct extension 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
864513-3 1-Blocking K48234609, BT864513 ASM policies may not load after upgrading to 14.x or later from a previous major version 14.1.2.7, 15.1.1
891477 2-Critical BT891477 No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server 14.1.2.7, 15.0.1.4, 15.1.0.5
829677-1 2-Critical BT829677 .tmp files in /var/config/rest/ may cause /var directory exhaustion 13.1.3.5, 14.1.2.7, 15.1.2, 16.0.1.1
811701-1 2-Critical BT811701 AWS instance using xnet driver not receiving packets on an interface. 14.1.2.7, 15.0.1.4, 15.1.0.2
810593-2 2-Critical K10963690, BT810593 Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade 13.1.3.5, 14.1.2.7
805417-1 2-Critical BT805417 Unable to enable LDAP system auth profile debug logging 14.1.2.7, 15.1.1
769581-1 2-Critical BT769581 Timeout when sending many large iControl Rest requests 13.1.3.5, 14.0.0.5, 14.1.2.7
758604-2 2-Critical BT758604 Deleting a port from a single-port trunk does not work. 14.1.2.7
891721-1 3-Major BT891721 Anti-Fraud Profile URLs with query strings do not load successfully 14.1.2.7, 15.0.1.4, 15.1.0.5
871657-2 3-Major BT871657 Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
867013-1 3-Major BT867013 Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout 13.1.3.5, 14.1.2.7, 15.1.1
842189-2 3-Major BT842189 Tunnels removed when going offline are not restored when going back online 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.2.1
821309-3 3-Major BT821309 After an initial boot, mcpd has a defunct child "systemctl" process 14.1.2.7, 15.1.0.5
812929-2 3-Major BT812929 mcpd may core when resetting a DSC connection 14.1.2.7, 15.0.1.4
811053-2 3-Major BT811053 REBOOT REQUIRED prompt appears after failover and clsh reboot 14.1.2.7, 15.1.2
810821-1 3-Major BT810821 Management interface flaps after rebooting the device. 13.1.3.5, 14.1.2.7, 15.1.2
807005-1 3-Major BT807005 Save-on-auto-sync is not working as expected with large configuration objects 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
806985 3-Major BT806985 Engineering Hotfix installation may fail when Engineering Hotfix contains updated nash-initrd package 14.1.2.7
802685-3 3-Major BT802685 Unable to configure performance HTTP virtual server via GUI 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
793121-3 3-Major BT793121 Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication 13.1.3.2, 14.1.2.7, 15.0.1.3, 15.1.0.2
788949-3 3-Major BT788949 MySQL Password Initialization Loses Already Written Password 14.1.2.7
760950-4 3-Major BT760950 Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment 12.1.5.3, 14.1.2.7
756153-3 3-Major BT756153 Add diskmonitor support for MySQL /var/lib/mysql 12.1.4.1, 13.1.3, 14.1.2.7
753860-3 3-Major BT753860 Virtual server config changes causing incorrect route injection. 13.1.3.4, 14.1.2.7
720610-2 3-Major BT720610 Automatic Update Check logs false 'Update Server unavailable' message on every run 13.1.3, 14.1.2.7
701529-2 3-Major BT701529 Configuration may not load or not accept vlan or tunnel names as "default" or "all" 13.1.3.4, 14.1.2.7
688399-2 3-Major BT688399 HSB failure results in continuous TMM restarts 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4
683135-1 3-Major BT683135 Hardware syncookies number for virtual server stats is unrealistically high 13.1.3.2, 14.1.2.7
605675-4 3-Major BT605675 Sync requests can be generated faster than they can be handled 11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.2
831293-3 4-Minor BT831293 SNMP address-related GET requests slow to respond. 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.2
804309-2 4-Minor BT804309 [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument 13.1.3.5, 14.1.2.7, 15.1.0.5
755018-2 4-Minor BT755018 Egress traffic processing may be stopped on one or more VE trunk interfaces 13.1.3.2, 14.1.2.7, 15.0.1.1
743815-2 4-Minor BT743815 vCMP guest observes connflow reset when a CMP state change occurs. 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7
484683-2 4-Minor BT484683 Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer. 13.1.3.2, 14.1.2.7


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
842937-4 2-Critical BT842937 TMM crash due to failed assertion 'valid node' 12.1.5.3, 14.1.2.7, 15.1.1
751589-1 2-Critical BT751589 In BIG-IP VE, some IP rules may not be created during the first boot up. 14.1.2.7
893281-1 3-Major BT893281 Possible ssl stall on closed client handshake 14.1.2.7, 15.1.0.5
852873 3-Major BT852873 Proprietary Multicast PVST+ packets are forwarded instead of dropped 14.1.2.7, 15.1.0.2
848777-1 3-Major BT848777 Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node. 14.1.2.7, 15.1.0.4
828601-3 3-Major BT828601 IPv6 Management route is preferred over IPv6 tmm route 13.1.3.5, 14.1.2.7, 15.1.0.3
813701-3 3-Major BT813701 Proxy ARP failure 14.1.2.7, 15.1.0.5
810533-4 3-Major BT810533 SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile 14.1.2.7
802245-1 3-Major BT802245 When HTTP/2 is negotiated, if the provided cipher suite list cannot be matched, then the last one will be selected. 14.1.2.7
790205-3 3-Major BT790205 Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.2.7, 15.0.1.1
781041-1 3-Major BT781041 SIP monitor in non default route domain is not working. 14.1.2.7
778517-1 3-Major K91052217, BT778517 Large number of in-TMM monitors results in delayed processing 13.1.3.4, 14.1.2.7
760050-2 3-Major BT760050 "cwnd too low" warning message seen in logs 13.1.4.1, 14.1.2.7, 15.1.4
758599-1 3-Major BT758599 IPv6 Management route is preferred over IPv6 tmm route 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.3
758041-3 3-Major BT758041 LTM Pool Members may not be updated accurately when multiple identical database monitors are configured. 13.1.3.5, 14.1.2.7, 15.1.4.1
757446-2 3-Major BT757446 Invoking the HTTP::respond iRule command when the HTTP2 profile is present can cause stalled or malformed responses. 14.1.2.7
756494-3 3-Major BT756494 For in-tmm monitoring: multiple instances of the same agent are running on the Standby device 13.1.3.4, 14.1.2.7
752530-1 3-Major BT752530 TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput. 13.1.4.1, 14.1.2.7
752334-1 3-Major BT752334 Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation 13.1.4.1, 14.1.2.7
750473-4 3-Major BT750473 VA status changes while 'disabled' are not taken into account after being 'enabled' again 11.6.5.2, 12.1.5.3, 14.1.2.7
746922-6 3-Major BT746922 When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain. 12.1.4.1, 13.1.3, 14.0.1.1, 14.1.2.7
714502-2 3-Major BT714502 bigd restarts after loading a UCS for the first time 14.1.2.7, 15.1.0.5
686059-4 3-Major BT686059 FDB entries for existing VLANs may be flushed when creating a new VLAN. 12.1.5.3, 13.1.3.4, 14.1.2.7
608952-3 3-Major BT608952 MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.5
522241-1 3-Major BT522241 Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
918169-2 2-Critical BT918169 The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown. 13.1.3.6, 14.1.2.7, 15.1.2, 16.0.1.1
744743-1 2-Critical BT744743 Rolling DNSSEC Keys may stop generating after BIG-IP restart 14.1.2.7
803645-3 3-Major BT803645 GTMD daemon crashes 13.1.3.3, 14.1.2.7
789421-2 3-Major BT789421 Resource-administrator cannot create GTM server object through GUI 14.1.2.7, 15.1.0.5, 16.0.1
778365-2 3-Major BT778365 dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service 13.1.3.4, 14.1.2.7
774481-2 3-Major BT774481 DNS Virtual Server creation problem with Dependency List 13.1.3.4, 14.1.2.7
769385-1 3-Major BT769385 GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message 14.0.0.5, 14.1.2.7
758772-3 3-Major BT758772 DNS Cache RRSET Evictions Stat not increasing 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7
757464-1 3-Major BT757464 DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7
746348-2 3-Major BT746348 On rare occasions, gtmd fails to process probe responses originating from the same system. 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.2
712335-3 4-Minor BT712335 GTMD may intermittently crash under unusual conditions. 12.1.6, 13.1.4, 14.1.2.7
774257-2 5-Cosmetic BT774257 tmsh show gtm pool and tmsh show gtm wideip print duplicate object types 14.1.2.7, 15.1.0.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
904593-2 2-Critical BT904593 Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled 14.1.2.7, 15.1.0.5
868641-1 2-Critical BT868641 Possible TMM crash when disabling bot profile for the entire connection 14.1.2.7, 15.1.1
865461-3 2-Critical BT865461 BD crash on specific scenario 14.1.2.7, 15.1.0.5
843801-1 2-Critical BT843801 Like-named previous Signature Update installations block Live Update usage after upgrade 14.1.2.7, 15.1.1
813409-1 2-Critical BT813409 BD crash under certain circumstances 14.1.2.7
803813-2 2-Critical BT803813 TMM may experience high latency when processing WebSocket traffic 13.1.3.4, 14.1.2.7
903357-3 3-Major BT903357 Bot defense Profile list loads too slowly when there are 750 or more Virtual servers 14.1.2.7, 15.1.1, 16.0.1.1
900797-4 3-Major BT900797 Brute Force Protection (BFP) hash table entry cleanup 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
900793-2 3-Major K32055534, BT900793 APM Brute Force Protection resources do not scale automatically 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
900789-4 3-Major BT900789 Alert before Brute Force Protection (BFP) hash are fully utilized 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
898825-4 3-Major BT898825 Attack signatures are enforced on excluded headers under some conditions 14.1.2.7
898741-4 3-Major BT898741 Missing critical files causes FIPS-140 system to halt upon boot 14.1.2.7, 15.1.1
892653-2 3-Major BT892653 Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI 14.1.2.7, 15.1.0.5, 16.0.1
880789-1 3-Major BT880789 ASMConfig Handler undergoes frequent restarts 14.1.2.7, 15.1.0.5
880753-1 3-Major K38157961, BT880753 Possible issues when using DoSL7 and Bot Defense profile on the same virtual server 14.1.2.7, 15.0.1.4, 15.1.1
874753-1 3-Major   Filtering by Bot Categories on Bot Requests Log shows 0 events 14.1.2.7, 15.1.0.5
868721-3 3-Major BT868721 Transactions are held for a long time on specific server related conditions 14.1.2.7, 15.1.0.5
863609-2 3-Major BT863609 Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies 14.1.2.7, 15.1.0.5
850677-2 3-Major BT850677 Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy 14.1.2.7, 15.1.0.5
833685-3 3-Major BT833685 Idle async handlers can remain loaded for a long time doing nothing 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.5
809125-2 3-Major BT809125 CSRF false positive 12.1.5.1, 14.1.2.7, 15.1.0.5
802873-1 3-Major BT802873 Manual changes to policy imported as XML may introduce corruption for Login Pages 14.1.2.7, 15.1.4
799749-1 3-Major BT799749 Asm logrotate fails to rotate 14.1.2.7, 15.1.0.5
793149-3 3-Major BT793149 Adding the Strict-transport-Policy header to internal responses 12.1.5.1, 14.1.2.7
785529-1 3-Major BT785529 ASM unable to handle ICAP responses whose length is greater than 10K 11.6.5.2, 14.1.2.7
783165-3 3-Major BT783165 Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile 14.1.2.7, 15.1.0.5
772165-1 3-Major BT772165 Sync Failed due to Bot Defense profile not found. 14.1.2.7
759449-1 3-Major BT759449 Unable to modify the application language with 'Copy ASM Policy' 14.1.2.7
751430-1 3-Major BT751430 Unnecessary reporting of errors with complex denial-of-service policies 14.1.2.7
745324-1 3-Major BT745324 MCP crash or blocked for a long time when loading configuration 14.1.2.7
742549-2 3-Major BT742549 Cannot create non-ASCII entities in non-UTF ASM policy using REST 13.1.3.6, 14.1.2.7, 15.1.0.5
726401-1 3-Major BT726401 ASM cannot complete initial startup with modified management interface on VE 14.1.2.7
722337-1 3-Major BT722337 Always show violations in request log when post request is large 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1.1
640842-3 3-Major BT640842 ASM end user using mobile might be blocked when CSRF is enabled 14.1.2.7, 15.1.0.5
896285-4 4-Minor BT896285 No parent entity in suggestion to add predefined-filetype as allowed filetype 14.1.2.7, 15.1.2, 16.0.1.1
882769-3 4-Minor BT882769 Request Log: wrong filter applied when searching by Response contains or Response does not contain 13.1.3.5, 14.1.2.7, 15.1.2
852613-1 4-Minor   Connection Mirroring and ASM Policy not supported on the same virtual server 14.1.2.7


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
902485-2 3-Major BT902485 Incorrect pool member concurrent connection value 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
838685-2 3-Major BT838685 DoS report exists in per-widget but not under individual virtual 13.1.3.5, 14.1.2.7, 15.1.0.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
838861-2 2-Critical BT838861 TMM might crash once after upgrading SSL Orchestrator 14.1.2.7, 15.1.1
895313 3-Major BT895313 Enable manage config setting may fail after upgrade of AGC to version 7.0 on BIG-IP 14.1.0 or 14.1.2 14.1.2.7
831517-1 3-Major BT831517 TMM may crash when Network Access tunnel is used 14.1.2.7, 15.1.3
799149-2 3-Major BT799149 Authentication fails with empty password 13.1.3.2, 14.1.2.7
750631-2 3-Major BT750631 There may be a latency between session termination and deletion of its associated IP address mapping 13.1.3, 14.1.2.7
600985-1 3-Major BT600985 Network access tunnel data stalls 13.1.3, 14.1.2.7
719589-2 4-Minor BT719589 GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic 13.1.3.2, 14.1.2.7


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
814097-2 2-Critical BT814097 Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event. 11.6.5.2, 13.1.3.4, 14.1.2.7
898997-4 3-Major BT898997 GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes 14.1.2.7, 15.1.1, 16.0.1
842625-3 3-Major BT842625 SIP message routing remembers a 'no connection' failure state forever 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.2
825013-3 3-Major BT825013 GENERICMESSAGE::message's src and dst may get cleared in certain scenarios 14.1.2.7, 15.0.1.1, 15.1.0.2
815529-2 3-Major BT815529 MRF outbound messages are dropped in per-peer mode 13.1.3.4, 14.1.2.7
803809-2 3-Major BT803809 SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled. 13.1.3.4, 14.1.2.7, 15.1.0.2
782353-6 3-Major BT782353 SIP MRF via header shows TCP Transport when TLS is enabled 13.1.3.4, 14.1.2.7
754658-2 3-Major BT754658 Improved matching of response messages uses end-to-end ID 13.1.3.4, 14.1.2.7
754617-2 3-Major BT754617 iRule 'DIAMETER::avp read' command does not work with 'source' option 13.1.3.4, 14.1.2.7
746731-1 3-Major BT746731 BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set 13.1.3.4, 14.1.2.7
696348-3 3-Major BT696348 "GTP::ie insert" and "GTP::ie append" do not work without "-message" option 13.1.3.4, 14.1.2.7, 15.1.0.5
788513-2 4-Minor BT788513 Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
786981-3 4-Minor BT786981 Pending GTP iRule operation may be aborted when connection is expired 13.1.3.4, 14.1.2.7
793005-3 5-Cosmetic BT793005 'Current Sessions' statistic of MRF/Diameter pool may be incorrect 13.1.3.4, 14.1.2.7, 15.1.0.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
802421 2-Critical BT802421 The /var partition may become 100% full requiring manual intervention to clear space 14.1.2.7, 15.1.0.5
755721-1 3-Major BT755721 A UDP DNS packet may incorrectly match a BDoS signature if such a packet was queued up due to ingress shaper 14.1.2.7


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
753014-4 3-Major BT753014 PEM iRule action with RULE_INIT event fails to attach to PEM policy 12.1.5.3, 13.1.3.2, 14.1.2.7


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
888625-2 3-Major BT888625 CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks 14.1.2.7, 15.1.0.3
806825 3-Major BT806825 Align the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool 14.1.2.7
761517-1 4-Minor BT761517 nat64 and ltm pool conflict 14.1.2.7


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
787965-1 3-Major BT787965 URLCAT by URI does not work if it contains port number 14.1.2.7
754257-2 3-Major BT754257 URL lookup queries not working 12.1.5, 14.1.2.7



Cumulative fixes from BIG-IP v14.1.2.6 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
900757-4 CVE-2020-5902 K52145254, BT900757 TMUI RCE vulnerability CVE-2020-5902 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895525-4 CVE-2020-5902 K52145254, BT895525 TMUI RCE vulnerability CVE-2020-5902 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
909237-4 CVE-2020-8617 K05544642 CVE-2020-8617: BIND Vulnerability 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
909233-4 CVE-2020-8616 K97810133, BT909233 DNS Hardening 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
905905-3 CVE-2020-5904 K31301245, BT905905 TMUI CSRF vulnerability CVE-2020-5904 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895993-4 CVE-2020-5902 K52145254, BT895993 TMUI RCE vulnerability CVE-2020-5902 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895981-4 CVE-2020-5902 K52145254, BT895981 TMUI RCE vulnerability CVE-2020-5902 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895881-3 CVE-2020-5903 K43638305, BT895881 BIG-IP TMUI XSS vulnerability CVE-2020-5903 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
742628-3 3-Major BT742628 A tmsh session initiation adds increased control plane pressure 12.1.5.3, 13.1.3.4, 14.1.2.6, 14.1.4, 15.0.1.4, 15.1.0.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
897229 3-Major BT897229 TLS session ticket resumption SNI check 14.1.2.6



Cumulative fixes from BIG-IP v14.1.2.5 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
883717-3 CVE-2020-5914 K37466356, BT883717 BD crash on specific server cookie scenario 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
879025-4 CVE-2020-5913 K72752002, BT879025 When processing TLS traffic, LTM may not enforce certificate chain restrictions 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.0.2
866013 CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 K78234183, BT866013 Linux Kernel Vulnerabilities: CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 14.1.2.5
852445-3 CVE-2019-6477 K15840535, BT852445 Big-IP : CVE-2019-6477 BIND Vulnerability 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.5
838677-3 CVE-2019-10744 K47105354, BT838677 lodash library vulnerability CVE-2019-10744 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
837773-2 CVE-2020-5912 K12936322, BT837773 Restjavad Storage and Configuration Hardening 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
834257-3 CVE-2020-5931 K25400442, BT834257 TMM may crash when processing HTTP traffic 13.1.3.6, 14.1.2.5, 15.1.1
830401-3 CVE-2020-5877 K54200228, BT830401 TMM may crash while processing TCP traffic with iRules 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
819197-4 CVE-2019-13135 K20336394, BT819197 BIGIP: CVE-2019-13135 ImageMagick vulnerability 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
819189-3 CVE-2019-13136 K03512441, BT819189 BIGIP: CVE-2019-13136 ImageMagick vulnerability 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
814953-3 CVE-2020-5940 K43310520, BT814953 TMUI dashboard hardening 14.1.2.5, 15.1.1, 16.0.1
805837-2 CVE-2019-6657 K22441651, BT805837 REST does not follow current design best practices 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.5, 15.0.1.1
802261-2 CVE-2020-5875 K65372933, BT802261 TMM may crash while processing SSL traffic via an HTTP/2 full-proxy 14.1.2.5, 15.0.1.1
794561-1 CVE-2020-5874 K46901953, BT794561 TMM may crash while processing JWT/OpenID traffic. 13.1.4.1, 14.0.1.1, 14.1.2.5, 15.0.1.3
780601-2 CVE-2020-5873 K03585731, BT780601 SCP file transfer hardening 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.1.2.5, 15.0.1.1
769589-2 CVE-2019-6974 K11186236, BT769589 CVE-2019-6974: Linux Kernel Vulnerability 13.1.3.2, 14.1.2.5
767373-1 CVE-2019-8331 K24383845, BT767373 CVE-2019-8331: Bootstrap Vulnerability 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.4
762453-2 CVE-2020-5872 K63558580, BT762453 Hardware cryptography acceleration may fail 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.5
745377-1 CVE-2020-5871 K43450419, BT745377 TMM cores in certain scenarios with HTTP virtual server 14.1.2.5
739971 CVE-2018-5391 K74374841, BT739971 Linux kernel vulnerability: CVE-2018-5391 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.5
873469-1 CVE-2020-5889 K24415506, BT873469 APM Portal Access: Base URL may be set incorrectly 14.1.2.5, 15.0.1.3, 15.1.0.2
872673-3 CVE-2020-5918 K26464312, BT872673 TMM can crash when processing SCTP traffic 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
868349-3 CVE-2020-5935 K62830532, BT868349 TMM may crash while processing iRules with MQTT commands 13.1.3.4, 14.1.2.5, 15.1.1
864109-3 CVE-2020-5889 K24415506, BT864109 APM Portal Access: Base URL may be set incorrectly 14.1.2.5, 15.0.1.3, 15.1.0.2
859089-5 CVE-2020-5907 K00091341, BT859089 TMSH allows SFTP utility access 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4
858349-1 CVE-2020-5934 K44808538, BT858349 TMM may crash while processing SAML SLO traffic 14.1.2.5, 15.1.1
858025-3 CVE-2021-22984 K33440533, BT858025 BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
848405-4 CVE-2020-5933 K26244025, BT848405 TMM may consume excessive resources while processing compressed HTTP traffic 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.1
838881-3 CVE-2020-5853 K73183618, BT838881 APM Portal Access Vulnerability: CVE-2020-5853 11.6.5.2, 12.1.5.2, 14.1.2.5, 15.0.1.3, 15.1.0.2
837837-3 CVE-2020-5917 K43404629, BT837837 F5 SSH server key size vulnerability CVE-2020-5917 12.1.5.2, 14.1.2.5, 15.0.1.4, 15.1.0.5
832021-1 CVE-2020-5888 K73274382, BT832021 Port lockdown settings may not be enforced as configured 14.1.2.5, 15.0.1.3, 15.1.0.2
832017-1 CVE-2020-5887 K10251014, BT832017 Port lockdown settings may not be enforced as configured 14.1.2.5, 15.0.1.3, 15.1.0.2
829121-3 CVE-2020-5886 K65720640, BT829121 State mirroring default does not require TLS 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2
829117-3 CVE-2020-5885 K17663061, BT829117 State mirroring default does not require TLS 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2
811789-2 CVE-2020-5915 K57214921, BT811789 Device trust UI hardening 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
810537-2 CVE-2020-5883 K12234501, BT810537 TMM may consume excessive resources while processing iRules 13.1.3.2, 14.0.1.1, 14.1.2.5, 15.0.1.1
805557-2 CVE-2020-5882 K43815022, BT805557 TMM may crash while processing crypto data 12.1.5.1, 14.1.2.5
789921-2 CVE-2020-5881 K03386032, BT789921 TMM may restart while processing VLAN traffic 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
775833-2 CVE-2020-5880 K94325657, BT775833 Administrative file transfer may lead to excessive resource consumption 14.1.2.5, 15.0.1.4
887637-1 CVE-2019-3815 K22040951, BT887637 Systemd-journald Vulnerability: CVE-2019-3815 14.1.2.5, 15.0.1.4, 15.1.1
868097-1 CVE-2020-5891 K58494243, BT868097 TMM may crash while processing HTTP/2 traffic 14.1.2.5, 15.0.1.3, 15.1.0.2
823893-2 CVE-2020-5890 K03318649, BT823893 Qkview may fail to completely sanitize LDAP bind credentials 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
748122-1 CVE-2018-15333 K53620021, BT748122 BIG-IP Vulnerability CVE-2018-15333 14.1.2.5, 15.0.1.4, 15.1.0.5
746091-1 CVE-2019-19151 K21711352, BT746091 TMSH Vulnerability: CVE-2019-19151 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
760723-2 CVE-2015-4037 K64765350, BT760723 Qemu Vulnerability 12.1.5.2, 14.1.2.5, 15.0.1.4


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
870389-1 3-Major BT870389 Increase size of /var logical volume to 1.5 GiB for LTM-only VE images 14.1.2.5, 15.1.0.2
858229-3 3-Major K22493037, BT858229 XML with sensitive data gets to the ICAP server 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
738330-3 3-Major BT738330 /mgmt/toc endpoint issue after configuring remote authentication 13.1.3.5, 14.1.2.5, 15.0.1.4


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
819009-3 2-Critical BT819009 Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in high availability (HA) config with Floating Self IP configured for PIM protocol. 14.1.2.5
792285-2 2-Critical BT792285 TMM crashes if the queuing message to all HSL pool members fails 13.1.3.4, 14.1.2.5
777993-2 2-Critical BT777993 Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same 14.1.2.5
775897-1 2-Critical BT775897 High Availability failover restarts tmipsecd when tmm connections are closed 14.1.2.5
769169-3 2-Critical BT769169 BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring 13.1.3.6, 14.0.0.5, 14.1.2.5
767689-1 2-Critical BT767689 F5optics_install using different versions of RPM 14.1.2.5
749388-3 2-Critical BT749388 'table delete' iRule command can cause TMM to crash 12.1.5.2, 13.1.3.2, 14.1.2.5
748205-3 2-Critical BT748205 SSD bay identification incorrect for RAID drive replacement 12.1.5, 13.1.3, 14.1.2.5
699515-2 2-Critical   nsm cores during update of nexthop for ECMP recursive route 13.1.1.5, 14.1.2.5
882557-4 3-Major BT882557 TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher) 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4
873877 3-Major BT873877 Kernel page allocation failure seen on VIPRION blades 14.1.2.5
866925-3 3-Major BT866925 The TMM pages used and available can be viewed in the F5 system stats MIB 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
852001-3 3-Major BT852001 High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously 14.1.2.5, 15.0.1.3, 15.1.0.2
849405-1 3-Major BT849405 LTM v14.1.2.1 does not log after upgrade 14.1.2.5, 15.1.0.5
842125-4 3-Major BT842125 Unable to reconnect outgoing SCTP connections that have previously aborted 13.1.3.4, 14.1.2.5, 15.1.0.5
812981-4 3-Major BT812981 MCPD: memory leak on standby BIG-IP device 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
810957-2 3-Major BT810957 Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core 12.1.5.3, 14.1.2.5, 15.0.1.4
802281-1 3-Major BT802281 Gossip shows active even when devices are missing 13.1.3.5, 14.1.2.5, 15.1.0.2
800185-4 3-Major BT800185 Saving a large encrypted UCS archive may fail and might trigger failover 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4
795685-2 3-Major BT795685 Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer 14.1.2.5
772117-3 3-Major BT772117 Overwriting FIPS keys from the high availability (HA) peer with older config leads to abandoned key on FIPS card 14.1.2.5
762073-2 3-Major BT762073 Continuous TMM restarts when HSB drops off the PCI bus 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4
759735-2 3-Major BT759735 OSPF ASE route calculation for new external-LSA delayed 13.1.3.2, 14.1.2.5
759172-1 3-Major BT759172 Read Access Denied: user (gu, guest) type (Certificate Order Manager) 14.1.2.5
758387-2 3-Major BT758387 BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it 14.0.0.5, 14.1.2.5, 15.0.1.3
751573-1 3-Major BT751573 Updates to HSL pool members may not take effect 14.1.2.5
749785-2 3-Major BT749785 nsm can become unresponsive when processing recursive routes 12.1.5.3, 13.1.3, 14.1.2.5
749690-1 3-Major BT749690 MOS_Image2Disk_Installation- kjournald service error 14.1.2.5
746861-1 3-Major BT746861 SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated 14.1.2.5, 15.1.4
641450-7 3-Major K30053855, BT641450 A transaction that deletes and recreates a virtual may result in an invalid configuration 12.1.5.1, 13.1.3.4, 14.1.2.5
755317-1 4-Minor BT755317 /var/log logical volume may run out of space due to agetty error message in /var/log/secure 14.1.2.5, 15.1.0.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
715032-2 1-Blocking K73302459, BT715032 iRulesLX Hardening 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
860881-1 2-Critical BT860881 TMM can crash when handling a compressed response from HTTP server 14.1.2.5, 15.0.1.3, 15.1.0.2
853329-4 2-Critical BT853329 HTTP explicit proxy can crash TMM when used with classification profile 11.6.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3
839401-3 2-Critical BT839401 Moving a virtual-address from one floating traffic-group to another does not send GARPs out. 14.1.2.5, 15.0.1.4, 15.1.0.2
831325-2 2-Critical K10701310, BT831325 HTTP PSM detects more issues with Transfer-Encoding headers 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.1
799649-2 2-Critical BT799649 TMM crash 14.1.2.5
757391-2 2-Critical BT757391 Datagroup iRule command class can lead to memory corruption 12.1.5, 13.1.3, 14.1.2.5
755134-1 2-Critical BT755134 HTTP/2 connections may leak memory if server-side connection not established 14.1.2.5
868889 3-Major BT868889 BIG-IP may reset a stream with an empty DATA frame as END_STREAM 14.1.2.5
853613-2 3-Major BT853613 Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp 14.1.2.5, 15.0.1.3, 15.1.0.2
851789-3 3-Major BT851789 SSL monitors flap with client certs with private key stored in FIPS 12.1.5.3, 14.1.2.5, 15.1.1
847325-1 3-Major BT847325 Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior. 14.1.2.5, 15.0.1.3, 15.1.0.2
843105-1 3-Major BT843105 Adding multicast stats for multicast bridging over L2 wire transparent VLAN-group (LACP STP LLDP) 14.1.2.5
809729-2 3-Major BT809729 When HTTP/2 stream is reset by a client, BIG-IP may not respond properly 14.1.2.5, 15.0.1.1
795261-2 3-Major BT795261 LTM policy does not properly evaluate condition when an operand is missing 14.1.2.5, 15.0.1.1
788741-2 3-Major BT788741 TMM cores in the MQTT proxy under rare conditions 14.1.2.5
777269-1 3-Major BT777269 Gratuitous ARP may be sent for self IPs from incorrect MAC address at startup 14.1.2.5
770477-2 3-Major BT770477 SSL aborted when client_hello includes both renegotiation info extension and SCSV 12.1.5.3, 13.1.3.2, 14.1.2.5
761030-2 3-Major BT761030 tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route 13.1.3.2, 14.1.2.5
758631-4 3-Major BT758631 ec_point_formats extension might be included in the server hello even if not specified in the client hello 12.1.5, 13.1.3.5, 14.0.1.1, 14.1.2.5
757827-1 3-Major BT757827 Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution 13.1.3.2, 14.1.2.5, 15.0.1.3
755997-2 3-Major BT755997 Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address 12.1.5.3, 14.1.2.5
755727-2 3-Major BT755727 Ephemeral pool members not created after DNS flap and address record changes 12.1.5.2, 13.1.3.2, 14.1.2.5, 15.0.1.3
755213-1 3-Major BT755213 TMM cores in certain scenarios with HTTP/2 virtual server 14.1.2.5
751052-1 3-Major BT751052 HTTP iRule event HTTP_REJECT broken 14.1.2.5
746078-1 3-Major BT746078 Upgrades break existing iRulesLX workspaces that use node version 6 14.1.2.5
745923-2 3-Major BT745923 Connection flow collision can cause packets to be sent with source and/or destination port 0 13.1.3.5, 14.1.2.5, 15.0.1.4
743257-3 3-Major BT743257 Fix block size insecurity init and assign 13.1.3.2, 14.0.0.5, 14.1.2.5
705112-4 3-Major BT705112 DHCP server flows are not re-established after expiration 11.5.9, 12.1.4.1, 13.1.3, 14.1.2.5, 15.1.0.2
636842-2 3-Major K51472519, BT636842 A FastL4 virtual server may drop a FIN packet when mirroring is enabled 12.1.5.1, 13.1.3.2, 14.1.2.5
601189-4 3-Major BT601189 The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode 12.1.5.1, 13.1.3.2, 14.1.2.5
599567-4 3-Major BT599567 APM assumes SNAT automap, does not use SNAT pool 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.2.5
859113-3 4-Minor BT859113 Using "reject" iRules command inside "after" may cause core 14.1.2.5, 15.1.0.2
852373-2 4-Minor BT852373 HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error 14.1.2.5, 15.0.1.4, 15.1.1
839245-1 4-Minor BT839245 IPother profile with SNAT sets egress TTL to 255 14.1.2.5, 15.1.0.2
830833-2 4-Minor BT830833 HTTP PSM blocking resets should have better log messages 13.1.4.1, 14.1.2.5, 15.0.1.1
760683-1 4-Minor BT760683 RST from non-floating self-ip may use floating self-ip source mac-address 13.1.3.2, 14.1.2.5
757777-3 4-Minor BT757777 bigtcp does not issue a RST in all circumstances 14.1.2.5
746077-4 4-Minor BT746077 If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified 12.1.5.3, 13.1.1.5, 14.1.2.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
807177-2 2-Critical BT807177 HTTPS monitoring is not caching SSL sessions correctly 13.1.3.4, 14.1.2.5
704198-4 2-Critical K29403988, BT704198 Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance 12.1.5.2, 13.1.3.4, 14.1.2.5
802961-2 3-Major BT802961 The 'any-available' prober selection is not as random as in earlier versions 13.1.3.4, 14.1.2.5
772233-4 3-Major BT772233 IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV. 13.1.3.2, 14.1.2.5, 15.0.1.3
754901-1 3-Major BT754901 Frequent zone update notifications may cause TMM to restart 13.1.3, 14.1.2.5
750213-4 3-Major K25351434, BT750213 DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records. 12.1.5, 13.1.3, 14.1.2.5
744280-2 4-Minor BT744280 Enabling or disabling a Distributed Application results in a small memory leak 13.1.3.4, 14.0.0.5, 14.1.2.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
852437-1 2-Critical K25037027, BT852437 Overly aggressive file cleanup causes failed ASU installation 14.1.2.5, 15.1.0.2
882377-1 3-Major BT882377 ASM Application Security Editor Role User can update/install ASU 14.1.2.5, 15.1.4.1
871905-1 3-Major K02705117, BT871905 Incorrect masking of parameters in event log 14.1.2.5, 15.0.1.4, 15.1.0.5
854177-3 3-Major BT854177 ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.1.0.5
850673-3 3-Major BT850673 BD sends bad ACKs to the bd_agent for configuration 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
681010-3 3-Major K33572148, BT681010 'Referer' is not masked when 'Query String' contains sensitive parameter 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
838709-1 2-Critical BT838709 Enabling DoS stats also enables page-load-time 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
828937-3 2-Critical K45725467, BT828937 Some systems can experience periodic high IO wait due to AVR data aggregation 13.1.3.4, 14.1.2.5, 15.1.0.5
870957-1 3-Major   "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
863161-3 3-Major BT863161 Scheduled reports are sent via TLS even if configured as non encrypted 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
835381-1 3-Major BT835381 HTTP custom analytics profile 'not found' when default profile is modified 14.1.2.5, 15.0.1.3, 15.1.0.2
830073-3 3-Major BT830073 AVRD may core when restarting due to data collection device connection timeout 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
817649-2 3-Major BT817649 AVR statistics for NAT cannot be shown on multi-bladed machine 14.1.2.5, 15.0.1.3
865053-1 4-Minor BT865053 AVRD core due to a try to load vip lookup when AVRD is down 14.1.2.5, 15.0.1.3, 15.1.0.2
863069-3 4-Minor BT863069 Avrmail timeout is too small 14.1.2.5, 15.0.1.3, 15.1.0.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
879401-3 2-Critical K90423190, BT879401 Memory corruption during APM SAML SSO 14.1.2.5, 15.1.3
871761-4 2-Critical BT871761 Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
788593-2 2-Critical K43404365, BT788593 APM logs may contain additional data 14.1.2.5, 15.0.1.3
884797-2 3-Major BT884797 Portal Access: in some cases data is not delivered via WebSocket connection 14.1.2.5, 15.1.0.5
866685-3 3-Major BT866685 Empty HSTS headers when HSTS mode for HTTP profile is disabled 14.1.2.5, 15.0.1.3, 15.1.0.2
866161-3 3-Major BT866161 Client port reuse causes RST when the security service attempts server connection reuse. 14.1.2.5, 15.0.1.3, 15.1.0.2
852313-2 3-Major BT852313 VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured 14.1.2.5, 15.0.1.3, 15.1.0.2
832569-2 3-Major BT832569 APM end-user connection reset 14.1.2.5, 15.0.1.3, 15.1.0.2
831781-5 3-Major BT831781 AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode 14.1.2.5, 15.0.1.3, 15.1.0.2
798261-2 3-Major BT798261 APMD fails to create session variables if spanning is enabled on SWG transparent virtual server 13.1.3.2, 14.1.2.5, 15.0.1.3
771905-2 3-Major BT771905 JWT token rejected due to unknown JOSE header parameters 14.1.2.5
768025-4 3-Major BT768025 SAML requests/responses fail with "failed to find certificate" 13.1.3.2, 14.1.2.5, 15.0.1.3
749036-2 3-Major BT749036 Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM 14.1.2.5
747725-3 3-Major BT747725 Kerberos Auth agent may override settings that were manually made to krb5.conf 12.1.4.1, 13.1.3, 14.1.2.5
747624-2 3-Major BT747624 RADIUS Authentication over RSA SecureID is not working in challenge mode 14.1.2.5


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
811105-1 2-Critical BT811105 MRF SIP-ALG drops SIP 183 and 200 OK messages 13.1.3.4, 14.1.2.5, 15.0.1.4
781725-2 2-Critical BT781725 BIG-IP systems might not complete a short ICAP request with a body beyond the preview 14.1.2.5
882273 3-Major BT882273 MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage grow 13.1.3.4, 14.1.2.5
876077-3 3-Major BT876077 MRF DIAMETER: stale pending retransmission entries may not be cleaned up 14.1.2.5, 15.0.1.4, 15.1.0.5
868381-3 3-Major BT868381 MRF DIAMETER: Retransmission queue unable to delete stale entries 14.1.2.5, 15.0.1.4, 15.1.0.5
866021-3 3-Major BT866021 Diameter Mirror connection lost on the standby due to "process ingress error" 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
853545-3 3-Major BT853545 MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event 14.1.2.5, 15.1.0.2
824149-3 3-Major BT824149 SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
815877-1 3-Major BT815877 Information Elements with zero-length value are rejected by the GTP parser 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.0.1.4, 15.1.0.5
811033-2 3-Major BT811033 MRF: BiDirectional persistence does not work in reverse direction if different transport protocols are used 13.1.3.4, 14.1.2.5
788093 3-Major BT788093 MRF iRule command MR::restore with no argument causes tmm to crash 14.1.2.5
859721-3 4-Minor BT859721 Using GENERICMESSAGE create together with reject inside periodic after may cause core 14.1.2.5, 15.1.0.2
836357-3 4-Minor BT836357 SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
788005-2 4-Minor BT788005 Bypass MRF SIP LB restriction of conversion from reliable transport (TCP) to unreliable transport (UDP) 14.1.2.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
778869-3 2-Critical K72423000, BT778869 ACLs and other AFM features (e.g., IPI) may not function as designed 13.1.3.2, 14.0.1.1, 14.1.2.5
751292-1 2-Critical BT751292 mcpd core after changing parent netflow to use version9 14.1.2.5
852289-2 3-Major K23278332, BT852289 DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector 13.1.3.4, 14.1.2.5, 15.1.1
771173-3 3-Major BT771173 FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly. 13.1.3, 14.1.2.5, 15.0.1.3


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
857725 3-Major BT857725 Anti-Fraud/DataSafe Logging Settings page not found 14.1.2.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
761199-1 2-Critical BT761199 Wr_urldbd might crash while system is in a restarting loop. 14.1.2.5
816529-2 3-Major BT816529 If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart. 12.1.5.2, 14.1.2.5


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
839597-4 3-Major BT839597 Restjavad fails to start if provision.extramb has a large value 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
815649-1 3-Major BT815649 Named.config entry getting overwritten on SSL Orchestrator deployment 14.1.2.5, 15.0.1.3


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
852557-1 2-Critical BT852557 Tmm core while using service chaining for SSL Orchestrator 14.1.2.5, 15.0.1.3, 15.1.0.2
759191-1 2-Critical BT759191 While using explicit or transparent http type service on SSL Orchestrator, TMM cores. 14.1.2.5
864329-1 3-Major BT864329 Client port reuse causes RST when the backend server-side connection is open 14.1.2.5, 15.0.1.3, 15.1.0.2
852481-1 3-Major BT852481 Failure to check virtual-server context when closing server-side connection 14.1.2.5, 15.0.1.3, 15.1.0.2
852477-1 3-Major BT852477 Tmm core when SSL Orchestrator is enabled 14.1.2.5, 15.0.1.3, 15.1.0.2
886713-3 4-Minor BT886713 Error log seen in case of SSL Orchestrator configured with http service during connection close. 14.1.2.5, 15.1.0.5



Cumulative fixes from BIG-IP v14.1.2.4 that are included in this release


Functional Change Fixes

None


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
867413-2 2-Critical BT867413 The allow-only-in-enterprise LAN feature on Mac OS not working after reboot 14.1.2.4



Cumulative fixes from BIG-IP v14.1.2.3 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
849761-1 CVE-2019-6675 K55655944, BT849761 CVE-2019-6675: LDAP vulnerability 14.1.2.3, 15.1.0
846365-3 CVE-2020-5878 K35750231, BT846365 TMM may crash while processing IP traffic 14.1.2.3, 15.0.1.2, 15.1.0.2
818709-2 CVE-2020-5858 K36814487, BT818709 TMSH does not follow current best practices 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.4
818429-4 CVE-2020-5857 K70275209, BT818429 TMM may crash while processing HTTP traffic 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1
808301-2 CVE-2019-6678 K04897373, BT808301 TMM may crash while processing IP traffic 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1
757357-3 CVE-2019-6676 K92002212, BT757357 TMM may crash while processing traffic 13.1.3.2, 14.1.2.3, 15.0.1.1
782529-2 CVE-2019-6685 K30215839, BT782529 iRules does not follow current design best practices 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.3
761144-4 CVE-2019-6684 K95117754, BT761144 Broadcast frames may be dropped 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.3
761112-3 CVE-2019-6683 K76328112, BT761112 TMM may consume excessive resources when processing FastL4 traffic 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.0.1.1, 14.1.2.3, 15.0.1.4
725551-2 CVE-2019-6682 K40452417, BT725551 ASM may consume excessive resources 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.4
846157-3 CVE-2020-5862 K01054113, BT846157 TMM may crash while processing traffic on AWS 14.1.2.3, 15.0.1.2, 15.1.0.2
817917-1 CVE-2020-5856 K00025388, BT817917 TMM may crash when sending TCP packets 14.1.2.3, 15.0.1.2
789893-2 CVE-2019-6679 K54336216, BT789893 SCP file transfer hardening 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1
749324-1 CVE-2012-6708 K62532311, BT749324 jQuery Vulnerability: CVE-2012-6708 12.1.5.2, 13.1.3.2, 14.1.2.3
738236-7 CVE-2019-6688 K25607522, BT738236 UCS does not follow current best practices 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.3


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
819397-1 1-Blocking K50375550, BT819397 TMM does not enforce RFC compliance when processing HTTP traffic 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.1
769193-5 3-Major BT769193 Added support for faster congestion window increase in slow-start for stretch ACKs 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.3
760234-1 4-Minor BT760234 Configuring Advanced shell for Resource Administrator User has no effect 12.1.5.3, 14.1.2.3, 15.0.1.4


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
806093-1 2-Critical BT806093 Unwanted LDAP referrals slow or prevent administrative login 14.1.2.3, 15.0.1.1
789169-2 2-Critical BT789169 Unable to create virtual servers with port-lists from the GUI 14.1.2.3, 15.0.1.4
780817-5 2-Critical BT780817 TMM can crash on certain vCMP hosts after modifications to VLANs and guests. 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1
762385 2-Critical BT762385 Wrong remote-role assigned using LDAP authentication after upgrade to 14.1.x and later 14.1.2.3
762205-2 2-Critical BT762205 IKEv2 rekey fails to recognize VENDOR_ID payload when it appears 13.1.3.4, 14.1.2.3, 15.0.1.4
809205 3-Major   CVE-2019-3855: libssh2 Vulnerability 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1, 15.1.3, 16.0.1.2
794501-2 3-Major BT794501 Duplicate if_indexes and OIDs between interfaces and tunnels 12.1.5.3, 13.1.3.2, 14.1.2.3, 15.0.1.1
785741-1 3-Major K19131357, BT785741 Unable to login using LDAP with 'user-template' configuration 14.1.2.3, 15.0.1.4, 15.1.0.5
778125-1 3-Major BT778125 LDAP remote authentication passwords are limited to fewer than 64 bytes 14.1.2.3, 15.0.1.4
760439-4 3-Major BT760439 After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1
760259-3 3-Major BT760259 Qkview silently fails to capture qkviews from other blades 14.1.2.3
759654-1 3-Major BT759654 LDAP remote authentication with remote roles and user-template failing 14.1.2.3, 15.0.1.4
759499-2 3-Major BT759499 Upgrade from version 12.1.x to version 13.1.x and later failing with error 14.1.2.3, 15.0.1.1
758781-3 3-Major BT758781 iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates 13.1.3.2, 14.1.2.3, 15.0.1.1
758527-2 3-Major K39604784, BT758527 BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.0.5, 14.1.2.3, 15.0.1.3
757519-1 3-Major K92525101, BT757519 Unable to logon using LDAP authentication with a user-template 14.1.2.3, 15.0.1.4
756450-1 3-Major BT756450 Traffic using route entry that's more specific than existing blackhole route can cause core 11.6.5.1, 12.1.5, 13.1.3, 14.1.2.3
754691-1 3-Major BT754691 During failover, an OSPF routing daemon may crash. 14.1.2.3, 15.0.1.4
750318-3 3-Major BT750318 HTTPS monitor does not appear to be using cert from server-ssl profile 13.1.1.5, 14.1.2.3
746266-3 3-Major BT746266 A vCMP guest VLAN MAC mismatch across blades. 12.1.5, 13.1.3, 14.1.2.3
738943-3 3-Major BT738943 imish command hangs when ospfd is enabled 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1
705037-7 3-Major K32332000, BT705037 System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart 12.1.4, 13.1.3, 14.0.1.1, 14.1.2.3


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
816273-2 1-Blocking BT816273 L7 Policies may execute CONTAINS operands incorrectly. 13.1.3.4, 14.1.2.3, 15.0.1.1
826601-5 2-Critical BT826601 Prevent receive window shrinkage for looped flows that use a SYN cookie 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.3
817417-1 2-Critical BT817417 Blade software installation stalled at Waiting for product image 14.1.2.3, 15.0.1.4
816625-1 2-Critical BT816625 The TMM may crash in a rare scenario involving HTTP unchunking, and plugins. 14.1.2.3, 15.0.1.1
800369-2 2-Critical BT800369 The fix for ID 770797 may cause a TMM crash 14.1.2.3, 15.0.1.1
800305-2 2-Critical BT800305 VDI::cmp_redirect generates flow with random client port 13.1.3.2, 14.1.2.3, 15.0.1.1
791057-1 2-Critical BT791057 MCP may crash when traffic matching criteria is updated 14.1.2.3, 15.0.1.3
770797-1 2-Critical BT770797 HTTP2 streams may get stuck in rare situations 14.1.2.3
836661 3-Major BT836661 Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet. 14.1.2.3, 15.1.0.2
834373-3 3-Major BT834373 Possible handshake failure with TLS 1.3 early data 14.1.2.3, 15.0.1.1
830797-2 3-Major BT830797 Standby high availability (HA) device passes traffic through virtual wire 14.1.2.3, 15.0.1.1, 15.1.1
815449-2 3-Major BT815449 BIG-IP closes connection when an unsized response is served to a HEAD request 14.1.2.3, 15.0.1.1
814761-2 3-Major BT814761 PostgreSQL monitor fails on second ping with count != 1 12.1.5.3, 13.1.3.6, 14.1.2.3, 15.0.1.3
797977-1 3-Major BT797977 Self-IP traffic does not preserve the TTL from the Linux host 14.1.2.3, 15.0.1.4
789365-1 3-Major BT789365 pkcs11d CPU usage increases after running nethsm self validation test 14.1.2.3
772545-3 3-Major BT772545 Tmm core in SSLO environment 13.1.3.6, 14.1.2.3, 15.0.1.1
765517-1 3-Major BT765517 Traffic Match Criteria validation fails when create Virtual server with address list with overlapping address space but a different ingress VLAN 14.1.2.3, 15.0.1.4
761185-2 3-Major K50375550, BT761185 Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.1
760771-1 3-Major BT760771 FastL4-steered traffic might cause SSL resume handshake delay 13.1.3, 14.1.2.3
758992-2 3-Major BT758992 The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address 13.1.3.2, 14.1.2.3, 15.0.1.3
758872-3 3-Major BT758872 TMM memory leak 12.1.5, 13.1.3.4, 14.1.2.3
758655-1 3-Major BT758655 TMC does not allow inline addresses with non-zero Route-domain. 14.1.2.3
753514-3 3-Major BT753514 Large configurations containing LTM Policies load slowly 13.1.3, 14.0.1.1, 14.1.2.3
749689-2 3-Major BT749689 HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart 13.1.1.5, 14.1.2.3
726176-2 3-Major BT726176 Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve 13.1.3.2, 14.1.2.3, 15.0.1.1
712919-2 3-Major K54802336, BT712919 Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server. 13.1.3, 14.0.1.1, 14.1.2.3
687887-3 3-Major BT687887 Unexpected result from multiple changes to a monitor-related object in a single transaction 12.1.5.3, 13.1.3.2, 14.1.2.3
824365-3 4-Minor BT824365 Need informative messages for HTTP iRule runtime validation errors 13.1.3.6, 14.1.2.3, 15.0.1.1, 15.1.0.2
806085-2 4-Minor BT806085 In-TMM MQTT monitor is not working as expected 14.1.2.3, 15.0.1.1
791337-1 4-Minor BT791337 Traffic matching criteria fails when using shared port-list with virtual servers 14.1.2.3
769309-2 4-Minor BT769309 DB monitor reconnects to server on every probe when count = 0 12.1.5.3, 13.1.3.2, 14.1.2.3, 15.0.1.1
754003-3 4-Minor K73202036, BT754003 Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate 13.1.3.2, 14.1.2.3, 15.0.1.3
747628-1 4-Minor BT747628 BIG-IP sends spurious ICMP PMTU message to server 13.1.3.2, 14.1.2.3, 15.0.1.1
744210-2 4-Minor BT744210 DHCPv6 does not have the ability to override the hop limit from the client. 13.1.3.2, 14.1.2.3


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
776133-1 2-Critical BT776133 RSS hash is not used on VE resulting in performance impact on non-SR-IOV devices 14.1.2.3


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
761032-2 3-Major K36328238, BT761032 TMSH displays TSIG keys 13.1.3.2, 14.0.1.1, 14.1.2.3
760471-3 3-Major BT760471 GTM iQuery connections may be reset during SSL key renegotiation. 12.1.5.2, 13.1.3.5, 14.1.2.3, 15.0.1.4, 15.1.0.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
813945-3 2-Critical BT813945 PB core dump while processing many entities 13.1.3.2, 14.1.2.3
813389-1 2-Critical BT813389 TMM Crashes upon failure in Bot Defense Client-Side code 14.1.2.3
791669 2-Critical BT791669 TMM might crash when Bot Defense is configured for multiple domains 14.1.2.3, 15.1.4, 16.0.1.2
790349-2 2-Critical BT790349 merged crash with a core file 14.1.2.3
756108-1 2-Critical BT756108 BD crash on specific cases 14.1.2.3
754109-1 2-Critical BT754109 ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive 13.1.3.4, 14.1.2.3
832857 3-Major BT832857 Support ID on AJAX CAPTCHA popup (SPA) does not match the Support ID in log 14.1.2.3
832205 3-Major BT832205 ASU cannot be completed after Signature Systems database corruption following binary Policy import 12.1.5.1, 14.1.2.3
831661-2 3-Major BT831661 ASMConfig Handler undergoes frequent restarts 12.1.5.1, 14.1.2.3
824101-1 3-Major BT824101 Request Log export file is not visible for requests including binary data 14.1.2.3
824037-2 3-Major BT824037 Bot Defense whitelists do not apply for IP 'Any' when using route domains 14.1.2.3
812341-2 3-Major BT812341 Patch or Delete commands take a long time to complete when modifying an ASM signature set. 13.1.3.2, 14.1.2.3
805353-1 3-Major BT805353 ASM reporting for WebSocket frames has empty username field 14.1.2.3
800453-3 3-Major K72252057, BT800453 False positive virus violations 13.1.3.2, 14.1.2.3, 15.0.1.3
793017-1 3-Major BT793017 Files left behind by failed Attack Signature updates are not cleaned 14.1.2.3, 15.1.0.2
786913-2 3-Major BT786913 Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7 14.1.2.3
783513-2 3-Major BT783513 ASU is very slow on device with hundreds of policies due to logging profile handling 13.1.3.2, 14.1.2.3
781021-2 3-Major BT781021 ASM modifies cookie header causing it to be non-compliant with RFC6265 14.1.2.3
778681-2 3-Major BT778681 Factory-included Bot Signature update file cannot be installed without subscription 14.1.2.3, 15.0.1.1
754841-1 3-Major BT754841 Policy updates stall and never complete 14.1.2.3
754425-1 3-Major BT754425 Exported requests cannot be opened in Internet Explorer or Edge browser 14.1.2.3
739618-2 3-Major BT739618 When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy 13.1.3.2, 14.1.2.3, 15.1.0.2
734228 3-Major BT734228 False-positive illegal-length violation can appear 13.1.1.4, 14.0.1.1, 14.1.2.3
795769-3 4-Minor BT795769 Incorrect value of Systems in system-supplied signature sets 14.1.2.3, 15.0.1.1
789817-1 4-Minor BT789817 In rare conditions info fly-out not shown 14.1.2.3, 15.0.1.4
760462-1 4-Minor BT760462 Live update notification is shown only for provisioned/licensed modules 14.1.2.3
758459-1 4-Minor BT758459 Cross origin AJAX requests are blocked Cross-Origin Resource Sharing (CORS) protection 14.1.2.3
620301-1 4-Minor BT620301 Policy import fails due to missing signature System in associated Signature Set 12.1.5.1, 14.1.2.3


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
781581-3 3-Major BT781581 Monpd uses excessive memory on requests for network_log data 13.1.3.2, 14.1.2.3, 15.0.1.3


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
757782-1 2-Critical BT757782 OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default 14.0.1.1, 14.1.2.3
825805-1 3-Major BT825805 NTLM Auth may fail due to incorrect handling of EPM response 14.1.2.3, 15.0.1.3
766577-2 3-Major BT766577 APMD fails to send response to client and it already closed connection. 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1
756363-1 3-Major BT756363 SSLO or SWG connections using proxy chaining to Explicit Proxy can get reset 14.1.2.3
741222-2 3-Major BT741222 Install epsec1.0.0 into software partition. 14.1.2.3, 15.0.1.3
643935-4 3-Major BT643935 Rewriting may cause an infinite loop while processing some objects 13.1.3.2, 14.0.1.1, 14.1.2.3


WebAccelerator Fixes

ID Number Severity Links to More Info Description Fixed Versions
833213-3 3-Major BT833213 Conditional requests are served incorrectly with AAM policy in webacceleration profile 13.1.3.4, 14.1.2.3, 15.0.1.3, 15.1.3


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
802865-1 3-Major BT802865 The iControl REST query request returning empty list for DoS Protected Objects 14.1.2.3
761345-3 3-Major BT761345 Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode 13.1.3.2, 14.1.2.3
738284-2 3-Major BT738284 Creating or deleting rule list results in warning message: Schema object encode failed 13.1.3.2, 14.1.2.3, 15.0.1.1


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
821133-2 3-Major BT821133 Wrong wildcard URL matching when none of the configured URLS include QS 14.0.1.1, 14.1.2.3, 15.0.1.1


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
748813-3 2-Critical BT748813 tmm cores under stress test on virtual server with DoS profile with admd enabled 13.1.1.4, 14.0.0.5, 14.1.2.3
767045-2 3-Major BT767045 TMM cores while applying policy 13.1.3.2, 14.1.2.3


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
787845 4-Minor BT787845 Tmsh command 'show running-config' fails when Protocol Inspection is not licensed. 14.1.2.3


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
777241-2 3-Major BT777241 smtps partial_conncount issues and unexpected resets 14.1.2.3



Cumulative fixes from BIG-IP v14.1.2.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
741163-3 CVE-2018-3693 K54252492, BT741163 RHEL7: Kernel CVE-2018-3693 14.1.2.2
740755-6 CVE-2018-3620 K95275140, BT740755 Kernel vulnerability: CVE-2018-3620 14.1.2.2
721319-1 CVE-2018-3639 K29146534, BT721319 CVE-2018-3639 14.1.2.2


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
815689-3 3-Major BT815689 Azure walinuxagent has been updated to v2.2.42. 14.1.2.2
760574 3-Major BT760574 Updating BIG-IP 14.1.x Linux kernel to RHEL7.5 14.1.2.2
760468 3-Major BT760468 Route domains cause diskmonitor errors in logs 14.1.2.2



Cumulative fixes from BIG-IP v14.1.2.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
795437-4 CVE-2019-6677 K06747393, BT795437 Improve handling of TCP traffic for iRules 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
795197-1 CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 K26618426, BT795197 Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
781377-2 CVE-2019-6681 K93417064, BT781377 tmrouted may crash while processing Multicast Forwarding Cache messages 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4
778077-3 CVE-2019-6680 K53183580, BT778077 Virtual to virtual chain can cause TMM to crash 11.6.5.1, 12.1.5.1, 13.1.3.4, 14.0.1.1, 14.1.2.1, 15.0.1.1
771873-5 CVE-2019-6642 K40378764, BT771873 TMSH Hardening 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
767653-1 CVE-2019-6660 K23860356, BT767653 Malformed HTTP request can result in endless loop in an iRule script 13.1.3, 14.0.1.1, 14.1.2.1
636400-3 CVE-2019-6665 K26462555, BT636400 CPB (BIG-IP->BIGIQ log node) Hardening 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1, 15.1.0.2
810657-2 CVE-2019-6674 K21135478, BT810657 Tmm core while using service chaining for SSLO 14.1.2.1, 15.0.1.1
809165-2 CVE-2020-5854 K50046200, BT809165 TMM may crash while processing connector traffic 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4
808525-2 CVE-2019-6686 K55812535, BT808525 TMM may crash while processing Diameter traffic 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4
795797-2 CVE-2019-6658 K21121741, BT795797 AFM WebUI Hardening 12.1.5.1, 13.1.3.2, 14.1.2.1, 15.0.1.1
788773-2 CVE-2019-9515 K50233772, BT788773 HTTP/2 Vulnerability: CVE-2019-9515 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
788769-2 CVE-2019-9514 K01988340, BT788769 HTTP/2 Vulnerability: CVE-2019-9514 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
788033 CVE-2020-5851 K91171450, BT788033 tpm-status may return "Invalid" after engineering hotfix installation 14.0.1.1, 14.1.2.1, 15.0.1.1
781449-2 CVE-2019-6672 K14703097, BT781449 Increase efficiency of sPVA DoS protection on wildcard virtual servers 13.1.3.2, 14.1.2.1, 15.0.1.1
777737-3 CVE-2019-6671 K39225055, BT777737 TMM may consume excessive resources when processing IP traffic 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
773673-2 CVE-2019-9512 K98053339, BT773673 HTTP/2 Vulnerability: CVE-2019-9512 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
768981-2 CVE-2019-6670 K05765031, BT768981 VCMP Hypervisor Hardening 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
761014-2 CVE-2019-6669 K11447758, BT761014 TMM may crash while processing local traffic 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
758018-5 CVE-2019-6661 K61705126, BT758018 APD/APMD may consume excessive resources 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1
756458-3 CVE-2018-18559 K28241423, BT756458 Linux kernel vulnerability: CVE-2018-18559 13.1.3.4, 14.1.2.1, 15.0.1.4
756218-1 CVE-2019-6654 K45644893, BT756218 Improve default management port firewall 14.1.2.1
751152-1 CVE-2018-5407 K49711130, BT751152 OpenSSL Vulnerability: CVE-2018-5407 14.1.2.1
751143-1 CVE-2018-5407 K49711130, BT751143 OpenSSL Vulnerability: CVE-2018-5407 14.1.2.1
745103-6 CVE-2018-7159 K27228191, BT745103 NodeJS Vulnerability: CVE-2018-7159 13.1.3.4, 14.1.2.1, 15.0.1.3
798249-2 CVE-2019-6673 K81557381, BT798249 TMM may crash while processing HTTP/2 requests 14.1.2.1, 15.0.1.1
779177-2 CVE-2019-19150 K37890841, BT779177 Apmd logs "client-session-id" when access-policy debug log level is enabled 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.3
759536-2 CVE-2019-8912 K31739796, BT759536 Linux kernel vulnerability: CVE-2019-8912 13.1.3.4, 14.1.2.1, 15.0.1.1
757617-1 CVE-2018-16864, CVE-2018-16865 K06044762, BT757617 Systemd vulnerabilities: CVE-2018-16864, CVE-2018-16865 14.1.2.1, 15.0.1.4


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
759135-2 3-Major BT759135 AVR report limits are locked at 1000 transactions 13.1.3.2, 14.1.2.1, 15.0.1.1
714292-3 3-Major BT714292 Transparent forwarding mode across multiple VLAN groups or virtual-wire 14.1.2.1
788269-3 4-Minor BT788269 Adding toggle to disable AVR widgets on device-groups 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
793045-2 2-Critical BT793045 File descriptor leak in net-snmpd while reading /shared/db/cluster.conf 14.1.2.1, 15.0.1.1
770953 2-Critical BT770953 'smbclient' executable does not work 14.1.2.1
767877-3 2-Critical BT767877 TMM core with Bandwidth Control on flows egressing on a VLAN group 14.1.2.1, 15.0.1.1
765533-2 2-Critical K58243048, BT765533 Sensitive information logged when DEBUG logging enabled 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.1
760475-1 2-Critical BT760475 Apache spawns more processes than the configured limit, causing system low memory condition 14.1.2.1
755575-1 2-Critical BT755575 In MOS, the 'image2disk' utility with the '-format' option does not function properly 14.1.2.1
726240-1 2-Critical BT726240 'Cannot find disk information' message when running Configuration Utility 14.1.2.1
788557-5 3-Major BT788557 BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior 11.6.5.2, 13.1.3.2, 14.1.2.1, 15.0.1.1
788301-5 3-Major K58243048, BT788301 SNMPv3 Hardening 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
777261-4 3-Major BT777261 When SNMP cannot locate a file it logs messages repeatedly 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
766873 3-Major BT766873 Omission of lower-layer types from sFlow packet samples 14.1.2.1
761993-2 3-Major BT761993 The nsm process may crash if it detects a nexthop mismatch 13.1.3.2, 14.1.2.1, 15.0.1.1
761933-1 3-Major BT761933 Reboot with 'tmsh reboot' does not log message in /var/log/audit 14.1.2.1
761160-2 3-Major   OpenSSL vulnerability: CVE-2019-1559 14.1.2.1, 15.0.1.1
760998-1 3-Major BT760998 F5.ip_forwarding iAPP fails to deploy 14.1.2.1
759814-1 3-Major BT759814 Unable to view iApp component view 14.1.2.1
758119-6 3-Major K58243048, BT758119 qkview may contain sensitive information 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
747592-1 3-Major   PHP vulnerability CVE-2018-17082 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1
724109-2 3-Major BT724109 Manual config-sync fails after pool with FQDN pool members is deleted 12.1.5.3, 13.1.3.2, 14.1.2.1, 15.0.1.1
680917-5 3-Major BT680917 Invalid monitor rule instance identifier 12.1.5.3, 13.1.3.2, 14.1.2.1
648621-6 3-Major BT648621 SCTP: Multihome connections may not expire 11.6.5.3, 12.1.5.2, 13.1.3.4, 14.1.2.1, 15.0.1.4
776073-1 4-Minor BT776073 OOM killer killing tmm in system low memory condition as process OOM score is high 14.1.2.1, 15.0.1.1
760680-1 4-Minor K36350541, BT760680 TMSH may utilize 100% CPU (single core's worth) when set to be a process group leader and SSH session is closed. 14.1.2.1, 15.0.1.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
759968-3 1-Blocking BT759968 Distinct vCMP guests are able to cluster with each other. 12.1.5, 13.1.3, 14.1.2.1, 15.0.1.1
803845-2 2-Critical BT803845 When in HA, the Standby device is forwarding traffic causing a loop and subsequent network shutdown 14.1.2.1
787825-2 2-Critical K58243048, BT787825 Database monitors debug logs have plaintext password printed in the log file 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
774913-1 2-Critical BT774913 IP-based bypass can fail if SSL ClientHello is not accepted 14.1.2.1, 15.0.1.3
760078-1 2-Critical BT760078 Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet. 14.1.2.1
758714-1 2-Critical BT758714 Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports. 14.1.2.1
757578-2 2-Critical BT757578 RAM cache is not compatible with verify-accept 12.1.5.2, 13.1.3.4, 14.1.2.1, 15.0.1.1
757441-4 2-Critical BT757441 Specific sequence of packets causes Fast Open to be effectively disabled 13.1.3, 14.0.1.1, 14.1.2.1
755585-1 2-Critical BT755585 mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction 13.1.3, 14.1.2.1
747858-2 2-Critical BT747858 OSPF packets are duplicated in the BIG-IP in L2 transparent mode using virtual wires 14.1.2.1
746710-1 2-Critical BT746710 Use of HTTP::cookie after HTTP::disable causes TMM core 13.1.3, 14.1.2.1
737985-2 2-Critical BT737985 BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode. 14.1.2.1
734551-3 2-Critical BT734551 L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server 14.1.2.1
801497-2 3-Major BT801497 Virtual wire with LACP pinning to one link in trunk. 14.1.2.1, 15.1.1
798105-1 3-Major BT798105 Node Connection Limit Not Honored 14.1.2.1, 15.0.1.4
794581 3-Major BT794581 Transfer might stall for an object served from WAM cache 14.1.2.1
788325-2 3-Major K39794285, BT788325 Header continuation rule is applied to request/response line 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
787433-3 3-Major BT787433 SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed 14.1.2.1
784713-3 3-Major BT784713 When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct 14.1.2.1
773821-1 3-Major BT773821 Certain plaintext traffic may cause SSLO to hang 14.1.2.1, 15.0.1.3
773421-1 3-Major BT773421 Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied 12.1.5.1, 13.1.3.2, 14.1.2.1, 15.0.1.1
769801-1 3-Major BT769801 Internal tmm UDP filter does not set checksum 14.1.2.1, 15.0.1.1, 15.0.1.3
761385-1 3-Major BT761385 Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire. 14.1.2.1
761381-1 3-Major BT761381 Incorrect MAC Address observed in L2 asymmetric virtual wire 14.1.2.1
754525-1 3-Major BT754525 Disabled virtual server accepts and serves traffic after restart 14.1.2.1, 15.0.1.1
748891-2 3-Major BT748891 Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system. 14.1.2.1
742237-4 3-Major BT742237 CPU spikes appear wider than actual in graphs 12.1.5, 13.1.3.2, 14.1.2.1
719300-3 3-Major BT719300 ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address 14.1.2.1
689361-4 3-Major BT689361 Configsync can change the status of a monitored pool member 12.1.5.2, 13.1.3.2, 14.1.2.1
751586 4-Minor BT751586 Http2 virtual does not honour translate-address disabled 12.1.4.1, 13.1.3.4, 14.1.2.1, 15.1.4
747585-3 4-Minor BT747585 TCP Analytics supports ANY protocol number 12.1.5, 13.1.3.4, 14.1.2.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
783849-2 3-Major BT783849 DNSSEC Key Generations are not imported to secondary FIPS card 14.1.2.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
781637-2 3-Major BT781637 ASM brute force counts unnecessary failed logins for NTLM 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
781605-3 3-Major BT781605 Fix RFC issue with the multipart parser 11.6.5.3, 12.1.6, 13.1.3, 14.1.2.1, 15.0.1.1
781069-2 3-Major BT781069 Bot Defense challenge blocks requests with long Referer headers 13.1.3, 14.1.2.1, 15.0.1.1
773553-2 3-Major BT773553 ASM JSON parser false positive. 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
769997-1 3-Major BT769997 ASM removes double quotation characters on cookies 14.1.2.1, 15.0.1.1
769981-2 3-Major BT769981 bd crashes in a specific scenario 13.1.3, 14.1.2.1, 15.0.1.1
764373-3 3-Major BT764373 'Modified domain cookie' violation with multiple enforced domain cookies with different paths 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
753711-1 3-Major BT753711 Copied policy does not retain signature staging 14.1.2.1
751710-4 3-Major BT751710 False positive cookie hijacking violation 13.1.1.5, 14.0.0.5, 14.1.2.1
746394-1 3-Major BT746394 With ASM CORS set to 'Disabled' it strips all CORS headers in response. 14.0.1.1, 14.1.2.1
745802-1 3-Major BT745802 Brute Force CAPTCHA response page truncates last digit in the support id 13.1.1.4, 14.0.0.5, 14.1.2.1
727107-4 3-Major BT727107 Request Logs are not stored locally due to shmem pipe blockage 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
803445-3 4-Minor BT803445 When adding several mitigation exceptions, the previously configured actions revert to the default action 14.1.2.1, 15.0.1.1
772473-3 4-Minor BT772473 Request reconstruct issue after challenge 14.0.1.1, 14.1.2.1, 15.0.1.1
761088-1 4-Minor BT761088 Remove policy editing restriction in the GUI while auto-detect language is set 14.1.2.1, 15.0.1.1
695878-2 4-Minor BT695878 Signature enforcement issue on specific requests 11.5.6, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
761749-2 2-Critical BT761749 Security pages unavailable after switching RT mode on and off a few times 14.1.2.1
797785-2 3-Major BT797785 AVR reports no ASM-Anomalies data. 13.1.3.2, 14.1.2.1, 15.0.1.3
792265-3 3-Major BT792265 Traffic logs do not include the BIG-IQ tags 13.1.3.2, 14.1.2.1, 15.0.1.3
773925-2 3-Major BT773925 Sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB tables files 14.1.2.1
765785-3 3-Major BT765785 Monpd core upon "bigstart stop monpd" while Real Time reporting is running 14.1.2.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
811145-2 2-Critical BT811145 VMware View resources with SAML SSO are not working 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
797541-1 2-Critical BT797541 NTLM Auth may fail when user's information contains SIDS array 14.1.2.1, 15.0.1.1
784989-2 2-Critical BT784989 TMM may crash with panic message: Assertion 'cookie name exists' failed 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
777173-2 2-Critical BT777173 Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
821369 3-Major BT821369 Incomplete Action 'Deny' does not take effect for HTTP-Connect 14.1.2.1
788417-2 3-Major BT788417 Remote Desktop client on macOS may show resource auth token on credentials prompt 13.1.3.2, 14.1.2.1, 15.0.1.1
787477-2 3-Major BT787477 Export fails from partitions with '-' as second character 13.1.3.2, 14.1.2.1
786173-1 3-Major BT786173 UI becomes unresponsive when accessing Access active session information 14.1.2.1, 15.0.1.1
783817-2 3-Major BT783817 UI becomes unresponsive when accessing Access active session information 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
782569-1 3-Major BT782569 SWG limited session limits on SSLO deployments 14.1.2.1, 15.0.1.1
775621-2 3-Major BT775621 urldb memory grows past the expected ~3.5GB 13.1.3, 14.1.2.1, 15.0.1.3
769853-2 3-Major K24241590, BT769853 Access Profile option to restrict connections from a single client IP is not honored for native RDP resources 14.0.1.1, 14.1.2.1, 15.0.1.1
756777-1 3-Major BT756777 VDI plugin might crash on process shutdown during RDG connections handling 14.1.2.1
750823-1 3-Major BT750823 Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD 13.1.3, 14.1.2.1
749161-2 3-Major   Problem sync policy contains non-ASCII characters 13.1.3, 14.1.2.1
746768-4 3-Major BT746768 APMD leaks memory if access policy contains variable/resource assign policy items 12.1.4.1, 13.1.1.4, 14.1.2.1
697590-2 3-Major BT697590 APM iRule ACCESS::session remove fails outside of Access events 13.1.3.2, 14.1.2.1, 15.0.1.1
781445-1 4-Minor BT781445 Named or dnscached cannot bind to IPv6 address 14.1.2.1
759579-1 4-Minor BT759579 Full Webtop: 'URL Entry' field is available again 14.1.2.1
756019-1 4-Minor BT756019 OAuth JWT Issuer claim requires URI format 14.1.2.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
811745-2 3-Major BT811745 Failover between clustered DIAMETER devices can cause mirror connections to be disconnected 13.1.3.2, 14.1.2.1, 15.0.1.1
804313-2 3-Major BT804313 MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded. 13.1.3.4, 14.1.2.1, 15.0.1.2
761685-3 3-Major BT761685 Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set 14.0.1.1, 14.1.2.1, 15.0.1.4
750431-1 3-Major BT750431 Persistence record is deleted in MRF SIP after updating timeout value with the iRule 'SIP::persist timeout' 14.1.2.1
748253-1 3-Major BT748253 Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection 13.1.3, 14.1.2.1
786565-2 4-Minor BT786565 MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded 14.1.2.1, 15.0.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
938149-3 3-Major BT938149 Port Block Update log message is missing the "Start time" field 14.1.2.1, 15.1.2, 16.0.1.1
800209-1 3-Major BT800209 The tmsh recursive list command includes DDoS GUI-specific data info 14.1.2.1
780837-1 3-Major BT780837 Firewall rule list configuration causes config load failure 14.1.2.1, 15.0.1.4
761234-2 3-Major BT761234 Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached 14.1.2.1, 15.0.1.1
760355 4-Minor BT760355 Firewall rule to block ICMP/DHCP from 'required' to 'default' 14.1.2.1, 15.0.1.1


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
760438-3 3-Major BT760438 PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions 13.1.3, 14.1.2.1
759192-3 3-Major BT759192 TMM core during display of PEM session under some specific conditions 13.1.3, 14.0.1.1, 14.1.2.1
756311-4 3-Major BT756311 High CPU during erroneous deletion 13.1.3, 14.0.1.1, 14.1.2.1
753163-4 3-Major BT753163 PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days 13.1.3, 14.1.2.1


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
804185-2 3-Major BT804185 Some WebSafe request signatures may not work as expected 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
783565-2 3-Major BT783565 Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP 14.1.2.1, 15.0.1.1
775013-2 3-Major BT775013 TIME EXCEEDED alert has insufficient data for analysis 13.1.3, 14.1.2.1, 15.0.1.1


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
803477-2 3-Major BT803477 BaDoS State file load failure when signature protection is off 13.1.3.2, 14.1.2.1, 15.0.1.1


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
759439-1 2-Critical BT759439 Unable to attach default SSL and FTP profiles to virtual server 14.0.1.1, 14.1.2.1, 15.0.1.1
781313-1 3-Major BT781313 AVR dashboard displays incorrect client/server bytes-in/bytes-out stats 14.1.2.1, 15.0.1.3



Cumulative fixes from BIG-IP v14.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
773649-6 CVE-2019-6656 K23876153, BT773649 APM Client Logging 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.2, 15.0.1.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
771705-1 3-Major BT771705 You may not be able to log into BIG-IP Cloud Edition if FSCK fails 14.1.2
754875-1 3-Major BT754875 Enable FIPS 140-2 Level 1 Compliant Mode in PAYG VE images on first boot 14.1.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
808129-1 2-Critical BT808129 Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS. 14.1.2, 15.0.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
753485-1 2-Critical K50285521, BT753485 AVR global settings are being overridden by high availability (HA) peers 13.1.3, 14.1.2, 15.0.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
757306-3 3-Major BT757306 SNMP MIBS for AFM NAT do not yet exist 13.1.3, 14.1.2, 15.0.1


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
794285 1-Blocking K36191493, BT794285 BIG-IQ reading AFM configuration fails with status 400 14.1.2



Cumulative fixes from BIG-IP v14.1.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
807477-10 CVE-2019-6650 K04280042, BT807477 ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
797885-2 CVE-2019-6649 K05123525, BT797885 ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
796469-6 CVE-2019-6649 K05123525, BT796469 ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
810557-8 CVE-2019-6649 K05123525, BT810557 ASM ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
809377-6 CVE-2019-6649 K05123525 AFM ConfigSync Hardening 13.1.3, 14.0.1, 14.1.2, 15.0.1
799617-2 CVE-2019-6649 K05123525, BT799617 ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
799589-2 CVE-2019-6649 K05123525, BT799589 ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
794389-6 CVE-2019-6651 K89509323, BT794389 iControl REST endpoint response inconsistency 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
794413-2 CVE-2019-6471 K10092301, BT794413 BIND vulnerability CVE-2019-6471 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
793937-1 CVE-2019-6664 K03126093, BT793937 Management Port Hardening 14.1.2, 15.0.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
744937-8 3-Major K00724442, BT744937 BIG-IP DNS and GTM DNSSEC security exposure 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
798949-3 3-Major BT798949 Config-Sync fails when Config-Sync IP configured to management IP 14.1.2, 15.0.1
760622-3 3-Major BT760622 Allow Device Certificate renewal from BIG-IP Configuration Utility 15.1.0.5
760363-1 3-Major BT760363 Update Alias Address field with default placeholder text 13.1.3.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
811333-2 3-Major BT811333 Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile 14.1.2, 15.0.1



Cumulative fixes from BIG-IP v14.1.0.6 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
769361-2 CVE-2019-6630 K33444350, BT769361 TMM may crash while processing SSLO traffic 14.0.0.5, 14.1.0.6
767401-1 CVE-2019-6629 K95434410, BT767401 TMM may crash while processing TLS traffic 14.1.0.6
759343-6 CVE-2019-6668 K49827114, BT759343 MacOS Edge Client installer does not follow best security practices 11.6.5.1, 12.1.5.1, 14.0.0.5, 14.1.0.6, 15.0.1.1
758909-1 CVE-2019-6628 K04730051, BT758909 TMM may crash while processing PEM traffic 14.0.0.5, 14.1.0.6
758065-4 CVE-2019-6667 K82781208, BT758065 TMM may consume excessive resources while processing FIX traffic 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
757084-2 CVE-2019-6627 K00432398, BT757084 Bypassing SSL interception in SSL Orchestrator may crash TMM if virtual server is SNAT enabled 14.1.0.6
757023-2 CVE-2018-5743 K74009656, BT757023 BIND vulnerability CVE-2018-5743 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
756538-4 CVE-2019-6645 K15759349, BT756538 Failure to open data channel for active FTP connections mirrored across a high availability (HA) pair. 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6
754944-1 CVE-2019-6626 K00432398, BT754944 AVR reporting UI does not follow best practices 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
754345-2 CVE-2019-6625 K79902360, BT754345 WebUI does not follow best security practices 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
754103-1 CVE-2019-6644 K75532331, BT754103 iRulesLX NodeJS daemon does not follow best security practices 12.1.4.1, 13.1.3, 14.0.0.5, 14.1.0.6
753975-2 CVE-2019-6666 K92411323, BT753975 TMM may crash while processing HTTP traffic with webacceleration profile 13.1.1.5, 14.0.0.5, 14.1.0.6, 15.0.1.1
753776-2 CVE-2019-6624 K07127032, BT753776 TMM may consume excessive resources when processing UDP traffic 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
748502-1 CVE-2019-6623 K72335002, BT748502 TMM may crash when processing iSession traffic 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
737731-6 CVE-2019-6622 K44885536, BT737731 iControl REST input sanitization 12.1.5.1, 13.1.1.5, 14.0.1.1, 14.1.0.6
737574-6 CVE-2019-6621 K20541896, BT737574 iControl REST input sanitization 11.5.9, 11.6.4, 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6
737565-6 CVE-2019-6620 K20445457, BT737565 iControl REST input sanitization 11.6.5.1, 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6
726393-2 CVE-2019-6643 K36228121, BT726393 DHCPRELAY6 can lead to a tmm crash 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6
726327 CVE-2018-12120 K37111863, BT726327 NodeJS debugger accepts connections from any host 13.1.1.5, 14.1.0.6
757455-2 CVE-2019-6647 K87920510, BT757455 Excessive resource consumption when processing REST requests 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6
753796-1 CVE-2019-6640 K40443301 SNMP does not follow best security practices 11.5.9, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
750460-1 CVE-2019-6639 K61002104, BT750460 Subscriber management configuration GUI 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
750298-1 CVE-2019-6638 K67825238, BT750298 iControl REST may fail while processing requests 14.0.0.5, 14.1.0.6
750187-1 CVE-2019-6637 K29149494, BT750187 ASM REST may consume excessive resources 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
745371-1 CVE-2019-6636 K68151373, BT745371 AFM GUI does not follow best security practices 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
745257-1 CVE-2018-14634 K20934447, BT745257 Linux kernel vulnerability: CVE-2018-14634 11.6.4, 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6
742226-6 CVE-2019-6635 K11330536, BT742226 TMSH platform_check utility does not follow best security practices 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
710857-5 CVE-2019-6634 K64855220 iControl requests may cause excessive resource usage 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
702469-7 CVE-2019-6633 K73522927, BT702469 Appliance mode hardening in scp 11.6.5.1, 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6
673842-6 CVE-2019-6632 K01413496, BT673842 VCMP does not follow best security practices 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
773653-6 CVE-2019-6656 K23876153, BT773653 APM Client Logging 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
773641-6 CVE-2019-6656 K23876153, BT773641 APM Client Logging 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
773637-6 CVE-2019-6656 K23876153, BT773637 APM Client Logging 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
773633-6 CVE-2019-6656 K23876153, BT773633 APM Client Logging 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
773621-6 CVE-2019-6656 K23876153, BT773621 APM Client Logging 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
749704-2 4-Minor BT749704 GTPv2 Serving-Network field with mixed MNC digits 13.1.3, 14.0.1.1, 14.1.0.6


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
774445-1 1-Blocking K74921042, BT774445 BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2 13.1.3, 14.0.0.5, 14.1.0.6
789993-1 2-Critical BT789993 Failure when upgrading to 15.0.0 with config move and static management-ip. 14.1.0.6, 15.0.1.4
773677-1 2-Critical K72255850, BT773677 BIG-IP 14.1.0 system-journald write to /run/log/journal cause SWAP usage increase 14.1.0.6
769809-4 2-Critical BT769809 The vCMP guests 'INOPERATIVE' after upgrade 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6
765801 2-Critical BT765801 WCCP service info field corrupted in upgrade to 14.1.0 final 14.1.0.6
760573-1 2-Critical K00730586, BT760573 TPM system integrity check may return invalid status when booting into BIG-IP 14.1.0 14.1.0.6
760508-1 2-Critical K91444000, BT760508 On systems with multiple versions of BIG-IP in use, the 'invalid' System Integrity Status may persist 14.1.0.6
760408-3 2-Critical BT760408 System Integrity Status: Invalid after BIOS update 13.1.3, 14.0.0.5, 14.1.0.6
760164-1 2-Critical BT760164 BIG-IP VE Compression Offload HA action requires modification of db variable 14.1.0.6, 15.0.1.1
757722-2 2-Critical BT757722 Unknown notify message types unsupported in IKEv2 13.1.3, 14.0.1.1, 14.1.0.6
756402-2 2-Critical BT756402 Re-transmitted IPsec packets can have garbled contents 13.1.3, 14.0.1.1, 14.1.0.6
756071-3 2-Critical BT756071 MCPD crash 13.1.3, 14.0.1.1, 14.1.0.6
755254-1 2-Critical K54339562, BT755254 Remote auth: PAM_LDAP buffer too small errors 14.1.0.6
753650-2 2-Critical BT753650 The BIG-IP system reports frequent kernel page allocation failures. 13.1.3, 14.0.1.1, 14.1.0.6
750586-2 2-Critical BT750586 HSL may incorrectly handle pending TCP connections with elongated handshake time. 12.1.5, 13.1.1.5, 14.1.0.6
743803-1 2-Critical BT743803 IKEv2 potential double free of object when async request queueing fails 12.1.5, 13.1.1.4, 14.0.0.3, 14.1.0.6
741503-1 2-Critical BT741503 The BIG-IP system fails to load base config file when upgrading with static IPv4 14.1.0.6
726487-4 2-Critical BT726487 MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change. 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.6
648270-1 2-Critical BT648270 mcpd can crash if viewing a fast-growing log file through the GUI 11.6.5.2, 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.0.6
766365-1 3-Major BT766365 Some trunks created on VE platform stay down even when the trunk's interfaces are up 14.1.0.6
766329-2 3-Major BT766329 SCTP connections do not reflect some SCTP profile settings 14.1.0.6, 15.0.1.3
765033 3-Major BT765033 Upgrades to versions that restrict resource-admin users from accessing bash may fail under certain conditions 11.6.5.1, 14.1.0.6
760597-1 3-Major BT760597 System integrity messages not logged 14.1.0.6
760594 3-Major BT760594 On BIG-IP VE, 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details. 14.1.0.6
758879 3-Major BT758879 BIG-IP VE with ixlv devices does not reliably pass some traffic after hard-boot 14.1.0.6
748206-1 3-Major BT748206 Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position 13.1.1.4, 14.1.0.6
748187-4 3-Major BT748187 'Transaction Not Found' Error on PATCH after Transaction has been Created 12.1.4, 13.1.1.5, 14.0.1.1, 14.1.0.6
746657-1 3-Major BT746657 tmsh help for FQDN node or pool member shows incorrect default for fqdn interval 14.1.0.6
745809-2 3-Major BT745809 The /var partition may become 100% full, requiring manual intervention to clear space 13.1.1.4, 14.0.0.5, 14.1.0.6
740543-1 3-Major BT740543 System hostname not displayed in console 14.1.0.6
725791-6 3-Major K44895409, BT725791 Potential HW/HSB issue detected 11.6.5.2, 12.1.5.2, 13.1.1.5, 14.1.0.6
718405-2 3-Major BT718405 RSA signature PAYLOAD_AUTH mismatch with certificates 13.1.1.4, 14.1.0.6
581921-5 3-Major K22327083, BT581921 Required files under /etc/ssh are not moved during a UCS restore 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.1.1, 14.1.0.6
754500-2 4-Minor BT754500 GUI LTM Policy options disappearing 14.1.0.6
726317-6 4-Minor BT726317 Improved debugging output for mcpd 12.1.5, 13.1.3.4, 14.1.0.6


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
759723-1 2-Critical BT759723 Abnormally terminated connections on server side may cause client side streams to stall 14.1.0.6
758465-1 2-Critical BT758465 TMM may crash or iRule processing might be incorrect 14.1.0.6
756356-2 2-Critical BT756356 External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long 14.1.0.6
753912-4 2-Critical K44385170, BT753912 UDP flows may not be swept 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
752930-3 2-Critical BT752930 Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6
747727-1 2-Critical BT747727 HTTP Profile Request Header Insert Tcl error 14.1.0.6
747239-1 2-Critical BT747239 TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection 14.1.0.6
745533-6 2-Critical   NodeJS Vulnerability: CVE-2016-5325 13.1.1.5, 14.0.0.5, 14.1.0.6
741048-1 2-Critical BT741048 iRule execution order could change after editing the scripts 14.1.0.6
766293-1 3-Major BT766293 Monitor logging fails on v14.1.0.x releases 14.1.0.6
760550-5 3-Major BT760550 Retransmitted TCP packet has FIN bit set 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6
758311-1 3-Major BT758311 Policy Compilation may cause MCPD to crash 14.1.0.6
757985-1 3-Major K79562045, BT757985 TMM memory leak 14.1.0.6
757698-1 3-Major BT757698 TMM crashes in certain situations in which iRule execution interleaves client side and server side flows 14.1.0.6
756270-4 3-Major BT756270 SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle 11.5.9, 11.6.4, 12.1.5, 13.1.1.5, 14.1.0.6
754985-1 3-Major BT754985 Standby mirrored server SSL connections fail, and tmm may crash while processing mirrored TLS traffic 14.1.0.6
752078-2 3-Major BT752078 Header Field Value String Corruption 13.1.1.4, 14.1.0.6
749414-4 3-Major BT749414 Invalid monitor rule instance identifier error 11.6.5.2, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6
747907-2 3-Major BT747907 Persistence records leak while the high availability (HA) mirror connection is down 13.1.3.2, 14.1.0.6
742078-6 3-Major BT742078 Incoming SYNs are dropped and the connection does not time out. 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
740959-4 3-Major BT740959 User with manager rights cannot delete FQDN node on non-Common partition 12.1.5, 14.1.0.6
740345-3 3-Major BT740345 TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled. 13.1.1.5, 14.0.0.5, 14.1.0.6
696755-3 3-Major BT696755 HTTP/2 may truncate a response body when served from cache 13.1.0.8, 14.1.0.6, 15.1.3, 16.0.1.2
696735-2 3-Major BT696735 TCP ToS Passthrough mode does not work correctly 14.1.0.6
504522-4 3-Major BT504522 Trailing space present after 'tmsh ltm pool members monitor' attribute value 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.6
747968-3 4-Minor BT747968 DNS64 stats not increasing when requests go through DNS cache resolver 11.6.5.3, 12.1.4.1, 13.1.1.5, 14.1.0.6


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
777937-3 1-Blocking BT777937 AWS ENA: packet drops due to bad checksum 14.1.0.6, 15.0.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
759721-2 3-Major K03332436, BT759721 DNS GUI does not follow best practices 13.1.3, 14.0.0.5, 14.1.0.6
749508-1 3-Major BT749508 LDNS and DNSSEC: Various OOM conditions need to be handled properly 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
749222-1 3-Major BT749222 dname compression offset overflow causes bad compression pointer 13.1.1.5, 14.0.0.5, 14.1.0.6
748902-5 3-Major BT748902 Incorrect handling of memory allocations while processing DNSSEC queries 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
746877-1 3-Major BT746877 Omitted check for success of memory allocation for DNSSEC resource record 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
744707-2 3-Major BT744707 Crash related to DNSSEC key rollover 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.6
723288-4 3-Major BT723288 DNS cache replication between TMMs does not always work for net dns-resolver 11.6.5.3, 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.6
748177-1 4-Minor BT748177 Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character 12.1.4.1, 13.1.1.5, 14.1.0.6


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
759360-2 2-Critical BT759360 Apply Policy fails due to policy corruption from previously enforced signature 13.1.1.5, 14.1.0.6
749912-1 2-Critical BT749912 [BIG-IQ Integration] Deadlock occurs when adding multiple hostnames with transparent enforcement 14.1.0.6
723790-3 2-Critical BT723790 Idle asm_config_server handlers consume a lot of memory 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6
765449-1 3-Major   Update availability status may be inaccurate 14.1.0.6
763001-1 3-Major K70312000, BT763001 Web-socket enforcement might lead to a false negative 13.1.3, 14.0.1.1, 14.1.0.6
761941-1 3-Major BT761941 ASM does not remove CSRT token query parameter before forwarding a request to the backend server 13.1.3, 14.0.1.1, 14.1.0.6
761194-2 3-Major BT761194 param data type violation on an Integer parameter, if an integer value is sent via websocket JSON 14.1.0.6
760878-3 3-Major BT760878 Incorrect enforcement of explicit global parameters 12.1.5, 13.1.1.5, 14.1.0.6
759483-1 3-Major BT759483 Message about HTTP status codes which are set by default disappeared from the UI 14.0.0.5, 14.1.0.6
758085-1 3-Major BT758085 CAPTCHA Custom Response fails when using certain characters 14.1.0.6
756418-1 3-Major BT756418 Live Update does not authenticate remote users 14.1.0.6
742558-1 3-Major BT742558 Request Log export document fails to show some UTF-8 characters 14.1.0.6
687759-3 3-Major BT687759 bd crash 12.1.3.6, 13.1.0.8, 14.0.0.5, 14.1.0.6
774941-1 4-Minor BT774941 GUI misspelling in Bot Defense logging profile 14.1.0.6
768761-2 4-Minor BT768761 Improved accept action description for suggestions to disable signature/enable metacharacter in policy 13.1.3, 14.0.1.1, 14.1.0.6
766357-1 4-Minor BT766357 Two simultaneous manual installations can cause live-update inconsistency 14.1.0.6
765413-1 4-Minor BT765413 ASM cluster syncs caused by PB ignored suggestions updates 14.0.0.5, 14.1.0.6, 15.0.1.1
761921-1 4-Minor BT761921 avrd high CPU utilization due to perpetual connection attempts 13.1.1.5, 14.0.0.5, 14.1.0.6
761553-2 4-Minor BT761553 Text for analyzed requests improved for suggestions that were created as a result of the absence of violations in traffic 13.1.3, 14.0.1.1, 14.1.0.6
761549-2 4-Minor BT761549 Traffic Learning: Accept and Stage action is shown only in case entity is not in staging 13.1.3, 14.0.1.1, 14.1.0.6
761231-2 4-Minor K79240502, BT761231 Bot Defense Search Engines getting blocked after configuring DNS correctly 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
759462-1 4-Minor BT759462 Site names and vulnerabilities cannot be retrieved from WhiteHat server 14.1.0.6
755005-1 4-Minor BT755005 Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations 12.1.5.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
750689-3 4-Minor BT750689 Request Log: Accept Request button available when not needed 13.1.3, 14.0.1.1, 14.1.0.6
749184-2 4-Minor BT749184 Added description of subviolation for the suggestions that enabled/disabled them 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.3
747560-5 4-Minor BT747560 ASM REST: Unable to download Whitehat vulnerabilities 12.1.5.1, 13.1.3, 14.1.0.6
769061-2 5-Cosmetic BT769061 Improved details for learning suggestions to enable violation/sub-violation 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
763349-3 2-Critical BT763349 AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out 13.1.1.5, 14.0.0.5, 14.1.0.6
756205-1 2-Critical BT756205 TMSTAT offbox statistics are not continuous 13.1.1.5, 14.0.0.5, 14.1.0.6
756102-2 2-Critical BT756102 TMM can crash with core on ABORT signal due to non-responsive AVR code 13.1.3.2, 14.1.0.6, 15.0.1.1
771025-3 3-Major BT771025 AVR send domain names as an aggregate 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.3
764665-2 3-Major BT764665 AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change 13.1.1.5, 14.0.0.5, 14.1.0.6
763005-3 3-Major BT763005 Aggregated Domain Names in DNS statistics are shown as random domain name 13.1.1.5, 14.0.0.5, 14.1.0.6
760356-2 3-Major BT760356 Users with Application Security Administrator role cannot delete Scheduled Reports 13.1.1.5, 14.0.0.5, 14.1.0.6, 15.0.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
770557-3 2-Critical BT770557 Per-Session RADIUS Acct STOP message is forged based on pool route domain, but is sent through default one 14.0.0.5, 14.1.0.6
769281-1 2-Critical BT769281 Per-request Access Policy may show user interface pages incorrectly in languages other than English 14.0.0.5, 14.1.0.6
755447-1 2-Critical BT755447 SSLO does not deliver content generated/originated from inline device 14.1.0.6
753370-3 2-Critical BT753370 RADIUS auth might not be working as configured when there is change in RADIUS auth config name. 13.1.3, 14.0.0.5, 14.1.0.6
774633-2 3-Major BT774633 Memory leak in tmm when session db variables are not cleaned up 14.1.0.6, 15.0.1.1
774213-1 3-Major BT774213 SWG session limits on SSLO deployments 14.1.0.6, 15.0.1.1
760410-1 3-Major BT760410 Connection reset is seen when Category lookup agent is used in per-req policy 14.1.0.6
760250 3-Major BT760250 'Unsupported SSO Method' error when requests sharing the same TCP session 14.1.0.6
759868-1 3-Major BT759868 TMM crash observed while rendering internal pages (like blocked page) for per-request policy 14.1.0.6
758764-2 3-Major BT758764 APMD Core when CRLDP Auth fails to download revoked certificate 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
758701-1 3-Major BT758701 APM fails to handle Remote Desktop Gateway connections from standalone RDP clients after fresh install 14.1.0.6
757992-3 3-Major BT757992 RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup 13.1.1.5, 14.0.0.5, 14.1.0.6
757360-1 3-Major BT757360 Category lookup returns wrong category on subsequent traffic following initial HTTP CONNECT traffic through SSLO 14.1.0.6
755475-1 3-Major BT755475 Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync 13.1.1.5, 14.0.0.5, 14.1.0.6
755047-1 3-Major BT755047 Category lookup returns wrong category on CONNECT traffic through SSLO 14.1.0.6
754542-2 3-Major BT754542 TMM may crash when using RADIUS Accounting agent 13.1.3, 14.1.0.6
752875-2 3-Major BT752875 tmm core while using service chaining for SSLO 14.0.1.1, 14.1.0.6
751807-1 3-Major BT751807 SSL Orchestrator may not activate service connectors if traffic is an HTTP tunnel 14.1.0.6
751424-1 3-Major BT751424 HTTP Connect Category Lookup not working properly 14.1.0.6
749057-1 3-Major BT749057 VMware Horizon idle timeout is ignored when connecting via APM 13.1.1.5, 14.0.0.5, 14.1.0.6
745574-1 3-Major BT745574 URL is not removed from custom category when deleted 12.1.4, 13.1.1.4, 14.0.0.5, 14.1.0.6
738430-3 3-Major BT738430 APM is not able to do compliance check on iOS devices running F5 Access VPN client 13.1.1.5, 14.0.0.5, 14.1.0.6
734291-1 3-Major BT734291 Logon page modification fails to sync to standby 13.1.1.5, 14.1.0.6
695985-4 3-Major BT695985 Access HUD filter has URL length limit (4096 bytes) 13.1.1.5, 14.0.0.5, 14.1.0.6
766761-2 4-Minor BT766761 Ant-server does not log requests that are excluded from scanning 14.1.0.6


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
766405-2 2-Critical BT766405 MRF SIP ALG with SNAT: Fix for potential crash on next-active device 13.1.3.4, 14.1.0.6
754615-2 2-Critical BT754615 Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup. 14.0.1.1, 14.1.0.6
763157-2 3-Major BT763157 MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped 14.0.1.1, 14.1.0.6, 15.0.1.4
760370-2 3-Major BT760370 MRF SIP ALG with SNAT: Next active ingress queue filling 14.0.1.1, 14.1.0.6, 15.0.1.4
759077-2 3-Major BT759077 MRF SIP filter queue sizes not configurable 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.4
755630-1 3-Major BT755630 MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes 14.0.1.1, 14.1.0.6
752822-1 3-Major BT752822 SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type 13.1.1.5, 14.0.1.1, 14.1.0.6
751179-1 3-Major BT751179 MRF: Race condition may create too many outgoing connections to a peer 11.6.5.2, 13.1.1.5, 14.1.0.6
746825-1 3-Major BT746825 MRF SIP ALG with SNAT: Ephemeral listeners not created for unsubscribed outgoing calls 14.0.1.1, 14.1.0.6
745947-2 3-Major BT745947 Add log events for MRF SIP registration/deregistration and media flow creation/deletion 14.1.0.6
745590-1 3-Major BT745590 SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added 14.0.1.1, 14.1.0.6
760930-2 4-Minor BT760930 MRF SIP ALG with SNAT: Added additional details to log events 14.0.1.1, 14.1.0.6, 15.0.1.4
747909-5 4-Minor BT747909 GTPv2 MEI and Serving-Network fields decoded incorrectly 11.6.5.1, 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.0.6


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
757524 1-Blocking BT757524 Data operation attempt on object that has not been loaded 14.1.0.6
757359-1 2-Critical BT757359 pccd crashes when deleting a nested Address List 13.1.3, 14.1.0.6
754805 2-Critical K97981358, BT754805 Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured 14.1.0.6
753028-2 3-Major BT753028 AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule 13.1.1.4, 14.1.0.6
756477-2 5-Cosmetic BT756477 Drop Redirect tab incorrectly named as 'Redirect Drop' 14.1.0.6


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
744516-4 2-Critical BT744516 TMM panics after a large number of LSN remote picks 12.1.4, 13.1.1.4, 14.1.0.6


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
748121-3 2-Critical BT748121 admd livelock under CPU starvation 13.1.1.4, 14.0.0.5, 14.1.0.6
653573-6 2-Critical BT653573 ADMd not cleaning up child rsync processes 13.1.1.4, 14.0.0.5, 14.1.0.6, 14.1.2.3
756877-1 3-Major BT756877 Virtual server created with Guided Configuration is not visible in Grafana 14.0.0.5, 14.1.0.6


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
752803-1 2-Critical BT752803 CLASSIFICATION_DETECTED running reject can lead to a tmm core 13.1.3, 14.1.0.6
752047-1 2-Critical BT752047 iRule running reject in CLASSIFICATION_DETECTED event can cause core 13.1.1.5, 14.1.0.6


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
758818-2 2-Critical BT758818 While using explicit or transparent http type service on SSL Orchestrator, TMM cores. 14.0.1.1, 14.1.0.6
756167-1 3-Major BT756167 No URL category data on SSL Orchestrator dashboard and on SSL Orchestrator statistics page after upgrade 14.1.0.6
748252-2 3-Major BT748252 Connection reset seen with SSL bypass on a L2 wire setup 14.1.0.6



Cumulative fixes from BIG-IP v14.1.0.5 that are included in this release


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
755817 3-Major BT755817 v14.1.0.5 includes Guided Configuration 4.1 14.1.0.5
751824-1 3-Major BT751824 Restore old 'merge' functionality with new tmsh verb 'replace' 14.1.0.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
663819-1 3-Major BT663819 APM NTLM Authentication for RDP Client Gateway and Microsoft Exchange Proxy are incompatible with Microsoft workaround for MS17-010 (Wannacry / Eternalblue) 14.1.0.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
761173-1 2-Critical BT761173 tmm crash after extended whitelist modification 14.1.0.5
751869-2 2-Critical BT751869 Possible tmm crash when using manual mode mitigation in DoS Profile 13.1.1.5, 14.1.0.5
760393 3-Major BT760393 GARP is not sent from newly active device after failover for FW NAT policy rule's dest prefixes 14.1.0.5
750477-1 3-Major BT750477 LTM NAT does not forward ICMP traffic 14.1.0.5
737035-2 3-Major BT737035 New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup. 14.0.0.5, 14.1.0.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
757088-1 2-Critical BT757088 TMM clock advances and cluster failover happens during webroot db nightly updates 12.1.5, 13.1.1.5, 14.1.0.5
758536 3-Major BT758536 Traffic Intelligence IM pkg for 14.1.0 fails to install on base build version 14.1.0.x 14.1.0.5


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
737558-1 2-Critical BT737558 Protocol Inspection user interface elements are active but do not work 14.1.0.5
774881 3-Major BT774881 Protocol Inspection profiles can be added to a virtual server without Protocol Inspection being licensed. 14.1.0.5


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
760278 2-Critical BT760278 F5 SSL Orchestrator may fail to install an RPM software package on BIG-IP systems running point release versions 14.1.0.5



Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release


Functional Change Fixes

None



Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
745783-1 3-Major BT745783 Anti-fraud: remote logging of login attempts 13.1.1.3, 14.1.0.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
758667-1 2-Critical BT758667 BIG-IP VE high availability (HA) actions are not invoked when offload hardware hangs 14.1.0.3
754541-2 2-Critical BT754541 Reconfiguring an iApp that uses a client SSL profile fails 14.1.0.3
760222 3-Major BT760222 SCP fails unexpectedly when FIPS mode is enabled 13.1.1.5, 14.0.0.5, 14.1.0.3
725625-1 3-Major BT725625 BIG-IP VE Cryptographic Offload updated to Intel QAT 1.7 v4.4.0 SDK 14.1.0.3



Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
757025-1 CVE-2018-5744 K00040234, BT757025 BIND Update 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
756774-6 CVE-2019-6612 K24401914, BT756774 Aborted DNS queries to a cache may cause a TMM crash 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
750292-2 CVE-2019-6592 K54167061, BT750292 TMM may crash when processing TLS traffic 12.1.5.3, 13.1.3.4, 14.1.0.2
749879-2 CVE-2019-6611 K47527163, BT749879 Possible interruption while processing VPN traffic 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
744035-6 CVE-2018-15332 K12130880, BT744035 APM Client Vulnerability: CVE-2018-15332 11.6.5.1, 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2
757027-1 CVE-2019-6465 K01713115, BT757027 BIND Update 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
757026-1 CVE-2018-5745 K25244852, BT757026 BIND Update 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
745713-4 CVE-2019-6619 K94563344, BT745713 TMM may crash when processing HTTP/2 traffic 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
745387-1 CVE-2019-6618 K07702240, BT745387 Resource-admin user roles can no longer get bash access 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
745165-1 CVE-2019-6617 K38941195, BT745165 Users without Advanced Shell Access are not allowed SFTP access 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
737910-4 CVE-2019-6609 K18535734, BT737910 Security hardening on the following platforms 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2
724680-6 CVE-2018-0732 K21665601, BT724680 OpenSSL Vulnerability: CVE-2018-0732 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.2, 14.0.1.1, 14.1.0.2
703835-5 CVE-2019-6616 K82814400, BT703835 When using SCP into BIG-IP systems, you must specify the target filename 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
702472-7 CVE-2019-6615 K87659521, BT702472 Appliance Mode Security Hardening 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
698376-5 CVE-2019-6614 K46524395, BT698376 Non-admin users have limited bash commands and can only write to certain directories 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
713806-8 CVE-2018-0739 K08044291, BT713806 CVE-2018-0739: OpenSSL Vulnerability 14.1.0.2
699977-3 CVE-2016-7055 K43570545, BT699977 CVE-2016-7055: OpenSSL Vulnerability in NodeJS ILX 14.1.0.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
755641-1 2-Critical BT755641 Unstable asm_config_server after upgrade, 'Event dispatcher aborted' 14.1.0.2
744685-2 2-Critical BT744685 BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension 13.1.1.4, 14.0.1.1, 14.1.0.2
744188-1 2-Critical BT744188 First successful auth iControl REST requests will now be logged in audit and secure log files 13.1.1.4, 14.0.1.1, 14.1.0.2
739432 3-Major BT739432 F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems 14.1.0.2
738108-1 3-Major BT738108 SCTP multi-homing INIT address parameter doesn't include association's primary address 14.1.0.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
753642-1 2-Critical BT753642 iHealth may report false positive for Critical Malware 14.1.0.2
752835-2 2-Critical K46971044, BT752835 Mitigate mcpd out of memory error with auto-sync enabled. 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
750580-1 2-Critical BT750580 Installation using image2disk --format may fail after TMOS v14.1.0 is installed 14.1.0.2
707013-3 2-Critical BT707013 vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest 13.1.1.5, 14.0.1.1, 14.1.0.2
668041-4 2-Critical K27535157, BT668041 Config load fails when an iRule comment ends with backslash in a config where there is also a policy. 13.1.1.4, 14.0.0.5, 14.1.0.2
621260-2 2-Critical BT621260 mcpd core on iControl REST reference to non-existing pool 11.6.5.1, 12.1.5.1, 13.1.1.5, 14.0.1.1, 14.1.0.2
753564-1 3-Major BT753564 Attempt to change password using /bin/passwd fails 14.1.0.2
751011-3 3-Major BT751011 ihealth.sh script and qkview locking mechanism not working 13.1.1.5, 14.1.0.2
751009-3 3-Major BT751009 Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out 13.1.1.4, 14.0.1.1, 14.1.0.2
750661 3-Major BT750661 URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied. 14.1.0.2
750447-3 3-Major BT750447 GUI VLAN list page loading slowly with 50 records per screen 13.1.1.5, 14.1.0.2
749382-1 3-Major BT749382 Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater 14.1.0.2
746873-1 3-Major BT746873 Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing 14.1.0.2
745825-1 3-Major BT745825 The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading 13.1.3.2, 14.1.0.2
737536-2 3-Major BT737536 Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others. 13.1.1.4, 14.0.0.5, 14.1.0.2
721585-1 3-Major BT721585 mcpd core processing ltm monitors with deep level of inheritance 14.1.0.2
639619-7 3-Major BT639619 UCS may fail to load due to Master key decryption failure on EEPROM-less systems 11.6.4, 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
751636-1 4-Minor BT751636 Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership 14.1.0.2
737423-2 4-Minor   Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033 14.1.0.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
754143-1 2-Critical K45456231, BT754143 TCP connection may hang after FIN 13.1.4.1, 14.1.0.2
747617-2 2-Critical BT747617 TMM core when processing invalid timer 12.1.5.2, 13.1.1.5, 14.0.1.1, 14.1.0.2
742184-3 2-Critical BT742184 TMM memory leak 13.1.3, 14.1.0.2
738945-4 2-Critical BT738945 SSL persistence does not work when there are multiple handshakes present in a single record 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
716714-4 2-Critical BT716714 OCSP should be configured to avoid TMM crash. 13.1.1.4, 14.0.1.1, 14.1.0.2
750200-3 3-Major BT750200 DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode 13.1.1.5, 14.0.1.1, 14.1.0.2
749294-4 3-Major BT749294 TMM cores when query session index is out of boundary 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.0.2
746131-4 3-Major   OpenSSL Vulnerability: CVE-2018-0732 14.1.0.2
744686-2 3-Major BT744686 Wrong certificate can be chosen during SSL handshake 14.1.0.2
743900-1 3-Major BT743900 Custom DIAMETER monitor requests do not have their 'request' flag set 14.1.0.2
739963-4 3-Major BT739963 TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.2
739349-3 3-Major BT739349 LRO segments might be erroneously VLAN-tagged. 13.1.1.4, 14.0.1.1, 14.1.0.2
724327-2 3-Major BT724327 Changes to a cipher rule do not immediately have an effect 13.1.1.4, 14.1.0.2
720219-3 3-Major K13109068, BT720219 HSL::log command can fail to pick new pool member if last picked member is 'checking' 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.2
717896-4 3-Major BT717896 Monitor instances deleted in peer unit after sync 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
717100-1 3-Major BT717100 FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
716167-2 3-Major BT716167 The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp 13.1.3.4, 14.1.0.2
704450-5 3-Major BT704450 bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration 12.1.5.2, 13.1.3.2, 14.1.0.2
703593-1 3-Major BT703593 TMSH tab completion for adding profiles to virtual servers is not working as expected 14.1.0.2


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
756094-2 2-Critical BT756094 DNS express in restart loop, 'Error writing scratch database' in ltm log 12.1.4.1, 13.1.1.5, 14.1.0.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
752942-1 2-Critical BT752942 Live Update cannot be used by Administrator users other than 'admin' and 'root' 14.1.0.2
750922-1 2-Critical BT750922 BD crash when content profile used for login page has no parse parameters set 13.1.1.4, 14.0.0.5, 14.1.0.2
749136-1 2-Critical BT749136 Disk partition /var/log is low on free disk space 14.1.0.2
748321-1 2-Critical BT748321 bd crash with specific scenario 14.1.0.2
744347-4 2-Critical BT744347 Protocol Security logging profiles cause slow ASM upgrade and apply policy 12.1.4, 13.1.1.4, 14.0.0.5, 14.1.0.2
721741-4 2-Critical BT721741 BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative 12.1.3.7, 13.1.1.2, 14.1.0.2
754420-1 3-Major BT754420 Missing policy name in exported ASM request details 14.0.0.5, 14.1.0.2
754066-1 3-Major BT754066 Newly added Systems are not added as part of installing a Server Technologies update file 14.1.0.2
753295-1 3-Major BT753295 ASM REST: All signatures being returned for policy Signatures regardless of signature sets 14.1.0.2
750973-1 3-Major BT750973 Import XML policy error 14.1.0.2
750793-2 3-Major BT750793 Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition 14.0.0.5, 14.1.0.2
750686-1 3-Major BT750686 ASE user cannot create or modify a bot signature. 14.1.0.2
750683-1 3-Major BT750683 REST Backwards Compatibility: Cannot modify enforcementMode of host-name 14.1.0.2
750668-1 3-Major BT750668 Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition 14.1.0.2
750666-1 3-Major BT750666 Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common' 14.1.0.2
750356-2 3-Major BT750356 Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted 13.1.1.4, 14.0.0.5, 14.1.0.2
749500-1 3-Major BT749500 Improved visibility for Accept on Microservice action in Traffic Learning 14.1.0.2
749109-3 3-Major BT749109 CSRF situation on BIGIP-ASM GUI 13.1.1.5, 14.0.0.5, 14.1.0.2
748999-3 3-Major BT748999 invalid inactivity timeout suggestion for cookies 13.1.1.4, 14.0.0.5, 14.1.0.2
748848-2 3-Major BT748848 Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers 14.0.0.5, 14.1.0.2
748409-2 3-Major BT748409 Illegal parameter violation when json parsing a parameter on a case-insensitive policy 14.0.0.5, 14.1.0.2
747977-1 3-Major BT747977 File manually uploaded information is not synced correctly between blades 14.1.0.2
747777-3 3-Major BT747777 Extractions are learned in manual learning mode 13.1.1.4, 14.0.0.5, 14.1.0.2
747550-3 3-Major BT747550 Error 'This Logout URL already exists!' when updating logout page via GUI 13.1.1.4, 14.0.0.5, 14.1.0.2
746750-1 3-Major BT746750 Search Engine get Device ID challenge when using the predefined profiles 14.1.0.2
746298-1 3-Major BT746298 Server Technologies logos all appear as default icon 14.1.0.2
745813-1 3-Major BT745813 Requests are reported to local log even if only Bot Defense remote log is configured 14.1.0.2
745624-1 3-Major BT745624 Tooltips for OWASP Bot Categories and Anomalies were added 14.1.0.2
745607-1 3-Major BT745607 Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly 14.1.0.2
745531-2 3-Major BT745531 Puffin Browser gets blocked by Bot Defense 13.1.1.4, 14.1.0.2
742852-1 3-Major BT742852 Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header 14.1.0.2
739945-4 3-Major BT739945 JavaScript challenge on POST with 307 breaks application 12.1.4, 13.1.1.5, 14.0.1.1, 14.1.0.2
738676-1 3-Major BT738676 Errors when trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests 14.1.0.2
737866-2 3-Major BT737866 Rare condition memory corruption 14.1.0.2
754365-5 4-Minor BT754365 Updated flags for countries that changed their flags since 2010 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
721724-1 4-Minor BT721724 LONG_REQUEST notice print incorrect in BD log 14.1.0.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
746941-2 2-Critical BT746941 Memory leak in avrd when BIG-IQ fails to receive stats information 13.1.1.4, 14.0.0.5, 14.1.0.2
753446-2 3-Major BT753446 avrd process crash during shutdown if connected to BIG-IQ 13.1.1.5, 14.0.0.5, 14.1.0.2
749464-2 3-Major BT749464 Race condition while BIG-IQ updates common file 13.1.1.4, 14.0.0.5, 14.1.0.2
749461-2 3-Major BT749461 Race condition while modifying analytics global-settings 13.1.1.4, 14.0.0.5, 14.1.0.2
745027-2 3-Major BT745027 AVR is doing extra activity of DNS data collection even when it should not 13.1.1.4, 14.0.0.5, 14.1.0.2
744595-3 3-Major BT744595 DoS-related reports might not contain some of the activity that took place 13.1.1.4, 14.0.0.5, 14.1.0.2
744589-3 3-Major BT744589 Missing data for Firewall Events Statistics 13.1.1.4, 14.0.0.5, 14.1.0.2
715110-1 3-Major BT715110 AVR should report 'resolutions' in module GtmWideip 13.1.0.8, 14.1.0.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
752592-1 2-Critical BT752592 VMware Horizon PCoIP clients may fail to connect shortly after logout 13.1.1.5, 14.1.0.2
754346-2 3-Major BT754346 Access policy was not found while creating configuration snapshot. 13.1.1.4, 14.0.0.5, 14.1.0.2
746771-3 3-Major BT746771 APMD recreates config snapshots for all access profiles every minute 13.1.1.4, 14.1.0.2
745654-4 3-Major BT745654 Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2
743437-3 3-Major BT743437 Portal Access: Issue with long 'data:' URL 13.1.1.4, 14.0.0.5, 14.1.0.2


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
749603-1 3-Major BT749603 MRF SIP ALG: Potential to end wrong call when BYE received 13.1.1.5, 14.0.1.1, 14.1.0.2
749227-1 3-Major BT749227 MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE 14.0.1.1, 14.1.0.2
748043-2 3-Major BT748043 MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP 13.1.1.5, 14.0.1.1, 14.1.0.2
747187-2 3-Major BT747187 SIP falsely detects media flow collision when SDP is in both 183 and 200 response 12.1.5.2, 13.1.1.5, 14.0.1.1, 14.1.0.2
745715-2 3-Major BT745715 MRF SIP ALG now supports reading SDP from a mime multipart payload 14.1.0.2
745628-1 3-Major BT745628 MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message 13.1.3, 14.0.1.1, 14.1.0.2
745514-1 3-Major BT745514 MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message 13.1.3, 14.0.1.1, 14.1.0.2
745404-4 3-Major BT745404 MRF SIP ALG does not reparse SDP payload if replaced 12.1.5.2, 13.1.3, 14.0.1.1, 14.1.0.2
744949-1 3-Major BT744949 MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix 13.1.1.5, 14.0.1.1, 14.1.0.2
744275-1 3-Major BT744275 BIG-IP system sends Product-Name AVP in CER with Mandatory bit set 13.1.3.4, 14.1.0.2
742829-1 3-Major BT742829 SIP ALG: Do not translate and create media channels if RTP port defined in the SIP message is 0 13.1.1.4, 14.0.1.1, 14.1.0.2


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
747104-1 1-Blocking K52868493, BT747104 LibSSH: CVE-2018-10933 12.1.4.1, 13.1.1.4, 14.1.0.2
752363-2 2-Critical BT752363 Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled 13.1.3, 14.1.0.2
749331-3 2-Critical BT749331 Global DNS DoS vector does not work in certain cases 14.1.0.2
747922-3 2-Critical BT747922 With AFM enabled, during bootup, there is a small possibility of a tmm crash 13.1.3.2, 14.1.0.2
748176-1 3-Major BT748176 BDoS Signature can wrongly match a DNS packet 14.1.0.2
748081-1 3-Major BT748081 Memory leak in Behavioral DoS module 13.1.1.5, 14.1.0.2
747926-2 3-Major BT747926 Rare TMM restart due to NULL pointer access during AFM ACL logging 13.1.1.4, 14.1.0.2


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
726647-5 3-Major BT726647 PEM content insertion in a compressed response may truncate some data 12.1.4.1, 13.1.1.2, 14.0.0.3, 14.1.0.2


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
752782-1 3-Major BT752782 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe' 13.1.1.5, 14.0.0.5, 14.1.0.2
741449-3 4-Minor BT741449 alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts 13.1.1.4, 14.0.0.5, 14.1.0.2
738677-1 4-Minor BT738677 Configured name of wildcard parameter is not sent in data integrity alerts 14.1.0.2


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
755378-1 2-Critical BT755378 HTTPS connection error from Chrome when BADOS TLS signatures configured 14.1.0.2
727136-1 3-Major BT727136 One dataset contains large number of variations of TLS hello messages on Chrome 14.1.0.2


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
745733-3 3-Major BT745733 TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup 13.1.3.5, 14.1.0.2



Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
745629 2-Critical BT745629 Ordering Symantec and Comodo certificates from BIG-IP 14.1.0.1
713817-1 3-Major BT713817 BIG-IP images are available in Alibaba Cloud 14.1.0.1
738891-1 4-Minor BT738891 TLS 1.3: Server SSL fails to increment key exchange method statistics 14.1.0.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
746424 2-Critical BT746424 Patched Cloud-Init to support AliYun Datasource 14.1.0.1
745851 3-Major BT745851 Changed Default Cloud-Init log level to INFO from DEBUG 14.1.0.1
742251-1 4-Minor BT742251 Add Alibaba Cloud support to Qkview 14.1.0.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
745774-1 3-Major BT745774 Creating EC-only client SSL profile for forward-proxy without RSA key certs defined results in invalid profile 14.1.0.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
749774-5 3-Major BT749774 EDNS0 client subnet behavior inconsistent when DNS Caching is enabled 11.5.8, 11.6.3.4, 12.1.4, 13.1.1.4, 14.0.0.4, 14.1.0.1
749675-5 3-Major BT749675 DNS cache resolver may return a malformed truncated response with multiple OPT records 11.5.8, 11.6.3.4, 12.1.4, 13.1.1.4, 14.0.0.4, 14.1.0.1

 

Cumulative fix details for BIG-IP v14.1.4.6 that are included in this release

999933-4 : TMM may crash while processing DNS traffic on certain platforms

Links to More Info: K28042514, BT999933


999901-4 : Certain LTM policies may not execute correctly after a system reboot or TMM restart.

Component: Local Traffic Manager

Symptoms:
After a system reboot or TMM restart, LTM policies referencing an external data-group may not execute correctly, regardless of a successful matching condition.

This can cause a wide range of issues, including misrouted traffic, unshaped traffic, the bypassing of ASM, or complete traffic failure (based on the policy actions).

Note that if a virtual server references multiple LTM policies, and only some of those policies reference an external data-group, all LTM policies attached to the virtual server will be affected.

Conditions:
-- LTM policy with an external data-group configured on a virtual server.
-- System reboot or TMM restart.

Impact:
LTM policies may be unable to execute the appropriate action on a successful matching condition, leading to a wide range of traffic-impacting consequences.

Workaround:
Remove and re-add the affected policy to the desired virtual-server. Alternatively, to fix a wider number of affected virtual servers in one go, reload the system configuration by executing 'tmsh load sys config'.

Fix:
TMM now loads LTM policies with external data-groups as expected.

Fixed Versions:
14.1.4.6


999125-3 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.

Links to More Info: BT999125

Component: TMOS

Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.

Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.

Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).

Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.

Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:

tmsh restart sys service sod

Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.

Fix:
Redundant devices remain in the correct failover state following a management IP address change.

Fixed Versions:
14.1.4.6


999097-4 : SSL::profile may select profile with outdated configuration

Links to More Info: BT999097

Component: Local Traffic Manager

Symptoms:
Under some circumstances, an iRule-selected SSL profile may send a previously configured certificate to the peer.

Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.

Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.

Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.

Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


998729 : Query for virtual address statistics is slow when there are hundreds of virtual address and address lists entries

Links to More Info: BT998729

Component: TMOS

Symptoms:
If there are hundreds of virtual addresses and hundreds of address entries spanning one or more address lists, mcpd might take seconds to reply to a query for virtual address statistics.

One of the more commonly visible signs of this is high CPU usage by mcpd if it's processing a large number of queries for virtual address statistics. It is also likely that snmpd responses will be severely delayed to SNMP agent requests.

Conditions:
-- Hundreds of virtual servers.
-- Hundreds of address entries spanning one or many address lists.
-- Running SNMP queries for virtual address statistics.

Impact:
-- High CPU usage by mcpd.
-- SNMP requests/polling timeouts occur because mcpd takes hundreds of milliseconds to respond.

Note: If the address lists that contain the entries are not used in traffic-matching-criteria (and therefore do not increase the size of the tmstat virtual_address_stat table), mcpd response time is in the tens of milliseconds.

Workaround:
None

Fix:
Improved performance of queries for virtual address statistics when there are hundreds of virtual addresses and address list entries.

Fixed Versions:
14.1.4.4


998221-4 : Accessing pool members from configuration utility is slow with large config

Links to More Info: BT998221

Component: TMOS

Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.

Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.

Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second.

Managing pool members from the configuration utility is very slow, causing performance impact.

Workaround:
None

Fix:
Optimized the GUI query used for retrieving pool members data.

Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2, 16.1.2


997929-4 : Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic

Links to More Info: BT997929

Component: Local Traffic Manager

Symptoms:
If a virtual server is using a traffic-matching-criteria (TMC) with a destination-inline-port of zero ('any'), and this is later changed (either to a non-zero port value, or to a port-list with non-zero port values) the virtual server stops processing traffic.

If tmm is restarted (which causes an outage) the virtual server resumes accepting traffic using the new ports. In addition, changing the virtual server's port back to 'any' also causes traffic processing to resume.

Conditions:
-- A virtual server using an address list for its destination, and 'any' (zero) for its destination port.

-- Changing the virtual server's destination port to a non-zero value, or to a port-list with non-zero port values.

Impact:
The virtual server stops processing traffic.

Workaround:
To recover, you can do either of the following:

-- Restart tmm:
bigstart restart tmm

-- Change the virtual server's port back to 'any' (0).

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2


997193-2 : TCP connections may fail when AFM global syncookies are in operation.

Links to More Info: K16101409, BT997193


997137-4 : CSRF token modification may allow WAF bypass on GET requests

Component: Application Security Manager

Symptoms:
Under certain conditions a parameter is not processed as expected.

Conditions:
1. CSRF feature is configured
2. Request contains a crafted parameter

Impact:
A malicious request will bypass signatures and will not raise any attack signature violation.

Workaround:
N/A

Fix:
The parameter is now processed as expected.

Fixed Versions:
14.1.4.4, 15.1.4.1


996593-3 : Password change through REST or GUI not allowed if the password is expired

Links to More Info: BT996593

Component: TMOS

Symptoms:
When trying to update the expired password through REST or the GUI, the system reports an error:

Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.

Conditions:
-- Password is expired.
-- Password change is done through either REST or the GUI.

Impact:
Expired password cannot be updated through REST or the GUI.

Workaround:
Update password using tmsh:

tmsh modify auth password <username>

Fix:
You can now change an expired password through REST or the GUI.

Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2


996381-4 : ASM attack signature may not match as expected

Links to More Info: K41503304, BT996381

Component: Application Security Manager

Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.

Conditions:
- Attack signature 200000128 enabled.

Impact:
Processed traffic may not match all expected attack signatures

Workaround:
N/A

Fix:
Attack signature 200000128 now matches as expected.

Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1


996113-4 : SIP messages with unbalanced escaped quotes in headers are dropped

Links to More Info: BT996113

Component: Service Provider

Symptoms:
Dropped SIP messages.

Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote

Impact:
Certain SIP messages are not being passed via MRF.

Workaround:
None

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1


996001-2 : AVR Inspection Dashboard 'Last Month' does not show all data points

Links to More Info: BT996001

Component: TMOS

Symptoms:
A daily-based report (a report with a resolution of one day per data point) can be provided only for requests of up to 30 days. A request with 31 days shows only 2 entries.

Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.

Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.

Workaround:
None

Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


995853-3 : Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error.

Links to More Info: BT995853

Component: Global Traffic Manager (DNS)

Symptoms:
Unable to create GSLB Server object with both IPv4 and IPv6 self IPs as device IPs.

Conditions:
-- DNS and LTM services enabled.
-- Configure two self IPs on the box for IPv4 and IPv6.
-- GSLB Server object creation with IPv4 and IPv6 addresses in the device tab along with Virtual Server Discovery enabled.

Impact:
GSLB Server object creation fails.

Workaround:
TMSH is not impacted. Use TMSH to create GSLB Server objects.

Fix:
GSLB Server object creation no longer fails.

Fixed Versions:
14.1.4.4, 15.1.4


995629-2 : Loading UCS files may hang if ASM is provisioned

Links to More Info: BT995629

Component: TMOS

Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.

Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.

Impact:
-- UCS load might fail.
-- Config save and load operations fail while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.

Workaround:
If you encounter this, run 'load sys config default' to de-provision ASM. The UCS file should then load successfully.

Note: If loading a UCS archive with the 'platform-migrate' argument, then there is no workaround. See: https://cdn.f5.com/product/bugtracker/ID990849.html

Fix:
Loading UCS files no longer hangs if ASM is provisioned.

Fixed Versions:
13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2


995433-4 : IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT

Links to More Info: BT995433

Component: Advanced Firewall Manager

Symptoms:
The PPTP log entries for NAT64 traffic have a truncated IPv6 address.

Conditions:
This is encountered when viewing PPTP log entries.

Impact:
IPv6 addresses in PPTP logs are truncated.

Workaround:
None

Fix:
The full IPv6 address is now logged in PPTP logs.

Fixed Versions:
14.1.4.5, 15.1.4.1


995029 : Configuration is not updated during auto-discovery

Links to More Info: BT995029

Component: Access Policy Manager

Symptoms:
Auto-discovery fails, resulting in OAuth failure. In /var/log/apm:

-- OAuth Client: failed for server '<server>' using 'authorization_code' grant type (<grant type>), error: None of the configured JWK keys match the received JWT token

Conditions:
JSON Web Token (JWT) auto-discovery is enabled via JSON Web Keys (JWK).

Impact:
JWT auto-discovery fails and the configuration is not updated.

Workaround:
Use the GUI to manually retrieve the JWKs by clicking the 'Discovery' button for OpenID URI in 'Access :: Federation : OAuth Client / Resource Server : Provider :: <name of provider>'.

Fix:
Fixed an issue with auto-discovery and JWKs.

Fixed Versions:
14.1.4.2, 15.1.4


994985-1 : CGNAT GUI shows blank page when applying SIP profile

Links to More Info: BT994985

Component: Carrier-Grade NAT

Symptoms:
The virtual server properties GUI page shows blank when a SIP profile is applied to the virtual server.

Conditions:
-- Create virtual server and attach a SIP profile.
-- Navigate to virtual server properties page.

Impact:
The virtual server properties page does not display the configuration.

Workaround:
None.

Fix:
The GUI shows virtual server config page with all config values

Fixed Versions:
14.1.4.2, 15.1.4


994801-4 : SCP file transfer system

Component: TMOS

Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.

Conditions:
A user assigned to a role, such as Resource Administrator, without Advanced Shell access can run arbitrary commands SCP file transfer.

Impact:
Users without Advanced Shell access can run SCP file transfer commands.

Workaround:
None

Fix:
This issue is fixed. The SCP file transfer system now follows current best practices. Users without Advanced Shell access cannot run SCP file transfer commands.

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2


993981-4 : TMM may crash when ePVA is enabled

Component: Local Traffic Manager

Symptoms:
When ePVA is enabled on the BIG-IP system, increased CMP redirections can cause tmm to core and report an error:
tmm SIGFPE "nexthop ref valid".

Conditions:
-- ePVA acceleration is enabled on the BIG-IP system.
-- High rate of CMP redirections.

Impact:
Traffic disrupted while TMM restarts, and systems configured as part of a high availability (HA) group may failover.

Workaround:
Disable ePVA acceleration option.

Note: Performing this procedure may increase CPU use because TCP connections are subsequently processed in software by the Traffic Management Microkernel (TMM).

Fix:
TMM now operates as expected with ePVA enabled.

Fixed Versions:
14.1.4.6


993913-1 : TMM SIGSEGV core in Message Routing Framework

Links to More Info: BT993913

Component: Service Provider

Symptoms:
TMM crashes on SIGSEGV.

Conditions:
This can occur while passing traffic through the message routing framework.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1


993613-4 : Device fails to request full sync

Links to More Info: BT993613

Component: Application Security Manager

Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs

Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.

Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage

Workaround:
Halting asm_config_server on the stuck device restores the working state and requests a new sync.

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


993489-4 : GTM daemon leaks memory when reading GTM link objects

Links to More Info: BT993489

Component: Global Traffic Manager (DNS)

Symptoms:
The gtmd process memory consumption is higher than expected.

Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.

Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.

Workaround:
None

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1


993457-3 : TMM core with ACCESS::policy evaluate iRule

Links to More Info: BT993457

Component: Access Policy Manager

Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.

Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.

Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


992213-1 : Protocol Any displayed as HOPTOPT in AFM policy view

Links to More Info: BT992213

Component: Advanced Firewall Manager

Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.

Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.

Impact:
GUI shows an incorrect value.

Workaround:
None

Fix:
The GUI shows the correct value for the rule protocol option.

Fixed Versions:
14.1.4.2, 15.1.4, 16.1.1


992073-1 : APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS

Component: Access Policy Manager

Symptoms:
End user clients frequently get a prompt to enter credentials when they should not.

Conditions:
APM Access Profile with NTLM authentication enabled.

Impact:
NTLM handshake failure causing user authentication failures.

Workaround:
N/A

Fix:
APM now processes NTLM requests as expected.

Fixed Versions:
14.1.4.6


991037-1 : MR::message can cause tmm crash

Links to More Info: BT991037

Component: Service Provider

Symptoms:
The iRule command MR::message drop can occasionally trigger a memory corruption and tmm crash.

Conditions:
The iRule command MR::message drop is used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
14.1.4.3


990849-3 : Loading UCS with platform-migrate option hangs and requires exiting from the command

Links to More Info: BT990849

Component: TMOS

Symptoms:
The UCS loading process with platform-migrate stops responding and hangs after printing:

Platform migrate loaded successfully. Saving configuration.

Conditions:
Load UCS with platform-migrate option:
tmsh load sys ucs <ucs_name> platform-migrate

Note: If you are loading a UCS archive created on a system running a different software version that also has an ASM configuration, there are other aspects to consider. See: https://cdn.f5.com/product/bugtracker/ID995629.html

Impact:
The UCS loading process stops responding, causing the device to be in an INOPERATIVE state.

Workaround:
None.

Fix:
Loading UCS with the platform-migrate option executes smoothly without getting stuck.

Fixed Versions:
13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2


990461-2 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade

Links to More Info: BT990461

Component: Advanced Firewall Manager

Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.

Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.

Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.

Workaround:
Manually update the SYN cookie threshold values after an upgrade.

Fixed Versions:
14.1.4.4


990333-4 : APM may return unexpected content when processing HTTP requests

Links to More Info: K75540265, BT990333


989753-3 : In HA setup, standby fails to establish connection to server

Links to More Info: BT989753

Component: Service Provider

Symptoms:
In a high availability (HA) setup, standby fails to establish a connection to the server with the log message:

err tmm[819]: 01850008:3: MR: Received HA message targeting missing transport-config

Conditions:
In MRF (diameter/SIP) HA setup with connection mirroring enabled.

Impact:
Standby BIG-IP system fails to establish a connection to the server.

Workaround:
None.

Fix:
Standby is now able to establish a connection to the server.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


989701-4 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response

Links to More Info: K42355373, BT989701


989637-4 : TMM may crash while processing SSL traffic

Links to More Info: K08476614, BT989637


989009-4 : BD daemon may crash while processing WebSocket traffic

Links to More Info: K05314769, BT989009


988549-4 : CVE-2020-29573: glibc vulnerability

Links to More Info: K27238230, BT988549


988533-3 : GRE-encapsulated MPLS packet support

Links to More Info: BT988533

Component: TMOS

Symptoms:
There is no facility to accept packets using GRE-encapsulated MPLS. The GUI gives only encapsulation options for IP address (0x0800) and transparent ethernet bridging (0x6558).

Conditions:
This is encountered when attempting to configure BIG-IP systems to handle GRE-encapsulated MPLS.

Impact:
Packets get dropped when they are GRE-encapsulated with MPLS.

Workaround:
None

Fix:
Encapsulated MPLS packets over GRE are now supported in a way similar to IP address and transparent ethernet bridging.

Fixed Versions:
14.1.4.5, 15.1.4.1


988005-3 : Zero active rules counters in GUI

Links to More Info: BT988005

Component: Advanced Firewall Manager

Symptoms:
When accessing Security :: Network Firewall :: Active Rules in UI, the active rules count is stuck at 0 (zero).

Conditions:
Access the following menu path:
Security :: Network Firewall :: Active Rules

Impact:
Incorrect information on active rules count is seen in the UI.

Workaround:
Disable firewall inline editor.

Fix:
The active rules count column now displays the correct number of times a rule has been hit.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


987077-4 : TLS1.3 with client authentication handshake failure

Links to More Info: BT987077

Component: Local Traffic Manager

Symptoms:
SSL handshakes are failing, and TLS clients send 'Bad Record MAC' errors.

Conditions:
-- LTM authentication profile using OCSP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.

Impact:
A handshake failure occurs.

Workaround:
Use TLS1.2 or use TLS1.3 without LTM authentication profile.

Fix:
Handshake completes if using TLS1.3 with client authentication and LTM auth profile.

Fixed Versions:
14.1.4.6


985953-2 : GRE Transparent Ethernet Bridging inner MAC overwrite

Links to More Info: BT985953

Component: TMOS

Symptoms:
Traffic is not being collected by the virtual server and therefore is not being forwarded to the nodes.

Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.

Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.

Workaround:
None

Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


984765-4 : APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)

Links to More Info: BT984765

Component: Access Policy Manager

Symptoms:
NTLM User logon authentication fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) from the Active Directory (AD) server.

Conditions:
-- Upgrading from legacy versions to BIG-IP v14.1.2 or later.
-- AD servers are updated with latest security patches from Microsoft.

Impact:
NTLM Authentication fails after a week. APM end user client logon (such as Outlook users, Remote Desktop Users, and Browser-based NTLM Auth logons that use BIG-IP APM as forward/reverse proxy) fails, and the service is down.

Workaround:
To resolve the issue temporarily, use either of the following:

-- Reset the NTLM Machine Account with the 'Renew Machine Password' option.

-- Run the command:
bigstart restart nlad

The problem can reappear after a week, so you must repeat these steps each time the issue occurs.

Fixed Versions:
14.1.4.4, 15.1.4


984593-3 : BD crash

Links to More Info: BT984593

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None.

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


982869-3 : With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0

Links to More Info: BT982869

Component: Service Provider

Symptoms:
Tmm may crash.

Conditions:
This occurs when auto initialization is enabled for one or more Message Routing peers and during CMP transition when tmm_total_active_npus value is 0.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Tmm no longer crashes under these conditions.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


982757-6 : APM Access Guided Configuration hardening

Component: Guided Configuration

Symptoms:
APM Guided Configuration does not follow current best practices

Conditions:
- APM provisioned
- Authenticated administrative user

Impact:
Guided Configuration does not follow current best practices.

Workaround:
N/A

Fix:
Guided Configuration now follows current best practices.

Fixed Versions:
14.1.4.6


982697-4 : ICMP hardening

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM does not follow current best practices for ICMP traffic.

Conditions:
- ICMP traffic
- DNS in use

Impact:
TMM does not follow current best practices.

Workaround:
N/A

Fix:
TMM now follows current best practices while processing ICMP traffic.

Behavior Change:
The change randomly adjusts the BIG-IP's ICMP rate limit to within 1/8% of the configured rate. While the average rate will remain the same, the number of ICMP packets issued second-to-second will vary randomly.

Fixed Versions:
14.1.4.6


982341-4 : iControl REST endpoint hardening

Component: TMOS

Symptoms:
iControl REST endpoints do not apply current best practices.

Conditions:
- Authenticated administrative user
- Request to iControl endpoint

Impact:
iControl REST endpoints do not follow current best practices.

Workaround:
N/A

Fix:
iControl REST endpoints now follow current best practices.

Fixed Versions:
14.1.4.6


981785-2 : Incorrect incident severity in Event Correlation statistics

Links to More Info: BT981785

Component: Application Security Manager

Symptoms:
When reported to AVR, incident severity reads "correlation" instead of "high" or "medium".

Conditions:
Usually happens for the first incident after ASM startup.

Impact:
Incorrect statistics in Event Correlation summary (Incident Severity graph), and also in tmsh analytics report.

Workaround:
Use severity info from the Incidents list.

Fix:
Event Correlation engine was fixed and now incident severity is reported properly to AVR.

Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2


981693-2 : TMM may consume excessive resources while processing IPSec ALG traffic

Links to More Info: K54892865, BT981693


981689-1 : TMM memory leak with IPsec ALG

Links to More Info: BT981689

Component: Carrier-Grade NAT

Symptoms:
TMM crash due to out of memory.

Conditions:
-- IPsec ALG virtual server in BIG-IP passes traffic normally.
-- IPsec ALG connections are aborted. A common cause of IPsec ALG failure is CGNAT translation failures.

Impact:
TMM reaches memory limits. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed a tmm memory leak related to IPsec ALG connections.

Fixed Versions:
14.1.4.2, 15.1.4.1


981461-3 : Unspecified DNS responses cause TMM crash

Links to More Info: K45407662, BT981461


981385-4 : AVRD does not send HTTP events to BIG-IQ DCD

Links to More Info: BT981385

Component: Application Visibility and Reporting

Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).

Conditions:
This happens under normal operation.

Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.

Workaround:
None.

Fixed Versions:
13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2


981169-3 : F5 TMUI XSS vulnerability CVE-2021-22994

Links to More Info: K66851119, BT981169


980821-1 : Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured.

Links to More Info: BT980821

Component: Local Traffic Manager

Symptoms:
Traffic is directed to a virtual server that is configured with port any even though there is a virtual server with a specific port that the traffic should match.

Conditions:
There are two virtual servers configured:
  - One with a specific port and ip-protocol 'any'
  - One with port any and a specific ip-protocol

Impact:
Traffic destined to the port matches the any-port virtual server rather than the specific port virtual server.

Workaround:
Create individual listeners for specific protocols.

For example, given the configuration:
  ltm virtual vs-port80-protoAny {
    destination 10.1.1.1:80
    ip-protocol any
    ...
  }
  ltm virtual vs-portAny-protoTCP {
    destination 10.1.1.1:0
    ip-protocol TCP
    ...
  }

Replace the vs-port80-protoAny with virtual servers configured for the specific protocols desired:
  ltm virtual vs-port80-protoTCP {
    destination 10.1.1.1:80
    ip-protocol TCP
    ...
  }
  ltm virtual vs-port80-protoUDP {
    destination 10.1.1.1:80
    ip-protocol UDP
    ...
  }

Fix:
A more specific virtual server now takes priority over a wildcard virtual server when processing traffic.

Fixed Versions:
14.1.4.2, 15.1.3.1, 16.0.1.2


980809-3 : ASM REST Signature Rule Keywords Tool Hardening

Links to More Info: K41351250, BT980809


980325-4 : Chmand core due to memory leak from dossier requests.

Links to More Info: BT980325

Component: TMOS

Symptoms:
Chmand generates a core file when get_dossier is run continuously.

Due to excessive dossier requests, there is a high consumption of memory. The program is terminated with signal SIGSEGV, Segmentation fault.

Conditions:
Repeated/continuous dossier requests during licensing operations.

Impact:
Chmand crashes; potential traffic impact while chmand restarts.

Workaround:
None.

Fixed Versions:
14.1.4.4, 15.1.4


980125-4 : BD Daemon may crash while processing WebSocket traffic

Links to More Info: K42051445, BT980125


978833-3 : Use of CRL-based Certificate Monitoring Causes Memory Leak

Links to More Info: BT978833

Component: Local Traffic Manager

Symptoms:
TMM memory use increases and the aggressive mode sweeper activates.

Conditions:
CRL certificate validator is configured.

Impact:
TMM ssl and ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart.

Workaround:
None.

Fix:
Use of CRL-based certificate monitoring no longer causes memory leak.

Fixed Versions:
14.1.4.4, 15.1.4.1


978393 : GUI screen shows blank screen while importing a certificate

Links to More Info: BT978393

Component: TMOS

Symptoms:
When you click the import button of an existing certificate, the screen goes blank.

Go to:
1. System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: existing_certificate.crt ::
2. Click the 'Import' button at the bottom of the page.

Conditions:
-- Device is upgraded from 13.1.x to 14.1.x.
-- Attempting to import a certificate that was created prior to the upgrade.

Impact:
You are unable to import from a certificate using the GUI.

Workaround:
There are three workarounds:

-- Use the GUI to download and reimport:
1. Download the cert and key.
2. Delete the cert and key from system.
3. Import it back.


-- Use the GUI to rename and save:
1. Rename the cert and key, removing extensions from the file.
2. Update the config file accordingly. The Import button works successfully.

-- Use tmsh to update the certs.

Fix:
Certificates can now be imported via the GUI after upgrade.

Fixed Versions:
14.1.4.1


977053-3 : TMM crash on standby due to invalid MR router instance

Links to More Info: BT977053

Component: Service Provider

Symptoms:
In high availability (HA) setup, TMM on the standby device may crash due to an invalid Message Routing (MR) router instance.

Conditions:
-- HA environment.
-- Connection mirroring is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM on the standby device no longer crashes under these conditions.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


977005-2 : Network Firewall Policy rules-list showing incorrect 'Any' for source column

Links to More Info: BT977005

Component: Advanced Firewall Manager

Symptoms:
Network Firewall Policy rules-list shows incorrect 'Any' for source column.

Conditions:
- Create a policy under Security :: Network Firewall : Policies.
- Create a rules list with some rules in it.
- Add the rules list to the Policy.
- Verify the GUI shows 'any' under the source column of the root tree of the policy.

Impact:
GUI shows 'Any' extra text under the source column

Workaround:
None

Fix:
The GUI no longer shows extra text

Fixed Versions:
14.1.4.2, 15.1.4


976925-3 : BIG-IP APM VPN vulnerability CVE-2021-23002

Links to More Info: K71891773, BT976925


976669-3 : FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade

Links to More Info: BT976669

Component: TMOS

Symptoms:
After rebooting or replacing a secondary blade, the FIPS integrity check fails for other secondary blades and they fail to fully boot.

Conditions:
This can occur after rebooting or replacing a secondary blade.

Impact:
When the FIPS integrity checks fail the blades won't fully boot.

Workaround:
When a secondary blade reboots, the following critical files are deleted from the other secondary blades, which leads to FIPS integrity check failure:

/root/.ssh/authorized_keys
/root/.ssh/known_hosts

To mitigate, copy the missing files from the primary blade to the secondary blade.

From the primary blade, issue the following command towards the secondary blade(s).

rsync -avz -e ssh /root/.ssh/* root@<Secondary Blade>:/root/.ssh/

Fix:
Critical files are not deleted during secondary blade reboot.

Fixed Versions:
14.1.4.6


976505-1 : Rotated restnoded logs will fail logintegrity verification.

Links to More Info: BT976505

Component: TMOS

Symptoms:
On enabling the logintegrity feature, the rotated restnoded logs fail logintegrity verification.

Conditions:
Logintegrity support feature is enabled:

list sys db logintegrity.support
sys db logintegrity.support {
    value "enable"
}

Impact:
Rotated restnoded logs fail logintegrity verification.

Workaround:
None

Fix:
Restnoded logs are now verified successfully by the logintegrity utility.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


976501-3 : Failed to establish VPN connection

Links to More Info: BT976501

Component: Access Policy Manager

Symptoms:
VPN client exits with message "Failed to establish VPN connection"

Conditions:
-- Connect to Network Access using web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop
-- Internet Explorer browser

Impact:
Client will be unable to launch the VPN tunnel from the browser.

Workaround:
Clear cache in the browser and retry.
Disable caching in the browser.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3


976365-1 : Traffic Classification hardening

Links to More Info: BT976365

Component: Traffic Classification Engine

Symptoms:
Traffic Classification IM packages do not follow current best practices.

Conditions:
- Traffic Classification enabled
- IM packages updated by an authenticated administrative user

Impact:
Traffic Classification IM packages do not follow current best practices.

Workaround:
No Workaround

Fix:
Traffic Classification IM packages now follow current best practices.

Fixed Versions:
14.1.4.3, 15.1.3.1


975809-2 : Rotated restjavad logs fail logintegrity verification.

Links to More Info: BT975809

Component: TMOS

Symptoms:
After enabling the logintegrity feature, the rotated restjavad logs fail logintegrity verification.

Conditions:
Logintegrity support feature is enabled:

list sys db logintegrity.support
sys db logintegrity.support {
    value "enable"
}

Impact:
Rotated restjavad logs fail logintegrity verification.

Workaround:
None

Fix:
Restjavad logs are now verified successfully by the logintegrity utility.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


975593-2 : TMM may crash while processing IPSec traffic

Component: Carrier-Grade NAT

Symptoms:
Under certain conditions, TMM may crash while processing IPSec traffic.

Conditions:
-IPSecAGL enabled

Impact:
TMM crash leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes IPSec traffic as expected.

Fixed Versions:
14.1.4.5


975589-2 : CVE-2020-8277 Node.js vulnerability

Links to More Info: K07944249, BT975589


975233-3 : Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992

Links to More Info: K52510511, BT975233


974881-1 : Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic

Links to More Info: BT974881

Component: Service Provider

Symptoms:
Currently, for diameter, a SNAT iRule can be configured with MR_INGRESS and MR_FAILED events. Certain events can cause tmm to crash.

Conditions:
A SNAT iRule is configured with the events CLIENT_ACCEPTED, DIAMETER_INGRESS and DIAMETER_EGRESS for diameter

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to handling certain events in an iRule.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


974341-3 : REST API: File upload

Links to More Info: K08402414, BT974341


974205-2 : Unconstrained wr_urldbd size causing box to OOM

Links to More Info: BT974205

Component: Traffic Classification Engine

Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.

Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.

Impact:
The device eventually runs out of memory (OOM condition).

Workaround:
Restart the wr_urldbd process:
 restart sys service wr_urldbd

Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.

Added two sys DB variables:

-- wr_urldbd.cloud_cache.log.level

Value Range:
sys db wr_urldbd.cloud_cache.log.level {
    value "debug"
    default-value "none"
    value-range "debug none"
}

-- wr_urldbd.cloud_cache.limit

Value Range:
sys db wr_urldbd.cloud_cache.limit {
    value "5500000"
    default-value "5500000"
    value-range "integer min:5000000 max:10000000"
}

Note: Both of these variables are introduced for debugging purposes.

Fixed Versions:
12.1.6, 14.1.4.4, 15.1.4


973661 : Two different 'Attack Signature' updates shown as 'Currently Installed'

Links to More Info: BT973661

Component: Application Security Manager

Symptoms:
After upgrading the system to version 14.1.x, the system shows 2 different 'Attack Signature' update packages as 'Currently Installed'.

Conditions:
Upgrade from version 12.1.x to version 14.1.x.

Impact:
Additional BIG-IP system restart is required.

Workaround:
None

Fixed Versions:
14.1.4.6


973409-4 : CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference

Links to More Info: K42910051, BT973409


973333-3 : TMM buffer-overflow vulnerability CVE-2021-22991

Links to More Info: K56715231, BT973333


973261-4 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects

Links to More Info: BT973261

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d does not try to open TCP connections if an HTTPS monitor contains a cert/key.
/var/log/gtm shows:

err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.

Conditions:
GTM HTTPS monitor with non-default cert/key.

Impact:
Unable to use the HTTPS monitor.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2


973201 : F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions

Links to More Info: BT973201

Component: TMOS

Symptoms:
Releases prior to BIG-IP 14.1.4 allow the installation of incompatible versions of BIG-IP software and cause the tenant to become unusable in F5OS.

Conditions:
This happens when you upload an incompatible version of BIG-IP software into the F5OS BIG-IP tenant and begin a live upgrade.

Impact:
Tenant is unusable when upgrading to an unsupported F5OS BIG-IP version.

Workaround:
None

Fix:
F5OS BIG-IP v14.1.4 and later prevents installation of an invalid F5OS BIG-IP version.

Fixed Versions:
14.1.4, 15.1.4


971297-3 : DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade

Links to More Info: BT971297

Component: Global Traffic Manager (DNS)

Symptoms:
The type of DNSSEC keys stored on the netHSM is changed from FIPS external to internal during the upgrade.

Conditions:
-- BIG-IP with a NetHSM license
-- BIG-IP uses external DNSSEC keys stored in the NetHSM
-- The BIG-IP device is upgraded

Impact:
The keys are stored locally following the upgrade.

Workaround:
None.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


970829-4 : iSeries LCD incorrectly displays secure mode

Links to More Info: K03310534, BT970829

Component: Device Management

Symptoms:
On iSeries platforms, the LCD continuously displays secure mode and does not respond to user input.

Conditions:
This occurs if the admin password is anything other than the default on iSeries platforms.

Impact:
The LCD does not respond to user input. The LCD continuously displays secure mode. The /var/log/touchscreen_lcd fills up with error messages:

-- err lcdui[1236]: URL: http://127.4.2.1/mgmt/tm/sys/failover, result: 'Host requires authentication' (204), HTTP method 2, status 401.


The restjavad-audit.*.log may contain similar messages:

[I][19005][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/shared/identified-devices/config/device-info","status":401,"from":"127.4.2.2"}
[I][19007][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/global-settings","status":401,"from":"127.4.2.2"}
[I][19009][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/failover","status":401,"from":"127.4.2.2"}

Workaround:
None

Fix:
The LCD now functions normally, and no authentication errors appear in the logs.

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
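
The restjavad-audit lines quoted under Impact for 970829-4 can be matched programmatically when triaging a unit that shows this symptom. The following Python is an added example, not F5 code: it parses that line layout and counts 401 responses carrying the same user and source address as the page's samples. The function names and the sample lines marked as constructed are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Layout of the audit lines quoted in the Impact section:
# [level][sequence][timestamp][worker] {json body}
LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z])\]\[(?P<seq>\d+)\]\[(?P<ts>[^\]]+)\]"
    r"\[(?P<worker>[^\]]+)\]\s+(?P<body>\{.*\})\s*$"
)

# Field values shared by all three sample lines on the page.
SIGNATURE = {"user": "local/null", "status": 401, "from": "127.4.2.2"}

# The three lines quoted on the page.
PAGE_LINES = [
    '[I][19005][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/shared/identified-devices/config/device-info","status":401,"from":"127.4.2.2"}',
    '[I][19007][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/global-settings","status":401,"from":"127.4.2.2"}',
    '[I][19009][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/failover","status":401,"from":"127.4.2.2"}',
]

# Constructed lines (not from the page): a repeat of the failover poll,
# two requests that must not match, and one truncated line.
CONSTRUCTED_LINES = [
    '[I][19011][18 Mar 2021 21:25:07 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/failover","status":401,"from":"127.4.2.2"}',
    '[I][19013][18 Mar 2021 21:25:09 UTC][ForwarderPassThroughWorker] {"user":"local/admin","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/global-settings","status":200,"from":"192.0.2.10"}',
    '[I][19015][18 Mar 2021 21:25:10 UTC][ForwarderPassThroughWorker] {"user":"local/admin","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/failover","status":401,"from":"192.0.2.10"}',
    '[I][19017][18 Mar 2021 21:25:11 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET"',
]


def parse_audit_line(line):
    """Return the JSON body of one audit line as a dict, with 'time' and
    'worker' added, or None if the line does not have the expected layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        body = json.loads(m.group("body"))
        when = datetime.strptime(m.group("ts"), "%d %b %Y %H:%M:%S UTC")
    except ValueError:  # covers json.JSONDecodeError and a bad timestamp
        return None
    if not isinstance(body, dict):
        return None
    body["time"] = when.replace(tzinfo=timezone.utc)
    body["worker"] = m.group("worker")
    return body


def summarize_lcd_auth_failures(lines):
    """Group lines matching SIGNATURE by URI.

    Returns (hits, skipped): hits maps each URI to its count and the first
    and last time it was seen; skipped counts non-blank unparseable lines.
    """
    hits = {}
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_audit_line(line)
        if rec is None:
            skipped += 1
            continue
        # Every signature field must match; a 401 for a named user or from
        # another address is a different event and is left out.
        if any(rec.get(key) != value for key, value in SIGNATURE.items()):
            continue
        uri = rec.get("uri", "<no uri>")
        entry = hits.setdefault(
            uri, {"count": 0, "first": rec["time"], "last": rec["time"]}
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], rec["time"])
        entry["last"] = max(entry["last"], rec["time"])
    return hits, skipped


if __name__ == "__main__":
    found, bad = summarize_lcd_auth_failures(PAGE_LINES + CONSTRUCTED_LINES)
    for uri, info in found.items():
        print(f'{info["count"]:3d}  {info["first"]:%H:%M:%S}-{info["last"]:%H:%M:%S}  {uri}')
    print(f"unparseable lines: {bad}")
```

A steady count of these entries against the same three URIs is consistent with the symptom described for this ID; 401 entries for named users or other source addresses are unrelated to it.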


970329-4 : ASM hardening

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM does not follow current best practices.

Conditions:
- ASM provisioned

Impact:
Attack detection is not triggered as expected

Workaround:
N/A

Fix:
Attack detection is now triggered as expected

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1


969637-3 : Config may fail to load with "FIPS 140 operations not available on this system" after upgrade

Links to More Info: BT969637

Component: Local Traffic Manager

Symptoms:
After upgrade, configuration load fails with a log:
"FIPS 140 operations not available on this system"

Conditions:
-- A small subset of the following BIG-IP platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

Impact:
Configuration load fails and the device does not come online.

Fixed Versions:
14.1.4.4, 15.1.4


969509-3 : Possible memory corruption due to DOS vector reset

Links to More Info: BT969509

Component: Advanced Firewall Manager

Symptoms:
Unpredictable result due to possible memory corruption

Conditions:
DOS vector configuration change

Impact:
Memory corruption

Fix:
Added correct logic to reset DOS vector.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2


969317-2 : "Restrict to Single Client IP" option is ignored for vmware VDI

Links to More Info: BT969317

Component: Access Policy Manager

Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.

Conditions:
- Configure APM Webtop with vmware VDI.
- Set "Restrict to Single Client IP" option in Access Profile.
- Try to launch vmware desktop on one client. Copy the launch URI
- Try to launch vmware desktop from other client using the copied URI.

Impact:
A connection from the second client is allowed, but it should not be allowed.

Fix:
Restrict to Single Client IP is honored for VMware VDI for both PCOIP and Blast protocols.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2.1


969213-2 : VMware: management IP cannot be customized via net.mgmt.addr property

Links to More Info: BT969213

Component: TMOS

Symptoms:
IP addresses provided for VM customization in VMware are ignored. The net.mgmt.addr and net.mgmt.gw properties are supposed to be used when customization of IP addresses during VM setup is desired, but the addresses are ignored.

Conditions:
VMware only. Happens in any of the ways in which addresses are supplied via net.mgmt.addr and net.mgmt.gw. See https://clouddocs.f5.com/cloud/public/v1/vmware/vmware_setup.html for scenarios where net.mgmt.addr and net.mgmt.gw can be set. VM customization profiles still work properly.

Impact:
Management IP cannot be customized in VMware during the VM setup.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


969105-1 : HA failover connections via the management address do not work on vCMP guests running on VIPRION

Links to More Info: BT969105

Component: TMOS

Symptoms:
A high availability (HA) failover connection using the management IP addresses does not work on vCMP guests running on a VIPRION device.

BIG-IP instances running directly on hardware, on Virtual Edition, and as vCMP guests running on an appliance are unaffected.

HA failover connections using self IPs are unaffected.

Conditions:
-- vCMP guest running on a VIPRION device
-- high availability (HA) failover connection using the management IP addresses (unicast and/or multicast)

Impact:
Failover state determination over the management port is permanently down.

Workaround:
While self IP-based high availability (HA) failover connections are not affected by this issue, F5 recommends configuring failover connections over both management IPs and self IPs (as detailed in K37361453: Configuring network failover for redundant VIPRION systems :: https://support.f5.com/csp/article/K37361453).

To mitigate this issue, run the following command on each blade of every guest:
touch /var/run/chmand.pid


The workaround does not survive a reboot, so a more permanent workaround is to edit the file /config/startup and add a line to touch /var/run/chmand.pid.

Add this line to the end of /config/startup:

(sleep 120; touch /var/run/chmand.pid) &

Note: The sleep time of 120 seconds should be tested as it depends on how quickly or slowly the Guest starts up, so the appropriate value for one system may differ from another system.


Alternatively, you can use the instructions in K11948: Configuring the BIG-IP system to run commands or scripts upon system startup :: https://support.f5.com/csp/article/K11948 to issue commands at system startup after verifying that mcpd is up and ready, e.g.:

#!/bin/bash
source /usr/lib/bigstart/bigip-ready-functions
wait_bigip_ready

# Customized startup command(s) can be added below this line.
touch /var/run/chmand.pid
# Customized startup command(s) should end above this line.

You may also request an Engineering Hotfix from F5.

Fixed Versions:
14.1.4.4, 15.1.4


968733-5 : CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service

Links to More Info: K42202505, BT968733


968641-1 : Fix for zero LACP priority

Links to More Info: BT968641

Component: Local Traffic Manager

Symptoms:
A LACP priority of zero prevents connectivity to Cisco trunks.

Conditions:
LACP priority becomes 0 when system MAC address has 00:00 at the end.

Impact:
BIG-IP may be unable to connect to Cisco trunks.

Workaround:
None.

Fix:
Eliminated LACP priority equal to 0.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2


968421-4 : ASM attack signature doesn't match

Links to More Info: K30291321, BT968421

Component: Application Security Manager

Symptoms:
A specific attack signature doesn't match as expected.

Conditions:
Undisclosed conditions.

Impact:
Attack signature does not match as expected, request is not logged.

Workaround:
N/A

Fix:
Attack signature now matches as expected.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2


968349-1 : TMM crashes with unspecified message

Links to More Info: K19012930, BT968349


967905-3 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash

Links to More Info: BT967905

Component: TMOS

Symptoms:
Tmm crashes.

Conditions:
-- static bwc
-- virtual to virtual chain

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the static bwc on a virtual chain.

Fix:
Fixed a tmm crash.

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2


967889-2 : Incorrect information for custom signature in DoS Protection:DoS Overview (non-http)

Links to More Info: BT967889

Component: Advanced Firewall Manager

Symptoms:
Custom signature of virtual server shows incorrect attack information.

Conditions:
-- Virtual server has a custom signature
-- An attack is mitigated
-- View the custom signature information via Security :: DoS Protection : DoS Overview (non-HTTP)

Impact:
GUI shows incorrect information for custom signature

Fix:
GUI shows correct information for custom signature

Fixed Versions:
14.1.4, 15.1.3


967745-2 : Last resort pool error for the modify command for Wide IP

Links to More Info: BT967745

Component: TMOS

Symptoms:
System reports error for the modify command for Wide IP.

01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.

Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.

Impact:
The object is not modified, and the system reports an error.

Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.

Append the command with last-resort-pool a <pool_name>, for example:

modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test

Fix:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.

Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1


967101-3 : When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out.

Links to More Info: BT967101

Component: Local Traffic Manager

Symptoms:
Gratuitous ARP (GARP) messages are dropped at the time of sending GARP because the number of links up in the trunk is 0 (which returns "error 18" ... ERR_NOT_FOUND)

Conditions:
-- Two BIG-IP systems with switchless configuration, such as i2xxx and i4xxx.
-- Bring down and up the interfaces at the same time in the trunk.

Impact:
Neighboring device arp table is not updated about the BIG-IP interface status, because no gratuitous ARP message is sent out.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
14.1.4.6


966901-3 : CVE-2020-14364: Qemu Vulnerability

Links to More Info: K09081535, BT966901


966701-3 : Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP

Links to More Info: BT966701

Component: Service Provider

Symptoms:
Client connections are aborted when the generic message router profile is used in conjunction with the SCTP transport profile.

Conditions:
-- SCTP transport profile
-- MRF generic msg router profile

Impact:
BIG-IP is unable to process the traffic received over the SCTP transport for MRF generic message routing

Fix:
Enabled the return type in the generic msg filter when data is received over SCTP transport.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


966681-2 : NAT translation failures while using SP-DAG in a multi-blade chassis

Links to More Info: BT966681

Component: Carrier-Grade NAT

Symptoms:
NAT translation fails

Conditions:
-- VIPRION multi-blade chassis
-- Configure AFM NAT/CGNAT and attach the AFM NAT Policy / lsnpool to the virtual server
-- Configure sp-dag on the vlans

Impact:
Traffic failure, performance degraded

Workaround:
Change the DB variable tm.lsn.retries to the maximum value of 4096

Fix:
Increased the number of attempts in selecting a local translation IP (an IP that, when used, makes the return packet land on the same TMM where the NAT selection is happening). This can be controlled with the DB variable tm.lsn.retries. The actual number of attempts is 16 times the value set in this DB variable.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


966277-3 : BFD down on multi-blade system

Links to More Info: BT966277

Component: TMOS

Symptoms:
After a secondary blade reboots in a multi-blade system, bi-directional forwarding detection (BFD) stops functioning.

Conditions:
-- Multi-blade VIPRION environment
-- BFD enabled
-- A secondary blade reboots

Impact:
BFD flaps on the secondary blade that was rebooted. The BFD session flap clears the routes on the peer.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


965853-1 : IM package file hardening

Component: Protocol Inspection

Symptoms:
IM package file uploads do not follow current best practices.

Conditions:
- IM package file uploaded to BIG-IP

Impact:
IM package file uploads do not follow current best practices.

Workaround:
N/A

Fix:
IM package file uploads now follow current best practices.

Fixed Versions:
14.1.4.6


965785-3 : Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine

Links to More Info: BT965785

Component: Application Security Manager

Symptoms:
The DCC.HSL_DATA_PROFILES table on the standby machine stays empty after the sync process. An error for a DB insert failure into table DCC.HSL_DATA_PROFILES is thrown in asm_config_server.log.

Conditions:
There is no specific condition; the problem occurs rarely.

Impact:
Sync process requires an additional ASM restart

Workaround:
Restart ASM after the sync process finishes.

Fixed Versions:
14.1.4.6


965617-1 : HSB mitigation is not applied on BDoS signature with stress-based mitigation mode

Links to More Info: BT965617

Component: Advanced Firewall Manager

Symptoms:
BDoS signature attacks are mitigated in software rather than via HSB

Conditions:
Dynamic or custom signature in stress-based mitigation mode on appliance with HSB support

Impact:
Higher resource load during a DDoS attack.

Fix:
Correct free spot search with offloading to HSB

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


965581 : Statistics are not reported to BIG-IQ

Links to More Info: BT965581

Component: Application Visibility and Reporting

Symptoms:
After a BIG-IP system is attached to BIG-IQ, there are no statistics reported. The 'avrd' process periodically fails with a core on the BIG-IP system.

Conditions:
A BIG-IP system is attached to BIG-IQ.

Impact:
No statistics collected.

Fix:
The avrd process no longer fails, and statistics are collected as expected.

Fixed Versions:
14.1.4, 15.1.4


965537 : SSL filter does not re-initialize when OCSP validator is modified

Links to More Info: BT965537

Component: Local Traffic Manager

Symptoms:
The client SSL or server SSL profile can specify an OCSP object for client or server certificate status validation.
After modifying the DNS resolver of the OCSP object, the new nameserver is never picked up. In other words, an incorrect OCSP responder will be contacted.

Conditions:
OCSP object is configured in Client Certificate Constrained Delegation (C3D) client SSL or in server SSL and is later modified.

Impact:
The incorrect (or the original) OCSP responder is contacted to get the peer certificate revocation status.

Workaround:
None

Fix:
When an OCSP validator is modified, the system now reloads the SSL profile to pick up the new DNS resolver.

Fixed Versions:
14.1.4


965485-2 : CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL

Links to More Info: K41523201


965229-3 : ASM Load hangs after upgrade

Links to More Info: BT965229

Component: Application Security Manager

Symptoms:
ASM upgrade hangs, and you see the following in
/var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------

In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
 info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
 info tsconfig.pl[24675]: ASM initial configration script launched
 info tsconfig.pl[24675]: ASM initial configration script finished
 info asm_start[25365]: ASM config loaded
 err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------

Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade

Impact:
ASM post upgrade config load hangs and there are no logs or errors

Workaround:
None

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1


965205-3 : BIG-IP dashboard downloads unused widgets

Links to More Info: BT965205

Component: TMOS

Symptoms:
The BIG-IP dashboard page downloads all widgets, even widgets that are not visible on the dashboard.

Conditions:
This occurs when viewing the BIG-IP dashboard.

Impact:
Slower-than-necessary GUI response, and the dashboard shows higher-than-necessary CPU utilization.

Workaround:
None.

Fixed Versions:
14.1.4.4, 15.1.4.1


964897-4 : Live Update - Indication of "Update Available" when there is no available update

Links to More Info: BT964897

Component: Application Security Manager

Symptoms:
Live Update notifies you that an update is available even though there is no available update.

Conditions:
The latest file is installed but not present on the system and the second-latest file has an 'error' status

Impact:
Live Update erroneously indicates that an update is available.

Workaround:
1. Upload the latest file that is not present on the system with scp to '/var/lib/hsqldb/live-update/update-files/'.
2. Restart the 'tomcat' service:
> bigstart restart tomcat

Fix:
Fixed an issue with Live Update notification.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2


964585-4 : "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update

Links to More Info: BT964585

Component: Protocol Inspection

Symptoms:
- Protocol Inspection autoupdate logs "Non OK return code (400) received from API call" when the F5 download site does not contain Protocol Inspection Update container for the BIG-IP version.

Conditions:
- Protocol Inspection auto update is enabled.
- The BIG-IP version does not have the ProtocolInspection container in the relevant download section on F5 downloads.

Impact:
- The error message does not accurately explain the cause of the problem.

Workaround:
None.

Fix:
- More context is added to the log message when Protocol Inspection file is not present on the downloads site.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2


964577-1 : IPS automatic IM download not working as expected

Links to More Info: BT964577

Component: Protocol Inspection

Symptoms:
IPS automatic download of IM packages from the F5 Downloads site does not complete as expected.

IPS automatic IM download considers the BIG-IP software major and minor version numbers.

However, the IPS library is dependent only on major version numbers. The site should constrain IM package download only to those that are compatible with the major version.

Conditions:
Auto download of IM package for IPS.

Impact:
New minor releases, such as BIG-IP v15.1.1 and later, cannot download IPS IM packages.

Workaround:
Manually download the IM package and upload it onto the BIG-IP system.

Fix:
Minor releases of BIG-IP software can now automatically download the IM package without issue.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


964489-3 : Protocol Inspection IM package hardening

Component: Protocol Inspection

Symptoms:
Protocol Inspection IM packages do not follow current best practices.

Conditions:
- Authenticated administrative user
- Protocol Inspection IM packages uploaded to BIG-IP

Impact:
Protocol Inspection IM packages do not follow current best practices.

Workaround:
N/A

Fix:
Protocol Inspection IM packages now follow current best practices.

Fixed Versions:
14.1.4.6


964245-3 : ASM reports and enforces username always

Links to More Info: BT964245

Component: Application Security Manager

Symptoms:
When session tracking is enabled and configured to enforce usernames for a specific list of login URLs, the username which arrives in an Authorization header is being enforced even if the request to the URL with the Authorization is not configured at all as a login URL.

Conditions:
Session tracking is enabled for login URLs with the Username Threshold set to 1.

Impact:
The username from the Authorization header appears with status = BLOCK-ALL in the session tracking status list, even though session tracking is not configured for that URL.

Workaround:
None

Fix:
The username from the Authorization header no longer appears with status = BLOCK-ALL in the session tracking status list.

Fixed Versions:
14.1.4.4, 15.1.4


963705-2 : Proxy ssl server response not forwarded

Links to More Info: BT963705

Component: Local Traffic Manager

Symptoms:
A server response may not be forwarded after TLS renegotiation.

Conditions:
-- Proxy ssl enabled
-- A server renegotiation occurs

Impact:
Server response may not be forwarded.

Fix:
Proxy ssl will now forward server response after renegotiation

Fixed Versions:
14.1.4.5, 15.1.4.1


963237-1 : Non-EDNS responses with RCODE FORMERR are blocked by AFM MALFORM vector.

Links to More Info: BT963237

Component: Advanced Firewall Manager

Symptoms:
When a client sends a DNS request to a NON EDNS capable server, the server may send a legitimate response with RCODE FORMERR and no DNS data. The MALFORM DNS vector blocks those requests.

Conditions:
-- The client sends a DNS request to NON EDNS capable server
-- The server replies with RCODE FORMERR and no DNS data.

Impact:
AFM erroneously detects an attack and mitigates it, and the client does not get a response from the EDNS server.

Workaround:
Disable DNS MALFORM vector mitigation or put the EDNS server in allow list.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


963017-3 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed

Links to More Info: BT963017

Component: TMOS

Symptoms:
Upon booting a BIG-IP hardware system running an Engineering Hotfix version of BIG-IP v14.1.0 or later, messages of the following form may be logged in the LTM log file (/var/log/ltm):

err tpm-status[####]: System Integrity Status: Invalid
info tpm-status-check[####]: System Integrity Status: Invalid

In addition, a message similar to the following may appear on the serial console while the system is booting:

[ ###.######] tpm-status-check[####]: Checking System Integrity Status
[ ###.######] tpm-status-check[####]: sh: /bin/rpm: Permission denied
[ ###.######] tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid

Similar messages appear when viewing the status of the tpm-status-check service via the systemctl utility:

# systemctl -l status tpm-status-check.service
* tpm-status-check.service - F5 Trusted Platform Module
   Loaded: loaded (/usr/lib/systemd/system/tpm-status-check.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since <...>
 Main PID: #### (code=exited, status=1/FAILURE)

<...> tpm-status-check[####]: Checking System Integrity Status
<...> tpm-status-check[####]: sh: /bin/rpm: Permission denied
<...> tpm-status[####]: TPM Status Version 15.1.1.0.6.6
<...> tpm-status[####]: TMOS BIG-IP 15.1.1-0.0.6.0
<...> tpm-status[####]: BIOS 0614 v3.10.032.0
<...> tpm-status[####]: BIOS SIRR 2019-05-30_08-46-02
<...> tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
<...> systemd[1]: tpm-status-check.service: main process exited, code=exited, status=1/FAILURE
<...> systemd[1]: Unit tpm-status-check.service entered failed state.
<...> systemd[1]: tpm-status-check.service failed.


However, checking the System Integrity Status using the 'tpm-status' or 'tmsh run sys integrity status-check' command shows 'System Integrity Status: Valid'.

Conditions:
This may occur under the following conditions:

-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
   - ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
   - ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
-- Using hardware platforms that include a Trusted Platform Module (TPM), including:
   - BIG-IP i2000, i4000, i5000, i7000, i10000, i11000, i15000 Series appliances
   - VIPRION B4450 blades

Impact:
The tpm-status-check service inaccurately indicates that the System Integrity Status is not Valid.

This is incorrect, and conflicts with the accurate System Integrity Status provided by the 'tpm-status' utility and 'tmsh run sys integrity status-check' command.

Workaround:
To observe the correct System Integrity Status, do either of the following:
-- Use the 'tpm-status' utility.
-- Run the command:
tmsh run sys integrity status-check

Fix:
This incorrect status reporting has been corrected.

Fixed Versions:
14.1.4, 15.1.3


962589-1 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion

Links to More Info: BT962589

Component: Application Security Manager

Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and in the event of repeated instances in quick succession could fill the /var partition

Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.

Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1


962497-4 : BD crash after ICAP response

Links to More Info: BT962497

Component: Application Security Manager

Symptoms:
BD crash when checking ICAP job after ICAP response

Conditions:
BD is used with ICAP feature

Impact:
Traffic disrupted while BD restarts.

Workaround:
N/A

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2


962433-3 : HTTP::retry for a HEAD request fails to create new connection

Links to More Info: BT962433

Component: Local Traffic Manager

Symptoms:
In case of a HEAD request, BIG-IP fails to set up a new connection to the server with the HTTP::retry iRule.

Conditions:
1.) Basic HTTP profile is configured on BIG-IP
2.) BIG-IP sends the HEAD request to the server and gets error response
3.) iRule with HTTP::retry is configured
4.) The system is using the default (non-debug) TMM version

Impact:
BIG-IP might send the retry HEAD request after the connection is closed (more specifically, after the server has sent a FIN); the retry is leaked on the network.

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4


962341-4 : BD crash while processing JSON content

Links to More Info: K00602225, BT962341


962177-3 : Results of POLICY::names and POLICY::rules commands may be incorrect

Links to More Info: BT962177

Component: Local Traffic Manager

Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules return incorrect results.

Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.

Impact:
Traffic processing may not provide expected results.

Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over the same connection.

Fixed Versions:
13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2


962069-1 : Excessive resource consumption while processing OSCP requests via APM

Links to More Info: K79428827, BT962069


961509-4 : ASM blocks WebSocket frames with signature matched but Transparent policy

Links to More Info: BT961509

Component: Application Security Manager

Symptoms:
WebSocket frames receive a close frame

Conditions:
-- ASM provisioned
-- ASM policy attached to a virtual server
-- WebSocket profile attached to a virtual server
-- ASM policy transparent mode enabled

Impact:
WebSocket frame blocked in transparent mode

Workaround:
Change signatures blocking settings to Learn = Yes, Alarm = Yes, Block = No

Fix:
WebSocket frame blocking condition now takes into account global transparent mode setting.

Fixed Versions:
14.1.4.6


960749-3 : TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic

Links to More Info: BT960749

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes, dumps a core file, and restarts.

Conditions:
-- The configuration includes one or more 'DNS Cache' or 'Network DNS Resolver' objects.

-- The DNS Cache or Network DNS Resolver objects receive traffic.

Impact:
Traffic disrupted while tmm restarts. A redundant unit will fail over.

Fix:
TMM no longer crashes when 'DNS Cache' or 'Network DNS Resolver' objects handle traffic.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1


960437-3 : The BIG-IP system may initially fail to resolve some DNS queries

Links to More Info: BT960437

Component: Global Traffic Manager (DNS)

Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.

Subsequent queries for the same domain name, however, work as expected.

Only some domain names are affected.

Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.

- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).

- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.

Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure is returned to the client.

In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.

For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.

Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.

1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6'
4. Select Update.

You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.

Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1


960369-3 : Negative value suggested in Traffic Learning as max value

Links to More Info: BT960369

Component: Application Security Manager

Symptoms:
Negative value suggested in Traffic Learning as max value

Conditions:
A huge parameter value is seen in traffic

Impact:
Wrong learning suggestion issued

Workaround:
Manually change maximum allowed value on the parameter to ANY

Fix:
After the fix, the correct suggestion is issued: change the maximum parameter value to ANY.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2


959889-1 : Cannot update firewall rule with ip-protocol property as 'any'

Links to More Info: BT959889

Component: TMOS

Symptoms:
Cannot update the firewall rule with 'any' value as the ip-protocol from the BIG-IP system GUI.

Conditions:
-- Create a rule and set protocol to TCP or UDP
-- From the GUI, change the protocol to "Any" and update

Impact:
Cannot update the firewall rule from GUI.

Fix:
The GUI now allows updating firewall rules with 'any' as the ip-protocol.

Fixed Versions:
14.1.4, 15.1.3


959629-3 : Logintegrity script for restjavad/restnoded fails

Links to More Info: BT959629

Component: TMOS

Symptoms:
The logintegrity script used to rotate the signature files for restnoded results in frequent cron errors similar to:

find: '14232restnoded_log_pattern': No such file or directory.

Conditions:
When the logintegrity script runs.

Impact:
If the logintegrity script runs, the signature files for restnoded will not be in sync.

Workaround:
Modify the script file /usr/bin/rest_logintegrity:

1. mount -o remount,rw /usr

2. cp /usr/bin/rest_logintegrity /usr/bin/rest_logintegrity_original

3. vi /usr/bin/rest_logintegrity

4. Replace the following lines:
restnoded_log_pattern=/var/log/restnoded/restnoded.[1-9]*.log
restjavad_log_pattern=/var/log/restjavad*.[1-9]*.log

With the lines:
restjavad_log_pattern=/var/log/restjavad*[1-9]*.log
restnoded_log_pattern=/var/log/restnoded/restnoded[1-9]*.log

5. Replace the line:
wc_restnoded=$(find $$restnoded_log_pattern -cnewer $filename | wc -l)

With the line:
wc_restnoded=$(find $restnoded_log_pattern -cnewer $filename | wc -l)

6. mount -o remount,ro /usr
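
The cron error quoted in the Symptoms follows from how the shell parses '$$': it expands to the shell's process ID, so find is handed '<PID>restnoded_log_pattern' as a literal path. The following is an added example, not F5's rest_logintegrity script; it reproduces the buggy and corrected find calls against constructed files in a temporary directory, and all function names and the sample script are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not the contents of /usr/bin/rest_logintegrity.
# Every path below is constructed under a temporary directory.

setup_demo() {
    demo_dir=$(mktemp -d)
    mkdir -p "$demo_dir/restnoded"
    # Stand-in for $filename (the previous signature file); give it an old mtime
    # so that the rotated logs created below count as "newer".
    filename="$demo_dir/last_signature"
    touch -t 202001010000 "$filename"
    # Two constructed rotated logs matching the corrected pattern from step 4.
    touch "$demo_dir/restnoded/restnoded1.log" "$demo_dir/restnoded/restnoded2.log"
    restnoded_log_pattern="$demo_dir/restnoded/restnoded[1-9]*.log"
}

# Buggy form from step 5: "$$" is the PID, the rest is literal text.
count_buggy() {
    find $$restnoded_log_pattern -cnewer "$filename" 2>/dev/null | wc -l | tr -d ' '
}

# Same call, but return the error text that ends up in the cron mail.
buggy_error() {
    find $$restnoded_log_pattern -cnewer "$filename" 2>&1 >/dev/null || true
}

# Corrected form from step 5. The variable is left unquoted on purpose:
# the glob stored in it has to expand to the rotated log files.
count_fixed() {
    find $restnoded_log_pattern -cnewer "$filename" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample script holding one buggy line, one fixed line,
# and one legitimate use of "$$".
write_sample_script() {
    cat > "$demo_dir/sample_logintegrity.sh" <<'EOF'
restnoded_log_pattern=/var/log/restnoded/restnoded[1-9]*.log
wc_restnoded=$(find $$restnoded_log_pattern -cnewer $filename | wc -l)
wc_fixed=$(find $restnoded_log_pattern -cnewer $filename | wc -l)
echo "pid is $$"
EOF
}

# Review check: print line numbers where "$$" is immediately followed by an
# identifier character, which is almost always a mistyped variable reference.
lint_pid_prefixed_vars() {
    grep -nE '\$\$[A-Za-z_]' "$1" | cut -d: -f1
}

setup_demo
trap 'rm -rf "$demo_dir"' EXIT
write_sample_script

echo "buggy find error : $(buggy_error)"
echo "buggy count      : $(count_buggy)"
echo "fixed count      : $(count_fixed)"
echo "suspect lines    : $(lint_pid_prefixed_vars "$demo_dir/sample_logintegrity.sh")"
```

Because the buggy pipeline ends in wc, it still exits successfully with a count of 0, so the script carries on as if no restnoded logs had rotated; that is how the signature files fall out of sync.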

Fix:
When logintegrity is enabled, signature files for restnoded log files are now generated and rotated.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


959121-2 : Not following best practices in Guided Configuration Bundle Install worker

Links to More Info: K74151369, BT959121


958465-3 : in BIG-IP Virtual Edition, TMM may prematurely shut down during initialization

Links to More Info: BT958465

Component: TMOS

Symptoms:
TMM may prematurely shut down during its initialization when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):

MCP connection aborted, exiting.

Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more than 20 in most cases) and several interfaces (approximately 8 or more).

Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.

Workaround:
None.

Fix:
A new TCL configuration element was added: "max_poll_pre_rfw", with a default value of 4, to modulate the function of "max_poll" in TMMs which are not yet Ready-For-World.

The value of "max_poll_pre_rfw" can be configured in the "tmm_base.tcl" file.

Fixed Versions:
14.1.4.4, 15.1.3.1, 16.0.1.2


958353-3 : Restarting the mcpd messaging service renders the PAYG VE license invalid.

Links to More Info: BT958353

Component: TMOS

Symptoms:
Upon mcpd service restart, the pay as you grow Virtual Edition license becomes invalid.

Conditions:
Restarting the mcpd messaging service.

Impact:
The license becomes expired. A message is displayed in the console:

mcpd[5122]: 01070608:0: License is not operational (expired or digital signature does not match contents).

Workaround:
If you cannot avoid restarting the mcpd messaging service, then you must issue the reloadlic command, or reboot the BIG-IP (using your preferred method).

Fix:
Fixed an issue with pay as you grow licenses following a mcpd restart.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


958093-2 : IPv6 routes missing after BGP graceful restart

Links to More Info: BT958093

Component: TMOS

Symptoms:
When BGP graceful restart is configured for peers in IPv4 unicast and IPv6 unicast address families, after graceful restart for both IPv4 and IPv6 address families, routes from the IPv6 unicast address family might be missing.

Conditions:
- Different BGP peers configured in IPv4 unicast and IPv6 unicast address families.
- BGP graceful restart happens for both IPv4 unicast and IPv6 unicast.

Impact:
Routes from IPv6 peers are missing. They are also not present in the RIB.

Fixed Versions:
14.1.4.5, 15.1.4.1


958085-2 : IM installation fails with error: Spec file not found

Links to More Info: BT958085

Component: Traffic Classification Engine

Symptoms:
IM installation fails with an error message:

ERROR Error during switching: Spec file not found

Conditions:
This can occur when deleting an IM file that is actively installing on one volume, and the BIG-IP system is booted from another volume.

Impact:
Upgrading/Downgrading to another IM does not work until you install a new BIG-IP image on the same disk.

Workaround:
None.

Fix:
During the init process, the system now installs FactoryDefaults if the active IM file is not found on disk.

Fixed Versions:
14.1.4.4, 15.1.4


957905-3 : SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP.

Links to More Info: BT957905

Component: Service Provider

Symptoms:
SIP Requests that don't contain a content_length header are accepted and forwarded by the BIG-IP to the server.

SIP Responses that don't contain a content_length header are accepted and forwarded to the client.

The sipmsg parser does not treat the content_length header as a required header as part of the SIP Request / Response.

Conditions:
SIP request / response without content_length header.

Impact:
RFC 6731 non compliance.

Workaround:
N/A

Fix:
BIG-IP now aborts the connection of any TCP SIP request / response that does not contain a content_length header.

content_length header is treated as optional for UDP and SCTP.

Fixed Versions:
14.1.4.6


957897-2 : Unable to modify gateway-ICMP monitor fields in the GUI

Links to More Info: BT957897

Component: TMOS

Symptoms:
While modifying a gateway-ICMP monitor you see the following error:

01070374:3: Cannot modify the address type of monitor /Common/<monitor_name>.

Conditions:
-- Using the GUI to modify a Gateway-ICMP monitor field.
-- The monitor is attached with a pool that has one or more pool members.

Impact:
You cannot update the Gateway-ICMP monitor fields via the GUI.

Workaround:
Use the tmsh command:
tmsh modify ltm monitor gateway-icmp <monitor_name> [<field> <new_value>]

For example, to update the description of a monitor named gw_icmp, use the following command:
modify ltm monitor gateway-icmp gw_icmp description new_description

Fix:
You can now update the Gateway-ICMP monitor fields via the GUI.

Fixed Versions:
14.1.4.6


957337-4 : Tab complete in 'mgmt' tree is broken

Links to More Info: BT957337

Component: TMOS

Symptoms:
TMSH Command: "list mgmt shared <tab>" does not display the tab complete option. You may see an error:

(tmos)# list mgmt shared echo *tab*
Unexpected Error: "Object contains no "method" child value"

Conditions:
When mgmt is used in a tmsh command and you attempt to tab complete

Impact:
You are unable to configure objects in mgmt.

This issue also prevents users with the admin role from accessing the following REST endpoints:

shared/authz/users
shared/echo-js

The error returned was HTTP/1.1 401 F5 Authorization Required

Fix:
Fixed an issue with tab completion for certain commands in the 'mgmt' tree.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1


956645-1 : Per-request policy execution may timeout.

Links to More Info: BT956645

Component: Access Policy Manager

Symptoms:
When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired.

Conditions:
Multiple connections are accessing the same subsession, triggering subsession lock contention.

Impact:
Some clients will fail to connect to their destination.

Workaround:
Add criteria to the gating criteria to enable more fine-grained subroutines to reduce subsession contention. For example, add category, or application name, to the gating criteria. In the case of API protection, consider concatenating credentials with the resource hostname (plus port).

Increase the per-request policy execution timeout value, controlled by the variable tmm.access.prp_global_timeout, to a higher value.

Fix:
Subsession lock contention wait time is reduced. Clients will not fail to connect due to subsession lock contention.

Fixed Versions:
14.1.4.5


956589-2 : The tmrouted daemon restarts and produces a core file

Links to More Info: BT956589

Component: TMOS

Symptoms:
The tmrouted daemon restarts and produces a core file.

Conditions:
Exact trigger is unknown, but the issue was seen on a chassis setup during a blade failover

Impact:
Traffic disrupted while tmrouted restarts.

Workaround:
None

Fix:
Tmrouted daemon should not restart during blade reset

Fixed Versions:
14.1.4.6, 15.1.2.1


956373-3 : ASM sync files not cleaned up immediately after processing

Links to More Info: BT956373

Component: Application Security Manager

Symptoms:
Some ASM sync files remain on disk after config sync finishes. They remain until periodic clean-up tasks activate

Conditions:
-- ASM provisioned
-- BIG-IP devices are in a sync group
-- Relatively small "/var" partition

Impact:
If the files are large it may lead to "lack of disk space" problem.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


956293-1 : High CPU from analytics-related REST calls - Dashboard TMUI

Links to More Info: BT956293

Component: TMOS

Symptoms:
When opening the GUI > Main > Statistics > Dashboard - the control plane CPU usage is around 7-15% on a completely empty system and Java consumes 3-5% CPU.

Conditions:
Leaving the UI dashboard page open.

Impact:
System performance is impacted if the dashboard page is kept open.

Fixed Versions:
14.1.4.4, 15.1.4


956133-4 : MAC address might be displayed as 'none' after upgrading.

Links to More Info: BT956133

Component: Local Traffic Manager

Symptoms:
The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading.

Conditions:
1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface.
2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0.

Impact:
Traffic disrupted when the MAC address is set to 'none'.

Workaround:
N/A

Fix:
IPv6 link-local addresses are now created with MTU greater than 1280, so this issue is resolved.

Fixed Versions:
14.1.4.4, 15.1.4


956013 : System reports {{validation_errors}}

Links to More Info: BT956013

Component: Policy Enforcement Manager

Symptoms:
{{validation_errors}} is displayed at Subscriber Management :: Control Plane Listeners and Data Plane Listeners with IPv6 addresses.

Conditions:
Specifying an IPv6 address in the expression in Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners.

Impact:
Cannot access the BIG-IP GUI through IPv6 address from any web browser. Admin/User cannot enter input through GUI.

Workaround:
None.

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


955617-6 : Cannot modify properties of a monitor that is already in use by a pool

Links to More Info: BT955617

Component: Local Traffic Manager

Symptoms:
Modifying monitor properties gives an error if the monitor is attached to a pool with a Node/Pool member instance:

0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor

Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.

Impact:
Monitor properties can't be modified if they are in use by a pool.

Workaround:
Remove monitor, modify it, and then add it back.

Fixed Versions:
14.1.4.6


955145-3 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Links to More Info: K03009991, BT955145


955017-4 : Excessive CPU consumption by asm_config_event_handler

Links to More Info: BT955017

Component: Application Security Manager

Symptoms:
Asm_config_event_handler is consuming a lot of CPU while processing signatures after sync

Conditions:
This is encountered during a UCS load, or by a high availability (HA) configuration sync.

Impact:
Asm_config_server_rpc_handler.pl consumes excessive CPU and takes an exceedingly long time to complete.

Workaround:
Disable the signature staging action item for all policies.

Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2


954429-3 : User authorization changes for live update

Links to More Info: K23203045, BT954429


954425-3 : Hardening of Live-Update

Links to More Info: K61112120, BT954425


954381-3 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Links to More Info: K03009991, BT954381


954025 : "switchboot -b HD1.1" fails to reboot chassis

Links to More Info: BT954025

Component: TMOS

Symptoms:
Changing the default boot image with "switchboot -b HD1.1" fails to reboot the chassis.

Conditions:
-- Install 14.1.x-tmos-bugs 14.1.2.8 Build 434.0 on HD1.2 of a chassis with two blades and boot to HD1.2 .
-- Execute switchboot -b HD1.1

Impact:
Switchboot command does not work and you are unable to change the default boot image.

Fix:
You can now change the default boot image.

Fixed Versions:
14.1.3.1


953845-4 : After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart

Links to More Info: BT953845

Component: Local Traffic Manager

Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.

This can occur when using administrative commands such as:
   -- tmsh run util fips-util init
   -- fipsutil init
   -- tmsh run util fips-util loginreset -r
   -- fipsutil loginreset -r

Conditions:
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F
  + vCMP guest on i5820-DF / i7820-DF
  + vCMP guest on 10350v-F

Impact:
BIG-IP is unable to communicate with the onboard HSM.

Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.

Immediately before doing this:

-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:

    sys fipsuser f5cu {
        password $M$Et$b3R0ZXJzCg==
    }

Fix:
Fixed an issue with re-initializing the onboard FIPS HSM.

Fixed Versions:
12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1


953729-3 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990

Links to More Info: K56142644 K45056101, BT953729


953677-3 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Links to More Info: K18132488 K70031188, BT953677


952557-1 : Azure B2C Provider OAuth URLs are updated for B2Clogin.com

Links to More Info: BT952557

Component: Access Policy Manager

Symptoms:
Microsoft has deprecated login.microsoftonline.com OAuth Azure Active Directory B2C (Azure AD B2C) URLs. The OAuth Provider templates are updated to support the newer URLs B2Clogin.com.

Conditions:
Azure AD B2C Provider may be non-functional if URLs are using login.microsoftonline.com.

Impact:
Older AD B2C URLs using login.microsoftonline.com may not be functional.

Workaround:
Update existing URLs when creating OAuth B2C providers to use B2Clogin.com.

For more information, see Azure Active Directory B2C is deprecating login.microsoftonline.com :: https://azure.microsoft.com/en-us/updates/b2c-deprecate-msol/.

Fix:
Azure B2C Provider OAuth URLs have been updated to use B2Clogin.com.

Fixed Versions:
14.1.4, 15.1.3


952545-3 : 'Current Sessions' statistics of HTTP2 pool may be incorrect

Links to More Info: BT952545

Component: Service Provider

Symptoms:
In HTTP2 full proxy deployment, the LTM pool 'cur_sessions' statistics may show an unusually large number, such as 18446743927680663552

Conditions:
-- HTTP2 full proxy deployment
-- A client sends multiple requests over multiple streams

Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue and it can underflow.

Workaround:
None.

Fix:
'Current Sessions' statistics of HTTP2 pool reports correctly.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


952509-1 : Cross origin AJAX requests are blocked in case there is no Origin header

Links to More Info: BT952509

Component: Application Security Manager

Symptoms:
When using Single Page Application, if a CORS request is sent without an Origin header, the "Access-Control-Allow-Origin" header is not set and the request is blocked.

Conditions:
-- ASM policy / DoS (with application) profile / Bot Defense Profile are attached to VS, with a "Single Page Application" flag enabled.
-- Client is using dosl7.allowed_origin option
-- CORS Request is sent without an Origin header.

Impact:
Request is blocked.

Workaround:
Use an iRule to add the Origin header according to the domain in the Referrer header.

Fix:
Check referrer header also when modifying CORS headers.

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2


951705-3 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Links to More Info: K03009991, BT951705


951257-1 : FTP active data channels are not established

Component: Local Traffic Manager

Symptoms:
Under certain conditions FTP active data channels may not be established as expected.

Conditions:
-- The FTP profile has "allow-active-mode" enabled and "port" set to a non-zero value.

Impact:
FTP transfers with active data channels are not processed as expected.

Workaround:
- Disable 'active' FTP and only use passive FTP or
- Use a custom FTP profile with port set to '0' on FTP virtual servers.

Fix:
FTP active data channels are now established as expected.

Fixed Versions:
14.1.4.6


951133-1 : Live Update does not work properly after upgrade

Links to More Info: BT951133

Component: Application Security Manager

Symptoms:
After upgrading BIG-IP version the Live Update "Check for Update" button does not respond.

Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update

Impact:
Live Update can't query for new updates.

Workaround:
Restart tomcat process:
> bigstart restart tomcat

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1


951033-2 : Virtual server resets all the connections for rstcause 'VIP disabled (administrative)'

Links to More Info: BT951033

Component: Local Traffic Manager

Symptoms:
Virtual server resets all the connections for rstcause 'VIP disabled (administrative)', after all the conditions are met.

Once it happens, the virtual server starts resetting all the incoming connections for rstcause 'VIP disabled (administrative)'. This continues even after the connection limit is deactivated.

Conditions:
-- There is at least one pool member that is DISABLED.
-- Other pool members have a connection limit configured.
-- A configuration change occurs while the connection limit is activated, and the change lowers the connection limit value, for example, the value is changed from 10 to 5.

Impact:
A virtual server continues resetting new connections.

Workaround:
Use Forced offline instead of disabled to prevent this issue.

Fix:
The BIG-IP system no longer continually resets new connections when the connection limit is lowered while it is being enforced.

Fixed Versions:
13.1.3.5, 14.1.3.1


950917-2 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034

Links to More Info: BT950917

Component: Application Security Manager

Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:

01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )

Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.

Impact:
Apply policy fails.

Workaround:
You can use any of the following workarounds:

-- Install an older signature update -SignatureFile_20200917_175034

-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.

-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4


950849-2 : B4450N blades report page allocation failure.

Links to More Info: BT950849

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures on B4450N blades to the /var/log/kern.log file like the following:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This occurs on B4450N blades regardless of configuration.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You must perform the workaround on each blade installed in the system.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands:

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID950849' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID950849' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

Fix:
The BIG-IP system no longer experiences kernel page allocation failures on B4450 (A114) blades.

Fixed Versions:
14.1.4.4, 15.1.3.1


950077-3 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Links to More Info: K18132488 K70031188, BT950077


950017-3 : TMM may crash while processing SCTP traffic

Links to More Info: K94941221, BT950017


949933-2 : BIG-IP APM CTU vulnerability CVE-2021-22980

Links to More Info: K29282483, BT949933


949889-2 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()

Links to More Info: K04107324, BT949889


949593-2 : Unable to load config if AVR widgets were created under '[All]' partition

Links to More Info: BT949593

Component: Application Visibility and Reporting

Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.

Conditions:
This occurs if one or more AVR widgets in the configuration was created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.

Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.

Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':

# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config

This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.

Fix:
It is possible to successfully upgrade from or load a configuration containing one or more AVR widgets created under the read-only '\[All]' pseudo-partition or under other nonexistent partitions. With the current fix, all partitions are changed to "Common" during upgrade.

Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2


949477-2 : NTLM RPC exception: Failed to verify checksum of the packet

Links to More Info: BT949477

Component: Access Policy Manager

Symptoms:
NTLM authentication fails with the error:

RPC exception: Failed to verify checksum of the packet.

Conditions:
-- Start nlad process with 'encryption'.
-- Configure a user, and map that user to a huge number of groups.
-- Configure NTLM front-end authentication.

Impact:
User authentication fails.

Workaround:
1. Run the 'nlad' process with '-encrypt no' in the file /etc/bigstart/startup/nlad.

2. Disable encryption for nlad:
   # vim /etc/bigstart/startup/nlad

   change:
   exec /usr/bin/${service} -use-log-tag 01620000

   to:
   exec /usr/bin/${service} -use-log-tag 01620000 -encrypt no

3. Restart nlad to make the change effective, and to force the schannel to be re-established:
   # bigstart restart nlad

Fixed Versions:
14.1.4.4, 15.1.4.1


949145-4 : Improve TCP's response to partial ACKs during loss recovery

Links to More Info: BT949145

Component: Local Traffic Manager

Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.

Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.

Impact:
The bursty retransmissions may lead to more data getting lost due to the large amount of data being injected into the network.

Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.

Fix:
Partial ACK handling during loss recovery is improved.

Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1


948805-3 : False positive "Null in Request"

Links to More Info: BT948805

Component: Application Security Manager

Symptoms:
A false positive violation "Null in Request" is thrown erroneously.

Conditions:
-- BIG-IP receives a query string in the "Referrer" header

Impact:
False positive violation "Null in Request" is thrown

Workaround:
None

Fix:
Fixed a false positive violation.

Fixed Versions:
14.1.4.5, 15.1.4.1


948769-4 : TMM panic with SCTP traffic

Links to More Info: K05300051, BT948769


948757-3 : A snat-translation address responds to ARP requests but not to ICMP ECHO requests.

Links to More Info: BT948757

Component: Local Traffic Manager

Symptoms:
A snat-translation address with ARP enabled responds to ARP requests but not ICMP ECHO requests.

Conditions:
A snat-translation address is configured with ARP enabled.

Impact:
Application traffic should not be impacted, as external hosts trying to resolve the snat-translation and return traffic to it should still be able to do so; however, ping is an important network troubleshooting tool, and not being able to ping the address may create confusion.

Workaround:
None.

Fix:
A snat-translation now correctly responds to both ARP requests and ICMP ECHO requests.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1


948573-2 : Wr_urldbd list of valid TLDs needs to be updated

Links to More Info: BT948573

Component: Traffic Classification Engine

Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.

Conditions:
New TLD is being queried

Impact:
A URL query with a new TLD cannot be blocked with a custom feed list.
Custom, Webroot, and Cloud return the Unknown category.

Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2


948113-4 : User-defined report scheduling fails

Links to More Info: BT948113

Component: Application Visibility and Reporting

Symptoms:
A scheduled report fails to be sent.

An error message with the following format may appear in the /var/log/avr/monpd.log file (some parts of the error message are replaced with '.....' here to leave only the common parts):
     DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
 Because : Unknown column ....... in 'order clause'

Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report

Impact:
Internal error for AVR report for ASM pre-defined.

Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr

Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});

The above can be achieved with the following one-line script (first back up the Client.pm file, and afterward verify that the change was applied correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm

Lastly, remount /usr back to read-only:
mount -o remount,ro /usr

Fix:
The 'sort-by' measure is now used when building the PDF (instead of the first value in the measure list).

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


947925-4 : TMM may crash when executing L7 Protocol Lookup per-request policy agent

Links to More Info: BT947925

Component: SSL Orchestrator

Symptoms:
TMM may crash when executing the L7 Protocol Lookup per-request policy agent.

Conditions:
-- APM or SSL Orchestrator is licensed and provisioned.
-- L7 Protocol Lookup agent is included in the per-request policy for APM/SWG use cases.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM does not crash anymore when executing the L7 Protocol Lookup agent in the per-request policy.

Fixed Versions:
14.1.4.3, 15.1.4


947865-3 : Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read

Links to More Info: BT947865

Component: TMOS

Symptoms:
Pam-authenticator cores. There is a log message in /var/log/user/log:

err pam-authenticator: tac_author_read: short author header, -1 of 12: Connection reset by peer

Conditions:
-- TACACS auth configured on BIG-IP
-- A BIG-IP user authenticates and the user is a TACACS user
-- The TACACS server resets the connection.

Impact:
Pam-authenticator fails with segfault or sigabrt, and the user is unable to authenticate to BIG-IP.

Fixed Versions:
14.1.4, 15.1.3


947529-1 : Security tab in virtual server menu renders slowly

Links to More Info: BT947529

Component: TMOS

Symptoms:
When a large number of virtual servers use the same ASM policy from a manually-created LTM Traffic policy, the Security tab of the virtual server takes a long time to load.

Conditions:
Large number of virtual servers using the same ASM policy

Impact:
Loading of Security tab of a virtual server takes a long time

Workaround:
NA

Fix:
Security tab of a virtual server loads fast

Fixed Versions:
14.1.4.4, 15.1.4.1


947341-3 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files.

Links to More Info: BT947341

Component: Application Security Manager

Symptoms:
1) /var/lib/mysql/mysqld.err is filled with log entries that contain:
------------
  200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------

2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.

Conditions:
ASM/AVR provisioned

Impact:
MySQL runs out of resources when opening the file PRX.REQUEST_LOG and an error message states the file is corrupt.

Workaround:
1. If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
   https://support.f5.com/csp/article/K14956
   https://support.f5.com/csp/article/K42497314

2. To identify the empty partitions, look into:
   mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G"

3. For every partition that is empty, manually (or via shell script) execute this sql:
   mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION <empty_partition_name>;"

   Note: <empty_partition_name> must be substituted with the partition name, for example p100001.


4. Increase 'open_files_limit' to '10000'.

   In the /etc/my.cnf file:
   1. Change the value of the 'open_files_limit' parameter to 10000.
   2. Restart MySQL:
   bigstart restart mysql

5. pkill asmlogd

Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
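Step 3 mentions doing the drops "via shell script". The following is an added example, not F5 code: it turns a partition listing into the DROP PARTITION statements from step 3 without executing them. It assumes the listing was produced with 'SELECT PARTITION_NAME, TABLE_ROWS ... ORDER BY PARTITION_ORDINAL_POSITION' and the mysql client options -N -B, and that a TABLE_ROWS value of 0 means the partition is empty.

```shell
#!/bin/sh
# Added example (not F5 code): generate, but do not run, the step 3
# statements for every empty PRX.REQUEST_LOG partition.
#
# Expected stdin: one "PARTITION_NAME<TAB>TABLE_ROWS" row per line, e.g. from
# the mysql invocation in step 2 with -N -B added and the query changed to
#   SELECT PARTITION_NAME, TABLE_ROWS FROM INFORMATION_SCHEMA.PARTITIONS
#   WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'
#   ORDER BY PARTITION_ORDINAL_POSITION
# Assumption: TABLE_ROWS = 0 means empty (the value can be an estimate for
# some storage engines, so review the output before running it).

# Constructed sample listing, including one malformed name.
SAMPLE_PARTITIONS=$(printf '%s\t%s\n' p100001 0 p100002 5321 p100003 0 'p1;x' 0 p100004 0)

gen_drop_statements() {
    awk -F '\t' '
        # A table without partitions reports a NULL partition name.
        $1 == "NULL" { next }
        # Accept only plain identifiers and integer row counts, so that an
        # unexpected value never ends up inside generated SQL.
        $1 !~ /^[A-Za-z0-9_]+$/ || $2 !~ /^[0-9]+$/ {
            print "skipped unexpected row: " $0 > "/dev/stderr"
            next
        }
        { last = $1; if ($2 + 0 == 0) empty[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                # MySQL refuses to drop every partition of a table, so the
                # last listed partition is always kept, even when empty.
                if (empty[i] == last) continue
                printf "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION %s;\n", empty[i]
            }
        }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PARTITIONS" | gen_drop_statements
```

Review the generated statements, then pass them to the mysql invocation shown in step 3.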

Fix:
This release increases the default 'open_files_limit' to '10000'.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2, 16.1.2


946745-3 : 'System Integrity: Invalid' after Engineering Hotfix installation

Links to More Info: BT946745

Component: TMOS

Symptoms:
The 'tmsh run sys integrity status-check -a -v' or 'tpm-status' commands incorrectly report system integrity status as 'Invalid' even when the system software has not been modified.

Conditions:
This occurs if all of the following conditions are true:

-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on TPM-supported BIG-IP platform.
-- The Engineering Hotfix contains a fix for ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html).
-- The Engineering Hotfix contains an updated 'sirr-tmos' package.

Impact:
Incorrect presentation of system software status; the status shows INVALID when it is actually valid.

Workaround:
None.

Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status when an Engineering Hotfix is installed.

Fixed Versions:
14.1.4, 15.1.3


946581-3 : TMM vulnerability CVE-2020-27713

Links to More Info: K37960100, BT946581


946481-3 : Virtual Edition FIPS not compatible with TLS 1.3

Links to More Info: BT946481

Component: Local Traffic Manager

Symptoms:
A TLS 1.3 handshake failure occurs when using openssl's AES-GCM cipher in FIPS mode.

Conditions:
FIPS mode and attempting TLS 1.3 with cipher AES-GCM

Impact:
Handshake failure for TLS 1.3

Workaround:
Disable FIPS mode, or alternately use non AES-GCM cipher for TLS 1.3.

Fix:
TLS 1.3 AES-GCM in FIPS mode now works correctly.

Fixed Versions:
14.1.4.6


946377-3 : HSM WebUI Hardening

Links to More Info: K24301698, BT946377


946325-3 : PEM subscriber GUI hardening

Component: Policy Enforcement Manager

Symptoms:
The PEM subscriber GUI does not follow current best practices.

Conditions:
- Authenticated administrative user
- PEM GUI request

Impact:
PEM subscriber GUI does not follow current best practices.

Workaround:
N/A

Fix:
PEM subscriber GUI now follows current best practices.

Fixed Versions:
14.1.4.6


946185-4 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.'

Links to More Info: BT946185

Component: iApp Technology

Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:

An error has occurred while trying to process your request.

Conditions:
-- With or without Partitions configured.
-- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp.
-- More likely to occur after upgrade.

Impact:
Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen.

Workaround:
To reconfigure the iApp, do the following:

1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List

2. Click the Application Link :: Reconfigure.

Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.

Fix:
Viewing Application Service components now reports no errors in the GUI under these conditions.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2


946125-1 : Tmm restart adds 'Revoked' tokens to 'Active' token count

Links to More Info: BT946125

Component: Access Policy Manager

Symptoms:
End users are unable to access an application even though the active tokens are far less than allowed limit, with this error:
/Common/my_oauth:Common: Request Access Token from Source ID <id> IP <ip> failed. Error Code (access_denied) Error Description (This user has reached configured access token limit.)

Conditions:
1. Configure a per-user access token limit.
2. Revoke some tokens.
3. Restart tmm.

Impact:
User is denied access even though token limit per user is not reached

Fix:
Fixed an issue where users were unable to log in after a tmm restart.

Fixed Versions:
14.1.4.4, 15.1.4


946089-1 : BIG-IP might send excessive multicast/broadcast traffic.

Links to More Info: BT946089

Component: TMOS

Symptoms:
BIG-IP might transmit excessive multicast/broadcast traffic.

Conditions:
-- BIG-IP Virtual Edition with more than one TMM.
-- Number of excessive packets is directly proportional to the number of TMMs.

Impact:
Excessive multicast/broadcast traffic.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


946081-3 : Getcrc tool help displays directory structure instead of version

Links to More Info: BT946081

Component: Application Security Manager

Symptoms:
When getcrc tool displays help to the end user, it displays a directory structure instead of version.

Conditions:
Displaying help in getcrc utility.

Impact:
Version information is not displayed.

Fix:
Getcrc utility help now displays version information.

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2


945997-3 : LTM policy applied to HTTP/2 traffic may crash TMM

Links to More Info: BT945997

Component: Local Traffic Manager

Symptoms:
When an LTM policy is applied to HTTP/2 traffic and refers to TCL expression(s), TMM may crash.

Conditions:
-- A virtual is configured with http and http2 profiles.
-- An LTM policy is published and refers to TCL expression(s).
-- The policy is attached to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Fix:
BIG-IP properly processes LTM policy with TCL expression(s) when it is applied to a virtual handling HTTP/2 traffic.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


945265-3 : BGP may advertise default route with incorrect parameters

Links to More Info: BT945265

Component: TMOS

Symptoms:
If a BGP neighbor is configured with 'default originate,' the nexthop advertised for the default route may be incorrect.

Conditions:
-- Dynamic routing enabled.
-- Using BGP.
-- BGP neighbor configured with 'default originate'.

Impact:
The default route advertised via BGP is not acceptable to peers until the BGP session is cleared.

Workaround:
In imish, run the command:
clear ip bgp <affected neighbor address>

Fix:
BGP suppresses a route advertisement between BGP speakers configured in the same AS with the same router-id.

Behavior Change:
BGP now suppresses a route advertisement between BGP speakers configured in the same AS with the same router-id.

Previously, the route was not acceptable to peers until the BGP session was cleared, resulting in potentially incorrect parameters.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


945109-4 : Freetype Parser Skip Token Vulnerability CVE-2015-9382

Links to More Info: K46641512, BT945109


944785-1 : Admd restarting constantly. Out of memory due to loading malformed state file

Links to More Info: BT944785

Component: Anomaly Detection Services

Symptoms:
Admd consumes more than 10GB of RSS
Wrong signature statistics and possible memory corruption, potentially results in high memory consumption.

Conditions:
-- Upgrading from 13.x, 14.x to 15.x
-- Device service clustering configuration
-- App-Protect-DOS signatures configured.

Impact:
ADMD not working, ADMD constantly restarting, consuming all of the system memory. Out of memory. ADMD killed due to memory consumption

Workaround:
Make sure that all the devices within a cluster are running a compatible state file version (either all with versions before 15.1.0.x or all after). If they are not:
1. Stop ADMD on all of those devices: bigstart stop admd
2. Upgrade or Downgrade the BIG-IP version to match the above criteria.
3. Remove the old state files: rm -rf /var/run/adm/*
4. Start ADMD: bigstart start admd

If there is an issue on a single blade device, then:
1. Stop ADMD on all of those machines: bigstart stop admd
2. Remove the old state files: rm -rf /var/run/adm/*
3. Start ADMD: bigstart start admd

Fix:
No more memory corruption, no OOM nor ADMD restarts.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.2


944641-3 : HTTP2 send RST_STREAM when exceeding max streams

Links to More Info: BT944641

Component: Local Traffic Manager

Symptoms:
If the SETTINGS_MAX_CONCURRENT_STREAMS setting is exceeded, BIG-IP sends a GOAWAY frame; however, browsers expect a RST_STREAM and the GOAWAY frame results in a half-rendered web page.

Conditions:
The maximum streams setting is exceeded on a HTTP/2 connection.

Impact:
BIG-IP sends a GOAWAY frame, and the browser shows a half-rendered page.

Workaround:
None.

Fix:
BIG-IP now sends a RST_STREAM if the maximum streams setting is exceeded.

Fixed Versions:
14.1.4, 15.1.4, 16.0.1.1


944513-1 : Apache configuration file hardening

Links to More Info: BT944513

Component: TMOS

Symptoms:
Apache configuration file did not follow security best practice.

Conditions:
Normal system operation with httpd enabled.

Impact:
Apache configuration file did not follow security best practice.

Workaround:
None

Fix:
Apache configuration file has been hardened to follow security best practice.

Fixed Versions:
14.1.4.6, 15.1.4


944441-3 : BD_XML logs memory usage at TS_DEBUG level

Links to More Info: BT944441

Component: Application Security Manager

Symptoms:
There are two messages in BD_XML logs that the system reports at the TS_DEBUG log level, but they should be logged as TS_INFO.

BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1687|after create of profile 754. (xml memory 5111702493 bytes)
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1586|add profile 755. name: /ws/replanifierIntervention_V1-0 is soap? 1 (xml memory before add 5111702493 bytes)

Conditions:
These messages can occur when XML/JSON profiles are configured.

Impact:
Messages that should be logged at the TS_INFO level are logged at the TS_DEBUG level. These are informational log messages.

Workaround:
None

Fix:
The relevant two BD_XML logs are now categorized as TS_INFO.

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2


944121-3 : Missing SNI information when using non-default domain https monitor running in TMM mode.

Links to More Info: BT944121

Component: In-tmm monitors

Symptoms:
In-TMM https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members.

In-TMM monitors do not send any packet when TLS1.3 monitor is used.

Conditions:
-- SNI is configured in serverssl profile
-- serverssl profile is assigned to in-tmm https monitors
-- https monitors are monitoring pool members that are in a non-default route domain.

-- Another condition: a TLS1.3 monitor is used.

Impact:
The TLS connection might fail in case of SNI

No SYN packet is sent in case of TLS1.3 monitor

Workaround:
N/A

Fix:
N/A

Fixed Versions:
14.1.4.6


943913-4 : ASM attack signature does not match

Links to More Info: K30150004, BT943913

Component: Application Security Manager

Symptoms:
When processing certain traffic, ASM attack signatures may not match as intended.

Conditions:
- ASM enabled
- Undisclosed attack signature variation

Impact:
ASM attack signature does not match or trigger further processing.