Supplemental Document : BIG-IP 14.1.5.1 Fixes and Known Issues

Applies To:

BIG-IP AAM

  • 14.1.5

BIG-IP APM

  • 14.1.5

BIG-IP Analytics

  • 14.1.5

BIG-IP Link Controller

  • 14.1.5

BIG-IP LTM

  • 14.1.5

BIG-IP PEM

  • 14.1.5

BIG-IP AFM

  • 14.1.5

BIG-IP DNS

  • 14.1.5

BIG-IP FPS

  • 14.1.5

BIG-IP ASM

  • 14.1.5
Updated Date: 09/12/2022

BIG-IP Release Information

Version: 14.1.5.1
Build: 6.0

Note: This content is current as of the software release date.
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.


Cumulative fixes from BIG-IP v14.1.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.6 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.8 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.7 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.6 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release
Known Issues in BIG-IP v14.1.x

Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1036057-3 3-Major BT1036057 Add support for line folding in multipart parser. 14.1.5.1
1006921-4 3-Major   iRules Hardening 14.1.5.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
957637-3 2-Critical BT957637 The pfmand daemon can crash when it starts. 14.1.5.1
940225-3 2-Critical BT940225 Not able to add more than 6 NICs on VE running in Azure 14.1.5.1, 16.1.3
1108181-4 2-Critical BT1108181 iControl REST call with token fails with 401 Unauthorized 14.1.5.1, 16.1.3
1079817-3 2-Critical BT1079817 Java null pointer exception when saving UCS with iAppsLX installed 14.1.5.1, 16.1.3
1076921-3 2-Critical BT1076921 Log hostname should be consistent when it contains ' . ' 14.1.5.1
992121-2 3-Major BT992121 REST "/mgmt/tm/services" endpoint is not accessible 14.1.5.1
958833-3 3-Major BT958833 After mgmt ip change via GUI, browser is not redirected to new address 14.1.5.1
919357-6 3-Major   iControl REST hardening 14.1.5.1
886649-3 3-Major BT886649 Connections stall when dynamic BWC policy is changed via GUI and TMSH 14.1.5.1, 16.1.3
865225-4 3-Major BT865225 100G modules may not work properly in i15000 and i15800 platforms 13.1.3.4, 14.1.5.1, 15.1.0.2
862693-2 3-Major BT862693 PAM_RHOST not set when authenticating BIG-IP using iControl REST 14.1.5.1
1102849-1 3-Major BT1102849 Less-privileged users (guest, operator, etc) are unable to run top level commands 14.1.5.1
1091345-4 3-Major BT1091345 The /root/.bash_history file is not carried forward by default during installations. 14.1.5.1
1075729 3-Major BT1075729 Virtual server may not properly exit from hardware SYN Cookie mode 14.1.5.1, 15.1.5.1
1066673-3 3-Major   BIG-IP Configuration Utility (TMUI) does not follow best practices for managing active sessions 14.1.5.1
1025261-1 3-Major BT1025261 When restjavad.useextramb is set, java immediately uses more resident memory in control plane 14.1.5.1
1024661-1 3-Major   SCTP forwarding flows based on VTAG for bigproto 14.1.5.1
740321-3 4-Minor   iControl SOAP API does not follow current best practices 14.1.5.1
1080317-1 4-Minor BT1080317 Logged hostname not consistent when hostname contains "." 14.1.5.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
881809-4 2-Critical   serverssl profile hardening 14.1.5.1
831161-3 2-Critical BT831161 An iRule before HTTP_REQUEST calling persist none can crash tmm 14.1.5.1
1074517-3 2-Critical BT1074517 Tmm may core while adding/modifying traffic-class attached to a virtual server 14.1.5.1
1073609-2 2-Critical BT1073609 Tmm may core while using reject iRule command in LB_SELECTED event. 14.1.5.1
780857-3 3-Major BT780857 HA failover network disruption when cluster management IP is not in the list of unicast addresses 14.1.5.1
748886-2 3-Major BT748886 Virtual server stops passing traffic after modification 14.1.5.1
1099229-2 3-Major BT1099229 SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present 14.1.5.1
1091761-3 3-Major   Mqtt_message memory leaks when iRules are used 14.1.5.1
1084013-2 3-Major   TMM does not follow TCP best practices 14.1.5.1
1082225-2 3-Major BT1082225 Tmm may core while Adding/modifying traffic-class attached to a virtual server. 14.1.5.1
1076397-3 3-Major   TMSH hardening 14.1.5.1
1074505-3 3-Major BT1074505 Traffic classes are not attached to virtual server at TMM start 14.1.5.1
1073549-3 3-Major   TMSH hardening 14.1.5.1
1068445-3 3-Major BT1068445 TCP duplicate acks are observed in speed tests for larger requests 14.1.5.1
1053149-3 3-Major BT1053149 A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received. 14.1.5.1
1043805-1 3-Major BT1043805 ICMP traffic over NAT does not work properly. 14.1.5.1
1036169-2 3-Major BT1036169 VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500". 14.1.5.1
1017721-2 3-Major BT1017721 WebSocket does not close cleanly when SSL enabled. 14.1.5.1, 16.1.2.2
1006157-5 3-Major BT1006157 FQDN nodes not repopulated immediately after 'load sys config' 14.1.5.1
987885-3 4-Minor BT987885 Half-open unclean SSL termination might not close the connection properly 14.1.5.1
787905-4 4-Minor BT787905 Improve initializing TCP analytics for FastL4 14.1.5.1, 15.0.1.1
1063637-2 4-Minor   NTLM library hardening 14.1.5.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
993921-1 2-Critical BT993921 TMM SIGSEGV 14.1.5.1
1077701-3 2-Critical BT1077701 GTM "require M from N" monitor rules do not report when the number of "up" responses change 14.1.5.1
1091249-4 3-Major BT1091249 BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address. 14.1.5.1
1071301-3 3-Major BT1071301 GTM server does not get updated even when the virtual server status changes. 14.1.5.1
1071233-3 3-Major BT1071233 GTM Pool Members may not be updated accurately when multiple identical database monitors are configured 14.1.5.1
1084673-4 4-Minor BT1084673 GTM Monitor "require M from N" status change log message does not print pool name 14.1.5.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1096477 2-Critical   URL parameter is treated as a Base64 encoded value 14.1.5.1
886533-1 3-Major BT886533 Icap server connection adjustments 14.1.5.1
1083913-3 3-Major BT1083913 Missing error check in ICAP handling 14.1.5.1
1030133-4 3-Major   BD core on XML out of memory 14.1.5.1
948241-1 4-Minor   Count Stateful anomalies based only on Device ID 14.1.5.1
797821-1 4-Minor BT797821 Logging profiles on /Common cannot be configured with publishers on other folders 14.1.5.1
747905-4 4-Minor BT747905 'Illegal Query String Length' violation displays wrong length 13.1.1.4, 14.0.1.1, 14.1.5.1
744226-1 4-Minor BT744226 DoSL7-related logs are not throttled 14.1.5.1
1073625-4 4-Minor BT1073625 Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled. 14.1.5.1
1040513-2 4-Minor BT1040513 The counter for "FTP commands" is always 0. 14.1.5.1
1014573-3 4-Minor   Several large arrays/objects in JSON payload may core the enforcer 14.1.5.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1024029-4 2-Critical   TMM may crash when processing traffic with per-session APM Access Policy 14.1.5.1
979877-6 3-Major   CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information 14.1.5.1
1043217-3 3-Major BT1043217 NTLM frontend auth fails with the latest Microsoft RDP client on MacOS 14.0.1 platform 14.1.5.1
1010597-3 3-Major BT1010597 Traffic disruption when virtual server is assigned to a non-default route domain 14.1.5.1
1063641-2 4-Minor   NTLM library hardening 14.1.5.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1093621-3 2-Critical   Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP 14.1.5.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1074465 3-Major BT1074465 TMM SIGSEGV crash 14.1.5.1


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1090649-2 3-Major BT1090649 PEM errors when configuring IPv6 flow filter via GUI 14.1.5.1


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
1094177-2 1-Blocking BT1094177 Analytics iApp installation fails 14.1.5.1, 16.1.3



Cumulative fixes from BIG-IP v14.1.5 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
981273-3 CVE-2021-23054 K41997459, BT981273 APM webtop hardening 13.1.5, 14.1.5, 15.1.4
968725-4 CVE-2017-10661 K04337834, BT968725 Linux Kernel Vulnerability CVE-2017-10661 14.1.5, 15.1.5.1
1063389-4 CVE-2015-5191 K84583382, BT1063389 open-vm-tools vulnerability: CVE-2015-5191 14.1.5, 16.1.2.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1078821-3 2-Critical BT1078821 Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit 14.1.5, 16.1.3
972489-3 3-Major   BIG-IP Appliance Mode iControl hardening 14.1.5, 15.1.5.1, 16.1.3
971217-3 3-Major BT971217 AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations. 14.1.5
874941-3 3-Major BT874941 HTTP authentication in the access policy times out after 60 seconds 14.1.5, 16.1.2.2
669046-4 3-Major BT669046 Handling large replies to MCP audit_request messages 14.1.5, 16.1.2.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1050969-4 1-Blocking BT1050969 After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid 14.1.5, 15.1.5.1, 16.1.2.2
992097-1 2-Critical BT992097 Incorrect hostname is seen in logging files 14.1.5
987113-2 2-Critical BT987113 CMP state degraded while under heavy traffic 14.1.5, 15.1.4
943109-3 2-Critical BT943109 Mcpd crash when bulk deleting Bot Defense profiles 14.1.5, 16.1.3
1075905 2-Critical BT1075905 TCP connections may fail when hardware SYN Cookie is active 14.1.5, 15.1.5.1
977657-1 3-Major BT977657 SELinux errors when deploying a vCMP guest. 14.1.5
943653-3 3-Major BT943653 Allow 32-bit processes to use larger area of virtual address space 14.1.5
907549-3 3-Major BT907549 Memory leak in BWC::Measure 14.1.5, 15.1.0.5, 16.1.2.2
894133-3 3-Major BT894133 After ISO upgrade the SSL Orchestrator guided configuration user interface is not available. 14.1.5, 15.1.5.1
752994-1 3-Major BT752994 Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod 14.1.5
742753-4 3-Major BT742753 Accessing the BIG-IP system's WebUI via special proxy solutions may fail 14.1.5, 16.1.2.2
738881-3 3-Major BT738881 Qkview does not collect any data under certain conditions that cause a timeout 13.1.3.4, 14.1.5
724653-2 3-Major BT724653 In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync. 14.1.5, 16.1.3
1064461-2 3-Major BT1064461 PIM-SM will not complete RP registration over tunnel interface when floating IP address is used. 14.1.5, 16.1.2.2
1063473-3 3-Major BT1063473 While establishing a high availability (HA) connection, the number of npus in DAG context may be overwritten incorrectly 14.1.5, 15.1.5.1
1060009-2 3-Major BT1060009 Platform Agent may run out of file descriptors 14.1.5
1072237-3 4-Minor BT1072237 Retrieval of policy action stats causes memory leak 14.1.5, 16.1.2.2
1062333-3 4-Minor   Linux kernel vulnerability: CVE-2019-19523 14.1.5, 16.1.2.2
1034329-3 4-Minor BT1034329 SHA-512 checksums for BIG-IP Virtual Edition (VE) images available on downloads.f5.com 14.1.5, 16.1.2.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
937777-3 2-Critical   HTTP::payload may cause the TMM to crash 14.1.5, 16.0.1.1
841469-4 2-Critical BT841469 Application traffic may fail after an internal interface failure on a VIPRION system. 13.1.3.4, 14.1.5, 15.1.2.1
1073841-3 2-Critical   URI normalization does not function as expected 14.1.5
1071593-2 2-Critical   TMM may crash while processing TLS traffic 14.1.5, 16.1.2.2
1071449-2 2-Critical BT1071449 Statsd memory leak on platforms with license disabled processors. 14.1.5, 16.1.2.2
1069629-2 2-Critical   TMM may crash while processing TLS traffic 14.1.5, 15.1.5.1, 16.1.2.2
1055737-3 2-Critical   TMM may consume excessive resources while processing HTTP/2 traffic 14.1.5, 16.1.2.2
1047581-1 2-Critical BT1047581 Ramcache can crash when serving files from the hot cache 14.1.5, 16.1.2.2
993517-4 3-Major BT993517 Loading an upgraded config can result in a file object error in some cases 14.1.5, 16.1.2.2
976525-2 3-Major BT976525 Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled 14.1.5
972517-3 3-Major   Appliance mode hardening 14.1.5
953601-2 3-Major BT953601 HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions 14.1.5, 16.1.2.2
936441-3 3-Major BT936441 Nitrox5 SDK driver logging messages 14.1.5, 15.1.5.1, 16.1.2.2
934697-2 3-Major BT934697 Route domain not reachable (strict mode) 14.1.5, 16.1.3
927713-5 3-Major BT927713 Clsh reboot hangs when executed from the primary blade. 14.1.5, 15.1.5.1
883049-4 3-Major BT883049 Statsd can deadlock with rrdshim if an rrd file is invalid 14.1.5, 16.1.2.2
813673-2 3-Major BT813673 The HTTP Explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT to IPv4 targets. 13.1.3.2, 14.1.5
794385-2 3-Major BT794385 BGP sessions may be reset after CMP state change 14.1.5, 15.1.5.1, 16.1.2.2
1083989-3 3-Major BT1083989 TMM may restart if abort arrives during MBLB iRule execution 14.1.5, 16.1.2.2
1073357-4 3-Major   TMM may crash while processing HTTP traffic 14.1.5
1072953-1 3-Major BT1072953 Memory leak in traffic management interface. 14.1.5, 16.1.2.2
1063453-3 3-Major BT1063453 FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets. 14.1.5, 16.1.2.2
1042913-1 3-Major BT1042913 Pkcs11d CPU utilization jumps to 100% 14.1.5, 16.1.2.2
1024225-2 3-Major BT1024225 BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request 14.1.5, 16.1.2.2
1004689-2 3-Major BT1004689 TMM might crash when pool routes with recursive nexthops and reselect option are used. 14.1.5, 16.1.2.2
1081201-3 4-Minor   MCPD certification import hardening 14.1.5, 16.1.3
1080341-2 4-Minor BT1080341 Changing an L2-forward virtual to any other virtual type might not update the configuration. 14.1.5, 16.1.2.2
1064669-3 4-Minor BT1064669 Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash. 14.1.5, 15.1.5.1, 16.1.2.2
1032513-1 4-Minor   TMM may consume excessive resources while processing MRF traffic 14.1.5, 16.1.2.2
1026005-3 4-Minor BT1026005 BIG-IP Virtual Edition (VE) does NOT preserve the order of NICs 5-10 defined in the VMware ESXi hypervisor and NSXT platforms. 14.1.5, 15.1.5.1, 16.1.2.2
968581-3 5-Cosmetic BT968581 TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description 14.1.5, 15.1.5.1, 16.1.2.2


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1027657-2 2-Critical BT1027657 Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules. 14.1.5, 15.1.5.1, 16.1.2.2
996233-3 3-Major   Tomcat may crash while processing TMUI requests 14.1.5, 16.1.3
1076401-2 3-Major BT1076401 Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec. 14.1.5, 16.1.2.2
1046785-4 3-Major BT1046785 Missing GTM probes when max synchronous probes are exceeded. 13.1.5, 14.1.5, 15.1.5.1, 16.1.2.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1069501-3 2-Critical   ASM may not match certain signatures 14.1.5, 16.1.2.2
1068237-3 2-Critical BT1068237 Some attack signatures added to policies are not used. 14.1.5, 16.1.2.2
1000789-3 2-Critical BT1000789 ASM-related iRule keywords may not work as expected 14.1.5, 16.1.2.2
923221-1 3-Major BT923221 BD does not use all the CPU cores 14.1.5, 16.1.2.2
874185-3 3-Major BT874185 Incorrect Alarm/Block flags displayed for Signature with previously enforced rule 14.1.5
1070073-1 3-Major   ASM Signature Set accuracy filter is wrong on GUI. 14.1.5
1069133-2 3-Major BT1069133 ASMConfig memory leak. 14.1.5, 16.1.2.2
1061617-2 3-Major BT1061617 Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters". 14.1.5, 16.1.2.2
1056365-4 3-Major BT1056365 Bot Defense injection does not follow best SOP practice. 14.1.5, 16.1.2.2
1033017-5 3-Major BT1033017 Policy changes learning mode to automatic after upload and sync 14.1.5, 16.1.2.2
1028473-3 3-Major BT1028473 URL sent with trailing slash might not be matched in ASM policy 14.1.5, 16.1.2.2
842029-1 4-Minor BT842029 Unable to create policy: Inherited values may not be changed. 14.1.5, 15.1.5.1
1035361-5 4-Minor BT1035361 Illegal cross-origin after successful CAPTCHA 14.1.5, 15.1.5.1, 16.1.2.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
987341-3 2-Critical BT987341 BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers. 14.1.5
858005-3 3-Major   When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:" 14.1.5, 16.1.2.2
470916-4 3-Major BT470916 Using native View clients, cannot launch desktops and applications from multiple VMware back-ends 14.1.5
1097821-4 3-Major BT1097821 Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified 14.1.5, 16.1.3
1053309-3 3-Major BT1053309 Localdbmgr leaks memory while syncing data to sessiondb and mysql. 14.1.5, 16.1.3


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1082885-3 3-Major BT1082885 MR::message route virtual asserts when configuration changes during ongoing traffic 14.1.5, 15.1.6, 16.1.2.2


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
998781 3-Major BT998781 When a large number of feed list URLs are configured, BIG-IP takes a long time to sync the IP list 14.1.5
964625-2 3-Major BT964625 Improper processing of firewall-rule metadata 14.1.5, 16.1.2.2
1076477 3-Major BT1076477 AFM allows deletion of a firewall policy even if it's being used in a route domain. 14.1.5
1012581-4 3-Major BT1012581 Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered 14.1.5, 16.1.3


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1081153-6 3-Major   TMM may crash while processing administrative requests 14.1.5


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
1064217-3 3-Major BT1064217 Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T. 14.1.5, 16.1.2.2


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1071181 3-Major BT1071181 Improving Signature Detection Accuracy 14.1.5, 16.1.2.2


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
947057-3 3-Major   Traffic intelligence feeds do not follow best practices 12.1.6, 14.1.5


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
1072733-2 2-Critical   Protocol Inspection IM package hardening 14.1.5, 16.1.2.2
1070677-2 3-Major BT1070677 Learning phase does not take traffic into account - dropping all. 14.1.5, 16.1.2.2


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
854129-4 3-Major BT854129 SSL monitor continues to send previously configured server SSL configuration after removal 14.1.5, 16.1.2.2


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
1079505-1 2-Critical   TMM may consume excessive resources while processing SSL Orchestrator traffic 14.1.5, 16.1.3



Cumulative fixes from BIG-IP v14.1.4.6 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
965853-1 CVE-2022-28695 K08510472, BT965853 IM package file hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
964489-3 CVE-2022-28695 K08510472, BT964489 Protocol Inspection IM package hardening 14.1.4.6, 15.1.5.1, 16.1.2.2
1051561-3 CVE-2022-1388 K23605346, BT1051561 BIG-IP iControl REST vulnerability CVE-2022-1388 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
993981-4 CVE-2022-28705 K52340447, BT993981 TMM may crash when ePVA is enabled 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
982697-4 CVE-2022-26071 K41440465, BT982697 ICMP hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
951257-1 CVE-2022-26130 K82034427, BT951257 FTP active data channels are not established 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
946325-3 CVE-2022-28716 K25451853, BT946325 PEM subscriber GUI hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
830361-4 CVE-2012-6711 K05122252, BT830361 CVE-2012-6711 Bash Vulnerability 14.1.4.6, 15.1.5.1, 16.1.2.2
818169-3 CVE-2022-26372 K23454411, BT818169 TMM may consume excessive resources when processing DNS profiles with DNS queuing enabled 13.1.5, 14.1.4.6, 15.1.0.2
1087201-4 CVE-2022-0778 K31323265, BT1087201 OpenSSL Vulnerability: CVE-2022-0778 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1078721-4 CVE-2022-27189 K16187341, BT1078721 TMM may consume excessive resources while processing ICAP traffic 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1067993-6 CVE-2022-28714 K54460845, BT1067993 APM Windows Client installer hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1059185-3 CVE-2022-26415 K81952114, BT1059185 iControl REST Hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1057801-4 CVE-2022-28707 K70300233, BT1057801 TMUI does not follow current best practices 14.1.4.6, 15.1.5.1, 16.1.2.2
1056933-2 CVE-2022-26370 K51539421, BT1056933 TMM may crash while processing SIP traffic 14.1.4.6, 15.1.5, 16.1.2.2
1051797-3 CVE-2018-18281 K36462841, BT1051797 Linux kernel vulnerability: CVE-2018-18281 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1047053-1 CVE-2022-28691 K37155600, BT1047053 TMM may consume excessive resources while processing RTSP traffic 13.1.5, 14.1.4.6, 15.1.5, 16.1.2.2
1045101-2 CVE-2022-26890 K03442392, BT1045101 Bd may crash while processing ASM traffic 13.1.5, 14.1.4.6, 15.1.5, 16.1.2.1
1019161-5 CVE-2022-29263 K33552735, BT1019161 Windows installer (VPN through browser components installer) as administrator user uses temporary folder to create files 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1002565-4 CVE-2021-23840 K24624116, BT1002565 OpenSSL vulnerability CVE-2021-23840 14.1.4.6, 15.1.5.1, 16.1.2.2
992073-1 CVE-2022-27181 K93543114, BT992073 APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
982757-6 CVE-2022-26835 K53197140 APM Access Guided Configuration hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
982341-4 CVE-2022-26835 K53197140, BT982341 iControl REST endpoint hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
931677-4 CVE-2022-29479 K64124988, BT931677 IPv6 hardening 13.1.5, 14.1.4.6, 15.1.5.1
919249-3 CVE-2022-28859 K47662005, BT919249 NETHSM installation script hardening 14.1.4.6, 15.1.5.1
915981-2 CVE-2022-26340 K38271531, BT915981 BIG-IP SCP hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1071365-3 CVE-2022-29474 K59904248, BT1071365 iControl SOAP WSDL hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1057809-4 CVE-2022-27659 K41877405, BT1057809 Saved dashboard hardening 14.1.4.6, 15.1.5.1, 16.1.2.2
1047089-4 CVE-2022-29491 K14229426, BT1047089 TMM may terminate while processing TLS/DTLS traffic 14.1.4.6, 15.1.5, 16.1.2.2
1016657-4 CVE-2022-26517 K54082580, BT1016657 TMM may crash while processing LSN traffic 13.1.5, 14.1.4.6, 15.1.5.1
1009049-6 CVE-2022-27636 K57110035, BT1009049 Browser-based VPN did not follow best practices while logging. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1000021-4 CVE-2022-27182 K31856317, BT1000021 TMM may consume excessive resources while processing packet filters 14.1.4.6, 15.1.5, 16.1.2.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1050537-3 2-Critical BT1050537 GTM pool member with none monitor will be part of load balancing decisions. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1046669-3 3-Major BT1046669 The audit forwarders may prematurely time out waiting for TACACS responses 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1033837-3 4-Minor K23605346, BT1033837 REST authentication tokens persist on reboot 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
976669-3 2-Critical BT976669 FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade 14.1.4.6, 15.1.5.1, 16.1.2.2
957897-2 2-Critical BT957897 Unable to modify gateway-ICMP monitor fields in the GUI 13.1.5, 14.1.4.6, 15.1.5.1
944513-1 2-Critical BT944513 Apache configuration file hardening 14.1.4.6, 15.1.4
1048141-1 2-Critical BT1048141 Sorting pool members by 'Member' causes 'General database error' 14.1.4.6, 15.1.5.1, 16.1.2.2
999125-3 3-Major BT999125 After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
956589-2 3-Major BT956589 The tmrouted daemon restarts and produces a core file 13.1.5, 14.1.4.6, 15.1.2.1
943577-3 3-Major BT943577 Full sync failure for traffic-matching-criteria with port list under certain conditions 14.1.4.6, 15.1.5.1, 16.1.2.2
919317-3 3-Major BT919317 NSM consumes 100% CPU processing nexthops for recursive ECMP routes 13.1.5, 14.1.4.6, 15.1.5.1
918409-4 3-Major BT918409 BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures 13.1.5, 14.1.4.6, 15.1.5.1
901669-2 3-Major BT901669 Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. 14.1.4.6, 15.1.5.1, 16.1.2.2
755976-3 3-Major BT755976 ZebOS might miss kernel routes after mcpd daemon restart 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
405329-2 3-Major   The imish utility cores while checking help strings for OSPF6 vertex-threshold 14.1.4.6, 15.1.0.5
1066285-1 3-Major BT1066285 Master Key decrypt failure - decrypt failure. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1056993-4 3-Major   404 error is raised on GUI when clicking "App IQ." 14.1.4.6, 15.1.5.1, 16.1.2.2
1047169-3 3-Major BT1047169 GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1042009-3 3-Major BT1042009 Mcpd fails to reply if a request is proxied to another daemon and the connection to that daemon closes 13.1.5, 14.1.4.6, 16.1.2.2
1022637-3 3-Major BT1022637 A partition other than /Common may fail to save the configuration to disk 13.1.5, 14.1.4.6, 15.1.5, 16.1.2.2
1020789-2 3-Major BT1020789 Cannot deploy a four-core vCMP guest if the remaining cores are in use. 13.1.5, 14.1.4.6, 16.1.2.2
1019085-2 3-Major BT1019085 Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file. 13.1.5, 14.1.4.6, 15.1.5.1
1008269-4 3-Major BT1008269 Error: out of stack space 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
713614-4 4-Minor BT713614 Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only) 13.1.5, 14.1.4.6, 15.1.0.5
528894-7 4-Minor BT528894 Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition 13.1.5, 14.1.4.6, 15.1.5, 16.1.2.2
1058677-3 4-Minor BT1058677 Not all SCTP connections are mirrored on the standby device when auto-init is enabled. 14.1.4.6, 15.1.5.1, 16.1.2.2
1046693-2 4-Minor BT1046693 TMM with BFD configured might crash under significant memory pressure 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1045549-2 4-Minor BT1045549 BFD sessions remain DOWN after graceful TMM restart 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1040821-2 4-Minor BT1040821 Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1034589-3 4-Minor BT1034589 No warning is given when a pool or trunk that was in use by a high availability (HA) Group is deleted from the configuration. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1031425-1 4-Minor BT1031425 Provide a configuration flag to disable BGP peer-id check. 14.1.4.6, 15.1.5.1, 16.1.2.2
1030645-2 4-Minor BT1030645 BGP session resets during traffic-group failover 14.1.4.6, 15.1.5.1, 16.1.2.2
1024621-2 4-Minor BT1024621 Re-establishing BFD session might take longer than expected. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1002809-2 4-Minor BT1002809 OSPF vertex-threshold should be at least 100 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
946481-3 2-Critical BT946481 Virtual Edition FIPS not compatible with TLS 1.3 14.1.4.6, 15.1.5.1
910213-4 2-Critical BT910213 LB::down iRule command is ineffective, and can lead to inconsistent pool member status 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
757407-1 2-Critical BT757407 Error reading RRD file may induce processes to mutually wait for each other forever 13.1.5, 14.1.4.6
1064617-3 2-Critical BT1064617 DBDaemon process may write to monitor log file indefinitely 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
999901-4 3-Major K68816502, BT999901 Certain LTM policies may not execute correctly after a system reboot or TMM restart. 14.1.4.6, 15.1.5.1, 16.1.2.2
987077-4 3-Major BT987077 TLS1.3 with client authentication handshake failure 14.1.4.6, 15.1.5.1, 16.1.3
967101-3 3-Major BT967101 When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out. 14.1.4.6, 15.1.5.1, 16.1.2.2
955617-6 3-Major BT955617 Cannot modify properties of a monitor that is already in use by a pool 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
939085-1 3-Major BT939085 /config/ssl/ssl.csr directory disappears after creating certificate archive 14.1.4.6, 15.1.5.1
912517-4 3-Major BT912517 Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
892485-1 3-Major BT892485 A wrong OCSP status cache may be looked up and re-used during SSL handshake. 14.1.4.6, 15.1.5.1
892073-1 3-Major BT892073 TLS1.3 LTM policy rule based on SSL SNI is not triggered 14.1.4.6, 15.1.5.1
838353-3 3-Major BT838353 MQTT monitor is not working in route domain. 14.1.4.6, 15.1.5.1
826349-2 3-Major BT826349 VXLAN tunnel might fail due to misbehaving NIC checksum offload 14.1.4.6
825245-2 3-Major BT825245 SSL::enable does not work for server side ssl 14.1.4.6, 15.1.5.1
803109-2 3-Major BT803109 Certain configuration may result in zombie forwarding flows 14.1.4.6, 15.1.5.1, 16.1.2.2
793929-1 3-Major BT793929 In-TMM monitor agent might crash during TMM shutdown 14.1.4.6
793669-1 3-Major BT793669 FQDN ephemeral pool members on a high availability (HA) pair do not get properly synced with the new session value. 13.1.5, 14.1.4.6, 15.1.5.1
672963-3 3-Major BT672963 MSSQL monitor fails against databases using non-native charset 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1058469-3 3-Major BT1058469 Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working. 14.1.4.6, 15.1.5.1, 16.1.2.2
1052929-2 3-Major BT1052929 MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1043357-2 3-Major BT1043357 SSL handshake may fail when using remote crypto client 14.1.4.6, 15.1.5.1, 16.1.2.2
1043017-2 3-Major BT1043017 Virtual-wire with standard-virtual fragmentation 14.1.4.6, 16.1.2.2
1029897-3 3-Major K63312282, BT1029897 Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1023341-3 3-Major   HSM hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.1
1017533-1 3-Major BT1017533 Using TMC might cause virtual server vlans-enabled configuration to be ignored 14.1.4.6, 16.1.2.2
1016449-1 3-Major BT1016449 After certain configuration tasks are performed, TMM may run with stale Self IP parameters. 14.1.4.6, 15.1.5.1, 16.1.2.2
1016049-3 3-Major BT1016049 EDNS query with CSUBNET dropped by protocol inspection 14.1.4.6, 15.1.5.1, 16.1.2.2
1008501-4 3-Major BT1008501 TMM core 14.1.4.6, 15.1.5.1, 16.1.2.2
838305-4 4-Minor BT838305 BIG-IP may create multiple connections for packets that should belong to a single flow. 14.1.4.6, 15.1.5.1, 16.1.2.2
717806-3 4-Minor BT717806 In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1026605-3 4-Minor BT1026605 When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1016441-2 4-Minor   RFC Enforcement Hardening 14.1.4.6, 15.1.5.1, 16.1.2.2
873249-3 5-Cosmetic BT873249 Switching from fast_merge to slow_merge can result in incorrect tmm stats 13.1.5, 14.1.4.6, 15.1.5.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
741862-1 2-Critical BT741862 DNS GUI may generate error or display names with special characters incorrectly. 13.1.5, 14.1.4.6
1062513-2 2-Critical BT1062513 GUI returns 'no access' error message when modifying a GTM pool property. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1044425-4 3-Major K85021277, BT1044425 NSEC3 record improvements for NXDOMAIN 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1039205-1 3-Major BT1039205 DNSSEC key stored on netHSM fails to generate if the key name length is > 24 14.1.4.6, 15.1.5.1
1018613-4 3-Major BT1018613 Modifying wideip pools with replace-all-with results in pools with the same order 0 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1011285-3 3-Major BT1011285 The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects. 13.1.5, 14.1.4.6, 15.1.5
753821-3 4-Minor BT753821 'TCP RST from remote system' messages logged if GTM/DNS is licensed but not provisioned 13.1.5, 14.1.4.6


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1079909-3 2-Critical K82724554, BT1079909 Bd core 13.1.5, 14.1.4.6, 16.1.2.2
1069449-3 2-Critical K39002226, BT1069449 ASM attack signatures may not match cookies as expected 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
965785-3 3-Major BT965785 Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine 14.1.4.6, 15.1.5.1, 16.1.2.2
961509-4 3-Major BT961509 ASM blocks WebSocket frames with signature matched but Transparent policy 14.1.4.6, 15.1.5.1, 16.1.2.2
926845-4 3-Major BT926845 Inactive ASM policies are deleted upon upgrade 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
921697-4 3-Major BT921697 Attack signature updates fail to install with Installation Error. 14.1.4.6, 15.1.5.1, 16.1.2.1
871881-1 3-Major BT871881 Apply Policy action is not synchronized after making bulk signature changes 13.1.5, 14.1.4.6
818889-3 3-Major BT818889 False positive malformed json or xml violation. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1072197-3 3-Major K94142349, BT1072197 Issue with input normalization in WebSocket. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1067285-3 3-Major BT1067285 Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1060933-3 3-Major   Issue with input normalization. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1051213-3 3-Major BT1051213 Increase default value for violation 'Check maximum number of headers'. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1051209-3 3-Major K53593534, BT1051209 BD may not process certain HTTP payloads as expected 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1047389-1 3-Major BT1047389 Bot Defense challenge hardening 14.1.4.6, 15.1.5.1, 16.1.2.2
1043385-2 3-Major BT1043385 No Signature detected If Authorization header is missing padding. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1038733-2 3-Major BT1038733 Attack signature not detected for unsupported authorization types. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1037457-3 3-Major BT1037457 High CPU during specific dos mitigation 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1030853-3 3-Major BT1030853 Route domain IP exception is being treated as trusted (for learning) after being deleted 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1023993-2 3-Major BT1023993 Brute Force is not blocking requests, even when auth failure happens multiple times 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1012221-3 3-Major BT1012221 Message: childInheritanceStatus is not compatible with parentInheritanceStatus 14.1.4.6, 15.1.5.1, 16.1.2.2
1011069-4 3-Major BT1011069 Group/User R/W permissions should be changed for .pid and .cfg files. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
973661 4-Minor BT973661 Two different 'Attack Signature' updates shown as 'Currently Installed' 14.1.4.6
844045-2 4-Minor BT844045 ASM Response event logging for "Illegal response" violations. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1055453 4-Minor BT1055453 Blocking page trims the last digit of the Support ID. 13.1.5, 14.1.4.6
1050697-2 4-Minor   Traffic learning page counts Disabled signatures when they are ready to be enforced 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1038741-2 4-Minor BT1038741 NTLM type-1 message triggers "Unparsable request content" violation. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1036521-4 4-Minor BT1036521 TMM crash in certain cases 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1034941-3 4-Minor BT1034941 Exporting and then re-importing "some" XML policy does not load the XML content-profile properly 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1020717-2 4-Minor BT1020717 Policy versions cleanup process sometimes removes newer versions 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1002385-4 4-Minor K67397230, BT1002385 Fixing issue with input normalization 14.1.4.6, 15.1.5, 16.1.2.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
1038913-2 3-Major   The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
868557-3 3-Major   Unable to initiate SWG database download from Admin UI when management network has no direct internet connectivity. 14.1.4.6
423519-2 3-Major K74302282, BT423519 Bypass disabling the redirection controls configuration of APM RDP Resource. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1029397-2 2-Critical BT1029397 Tmm may crash with SIP-ALG deployment in a particular race condition 14.1.4.6, 15.1.5, 16.1.2.2
1007109-4 2-Critical BT1007109 Flowmap entry is deleted before updating its timeout to INDEFINITE 14.1.4.6, 15.1.5.1
957905-3 3-Major BT957905 SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1058645-3 2-Critical BT1058645 ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup. 14.1.4.6, 15.1.5.1
808893-2 3-Major BT808893 DNS DoS profile vectors do not function correctly 14.1.4.6
808889-2 3-Major BT808889 DoS vector or signature stays hardware-accelerated even when traffic rate is lower than mitigation threshold 14.1.4.6
1070033 3-Major BT1070033 Virtual server may not fully enter hardware SYN Cookie mode. 14.1.4.6
1008265-4 3-Major K92306170, BT1008265 DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond 14.1.4.6, 15.1.5.1, 16.1.2.2
756457-2 4-Minor BT756457 tmsh command 'show security' returning a parsing error 14.1.4.6
1072057-3 4-Minor BT1072057 "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy. 14.1.4.6, 15.1.5.1, 16.1.2.2
1069745 4-Minor BT1069745 GUI issues in Security->NetworkFirewall->Active Rules, rule movement to 101, 201 position. 14.1.4.6


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
756595-1 1-Blocking BT756595 Traffic redirection to an internal virtual server may fail. 13.1.5, 14.1.4.6


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
1019613-2 2-Critical BT1019613 Unknown subscriber in PBA deployment may cause CPU spike 14.1.4.6, 15.1.5.1, 16.1.2.2


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
873617-3 3-Major BT873617 DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1060409-4 4-Minor BT1060409 Behavioral DoS enable checkbox is wrong. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
1052153-1 3-Major BT1052153 Signature downloads for traffic classification updates via proxy fail 14.1.4.6, 15.1.5.1, 16.1.2.2


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
940261-2 4-Minor BT940261 Support IPS package downloads via HTTP proxy. 14.1.4.6, 15.1.5.1, 16.1.2.2


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
944121-3 3-Major BT944121 Missing SNI information when using non-default domain https monitor running in TMM mode. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2



Cumulative fixes from BIG-IP v14.1.4.5 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
999933-4 CVE-2022-23017 K28042514, BT999933 TMM may crash while processing DNS traffic on certain platforms 13.1.5, 14.1.4.5, 15.1.4.1
989701-4 CVE-2020-25212 K42355373, BT989701 CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
989637-4 CVE-2022-23015 K08476614, BT989637 TMM may crash while processing SSL traffic 14.1.4.5, 15.1.4.1
988549-4 CVE-2020-29573 K27238230, BT988549 CVE-2020-29573: glibc vulnerability 14.1.4.5, 15.1.4.1, 16.1.2
910517 CVE-2022-23012 K26310765, BT910517 TMM may crash while processing HTTP traffic 14.1.4.5, 15.1.4.1
1032405-4 CVE-2021-23037 K21435974, BT1032405 TMUI XSS vulnerability CVE-2021-23037 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1028669-4 CVE-2019-9948 K28622040, BT1028669 Python vulnerability: CVE-2019-9948 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1028573-4 CVE-2020-10878 K40508224, BT1028573 Perl vulnerability: CVE-2020-10878 14.1.4.5, 15.1.4.1, 16.1.2
1028497-4 CVE-2019-15903 K05295469, BT1028497 libexpat vulnerability: CVE-2019-15903 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1012365-3 CVE-2021-20305 K33101555, BT1012365 Nettle cryptography library vulnerability CVE-2021-20305 14.1.4.5, 15.1.4.1, 16.1.2
1007489-4 CVE-2022-23018 K24358905, BT1007489 TMM may crash while handling specific HTTP requests 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
997193-2 CVE-2022-23028 K16101409, BT997193 TCP connections may fail when AFM global syncookies are in operation. 13.1.5, 14.1.4.5, 15.1.5
975593-2 CVE-2022-29473 K06323049, BT975593 TMM may crash while processing IPSec traffic 13.1.5, 14.1.4.5, 15.1.5.1
974341-3 CVE-2022-23026 K08402414, BT974341 REST API: File upload 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
941649-4 CVE-2021-23043 K63163637, BT941649 Local File Inclusion Vulnerability 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
940185-3 CVE-2022-23023 K11742742, BT940185 icrd_child may consume excessive resources while processing REST requests 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
823877-2 CVE-2019-10098, CVE-2020-1927 K25126370, BT823877 CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability 14.1.4.5, 15.1.5.1, 16.1.2.2
803965-2 CVE-2018-20843 K51011533, BT803965 Expat Vulnerability: CVE-2018-20843 13.1.5, 14.1.4.5, 15.1.4, 16.1.2
1009725-4 CVE-2022-23030 K53442005, BT1009725 Excessive resource usage when ixlv drivers are enabled 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
713754-1 CVE-2017-15715 K27757011 Apache vulnerability: CVE-2017-15715 14.1.4.5, 15.1.5.1, 16.1.2.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
930633-1 3-Major BT930633 Delay in using new route updates by existing connections on BIG-IP. 14.1.4.5, 15.1.5.1
1015133-2 3-Major BT1015133 Tail loss can cause TCP TLP to retransmit slowly. 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
985953-2 4-Minor BT985953 GRE Transparent Ethernet Bridging inner MAC overwrite 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1042993-1 1-Blocking K19272127, BT1042993 Provisioning high availability (HA) setup wizard fails to load, reports 'No Access' 13.1.5, 14.1.4.5, 15.1.4.1
1039049-1 1-Blocking BT1039049 Installing EHF on particular platforms fails with error "RPM transaction failure" 14.1.4.5, 15.1.4.1, 16.1.2
831821-3 2-Critical BT831821 Corrupted DAG packets causes bcm56xxd core on VCMP host 14.1.4.5, 15.1.4.1
1043277-2 2-Critical K06520200, BT1043277 'No access' error page displays for APM policy export and apply options. 13.1.5, 14.1.4.5, 15.1.4.1
1004929-4 2-Critical BT1004929 During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. 13.1.5, 14.1.4.5, 15.1.5
996001-2 3-Major BT996001 AVR Inspection Dashboard 'Last Month' does not show all data points 14.1.4.5, 15.1.5, 16.1.2.1
958093-2 3-Major BT958093 IPv6 routes missing after BGP graceful restart 13.1.5, 14.1.4.5, 15.1.4.1
935801-3 3-Major BT935801 HSB diagnostics are not provided under certain types of failures 14.1.4.5, 15.1.2
922185-4 3-Major BT922185 LDAP referrals not supported for 'cert-ldap system-auth' 14.1.4.5, 15.1.4.1, 16.1.2
900933-2 3-Major BT900933 IPsec interoperability problem with ECP PFS 14.1.4.5, 15.1.4.1, 16.0.1.2
881085-1 3-Major BT881085 Intermittent auth failures with remote LDAP auth for BIG-IP management 14.1.4.5, 15.1.4.1, 16.1.2
1045421-3 3-Major K16107301, BT1045421 No Access error when performing various actions in the TMOS GUI 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1032077-3 3-Major BT1032077 TACACS authentication fails with tac_author_read: short author body 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1026549-4 3-Major BT1026549 Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd 14.1.4.5, 15.1.4.1, 16.1.2
1015093-4 3-Major BT1015093 The "iq" column is missing from the ndal_tx_stats table 14.1.4.5, 15.1.4.1
1003257-3 3-Major BT1003257 ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
988533-3 4-Minor BT988533 GRE-encapsulated MPLS packet support 14.1.4.5, 15.1.4.1
889813-1 4-Minor BT889813 Show net bwc policy prints bytes-per-second instead of bits-per-second 14.1.4.5
1030845-3 4-Minor BT1030845 Time change from TMSH not logged in /var/log/audit. 14.1.4.5, 15.1.4.1, 16.1.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1005433 1-Blocking BT1005433 LTM Pool Members may not be updated accurately when multiple identical database monitors are configured 13.1.5, 14.1.4.5
862885-1 2-Critical BT862885 Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error 14.1.4.5, 15.1.4.1
788813-1 2-Critical BT788813 TMM crash when deleting virtual-wire config 14.1.4.5
750702-1 2-Critical BT750702 TMM crashes while making changes to virtual wire configuration 14.1.4.5
1040361-3 2-Critical BT1040361 TMM crashes during its startup when TMC destination port list attached/deleted to virtual server. 14.1.4.5, 15.1.5, 16.1.2
1019081-2 2-Critical K97045220, BT1019081 HTTP/2 hardening 13.1.5, 14.1.4.5, 15.1.3.1
1009161 2-Critical BT1009161 SSL mirroring protect for null sessions 14.1.4.5, 15.1.5.1
999097-4 3-Major BT999097 SSL::profile may select profile with outdated configuration 14.1.4.5, 15.1.5, 16.1.2.1
963705-2 3-Major BT963705 Proxy ssl server response not forwarded 13.1.5, 14.1.4.5, 15.1.4.1
904041-4 3-Major BT904041 Ephemeral pool members may be incorrect when modified via various actions 13.1.5, 14.1.4.5, 15.1.4.1
872721-1 3-Major BT872721 SSL connection mirroring intermittent failure with TLS1.3 14.1.4.5, 15.1.5.1
803629-2 3-Major BT803629 SQL monitor fails with 'Analyze Response failure' message even if recv string is correct 13.1.5, 14.1.4.5, 15.1.4.1, 16.0.1.1
761477-7 3-Major BT761477 Client authentication performance when large CRL is used 14.1.4.5
1038629-3 3-Major BT1038629 DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
1034365-1 3-Major BT1034365 DTLS handshake fails with DTLS1.2 client version 13.1.5, 14.1.4.5, 15.1.5
1020941-3 3-Major BT1020941 HTTP/2 header frames decoding may fail with COMPRESSION_ERROR when frame delivered in multiple xfrags 14.1.4.5, 15.1.4
1018577-2 3-Major BT1018577 SASP monitor does not mark pool member with same IP Address but different Port from another pool member 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1017513-2 3-Major BT1017513 Config sync fails with error Invalid monitor rule instance identifier or monitors are in a bad state such as checking 13.1.5, 14.1.4.5, 15.1.5.1, 16.1.2.1
1015161-3 3-Major BT1015161 Ephemeral pool member may not be created when FQDN resolves to address that matches static node 13.1.5, 14.1.4.5, 15.1.5.1
1008017-1 3-Major BT1008017 Validation failure on Enforce TLS Requirements and TLS Renegotiation 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1008009-1 3-Major BT1008009 SSL mirroring null hs during session sync state 14.1.4.5, 15.1.5.1, 16.1.2.2
936557-3 4-Minor BT936557 Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled. 13.1.5, 14.1.4.5, 15.1.4.1
890881-3 4-Minor BT890881 ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address 14.1.4.5, 15.1.4.1
1045913-4 4-Minor BT1045913 COMPRESS::disable/COMPRESS::enable don't work reliably for selective compression 14.1.4.5, 15.1.5.1
1018493-3 4-Minor BT1018493 Response code 304 from TMM Cache always closes TCP connection. 13.1.5, 14.1.4.5, 15.1.4, 16.1.2
1005109-1 4-Minor BT1005109 TMM crashes when changing traffic-group on IPv6 link-local address 14.1.4.5, 15.1.5, 16.1.2.1
1002945-1 4-Minor BT1002945 Some connections are dropped on chained IPv6 to IPv4 virtual servers. 14.1.4.5, 15.1.4.1, 16.1.2
898929-2 5-Cosmetic BT898929 Tmm might crash when ASM, AVR, and pool connection queuing are in use 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1035853-4 2-Critical K41415626, BT1035853 Transparent DNS Cache can consume excessive resources. 13.1.5, 14.1.4.5, 15.1.5, 16.1.2
1009037-4 2-Critical BT1009037 Tcl resume on invalid connection flow can cause tmm crash 14.1.4.5, 15.1.4.1, 16.1.2
863917-3 3-Major BT863917 The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval. 13.1.4.1, 14.1.4.5, 15.1.3, 16.0.1.2
756470-5 3-Major BT756470 Additional logging added to detect when monitoring operations in the configuration exceeds capabilities. 13.1.3.4, 14.1.4.5
1024553-3 3-Major BT1024553 GTM Pool member set to monitor type "none" results in big3d: timed out 13.1.5, 14.1.4.5, 15.1.5
1021417-4 3-Major BT1021417 Modifying GTM pool members with replace-all-with results in pool members with order 0 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1021061-2 3-Major BT1021061 Config fails to load for large config on platform with Platform FIPS license enabled 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
993613-4 2-Critical BT993613 Device fails to request full sync 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
912149-4 2-Critical BT912149 ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
879841-3 2-Critical BT879841 Domain cookie same-site option is missing the "None" as value in GUI and rest 13.1.5, 14.1.4.5, 15.1.4.1
1019853-3 2-Critical K30911244, BT1019853 Some signatures are not matched under specific conditions 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1011061-1 2-Critical K39002226, BT1011061 Certain attack signatures may not match in multipart content 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
984593-3 3-Major BT984593 BD crash 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
948805-3 3-Major BT948805 False positive "Null in Request" 14.1.4.5, 15.1.4.1
907025-1 3-Major BT907025 Live update error: 'Try to reload page' 14.1.4.5, 15.1.5, 16.1.2.1
886865-2 3-Major BT886865 P3P header is added for all browsers, but required only for Internet Explorer 14.1.4.5, 15.1.5
885765-4 3-Major BT885765 ASMConfig Handler undergoes frequent restarts 14.1.4.5, 15.1.5, 16.1.2.1
857633-2 3-Major BT857633 Attack Type (SSRF) appears incorrectly in REST result 13.1.5, 14.1.4.5, 15.1.4.1
842013-4 3-Major BT842013 ASM Configuration is Lost on License Reactivation 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
785873-2 3-Major BT785873 ASM should treat 'Authorization: Negotiate TlR' as NTLM 13.1.5, 14.1.4.5
731168-1 3-Major BT731168 BIG-IP may attempt to write to an out of bounds memory location, causing the bd daemon to crash. 13.1.5, 14.1.4.5
1042069-3 3-Major   Some signatures are not matched under specific conditions. 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2.1
1017153-1 3-Major BT1017153 Asmlogd suddenly deletes all request log protobuf files and records from the database. 14.1.4.5, 15.1.4.1, 16.1.2
1005105-4 3-Major BT1005105 Requests are missing on traffic event logging 14.1.4.5, 15.1.4, 16.1.1
1004069-2 3-Major BT1004069 Brute force attack is detected too soon 13.1.5, 14.1.4.5, 15.1.5, 16.1.2
883673-1 4-Minor   BotDefense JavaScript browser verification can cause low score when using Google Lighthouse tool 14.1.4.5
1031029 4-Minor BT1031029 "Use of uninitialized value" warning observed during UCS restore. 14.1.4.5


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
832805-1 3-Major BT832805 AVR should make sure file permissions are correct (tmstat_tables.xml) 13.1.5, 14.1.4.5, 15.1.4.1
787677-3 3-Major BT787677 AVRD stays at 100% CPU constantly on some systems 13.1.5, 14.1.4.5, 15.1.4.1
1035133-2 3-Major BT1035133 Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
948113-4 4-Minor BT948113 User-defined report scheduling fails 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
883889-1 2-Critical BT883889 Tmm might crash when under memory pressure 14.1.4.5, 15.1.5
860617-2 2-Critical BT860617 RADIUS server pool without an attached load balancing algorithm will result in a core 14.1.4.5, 15.1.4.1
1006893-1 2-Critical BT1006893 Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core 14.1.4.5, 15.1.4.1, 16.1.2
993457-3 3-Major BT993457 TMM core with ACCESS::policy evaluate iRule 14.1.4.5, 15.1.4.1, 16.1.2
969317-2 3-Major BT969317 "Restrict to Single Client IP" option is ignored for vmware VDI 14.1.4.5, 15.1.4.1, 16.1.2.1
956645-1 3-Major BT956645 Per-request policy execution may timeout. 14.1.4.5
941393 3-Major BT941393 Memory leak in SWG 14.1.4.5
932213-1 3-Major BT932213 Local user db not synced to standby device when it comes online after forced offline state 14.1.4.5, 15.1.4.1
924857-4 3-Major BT924857 Logout URL with parameters resets TCP connection 14.1.4.5, 15.1.2, 16.0.1.2
915509-3 3-Major BT915509 RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true 14.1.4.5, 15.1.4.1
853325-3 3-Major BT853325 TMM Crash while parsing form parameters by SSO. 14.1.4.5, 15.0.1.3, 15.1.0.2
828761-3 3-Major BT828761 APM OAuth - Auth Server attached iRule works inconsistently 14.1.4.5, 15.1.5, 16.1.2.1
827393-1 3-Major BT827393 In rare cases tmm crash is observed when using APM as RDG proxy. 13.1.5, 14.1.4.5, 15.1.5.1, 16.1.2.1
802381-2 3-Major BT802381 Localdb authentication fails 14.1.4.5, 15.0.1.3
738593-1 3-Major BT738593 Vmware Horizon session collaboration (shadow session) feature does not work through APM. 14.1.4.5, 15.1.5, 16.1.2.1
712857-3 3-Major BT712857 SWG-Explicit rejects large POST bodies during policy evaluation 12.1.3.6, 14.1.4.5
1045229-3 3-Major BT1045229 APMD leaks Tcl_Objs as part of the fix made for ID 1002557 14.1.4.5, 15.1.5.1, 16.1.2.2
1044121-1 3-Major BT1044121 APM logon page is not rendered if db variable "ipv6.enabled" is set to false 14.1.4.5, 15.1.5.1, 16.1.2.2
1021485-1 3-Major BT1021485 VDI desktops and apps freeze with Vmware and Citrix intermittently 14.1.4.5, 15.1.4.1, 16.1.2
1001337 3-Major BT1001337 Cannot read single sign-on configuration from GUI when logged in as guest 14.1.4.5, 15.1.4.1
942965-1 4-Minor BT942965 Local users database can sometimes take more than 5 minutes to sync to the standby device 14.1.4.5, 15.1.5


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1007113-4 2-Critical BT1007113 Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds 14.1.4.5, 15.1.4.1, 16.1.2
1039329-3 3-Major BT1039329 MRF per peer mode is not working in vCMP guest. 14.1.4.5, 15.1.5, 16.1.2.1
1025529-3 3-Major BT1025529 TMM generates core when iRule executes a nexthop command and SIP traffic is sent 14.1.4.5, 15.1.4.1, 16.1.2.1
1003633-4 4-Minor BT1003633 There might be wrong memory handling when message routing feature is used 14.1.4.5, 15.1.4.1, 16.1.2


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1049229-3 2-Critical BT1049229 When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
995433-4 3-Major BT995433 IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT 14.1.4.5, 15.1.4.1


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
956013 3-Major BT956013 System reports {{validation_errors}} 14.1.4.5, 15.1.5, 16.1.2.1


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
922665-1 3-Major BT922665 The admd process is terminated by watchdog on some heavy load configuration process 14.1.4.5, 15.1.5
1023437-4 3-Major   Buffer overflow during attack with large HTTP Headers 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
1033829 2-Critical BT1033829 Unable to load Traffic Classification package 14.1.4.5, 15.1.5.1, 16.1.2.2
686783-3 4-Minor BT686783 UrlCat custom database feed list does not work when the URL contains a www prefix or capital letters. 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1032689-4 4-Minor BT1032689 UrlCat Custom db feedlist does not work for some URLs 14.1.4.5, 15.1.4.1, 16.1.2


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
873545-1 3-Major BT873545 SSL Orchestrator Configuration GUI freezes after management IP change. 14.1.4.5
761314-2 3-Major BT761314 OSPF Hello does not work for L2 wire 14.1.4.5



Cumulative fixes from BIG-IP v14.1.4.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
981461-3 CVE-2021-23032 K45407662, BT981461 Unspecified DNS responses cause TMM crash 13.1.5, 14.1.4.4, 15.1.3.1
966901-3 CVE-2020-14364 K09081535, BT966901 CVE-2020-14364: Qemu Vulnerability 13.1.5, 14.1.4.4, 15.1.4.1
940317-3 CVE-2020-13692 K23157312, BT940317 CVE-2020-13692: PostgreSQL JDBC Driver vulnerability 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
937333-4 CVE-2022-23013 K29500533, BT937333 Incomplete validation of input in unspecified forms 13.1.5, 14.1.4.4, 15.1.4
550928-4 CVE-2022-23010 K34360320, BT550928 TMM may crash when processing HTTP traffic with a FastL4 virtual server 13.1.5, 14.1.4.4, 15.1.4.1
1030689-3 CVE-2022-23019 K82793463, BT1030689 TMM may consume excessive resources while processing Diameter traffic 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
1017973-3 CVE-2021-25215 K96223611, BT1017973 BIND Vulnerability CVE-2021-25215 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
1017965-3 CVE-2021-25214 K11426315, BT1017965 BIND Vulnerability CVE-2021-25214 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
1009029 CVE-2021-23035 K70415522, BT1009029 TMM may crash while processing HTTP requests 14.1.4.4
975589-2 CVE-2020-8277 K07944249, BT975589 CVE-2020-8277 Node.js vulnerability 14.1.4.4, 15.1.4.1
973409-4 CVE-2020-1971 K42910051, BT973409 CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference 14.1.4.4, 15.1.4.1, 16.1.2
962069-1 CVE-2021-23047 K79428827, BT962069 Excessive resource consumption while processing OCSP requests via APM 13.1.5, 14.1.4.4, 15.1.3.1
954425-3 CVE-2022-23031 K61112120, BT954425 Hardening of Live-Update 14.1.4.4, 15.1.4, 16.1.1
887965-3 CVE-2022-23027 K30573026, BT887965 Virtual server may stop responding while processing TCP traffic 13.1.5, 14.1.4.4, 15.1.4
1013145-3 CVE-2021-23052 K32734107 APM Hardening 13.1.5, 14.1.4.4
1008561-5 CVE-2022-23025 K44110411, BT1008561 In very rare condition, BIG-IP may crash when SIP ALG is deployed 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
1008077-4 CVE-2022-23029 K50343028, BT1008077 TMM may crash while processing TCP traffic with a FastL4 VS 13.1.5, 14.1.4.4, 15.1.4.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
741869-1 2-Critical BT741869 Enable SysDb variable 'Connection.VgL2Transparent' prior to operating the BIG-IP in L2 transparent mode using VLAN groups. 14.1.4.4
923301-1 3-Major BT923301 ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group 14.1.4.4, 15.1.4, 16.0.1.2
911141-4 3-Major BT911141 GTP v1 APN is not decoded/encoded properly 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
866073-1 3-Major BT866073 Add option to exclude stats collection in qkview to avoid very large data files 14.1.4.4, 15.1.4, 16.0.1.2
754335-1 3-Major BT754335 Install ISO does not boot on BIG-IP VE 14.1.4.4, 15.1.4.1
752542-4 3-Major BT752542 Automatic eviction of PEM URLCAT cloud cache 14.1.4.4
751032-3 4-Minor BT751032 TCP receive window may open too slowly after zero-window 14.1.4.4, 15.1.4


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1002109-4 1-Blocking BT1002109 Xen binaries do not follow security best practices 13.1.5, 14.1.4.4, 15.1.4
998729 2-Critical BT998729 Query for virtual address statistics is slow when there are hundreds of virtual address and address lists entries 14.1.4.4
980325-4 2-Critical BT980325 Chmand core due to memory leak from dossier requests. 13.1.5, 14.1.4.4, 15.1.4
942549-3 2-Critical BT942549 Dataplane INOPERABLE - Only 7 HSBs found. Expected 8 14.1.4.4, 15.1.4.1
831549-1 2-Critical BT831549 Marketing name does not display properly for BIG-IP i10010 (C127) 13.1.3.2, 14.1.4.4
767013-3 2-Critical BT767013 Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.4.4
749332-3 2-Critical BT749332 Client-SSL Object's description can be updated using CLI and with REST PATCH operation 14.1.4.4, 15.1.5, 16.1.2.1
730852-3 2-Critical BT730852 The tmrouted repeatedly crashes and produces core when new peer device is added 14.1.4.4, 15.1.5.1
718573-1 2-Critical BT718573 Internal SessionDB invalid state 14.1.4.4, 15.1.5.1
1034449 2-Critical BT1034449 Excessive CPU consumption by platform_agent. 14.1.4.4
969105-1 3-Major BT969105 HA failover connections via the management address do not work on vCMP guests running on VIPRION 13.1.5, 14.1.4.4, 15.1.4
965205-3 3-Major BT965205 BIG-IP dashboard downloads unused widgets 14.1.4.4, 15.1.4.1
958465-3 3-Major BT958465 In BIG-IP Virtual Edition, TMM may prematurely shut down during initialization 14.1.4.4, 15.1.3.1, 16.0.1.2
956293-1 3-Major BT956293 High CPU from analytics-related REST calls - Dashboard TMUI 14.1.4.4, 15.1.4
950849-2 3-Major BT950849 B4450N blades report page allocation failure. 14.1.4.4, 15.1.3.1
947529-1 3-Major BT947529 Security tab in virtual server menu renders slowly 13.1.5, 14.1.4.4, 15.1.4.1
940885-3 3-Major BT940885 Add embedded SR-IOV support for Mellanox CX5 Ex adapter 14.1.4.4, 15.1.4.1
850193-2 3-Major BT850193 Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues 14.1.4.4, 15.1.4
827033-3 3-Major BT827033 Boot marker is being logged before shutdown logs 14.1.4.4, 15.1.4
809657-2 3-Major BT809657 HA Group score not computed correctly for an unmonitored pool when mcpd starts 13.1.5, 14.1.4.4, 15.1.4.1
787881-2 3-Major BT787881 TMSH displays TSIG keys 14.1.4.4
755027-1 3-Major BT755027 Timer processing taking too long 14.1.4.4
741702-3 3-Major BT741702 TMM crash 14.1.4.4, 15.1.5.1
1024877-1 3-Major BT1024877 Systemd[]: systemd-ask-password-serial.service failed. 14.1.4.4, 15.1.4.1
1010393-3 3-Major BT1010393 Unable to relax AS-path attribute in multi-path selection 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
1009949-1 3-Major BT1009949 High CPU usage when upgrading from previous version 14.1.4.4, 15.1.4.1, 16.1.2
1008837-3 3-Major BT1008837 Control plane is sluggish when mcpd processes a query for virtual server and address statistics 14.1.4.4, 15.1.4, 16.1.2.2
898441-4 4-Minor BT898441 Enable logging of IKE keys 14.1.4.4, 15.1.4
884165-2 4-Minor BT884165 Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG 13.1.5, 14.1.4.4, 15.1.4.1
851393-3 4-Minor BT851393 Tmipsecd leaves a zombie rm process running after starting up 14.1.4.4, 15.1.0.5


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
846217-1 2-Critical BT846217 Translucent vlan-groups set local bit in destination MAC address 14.1.4.4, 15.1.2.1
837617-3 2-Critical BT837617 Tmm may crash while processing a compression context 14.1.4.4, 15.1.0.2
745589-6 2-Critical BT745589 In very rare situations, some filters may cause data-corruption. 14.1.4.4
997929-4 3-Major BT997929 Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic 14.1.4.4, 15.1.4, 16.0.1.2
978833-3 3-Major BT978833 Use of CRL-based Certificate Monitoring Causes Memory Leak 14.1.4.4, 15.1.4.1
969637-3 3-Major BT969637 Config may fail to load with "FIPS 140 operations not available on this system" after upgrade 14.1.4.4, 15.1.4
956133-4 3-Major BT956133 MAC address might be displayed as 'none' after upgrading. 14.1.4.4, 15.1.4
941481-3 3-Major BT941481 iRules LX - nodejs processes consuming excessive memory 14.1.4.4, 15.1.4
941257-2 3-Major BT941257 Occasional Nitrox3 ZIP engine hang 13.1.5, 14.1.4.4, 15.1.4
915773 3-Major BT915773 Restart of TMM after stale interface reference 14.1.4.4, 15.1.4.1, 16.1.2
912945-4 3-Major BT912945 A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed 14.1.4.4, 15.1.4, 16.1.1
910905-2 3-Major BT910905 TMM crash when processing virtual server traffic with TLS/SSL session cache enabled 14.1.4.4, 15.1.5.1
818833-3 3-Major BT818833 TCP re-transmission during SYN Cookie activation results in high latency 14.1.4.4, 15.1.4
778841-2 3-Major BT778841 Traffic is not passing in virtual wire when Virtual server type is standard & IP profile is ipother 14.1.4.4
749608-2 3-Major BT749608 HTTP Persistence cookies erroneously sent when cookie persistence turned off 14.1.4.4
723112-5 3-Major BT723112 LTM policies do not work if a condition has more than 127 matches 14.1.4.4, 15.1.4.1
714372-3 3-Major BT714372 Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari 14.1.4.4, 15.0.1.1, 15.1.0.2
1015209-1 3-Major BT1015209 Memory may be leaked when handling chunked responses 14.1.4.4
1015201-1 3-Major BT1015201 HTTP unchunking satellite leaks ERR_MORE_DATA which can cause connection to be aborted. 14.1.4.4, 15.1.5
1004897-3 3-Major BT1004897 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason 14.1.4.4, 16.1.2.2
936773-1 4-Minor BT936773 Improve logging for "double flow removal" TMM Oops 14.1.4.4, 15.1.4.1
753925-1 4-Minor BT753925 CLIENTSSL_CLIENTCERT iRule event may not be triggered on TLSv1.3 connections 14.1.4.4


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
1030665 2-Critical BT1030665 Apmd crashes during shutdown under certain conditions 14.1.4.4


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
995853-3 2-Critical BT995853 Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error. 13.1.5, 14.1.4.4, 15.1.4
850509-3 2-Critical BT850509 Zone Trusted Signature inadequately maintained, following change of master key 13.1.5, 14.1.4.4, 15.1.2
993489-4 3-Major BT993489 GTM daemon leaks memory when reading GTM link objects 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
864797-1 3-Major BT864797 Cached results for a record are sent following region modification 14.1.4.4, 15.1.4
847105-3 3-Major BT847105 The bigip_gtm.conf is reverted to default after rebooting with license expired 13.1.5, 14.1.4.4, 15.1.4.1
816277-2 4-Minor BT816277 Extremely long nameserver name causes GUI Error 13.1.5, 14.1.4.4


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
997137-4 2-Critical K80945213, BT997137 CSRF token modification may allow WAF bypass on GET requests 13.1.5, 14.1.4.4, 15.1.4.1
996381-4 2-Critical K41503304, BT996381 ASM attack signature may not match as expected 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
970329-4 2-Critical K70134152, BT970329 ASM hardening 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
965229-3 2-Critical BT965229 ASM Load hangs after upgrade 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
920197-2 2-Critical BT920197 Brute force mitigation can stop mitigating without a notification 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
964245-3 3-Major BT964245 ASM reports and enforces username always 13.1.5, 14.1.4.4, 15.1.4
962589-1 3-Major BT962589 Full Sync Requests Caused By Failed Relayed Call to delete_suggestion 14.1.4.4, 15.1.4, 16.1.1
962497-4 3-Major BT962497 BD crash after ICAP response 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
955017-4 3-Major BT955017 Excessive CPU consumption by asm_config_event_handler 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2
951133-1 3-Major BT951133 Live Update does not work properly after upgrade 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
946081-3 3-Major BT946081 Getcrc tool help displays directory structure instead of version 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
932133-3 3-Major BT932133 Payloads with large number of elements in XML take a lot of time to process 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
928717-1 3-Major BT928717 [ASM - AWS] - ASU fails to sync 14.1.4.4, 15.1.4
920149-2 3-Major BT920149 Live Update default factory file for Server Technologies cannot be reinstalled 14.1.4.4, 15.1.4.1, 16.1.1
914277-4 3-Major BT914277 [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU 14.1.4.4, 15.1.4.1, 16.0.1.2
904133-2 3-Major BT904133 Creating a user-defined signature via iControl REST occasionally fails with a 400 response code 14.1.4.4, 15.1.4.1
867825-2 3-Major BT867825 Export/Import on a parent policy leaves children in an inconsistent state 13.1.5, 14.1.4.4, 15.1.4
767057-2 3-Major BT767057 In a sync-only device group, inactive policy is synced to peer, ASM is removed from virtual server 13.1.5, 14.1.4.4
753715-1 3-Major BT753715 False positive JSON max array length violation 13.1.5, 14.1.4.4, 15.1.4.1
712336-1 3-Major BT712336 bd daemon restart loop 12.1.5.3, 13.1.5, 14.1.4.4
1022269-3 3-Major BT1022269 False positive RFC compliant violation 13.1.5, 14.1.4.4, 15.1.4, 16.1.2
1000741-4 3-Major K67397230, BT1000741 Fixing issue with input normalization 14.1.4.4, 15.1.4, 16.1.1
952509-1 4-Minor BT952509 Cross origin AJAX requests are blocked in case there is no Origin header 14.1.4.4, 15.1.4, 16.0.1.2
944441-3 4-Minor BT944441 BD_XML logs memory usage at TS_DEBUG level 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
941249-4 4-Minor BT941249 Improvement to getcrc tool to print cookie names when cookie attributes are involved 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
746167-1 4-Minor BT746167 Memory pressure from nsyncd 14.1.4.4


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
932137-4 3-Major BT932137 AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
926341-3 3-Major BT926341 RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade 13.1.5, 14.1.4.4, 15.1.4
922105-4 3-Major BT922105 Avrd core when connection to BIG-IQ data collection device is not available 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
909161-4 3-Major BT909161 A core file is generated upon avrd process restart or stop 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
1020705-3 4-Minor BT1020705 "tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead of "attack_type_name" 14.1.4.4, 15.1.3.1, 16.1.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
789085-2 2-Critical BT789085 When executing the ACCESS::session iRule command under a serverside event, tmm may crash 14.1.4.4
766921-1 2-Critical BT766921 Localdbmgr process crashes and generates a core 14.1.4.4
1020349-1 2-Critical BT1020349 APM daemon may crash if CRLDP agent cannot find a certificate to validate CRL 14.1.4.4
984765-4 3-Major BT984765 APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) 14.1.4.4, 15.1.4
949477-2 3-Major BT949477 NTLM RPC exception: Failed to verify checksum of the packet 14.1.4.4, 15.1.4.1
946125-1 3-Major BT946125 Tmm restart adds 'Revoked' tokens to 'Active' token count 14.1.4.4, 15.1.4
849029-3 3-Major BT849029 No configurable setting for maximum entries in CRLDP cache 14.1.4.4, 16.1.3
844781-1 3-Major BT844781 [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection 14.1.4.4, 15.0.1.3, 15.1.0.2
844281-1 3-Major BT844281 [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files. 14.1.4.4, 15.0.1.3, 15.1.0.2
803825-3 3-Major BT803825 WebSSO does not support large NTLM target info length 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2
744407-3 3-Major BT744407 While the client has been closed, iRule function should not try to check on a closed session 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2
1007629-2 3-Major BT1007629 APM policy configured with many ACL policies can create APM memory pressure 13.1.5, 14.1.4.4, 15.1.4.1
1002557-3 3-Major BT1002557 Tcl free object list growth 13.1.5, 14.1.4.4, 15.1.4.1
1001041-2 3-Major BT1001041 Reset cause 'Illegal argument' 14.1.4.4, 15.1.4
939877-2 4-Minor BT939877 OAuth refresh token not found 14.1.4.4, 15.1.4, 16.1.2


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
993913-1 2-Critical BT993913 TMM SIGSEGV core in Message Routing Framework 14.1.4.4, 15.1.4, 16.1.1
1012721-2 2-Critical BT1012721 Tmm may crash with SIP-ALG deployment in a particular race condition 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.1
996113-4 3-Major BT996113 SIP messages with unbalanced escaped quotes in headers are dropped 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
805821-4 3-Major BT805821 GTP log message contains no useful information 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
919301-4 4-Minor BT919301 GTP::ie count does not work with -message option 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
913413-4 4-Minor BT913413 'GTP::header extension count' iRule command returns 0 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
913409-4 4-Minor BT913409 GTP::header extension command may abort connection due to unreasonable TCL error 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
913393-4 5-Cosmetic BT913393 Tmsh help page for GTP iRule contains incorrect and missing information 13.1.5, 14.1.4.4, 15.1.4, 16.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
990461-2 3-Major BT990461 Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade 14.1.4.4, 16.1.3
744204-1 3-Major BT744204 PCCD may exhaust system memory when compiling 14.1.4.4
1012521-4 3-Major BT1012521 BIG-IP UI file permissions 14.1.4.4, 15.1.4, 16.0.1.2
926425 4-Minor BT926425 Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts 14.1.4.4


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
913453-3 2-Critical BT913453 URL Categorization: wr_urldbd cores while processing urlcat-query 14.1.4.4, 15.1.4
760961-3 2-Critical BT760961 TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts 13.1.1.5, 14.1.4.4
958085-2 3-Major BT958085 IM installation fails with error: Spec file not found 14.1.4.4, 15.1.4
785605-2 3-Major BT785605 Traffic Intelligence Feed Lists are not usable if created on Standby unit in Traffic Group 14.1.4.4
974205-2 4-Minor BT974205 Unconstrained wr_urldbd size causing box to OOM 12.1.6, 14.1.4.4, 15.1.4


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
970829-4 2-Critical K03310534, BT970829 iSeries LCD incorrectly displays secure mode 14.1.4.4, 15.1.4, 16.0.1.2
929213-3 3-Major BT929213 iAppLX packages not rolled forward after BIG-IP upgrade 14.1.4.4, 15.1.4.1, 16.1.2


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
946185-4 3-Major BT946185 Unable to view iApp component due to error 'An error has occurred while trying to process your request.' 14.1.4.4, 15.1.4.1, 16.1.2


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
822245-5 4-Minor BT822245 Large number of in-TMM monitors results in some monitors being marked down 14.1.4.4, 15.1.4


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
918317-3 3-Major BT918317 SSL Orchestrator resets subsequent requests when HTTP services are being used. 14.1.4.4, 15.1.4



Cumulative fixes from BIG-IP v14.1.4.3 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
989009-4 CVE-2021-23033 K05314769, BT989009 BD daemon may crash while processing WebSocket traffic 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
980125-4 CVE-2021-23030 K42051445, BT980125 BD Daemon may crash while processing WebSocket traffic 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
946377-3 CVE-2021-23027 K24301698, BT946377 HSM WebUI Hardening 14.1.4.3, 15.1.3.1, 16.0.1.2
968349-1 CVE-2021-23048 K19012930, BT968349 TMM crashes with unspecified message 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
950017-3 CVE-2021-23045 K94941221, BT950017 TMM may crash while processing SCTP traffic 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
797797-3 CVE-2019-11811 K01512680, BT797797 CVE-2019-11811 kernel: use-after-free in drivers 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.1
968733-5 CVE-2018-1120 K42202505, BT968733 CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
939421-4 CVE-2020-10029 K38481791, BT939421 CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow 14.1.4.3, 15.1.4, 16.0.1.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
876937-1 3-Major BT876937 DNS Cache not functioning 14.1.4.3, 15.1.4


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
967905-3 2-Critical BT967905 Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
1004517-3 2-Critical BT1004517 BIG-IP tenants on VELOS cannot install EHFs 14.1.4.3, 15.1.4
1000973-2 2-Critical BT1000973 Unanticipated restart of TMM due to heartbeat failure 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
998221-4 3-Major BT998221 Accessing pool members from configuration utility is slow with large config 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.2
996593-3 3-Major BT996593 Password change through REST or GUI not allowed if the password is expired 14.1.4.3, 15.1.4, 16.0.1.2
994801-4 3-Major   SCP file transfer system 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
908601-4 3-Major BT908601 System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option 14.1.4.3, 15.1.4, 16.0.1.2
841277-5 3-Major BT841277 C4800 LCD fails to load after annunciator hot-swap 14.1.4.3, 15.1.4
804477-4 3-Major BT804477 Add HSB register logging when parts of the device becomes unresponsive 13.1.3.4, 14.1.4.3
819053-2 4-Minor   CVE-2019-13232 unzip: overlapping of files in ZIP container 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
1004417-1 4-Minor BT1004417 Provisioning error message during boot up 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1007505 2-Critical BT1007505 TLS handshake times out if intermediate CA cert status cannot be determined 14.1.4.3
1001509-1 2-Critical K11162395, BT1001509 Client going through to BIG-IP SSL forward proxy might not be able to trust forged certificates 14.1.4.3, 15.1.3
882549-3 3-Major BT882549 Sock driver does not use multiple queues in unsupported environments 14.1.4.3, 15.1.4, 16.0.1.2
962433-3 4-Minor BT962433 HTTP::retry for a HEAD request fails to create new connection 13.1.4.1, 14.1.4.3, 15.1.4


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1017645-3 2-Critical BT1017645 False positive HTTP compliance violation 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
981785-2 3-Major BT981785 Incorrect incident severity in Event Correlation statistics 14.1.4.3, 15.1.4, 16.0.1.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
833113-3 3-Major BT833113 Avrd core when sending large messages via https 13.1.3.4, 14.1.4.3, 15.0.1.3, 15.1.4


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
660913-3 2-Critical BT660913 For ActiveSync client type, browscap info provided is incorrect. 12.1.4.1, 13.1.3.4, 14.1.4.3
924521-1 3-Major BT924521 OneConnect does not work when WEBSSO is enabled/configured. 14.1.4.3, 15.1.4
470346-2 3-Major BT470346 Some IPv6 client connections get RST when connecting to APM virtual 13.1.5, 14.1.4.3, 15.1.4


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
991037-1 3-Major BT991037 MR::message can cause tmm crash 14.1.4.3
788625-3 3-Major BT788625 A pool member is not marked up by the inband monitor even after successful connection to the pool member 14.1.4.3, 15.1.4, 16.0.1.2


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
874677 2-Critical BT874677 Traffic Classification auto signature update fails from GUI 14.1.4.3, 15.1.3, 16.0.1.1
976365-1 3-Major BT976365 Traffic Classification hardening 14.1.4.3, 15.1.3.1


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
795329-2 3-Major BT795329 IM installation fails if 'auto-add-new-inspections' enabled on profile 14.1.4.3, 15.0.1.1


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
947925-4 3-Major BT947925 TMM may crash when executing L7 Protocol Lookup per-request policy agent 14.1.4.3, 15.1.4



Cumulative fixes from BIG-IP v14.1.4.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
962341-4 CVE-2021-23028 K00602225, BT962341 BD crash while processing JSON content 13.1.4, 14.1.4.2, 15.1.3.1, 16.0.1.2
935433-4 CVE-2021-23026 K53854428, BT935433 iControl SOAP 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
981693-2 CVE-2022-23024 K54892865, BT981693 TMM may consume excessive resources while processing IPSec ALG traffic 13.1.5, 14.1.4.2, 15.1.4.1
965485-2 CVE-2019-5482 K41523201 CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
949889-2 CVE-2019-3900 K04107324, BT949889 CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
942701-3 CVE-2021-23044 K35408374, BT942701 TMM may consume excessive resources while processing HTTP traffic 13.1.4.1, 14.1.4.2, 15.1.3.1
937365-4 CVE-2021-23041 K42526507, BT937365 LTM UI does not follow best practices 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
907245-3 CVE-2021-23040 K94255403, BT907245 AFM UI Hardening 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
906377-4 CVE-2021-23038 K61643620, BT906377 iRulesLX hardening 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2
803933-2 CVE-2018-20843 K51011533, BT803933 Expat XML parser vulnerability CVE-2018-20843 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
1003557-4 CVE-2021-23015 K74151369, BT1003557 Not following best practices in Guided Configuration Bundle Install worker 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1004833-1 1-Blocking BT1004833 NIST SP800-90B compliance 14.1.4.2, 15.1.4, 16.1.3
976505-1 3-Major BT976505 Rotated restnoded logs will fail logintegrity verification. 14.1.4.2, 15.1.4, 16.0.1.2
975809-2 3-Major BT975809 Rotated restjavad logs fail logintegrity verification. 14.1.4.2, 15.1.4, 16.0.1.2
959629-3 3-Major BT959629 Logintegrity script for restjavad/restnoded fails 14.1.4.2, 15.1.4, 16.0.1.2
958353-3 3-Major BT958353 Restarting the mcpd messaging service renders the PAYG VE license invalid. 14.1.4.2, 15.1.4, 16.0.1.2
946089-1 3-Major BT946089 BIG-IP might send excessive multicast/broadcast traffic. 14.1.4.2, 15.1.4, 16.0.1.2
932497-1 3-Major BT932497 Autoscale groups require multiple syncs of datasync-global-dg 14.1.4.2, 15.1.4, 16.0.1.2
913849 3-Major BT913849 Syslog-ng periodically logs nothing for 20 seconds 14.1.4.2, 15.1.4, 16.0.1.2
764873-2 3-Major BT764873 An accelerated flow may transmit packets to an unavailable pool member. 13.1.3.2, 14.1.4.2, 15.0.1.3
1009133 3-Major BT1009133 BIG-IP vCMP guests that have HA Groups configured to include trunk scoring may fail to upgrade properly 14.1.4.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
945997-3 2-Critical BT945997 LTM policy applied to HTTP/2 traffic may crash TMM 14.1.4.2, 15.1.4, 16.0.1.2
980821-1 3-Major BT980821 Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured. 14.1.4.2, 15.1.3.1, 16.0.1.2
895557-1 4-Minor BT895557 NTLM profile logs error when used with profiles that do redirect 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2
773253-3 4-Minor BT773253 The BIG-IP may send VLAN failsafe probes from a disabled blade 13.1.4, 14.1.4.2, 15.1.2.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
918597-4 2-Critical BT918597 Under certain conditions, deleting a topology record can result in a crash. 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
717306-1 2-Critical BT717306 Added ability to use Vip-targeting-Vip with DNS Cache server-side connections 14.1.4.2
973261-4 3-Major BT973261 GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
912001-4 3-Major BT912001 TMM cores on secondary blades of the Chassis system. 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
835209-1 3-Major BT835209 External monitors mark objects down 14.1.4.2, 15.1.3
746719-1 3-Major BT746719 SERVFAIL when attempting to view or edit NS resource records in zonerunner 14.1.4.2
857953-3 4-Minor BT857953 Non-functional disable/enable buttons present in GTM wide IP members page 14.1.4.2, 15.1.4, 16.0.1.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
968421-4 2-Critical K30291321, BT968421 ASM attack signature doesn't match 11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2
943913-4 2-Critical K30150004, BT943913 ASM attack signature does not match 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2
854001-4 2-Critical BT854001 TMM might crash in case of trusted bot signature and API protected url 14.1.4.2, 15.1.4, 16.0.1.2
810497-2 2-Critical BT810497 Pabnagd cores during device group settings changes 14.1.4.2
950917-2 3-Major BT950917 Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 13.1.4.1, 14.1.4.2, 15.1.4
928685-3 3-Major K49549213, BT928685 ASM Brute Force mitigation not triggered as expected 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
922261-4 3-Major BT922261 WebSocket server messages are logged even if it is not configured 14.1.4.2, 15.1.4, 16.0.1.2
912089-3 3-Major BT912089 Some roles are missing necessary permission to perform Live Update 14.1.4.2, 15.1.4, 16.0.1.2
907337-4 3-Major BT907337 BD crash on specific scenario 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
888289-3 3-Major BT888289 Add option to skip percent characters during normalization 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1
883853-1 3-Major BT883853 Bot Defense Profile with staged signatures prevents signature update 14.1.4.2, 15.1.4
881757-2 3-Major BT881757 Unnecessary HTML response parsing and response payload is not compressed 14.1.4.2, 15.1.1, 16.0.1.2
846181-1 3-Major BT846181 Request samples for some of the learning suggestions are not visible 14.1.4.2, 15.1.4
830341-1 3-Major BT830341 False positives Mismatched message key on ASM TS cookie 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2.1
792341-2 3-Major BT792341 Google Analytics shows incorrect stats. 13.1.4.1, 14.1.4.2
673272-4 3-Major BT673272 Search by "Signature ID is" does not return results for some signature IDs 13.1.4, 14.1.4.2, 15.1.4, 16.0.1.2
941929-1 4-Minor BT941929 Google Analytics shows incorrect stats, when Google link is redirected. 14.1.4.2, 15.1.4, 16.0.1.2
911729-1 4-Minor BT911729 Redundant learning suggestion to set a Maximum Length when parameter is already at that value 14.1.4.2, 15.1.4, 16.0.1.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
981385-4 3-Major BT981385 AVRD does not send HTTP events to BIG-IQ DCD 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2
932485-2 3-Major BT932485 Incorrect sum(hits_count) value in aggregate tables 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
913085-4 3-Major BT913085 Avrd core when avrd process is stopped or restarted 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
995029 2-Critical BT995029 Configuration is not updated during auto-discovery 14.1.4.2, 15.1.4
783233-2 2-Critical BT783233 OAuth puts quotation marks around claim values that are not string type 14.1.4.2
894885 3-Major BT894885 [SAML] SSO crash while processing client SSL request 14.1.4.2, 15.1.4
866109-1 3-Major BT866109 JWK keys frequency does not support fewer than 60 minutes 13.1.4.1, 14.1.4.2, 15.1.4
757781-3 3-Major BT757781 Portal Access: cookie exchange may be broken sometimes 13.1.1.5, 14.0.0.5, 14.1.4.2, 15.0.1.1
738865-3 3-Major BT738865 MCPD might enter into loop during APM config validation 14.1.4.2, 15.1.4
828773-1 4-Minor BT828773 Incomplete response to an internal request by Portal Access 14.1.4.2
766017-1 4-Minor BT766017 [APM][LocalDB] Local user database instance name length check inconsistencies 12.1.5.3, 13.1.3.5, 14.1.4.2, 15.1.2, 16.0.1.1
747234-5 4-Minor BT747234 Macro policy does not find corresponding access-profile directly 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
974881-1 2-Critical BT974881 Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic 14.1.4.2, 15.1.4, 16.0.1.2
868781-2 2-Critical BT868781 TMM crashes while processing MRF traffic 13.1.4.1, 14.1.4.2, 15.1.1
989753-3 3-Major BT989753 In HA setup, standby fails to establish connection to server 14.1.4.2, 15.1.4, 16.0.1.2


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
992213-1 3-Major BT992213 Protocol Any displayed as HOPTOPT in AFM policy view 14.1.4.2, 15.1.4, 16.1.1
988005-3 3-Major BT988005 Zero active rules counters in GUI 14.1.4.2, 15.1.4, 16.0.1.2
783217-1 3-Major BT783217 Negative numbers of received packets in DoS-sampled log messages for bad actor and attacked destination attacks 14.1.4.2
751116-1 3-Major BT751116 DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring 13.1.3.4, 14.1.4.2
716746-1 3-Major BT716746 Possible tmm restart when disabling single endpoint vector while attack is ongoing 13.1.0.7, 14.1.4.2, 15.1.3, 16.0.1.2
685904-2 3-Major BT685904 Firewall Rule hit counts are not auto-updated after a Reset is done 14.1.4.2, 15.1.4
977005-2 4-Minor BT977005 Network Firewall Policy rules-list showing incorrect 'Any' for source column 14.1.4.2, 15.1.4


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
981689-1 2-Critical BT981689 TMM memory leak with IPsec ALG 14.1.4.2, 15.1.4.1
994985-1 3-Major BT994985 CGNAT GUI shows blank page when applying SIP profile 14.1.4.2, 15.1.4


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
893721-1 2-Critical BT893721 PEM-provisioned systems may suffer random tmm crashes after upgrading 14.1.4.2, 15.1.4
948573-2 3-Major BT948573 Wr_urldbd list of valid TLDs needs to be updated 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
846601-3 3-Major BT846601 Traffic classification does not update when an inactive slot becomes active after upgrade 14.1.4.2, 15.1.4, 16.0.1.2


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
912425-1 3-Major BT912425 Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash 14.1.4.2, 15.1.4, 16.0.1.2



Cumulative fixes from BIG-IP v14.1.4.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
980809-3 CVE-2021-23031 K41351250, BT980809 ASM REST Signature Rule Keywords Tool Hardening 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
990333-4 CVE-2021-23016 K75540265, BT990333 APM may return unexpected content when processing HTTP requests 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
945109-4 CVE-2015-9382 K46641512, BT945109 Freetype Parser Skip Token Vulnerability CVE-2015-9382 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
1002561-1 CVE-2021-23007 K37451543, BT1002561 TMM vulnerability CVE-2021-23007 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
933777-2 3-Major BT933777 Context use and syntax changes clarification 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
704552-2 3-Major BT704552 Support for ONAP site licensing 13.1.0.7, 14.0.0.2, 14.1.4.1
918097-1 4-Minor BT918097 Cookies set in the URI on Safari 14.1.4.1, 15.1.3, 16.0.1.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
995629-2 2-Critical BT995629 Loading UCS files may hang if ASM is provisioned 13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2
876957-2 2-Critical BT876957 Reboot after tmsh load sys config changes sys FPGA firmware-config value 14.1.4.1, 15.1.1
978393 3-Major BT978393 GUI screen shows blank screen while importing a certificate 14.1.4.1
969213-2 3-Major BT969213 VMware: management IP cannot be customized via net.mgmt.addr property 14.1.4.1, 15.1.3, 16.0.1.2
922297-3 3-Major BT922297 TMM does not start when using more than 11 interfaces with more than 11 vCPUs 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
914245-1 3-Major BT914245 Reboot after tmsh load sys config changes sys FPGA firmware-config value 14.1.4.1, 15.1.3, 16.0.1.2
841649-2 3-Major BT841649 Hardware accelerated connection mismatch resulting in tmm core 14.1.4.1, 15.1.2
839121-1 3-Major K74221031, BT839121 A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade 14.1.4.1, 15.1.3, 16.0.1.2
829821-3 3-Major BT829821 Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
692218-3 3-Major BT692218 Audit log messages sent from the primary blade to the secondaries should not be logged. 14.1.4.1, 15.1.3, 16.0.1.2
675911-13 3-Major K13272442, BT675911 Different sections of the GUI can report incorrect CPU utilization 14.1.4.1, 15.1.3, 16.0.1.2
601220-3 3-Major BT601220 Multi-blade trunks seem to leak packets ingressed via one blade to a different blade 14.1.4.1
569859-5 3-Major BT569859 Password policy enforcement for root user when mcpd is not available 14.1.4.1, 15.1.3
879189-3 4-Minor BT879189 Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section 14.1.4.1, 15.1.3, 16.0.1.2
658943-2 4-Minor BT658943 Errors when platform-migrate loading UCS using trunks on vCMP guest 14.1.4.1
440599-1 4-Minor BT440599 Added DB Variable to configure 'difok' variable in password policy 14.1.4.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
908621-3 2-Critical BT908621 Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core 14.1.4.1, 15.1.2
738964-2 2-Critical   Instruction logger debugging enhancement 14.1.4.1, 15.1.3
888517-3 3-Major BT888517 Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU. 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
878925-3 3-Major BT878925 SSL connection mirroring failover at end of TLS handshake 14.1.4.1, 15.1.2
760406-3 3-Major BT760406 HA connection might stall on Active device when the SSL session cache becomes out-of-sync. 14.1.4.1, 15.1.5.1
756812-2 3-Major BT756812 Nitrox 3 instruction/request logger may fail due to SELinux permission error 14.1.4.1, 15.1.3
756817-1 4-Minor BT756817 ZebOS addresses blocks do not reflect RFC5735 changes to reserved address blocks. 14.1.4.1, 15.0.1.4


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
971297-3 3-Major BT971297 DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade 14.1.4.1, 15.1.3, 16.0.1.2
885201-3 4-Minor BT885201 BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session' messages appearing in gtm log 14.1.4.1, 15.1.3


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
956373-3 3-Major BT956373 ASM sync files not cleaned up immediately after processing 14.1.4.1, 15.1.3, 16.0.1.2
947341-3 3-Major BT947341 MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. 14.1.4.1, 15.1.3, 16.0.1.2, 16.1.2
929001-4 3-Major K48321015, BT929001 ASM form handling improvements 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
767077-1 3-Major BT767077 Loading truncated Live Update file (ASU) completes incorrectly or fails with odd error 14.1.4.1
824093-3 4-Minor BT824093 Parameters payload parser issue 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
869049-2 3-Major BT869049 Charts discrepancy in AVR reports 14.1.4.1, 15.1.3, 16.0.1.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
883577-2 3-Major BT883577 ACCESS::session irule command does not work in HTTP_RESPONSE event 14.1.4.1, 15.1.3


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
750679-1 2-Critical BT750679 Tmm crash on standby device and Diameter stats issues 14.1.4.1
982869-3 3-Major BT982869 With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0 14.1.4.1, 15.1.3, 16.0.1.2
977053-3 3-Major BT977053 TMM crash on standby due to invalid MR router instance 14.1.4.1, 15.1.3, 16.0.1.2
966701-3 3-Major BT966701 Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP 14.1.4.1, 15.1.3, 16.0.1.2


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
851745-1 2-Critical BT851745 High cpu consumption when enabling large number of virtual servers 14.1.4.1, 15.1.2


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
914293-1 3-Major BT914293 TMM SIGSEGV and crash 14.1.4.1, 15.1.3, 16.0.1.2


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
964577-1 4-Minor BT964577 IPS automatic IM download not working as expected 14.1.4.1, 15.1.3, 16.0.1.2



Cumulative fixes from BIG-IP v14.1.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
975233-3 CVE-2021-22992 K52510511, BT975233 Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
973333-3 CVE-2021-22991 K56715231, BT973333 TMM buffer-overflow vulnerability CVE-2021-22991 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
955145-3 CVE-2021-22986 K03009991, BT955145 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
954381-3 CVE-2021-22986 K03009991, BT954381 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
953677-3 CVE-2021-22987, CVE-2021-22988 K18132488 K70031188, BT953677 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
951705-3 CVE-2021-22986 K03009991, BT951705 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 14.1.4, 15.1.2.1, 16.0.1.1
981169-3 CVE-2021-22994 K66851119, BT981169 F5 TMUI XSS vulnerability CVE-2021-22994 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
959121-2 CVE-2021-23015 K74151369, BT959121 Not following best practices in Guided Configuration Bundle Install worker 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
953729-3 CVE-2021-22989, CVE-2021-22990 K56142644 K45056101, BT953729 Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
949933-2 CVE-2021-22980 K29282483, BT949933 BIG-IP APM CTU vulnerability CVE-2021-22980 13.1.3.6, 14.1.4, 15.1.4, 16.0.1.1
931837-5 CVE-2020-13817 K55376430, BT931837 NTP has predictable timestamps 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
882633-4 CVE-2021-23008 K51213246, BT882633 Active Directory authentication does not follow current best practices 12.1.6, 13.1.4, 14.1.4, 15.1.3
976925-3 CVE-2021-23002 K71891773, BT976925 BIG-IP APM VPN vulnerability CVE-2021-23002 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
954429-3 CVE-2021-23014 K23203045, BT954429 User authorization changes for live update 14.1.4, 15.1.3, 16.0.1.1
948769-4 CVE-2021-23013 K05300051, BT948769 TMM panic with SCTP traffic 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
946581-3 CVE-2020-27713 K37960100, BT946581 TMM vulnerability CVE-2020-27713 13.1.3.5, 14.1.4
938233-3 CVE-2021-23042 K93231374 An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
937637-4 CVE-2021-23002 K71891773, BT937637 BIG-IP APM VPN vulnerability CVE-2021-23002 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
935401-4 CVE-2021-23001 K06440657, BT935401 BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
932697-2 CVE-2021-23000 K34441555, BT932697 BIG-IP TMM vulnerability CVE-2021-23000 12.1.5.3, 13.1.4, 14.1.4
903889 CVE-2021-22999 K02333782, BT903889 BIG-IP HTTP/2 vulnerability CVE-2021-22999 14.1.4
877109-3 CVE-2021-23012 K04234247 Unspecified input can break intended functionality in iHealth proxy 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
743105-4 CVE-2021-22998 K31934524, BT743105 BIG-IP SNAT vulnerability CVE-2021-22998 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
718189-7 CVE-2021-23011 K10751325, BT718189 Unspecified IP traffic can cause low-memory conditions 11.6.5.3, 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
912289-3 2-Critical BT912289 Cannot roll back after upgrading on certain platforms 12.1.6, 13.1.4, 14.1.4, 15.1.1
945265-3 3-Major BT945265 BGP may advertise default route with incorrect parameters 14.1.4, 15.1.3, 16.0.1.1
913829-3 3-Major BT913829 i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
867793-3 3-Major BT867793 BIG-IP sending the wrong trap code for BGP peer state 14.1.4, 15.1.2.1
794417-1 3-Major BT794417 Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not 13.1.4, 14.1.4, 15.1.3, 16.0.1.2, 16.1.3
742860-3 3-Major BT742860 VE: Predictable NIC ordering based on PCI coordinates until ordering is saved. 13.1.3.6, 14.1.4
719338-2 4-Minor BT719338 Concurrent management SSH connections are unlimited 13.1.4, 14.1.4, 15.1.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
990849-3 2-Critical BT990849 Loading UCS with platform-migrate option hangs and requires exiting from the command 13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2
940021-2 2-Critical BT940021 Syslog-ng hang may lead to unexpected reboot 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
932437-4 2-Critical BT932437 Loading SCF file does not restore files from tar file 14.1.4, 15.1.2.1, 16.0.1.1
915305-3 2-Critical BT915305 Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1
908517-1 2-Critical BT908517 LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)' 14.1.4, 15.1.3, 16.0.1.1
888341-5 2-Critical BT888341 HA Group failover may fail to complete Active/Standby state transition 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
886693-2 2-Critical BT886693 System might become unresponsive after upgrading. 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
817085-4 2-Critical BT817085 Multicast Flood Can Cause the Host TMM to Restart 12.1.5.3, 14.1.4
811973-2 2-Critical BT811973 TMM may crash when shutting down 14.1.4
797221-1 2-Critical BT797221 BCM daemon can be killed by watchdog timeout during blade-to-blade failover 14.1.4
785017-1 2-Critical BT785017 Secondary blades go offline after new primary is elected 13.1.4, 14.1.4, 15.1.3
776393-2 2-Critical BT776393 Restjavad restarts frequently due to insufficient memory with relatively large configurations 14.1.4, 15.1.3, 16.0.1.1
751991-1 2-Critical BT751991 BIOS update fails with "flashrom not safe for BIOS updates yet" log message 14.1.4
739507-1 2-Critical BT739507 Improved recovery method for BIG-IP system that has halted from a failed FIPS integrity check 13.1.1.2, 14.1.4, 15.1.0.5
739505-2 2-Critical BT739505 Automatic ISO digital signature checking not required when FIPS license active 13.1.1.2, 14.1.4, 15.1.2.1, 16.0.1.1
973201 3-Major BT973201 F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions 14.1.4, 15.1.4
967745-2 3-Major BT967745 Last resort pool error for the modify command for Wide IP 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1
963017-3 3-Major BT963017 The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed 14.1.4, 15.1.3
946745-3 3-Major BT946745 'System Integrity: Invalid' after Engineering Hotfix installation 14.1.4, 15.1.3
943793 3-Major BT943793 Neurond continuously restarting. 14.1.4, 15.1.5.1
939541-3 3-Major BT939541 TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE 14.1.4, 15.1.3, 16.0.1.1
930905-1 3-Major BT930905 Management route lost after reboot. 14.1.4, 15.1.2.1, 16.0.1.1
927941-3 3-Major BT927941 IPv6 static route BFD does not come up after OAMD restart 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
914081-3 3-Major BT914081 Engineering Hotfixes missing bug titles 14.1.4, 15.1.3
913433-1 3-Major BT913433 On blade failure, some trunked egress traffic is dropped. 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
909197-5 3-Major BT909197 The mcpd process may become unresponsive 14.1.4, 15.1.4.1, 16.0.1.1
904785-3 3-Major BT904785 Remotely authenticated users may experience difficulty logging in over the serial console 14.1.4, 15.1.2.1, 16.0.1.1
896817-4 3-Major BT896817 iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb 14.1.4, 15.1.2.1, 16.0.1.1
896553-2 3-Major BT896553 On blade failure, some trunked egress traffic is dropped. 13.1.3.6, 14.1.4, 15.1.3
895837-1 3-Major BT895837 Mcpd crash when a traffic-matching-criteria destination-port-list is modified 14.1.4, 15.1.2.1, 16.0.1.1
893949 3-Major BT893949 Support TCP directional offload for hardware-accelerated connections 14.1.4
893885 3-Major BT893885 The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation 14.1.4, 15.1.3
891337-3 3-Major BT891337 'save_master_key(master): Not ready to save yet' errors in the logs 14.1.4, 15.1.3
889029-4 3-Major BT889029 Unable to login if LDAP user does not have search permissions 14.1.4, 15.1.3, 16.0.1.2
879829-3 3-Major BT879829 HA daemon sod cannot bind to ports numbered lower than 1024 14.1.4, 15.1.3, 16.0.1.2
876805-1 3-Major BT876805 Modifying address-list resets the route advertisement on virtual servers. 14.1.4, 15.1.3, 16.0.1.1
862937-2 3-Major BT862937 Running cpcfg after first boot can result in daemons stuck in restart loop 14.1.4, 15.1.3, 16.0.1.2
838901-2 3-Major BT838901 TMM receives invalid rx descriptor from HSB hardware 13.1.4, 14.1.4, 15.1.2
830413-4 3-Major BT830413 Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure 14.1.4, 15.1.2.1, 16.0.1.1
820845-2 3-Major BT820845 Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use. 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
814053-2 3-Major BT814053 Under heavy load, bcm56xxd can be killed by the watchdog 14.1.4
803237-4 3-Major BT803237 PVA does not validate interface MTU when setting MSS 14.1.4, 15.1.3
799001-3 3-Major BT799001 Sflow agent does not handle disconnect from SNMPD manager correctly 14.1.4, 15.1.3
787885-1 3-Major BT787885 The device status is falsely showing as forced offline on the network map while actual device status is not. 14.1.4, 15.1.3, 16.0.1.1
759596-2 3-Major BT759596 Tcl errors in iRules 'table' command 12.1.5.3, 13.1.3.6, 14.1.4
754132-2 3-Major BT754132 A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command 13.1.3.6, 14.1.4
751448-1 3-Major BT751448 TMM, ZebOS, and Linux routing table may lose dynamic routes on a tmm restart 14.1.4
751021-1 3-Major BT751021 One or more TMM instances may be left without dynamic routes. 13.1.3.5, 14.1.4
750194-4 3-Major   Moderate: net-snmp security update 13.1.3.5, 14.1.4
749007-2 3-Major BT749007 South Sudan is missing in the GTM region list 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
744252-2 3-Major BT744252 BGP route map community value: either component cannot be set to 65535 13.1.3.6, 14.1.4
719555-5 3-Major BT719555 Interface listed as 'disable' after SFP insertion and enable 13.1.5, 14.1.4, 15.1.1
661640-1 3-Major BT661640 Improve fast failover of PIM-based multicast traffic when BIG-IP is deployed as an Active/Standby high availability (HA) pair. 14.1.4
615934-4 3-Major BT615934 Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. 13.1.3.5, 14.1.4, 15.1.3
966277-3 4-Minor BT966277 BFD down on multi-blade system 14.1.4, 15.1.3, 16.0.1.1
959889-1 4-Minor BT959889 Cannot update firewall rule with ip-protocol property as 'any' 14.1.4, 15.1.3
947865-3 4-Minor BT947865 Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read 14.1.4, 15.1.3
774617-1 4-Minor BT774617 SNMP daemon reports integer truncation error for values greater than 32 bits 14.1.4, 15.1.0.4


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
926929-2 1-Blocking BT926929 RFC Compliance Enforcement lacks configuration availability 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.2
910653-3 2-Critical BT910653 iRule parking in clientside/serverside command may cause tmm restart 14.1.4, 15.1.3, 16.0.1.1
889209-1 2-Critical BT889209 Sflow receiver configuration may lead to egress traffic dropped after TMM starts. 14.1.4, 15.1.1
882157-2 2-Critical BT882157 One thread of pkcs11d consumes 100% without any traffic. 14.1.4, 15.1.3
876801-3 2-Critical BT876801 Tmm crash: invalid route type 13.1.4, 14.1.4, 15.1.2
812525-3 2-Critical K27551003, BT812525 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
968641-1 3-Major BT968641 Fix for zero LACP priority 14.1.4, 15.1.3, 16.0.1.2
965537 3-Major BT965537 SSL filter does not re-initialize when OCSP validator is modified 14.1.4
953845-4 3-Major BT953845 After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
944641-3 3-Major BT944641 HTTP2 send RST_STREAM when exceeding max streams 14.1.4, 15.1.4, 16.0.1.1
940209-1 3-Major BT940209 Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout. 14.1.4, 15.1.2
932033-1 3-Major BT932033 Chunked response may have DATA frame with END_STREAM prematurely 14.1.4, 15.1.2
928857-3 3-Major BT928857 Use of OCSP responder may leak X509 store instances 14.1.4, 15.1.3
928805-3 3-Major BT928805 Use of OCSP responder may cause memory leakage 14.1.4, 15.1.3
928789-3 3-Major BT928789 Use of OCSP responder may leak SSL handshake instances 14.1.4, 15.1.3
921881-4 3-Major BT921881 Use of IPFIX log destination can result in increased CPU utilization 14.1.4, 15.1.3, 16.0.1.2
892941-4 3-Major K20105555, BT892941 F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat) 14.1.4, 15.1.2, 16.0.1.1
889601-1 3-Major K14903688, BT889601 OCSP revocation not properly checked 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
889165-1 3-Major BT889165 "http_process_state_cx_wait" errors in log and connection reset 14.1.4, 15.1.3
868209-1 3-Major BT868209 Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection 14.1.4, 15.1.2.1
858701-3 3-Major BT858701 Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
858301-3 3-Major K27551003, BT858301 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858297-3 3-Major K27551003, BT858297 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858289-3 3-Major K27551003, BT858289 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858285-3 3-Major K27551003, BT858285 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
845333-3 3-Major BT845333 An iRule with a proc referencing a datagroup cannot be assigned to Transport Config 14.1.4, 15.1.3, 16.0.1.1
825689-3 3-Major   Enhance FIPS crypto-user storage 12.1.6, 13.1.4, 14.1.4, 15.1.1
818109-3 3-Major BT818109 Certain plaintext traffic may cause SSL Orchestrator to hang 14.1.4, 15.1.2.1
795501-3 3-Major BT795501 Possible SSL crash during config sync 14.1.4
790845-2 3-Major BT790845 An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default 13.1.3.5, 14.1.4, 15.1.2
785877-2 3-Major BT785877 VLAN groups do not bridge non-link-local multicast traffic. 14.1.4, 15.1.3, 16.0.1.2
767341-3 3-Major BT767341 If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file. 14.1.4, 15.1.3, 16.0.1.2
758099-1 3-Major BT758099 TMM may crash in busy environment when handling HTTP responses 14.1.4
757442-2 3-Major BT757442 A missed SYN cookie check causes crash at the standby TMM in HA mirroring system 13.1.3, 14.1.4
753383-4 3-Major BT753383 Deadlock While Attaching NDAL Devices 14.1.4
719304-1 3-Major BT719304 Inconsistent node ICMP monitor operation for IPv6 nodes 13.1.3, 14.1.4
714642-4 3-Major BT714642 Ephemeral pool-member state on the standby is down 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1
962177-3 4-Minor BT962177 Results of POLICY::names and POLICY::rules commands may be incorrect 13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2
804157-1 4-Minor BT804157 ICMP replies are forwarded with incorrect checksums causing them to be dropped 14.1.4, 15.1.3, 16.0.1.2
772297-2 4-Minor BT772297 LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade 14.1.4
748333-4 4-Minor BT748333 DHCP Relay does not retain client source IP address for chained relay mode 14.1.4, 15.1.3, 16.0.1.1
743253-3 4-Minor BT743253 TSO in software re-segments L3 fragments. 14.1.4, 15.1.3, 16.0.1.2
738032-1 4-Minor BT738032 BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed. 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
960749-3 1-Blocking BT960749 TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
933405-3 1-Blocking K34257075, BT933405 Zonerunner GUI hangs when attempting to list Resource Records 14.1.4, 15.1.4.1, 16.0.1.1
960437-3 2-Critical BT960437 The BIG-IP system may initially fail to resolve some DNS queries 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
905557-6 2-Critical BT905557 Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure 13.1.5, 14.1.4, 15.1.2
921625-4 3-Major BT921625 The certs extend function does not work for GTM/DNS sync group 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
891093-3 3-Major BT891093 iqsyncer does not handle stale pidfile 14.1.4, 15.1.2.1, 16.0.1.1
858973-3 3-Major BT858973 DNS request matches less specific WideIP when adding new wildcard wideips 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
885869-4 4-Minor BT885869 Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime 14.1.4, 15.1.5.1
853585-2 4-Minor BT853585 REST Wide IP object presents an inconsistent lastResortPool value 12.1.6, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
846057-2 2-Critical BT846057 UCS backup archive may include unnecessary files 13.1.4, 14.1.4, 15.1.3
960369-3 3-Major BT960369 Negative value suggested in Traffic Learning as max value 14.1.4, 15.1.3, 16.0.1.2
941621-3 3-Major K91414704, BT941621 Brute Force breaks server's Post-Redirect-Get flow 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
929077-1 3-Major BT929077 Bot Defense allow list does not apply when using default Route Domain and XFF header 14.1.4, 15.1.3, 16.0.1.1
921677-4 3-Major BT921677 Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI. 14.1.4, 15.1.3, 16.0.1.1
904053-4 3-Major BT904053 Unable to set ASM Main Cookie/Domain Cookie hashing to Never 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1
867373-2 3-Major BT867373 Methods Missing From ASM Policy 14.1.4, 15.1.3
864677-3 3-Major BT864677 ASM causes high mcpd CPU usage 14.1.4, 15.1.3
964897-4 4-Minor BT964897 Live Update - Indication of "Update Available" when there is no available update 14.1.4, 15.1.3, 16.0.1.2
935293-3 4-Minor BT935293 'Detected Violation' Field for event logs not showing 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
922785-4 4-Minor BT922785 Live Update scheduled installation is not installing on set schedule 14.1.4, 15.1.3, 16.0.1.2
767941-1 4-Minor BT767941 Gracefully handle policy builder errors 13.1.3.6, 14.1.4
758336-3 4-Minor BT758336 Incorrect recommendation in Online Help of Proactive Bot Defense 12.1.5, 13.1.1.5, 14.1.4, 15.1.2.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
965581 2-Critical BT965581 Statistics are not reported to BIG-IQ 14.1.4, 15.1.4
949593-2 3-Major BT949593 Unable to load config if AVR widgets were created under '[All]' partition 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
743826-1 3-Major BT743826 Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0) 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
648242-4 3-Major K73521040, BT648242 Administrator users unable to access all partition via TMSH for AVR reports 12.1.3.2, 13.1.0.8, 14.0.0.5, 14.1.4, 15.1.2.1, 16.0.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
894565-2 2-Critical BT894565 Autodosd.default crash with SIGFPE 14.1.4, 15.1.3
976501-3 3-Major BT976501 Failed to establish VPN connection 13.1.3.6, 14.1.4, 15.1.3
952557-1 3-Major BT952557 Azure B2C Provider OAuth URLs are updated for B2Clogin.com 14.1.4, 15.1.3
925573-3 3-Major BT925573 SIGSEGV: receiving a sessiondb callback response after the flow is aborted 14.1.4, 15.1.3
916969-2 3-Major BT916969 Support of Microsoft Identity 2.0 platform 14.1.4, 15.1.3
892937-4 3-Major K20105555, BT892937 F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat) 14.1.4, 15.1.1, 16.0.1
850277-3 3-Major BT850277 Memory leak when using OAuth 13.1.3.4, 14.1.4, 15.0.1.3, 15.1.0.2
774301-4 3-Major BT774301 Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList 12.1.5, 14.1.4, 15.0.1.3
709126-1 3-Major BT709126 Localdb authentication may fail 14.1.4
833049-2 4-Minor BT833049 Category lookup tool in GUI may not match actual traffic categorization 13.1.3.5, 14.1.4, 15.1.2


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
952545-3 3-Major BT952545 'Current Sessions' statistics of HTTP2 pool may be incorrect 14.1.4, 15.1.3, 16.0.1.1
939529-3 3-Major BT939529 Branch parameter not parsed properly when topmost via header received with comma separated values 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
913373-3 3-Major BT913373 No connection error after failover with MRF, and no connection mirroring 14.1.4, 15.1.3, 16.0.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
969509-3 3-Major BT969509 Possible memory corruption due to DOS vector reset 14.1.4, 15.1.3, 16.0.1.2
965617-1 3-Major BT965617 HSB mitigation is not applied on BDoS signature with stress-based mitigation mode 14.1.4, 15.1.3, 16.0.1.1
963237-1 3-Major BT963237 Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector. 14.1.4, 15.1.3, 16.0.1.1
910417-3 3-Major BT910417 TMM core may be seen when reattaching a vector to a DoS profile 14.1.4, 15.1.2, 16.0.1.2
903561-2 3-Major BT903561 Autodosd returns small bad destination detection value when the actual traffic is high 14.1.4, 15.1.3
887017-2 3-Major BT887017 The dwbld daemon consumes a large amount of memory 14.1.4, 15.1.3
840809-1 3-Major BT840809 If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged 14.1.4, 15.1.2
837233-1 3-Major BT837233 Application Security Administrator user role cannot use GUI to manage DoS profile 14.1.4, 15.1.3
819321-1 3-Major BT819321 DoS stats table shows drops count on tcp-half-open global vector for packets dropped by ltm syn cookie 14.1.4
789857-1 3-Major BT789857 "TCP half open" reports drops made by LTM syn-cookies mitigation. 14.1.4, 15.1.1
773773-2 3-Major BT773773 DoS auto-threshold detection values are not reloaded correctly after a reboot. 14.1.4
760497-1 3-Major BT760497 Invalid configuration parameters are visible when DoS Vector is in "Auto Detection/Multiplier Based Mitigation" 14.1.4
759004-2 3-Major BT759004 Autodosd history files not loaded correctly after software upgrade 14.1.4
753141-2 3-Major BT753141 Hardware returning incorrect type of entry when notifying software might cause tmm crash 14.1.4
686043-1 3-Major BT686043 dos.maxicmpframesize and dos.maxicmp6framesize sys db variables do not work for fragmented ICMP packets 14.1.4
967889-2 4-Minor BT967889 Incorrect information for custom signature in DoS Protection:DoS Overview (non-http) 14.1.4, 15.1.3
748561-1 4-Minor BT748561 Network Firewall : Active Rules page does not list active rule entries for firewall policies associated with any context 14.1.4, 15.1.3


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
845313 2-Critical BT845313 Tmm crash under heavy load 14.1.4, 15.1.2.1
941169-1 3-Major BT941169 Subscriber Management is not working properly with IPv6 prefix flows. 14.1.4, 15.1.2.1
875401-3 3-Major BT875401 PEM subscriber lookup can fail for internet side new connections 14.1.4, 15.1.2.1
842989-7 3-Major BT842989 PEM: tmm could core when running iRules on overloaded systems 14.1.4, 15.1.2


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
928553-1 2-Critical BT928553 LSN64 with hairpinning can lead to a tmm core in rare circumstances 14.1.4, 15.1.3, 16.0.1.1
966681-2 3-Major BT966681 NAT translation failures while using SP-DAG in a multi-blade chassis 14.1.4, 15.1.3, 16.0.1.1


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
943889-1 2-Critical BT943889 Reopening the publisher after a failed publishing attempt 13.1.3.5, 14.1.4


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
932737-1 2-Critical BT932737 DNS & BADOS high-speed logger messages are mixed 14.1.4, 15.1.3, 16.0.1.2
922597-1 3-Major BT922597 BADOS default sensitivity of 50 creates false positive attack on some sites 14.1.4, 15.1.3
915489-1 4-Minor BT915489 LTM Virtual Server Health is not affected by iRule Requests dropped 14.1.4, 15.1.2.1, 16.0.1.1


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
768085-3 4-Minor BT768085 Error in python script /usr/libexec/iAppsLX_save_pre line 79 14.1.4, 15.1.3, 16.0.1.1


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
964585-4 3-Major BT964585 "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update 14.1.4, 15.1.3, 16.0.1.2
825501-1 3-Major BT825501 IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline. 14.1.4, 15.1.3, 16.0.1.1



Cumulative fixes from BIG-IP v14.1.3.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
950077-3 CVE-2021-22987, CVE-2021-22988 K18132488, K70031188, BT950077 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
943125-3 CVE-2021-23010 K18570111, BT943125 ASM bd may crash while processing WebSocket traffic 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
941449-4 CVE-2021-22993 K55237223, BT941449 BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
935029-1 CVE-2020-27720 K04048104, BT935029 TMM may crash while processing IPv6 NAT traffic 14.1.3.1, 15.1.1, 16.0.1
932065-3 CVE-2021-22978 K87502622, BT932065 iControl REST vulnerability CVE-2021-22978 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
931513-2 CVE-2021-22977 K14693346, BT931513 TMM vulnerability CVE-2021-22977 13.1.3.6, 14.1.3.1, 15.1.1, 16.0.1.1
928321-3 CVE-2020-27719 K19166530, BT928321 K19166530: XSS vulnerability CVE-2020-27719 14.1.3.1, 15.1.1, 16.0.1
921337-3 CVE-2021-22976 K88230177, BT921337 BIG-IP ASM WebSocket vulnerability CVE-2021-22976 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
917509-5 CVE-2020-27718 K58102101, BT917509 BIG-IP ASM vulnerability CVE-2020-27718 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
916821-4 CVE-2021-22974 K68652018, BT916821 iControl REST vulnerability CVE-2021-22974 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
908673-3 CVE-2020-27717 K43850230, BT908673 TMM may crash while processing DNS traffic 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
904165-3 CVE-2020-27716 K51574311, BT904165 BIG-IP APM vulnerability CVE-2020-27716 13.1.5, 14.1.3.1, 15.1.1
882189-5 CVE-2020-5897 K20346072, BT882189 BIG-IP Edge Client for Windows vulnerability CVE-2020-5897 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
882185-5 CVE-2020-5897 K20346072, BT882185 BIG-IP Edge Client Windows ActiveX 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
881317-4 CVE-2020-5896 K15478554, BT881317 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
881293-5 CVE-2020-5896 K15478554, BT881293 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
754855-2 CVE-2020-27714 K60344652, BT754855 TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile 13.1.4, 14.1.3.1, 15.1.1
939845-3 CVE-2021-23004 K31025212, BT939845 BIG-IP MPTCP vulnerability CVE-2021-23004 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
939841-3 CVE-2021-23003 K43470422, BT939841 BIG-IP MPTCP vulnerability CVE-2021-23003 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
928037-3 CVE-2020-27729 K15310332, BT928037 APM Hardening 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
919841-1 CVE-2020-27728 K45143221, BT919841 AVRD may crash while processing Bot Defense traffic 14.1.3.1, 15.1.1, 16.0.1
912969-4 CVE-2020-27727 K50343630, BT912969 iAppsLX REST vulnerability CVE-2020-27727 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
905125-3 CVE-2020-27726 K30343902, BT905125 Security hardening for APM Webtop 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
904937-4 CVE-2020-27725 K25595031, BT904937 Excessive resource consumption in zxfrd 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1
898949-3 CVE-2020-27724 K04518313, BT898949 APM may consume excessive resources while processing VPN traffic 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1
881445-5 CVE-2020-5898 K69154630, BT881445 BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
880361-3 CVE-2021-22973 K13323323, BT880361 iRules LX vulnerability CVE-2021-22973 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
842829-3 CVE-2018-16300, CVE-2018-14881, CVE-2018-14882, CVE-2018-16230, CVE-2018-16229, CVE-2018-16227, CVE-2019-15166, CVE-2018-16228, CVE-2018-16451, CVE-2018-16452, CVE-2018-10103, CVE-2018-10105, CVE-2018-14468 K04367730, BT842829 Multiple tcpdump vulnerabilities 13.1.4.1, 14.1.3.1, 15.1.3
842717-4 CVE-2020-5855 K55102004, BT842717 BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
832757-5 CVE-2017-18551 K48073202, BT832757 Linux kernel vulnerability CVE-2017-18551 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.3
831777-3 CVE-2020-27723 K42933418, BT831777 Tmm crash in Ping access use case 13.1.3.5, 14.1.3.1
811965-2 CVE-2020-27722 K73657294, BT811965 Some VDI use cases can cause excessive resource consumption 13.1.3.5, 14.1.3.1, 15.0.1.4
778049-4 CVE-2018-13405 K00854051, BT778049 Linux Kernel Vulnerability: CVE-2018-13405 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1
693360-4 CVE-2020-27721 K52035247, BT693360 A virtual server status changes to yellow while still available 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1
639773-1 CVE-2021-22983 K76518456 BIG-IP AFM vulnerability CVE-2021-22983 14.1.3.1, 16.0.1
852929-7 CVE-2020-5920 K25160703, BT852929 AFM WebUI Hardening 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1
825413-2 CVE-2021-23053 K36942191, BT825413 ASM may consume excessive resources when matching signatures 13.1.3.6, 14.1.3.1, 15.1.3
818213-2 CVE-2019-10639 K32804955, BT818213 CVE-2019-10639: KASLR bypass using connectionless protocols 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
773693-5 CVE-2020-5892 K15838353, BT773693 CVE-2020-5892: APM Client Vulnerability 11.6.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
834533-2 CVE-2019-15916 K57418558, BT834533 Linux kernel vulnerability CVE-2019-15916 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
920961-3 3-Major BT920961 Devices incorrectly report 'In Sync' after an incremental sync 14.1.3.1, 15.1.2, 16.0.1.1
756139-1 3-Major BT756139 Inconsistent logging of hostname files when hostname contains periods 14.1.3.1, 15.1.2, 16.0.1.1
921421-1 4-Minor BT921421 iRule support to get/set UDP's Maximum Buffer Packets 14.1.3.1, 15.1.2, 16.0.1.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
809553 1-Blocking BT809553 ONAP Licensing - Cipher negotiation fails 14.1.3.1
957337-4 2-Critical BT957337 Tab complete in 'mgmt' tree is broken 14.1.3.1, 15.1.2, 16.0.1.1
954025 2-Critical BT954025 "switchboot -b HD1.1" fails to reboot chassis 14.1.3.1
933409-4 2-Critical BT933409 Tomcat upgrade via Engineering Hotfix causes live-update files removal 14.1.3.1, 15.1.2, 16.0.1.1
927033-1 2-Critical BT927033 Installer fails to calculate disk size of destination volume 14.1.3.1, 15.1.2, 16.0.1.1
910201-1 2-Critical BT910201 OSPF - SPF/IA calculation scheduling might get stuck infinitely 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
896217-4 2-Critical BT896217 BIG-IP GUI unresponsive 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
860517-3 2-Critical BT860517 MCPD may crash on startup with many thousands of monitors on a system with many CPUs. 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1
829277-1 2-Critical BT829277 A Large /config folder can cause memory exhaustion during live-install 14.1.3.1, 15.1.2.1
796601-4 2-Critical BT796601 Invalid parameter in errdefsd while processing hostname db_variable 13.1.3.5, 14.1.3.1, 15.1.2
787285 2-Critical BT787285 Configuration fails to load after install of v14.1.0 or v14.1.2 on BIG-IP 800 14.1.3.1
770989 2-Critical BT770989 Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x. 13.1.3.5, 14.1.3.1
769817-3 2-Critical BT769817 BFD fails to propagate sessions state change during blade restart 11.6.5.1, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.4
706521-4 2-Critical K21404407, BT706521 The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
934941-3 3-Major BT934941 Platform FIPS power-up self test failures not logged to console 14.1.3.1, 15.1.3
930741-1 3-Major BT930741 Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot 13.1.3.6, 14.1.3.1, 15.1.2
920301-2 3-Major BT920301 Unnecessarily high number of JavaScript Obfuscator instances when device is busy 14.1.3.1, 15.1.2
915825-4 3-Major BT915825 Configuration error caused by Drafts folder in a deleted custom partition while upgrading. 13.1.3.5, 14.1.3.1, 15.1.1
915497-3 3-Major BT915497 New Traffic Class Page shows multiple question marks. 14.1.3.1, 15.1.0.5, 16.0.1.1
911809-1 3-Major BT911809 TMM might crash when sending out oversize packets. 14.1.3.1, 15.1.2
908021-2 3-Major BT908021 Management and VLAN MAC addresses are identical 13.1.3.5, 14.1.3.1, 15.1.3
904845-3 3-Major BT904845 VMware guest OS customization works only partially in a dual stack environment. 14.1.3.1, 15.1.1, 16.0.1
902401-3 3-Major BT902401 OSPFd SIGSEGV core when 'ospf clear' is done on remote device 14.1.3.1, 15.1.2, 16.0.1.1
898705-3 3-Major BT898705 IPv6 static BFD configuration is truncated or missing 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
898461-4 3-Major BT898461 Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context' 14.1.3.1, 15.1.1, 16.0.1.1
889041-1 3-Major BT889041 Failover scripts fail to access resolv.conf due to permission issues 14.1.3.1, 15.1.2, 16.0.1.1
886689-4 3-Major BT886689 Generic Message profile cannot be used in SCTP virtual 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1
867181-3 3-Major BT867181 ixlv: double tagging is not working 13.1.3.6, 14.1.3.1, 15.1.2
865241-3 3-Major BT865241 Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0" 13.1.3.6, 14.1.3.1, 15.1.2
865177-2 3-Major BT865177 Cert-LDAP returning only first entry in the sequence that matches san-other oid 14.1.3.1, 15.1.2.1, 16.0.1.1
860317-1 3-Major BT860317 JavaScript Obfuscator can hang indefinitely 14.1.3.1, 15.1.2
851733-1 3-Major BT851733 Tcpdump messages (warning, error) are sent to stdout instead of stderr 14.1.3.1
850777-1 3-Major BT850777 BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config 14.1.3.1, 15.1.1
846441-1 3-Major BT846441 Flow-control is reset to default for secondary blade's interface 13.1.3.5, 14.1.3.1, 15.1.2
846137-3 3-Major BT846137 The icrd returns incorrect route names in some cases 13.1.3.5, 14.1.3.1, 15.1.2
843597-3 3-Major BT843597 Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle 13.1.3.6, 14.1.3.1, 15.1.2
829193-2 3-Major BT829193 REST system unavailable due to disk corruption 13.1.3.6, 14.1.3.1, 15.1.0.4
826905-1 3-Major BT826905 Host traffic via IPv6 route pool uses incorrect source address 14.1.3.1, 15.1.2
806073-3 3-Major BT806073 MySQL monitor fails to connect to MySQL Server v8.0 14.1.3.1, 15.1.2.1, 16.0.1.1
795649-3 3-Major BT795649 Loading UCS from one iSeries model to another causes FPGA to fail to load 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.0.3
788577-4 3-Major BT788577 BFD sessions may be reset after CMP state change 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
783113-4 3-Major BT783113 BGP sessions remain down upon new primary slot election 11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.1
767737-2 3-Major BT767737 Timing issues during startup may make an HA peer stay in the inoperative state 13.1.3.5, 14.1.3.1, 15.1.2.1
755197-3 3-Major BT755197 UCS creation might fail during frequent config save transactions 13.1.3.5, 14.1.3.1, 15.1.2
754971-2 3-Major BT754971 OSPF inter-process redistribution might break OSPF route redistribution of various types. 13.1.3.5, 14.1.3.1
751584-1 3-Major BT751584 Custom MIB actions can be blocked by SELINUX permissions 14.1.3.1
740589-1 3-Major BT740589 Mcpd crash with core after 'tmsh edit /sys syslog all-properties' 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
737098-2 3-Major BT737098 ASM Sync does not work when the configsync IP address is an IPv6 address 13.1.3.5, 14.1.3.1, 15.1.2
652502-3 3-Major BT652502 SNMP queries return 'No Such Object available' error for LTM OIDs 13.1.1.4, 14.1.3.1
933461-3 4-Minor BT933461 BGP multi-path candidate selection does not work properly in all cases. 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
924429-3 4-Minor BT924429 Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values 14.1.3.1, 15.1.2, 16.0.1.1
892677-4 4-Minor BT892677 Loading config file with imish adds the newline character 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
882713-1 4-Minor BT882713 BGP SNMP trap has the wrong sysUpTime value 14.1.3.1, 15.1.2
864757-2 4-Minor BT864757 Traps that were disabled are enabled after configuration save 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
722230-3 4-Minor BT722230 Cannot delete FQDN template node if another FQDN node resolves to same IP address 12.1.5.2, 13.1.3.4, 14.1.3.1, 15.0.1.4, 15.1.0.2
591732-5 4-Minor BT591732 Local password policy not enforced when auth source is set to a remote type. 12.1.5.1, 13.1.3.5, 14.1.3.1, 15.0.1.4
583084-8 4-Minor K15101680, BT583084 iControl produces 404 error while creating records successfully 13.1.3.5, 14.1.3.1, 15.1.2
849085-3 5-Cosmetic BT849085 Lines with only asterisks filling message and user.log file 14.1.3.1, 15.1.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
941089 2-Critical BT941089 TMM core when using Multipath TCP 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2
911041-2 2-Critical BT911041 Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash 14.1.3.1, 15.1.2.1, 16.0.1.2
891849-2 2-Critical BT891849 Running iRule commands while suspending iRule commands that are running can lead to a crash 14.1.3.1, 15.1.2
879409-2 2-Critical BT879409 TMM core with mirroring traffic due to unexpected interface name length 14.1.3.1, 15.1.1
851857-3 2-Critical BT851857 HTTP 100 Continue handling does not work when it arrives in multiple packets 13.1.3.5, 14.1.3.1, 15.1.1
851345-2 2-Critical BT851345 The TMM may crash in certain rare scenarios involving HTTP/2 14.1.3.1, 15.1.2
850873-1 2-Critical BT850873 LTM global SNAT sets TTL to 255 on egress. 14.1.3.1, 15.1.2
824881-2 2-Critical BT824881 A rare TMM crash caused by the fix for ID 816625 14.1.3.1, 15.0.1.1
811161-1 2-Critical BT811161 Tmm crash SIGSEGV - virtual_address_update() in ../mcp/db_vip.c:1992 14.1.3.1
766509-1 2-Critical BT766509 Strict internal checking might cause tmm crash 14.1.3.1
705768-1 2-Critical BT705768 The dynconfd process may core and restart with multiple DNS name servers configured 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2
951033-2 3-Major BT951033 Virtual server resets all the connections for rstcause 'VIP disabled (administrative)' 13.1.3.5, 14.1.3.1
949145-4 3-Major BT949145 Improve TCP's response to partial ACKs during loss recovery 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
948757-3 3-Major BT948757 A snat-translation address responds to ARP requests but not to ICMP ECHO requests. 14.1.3.1, 15.1.2, 16.0.1
915689-4 3-Major BT915689 HTTP/2 dynamic header table may fail to identify indexed headers on the response side. 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
915605-1 3-Major K56251674, BT915605 Image install fails if iRulesLX is provisioned and /usr mounted read-write 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
913249-4 3-Major BT913249 Restore missing UDP statistics 14.1.3.1, 15.1.2, 16.0.1.1
901929-4 3-Major BT901929 GARPs not sent on virtual server creation 14.1.3.1, 15.1.2, 16.0.1.1
892385-2 3-Major BT892385 HTTP does not process WebSocket payload when received with server HTTP response 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1
879413-3 3-Major BT879413 Statsd fails to start if one or more of its *.info files becomes corrupted 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
862597-5 3-Major BT862597 Improve MPTCP's SYN/ACK retransmission handling 13.1.3.5, 14.1.3.1, 15.1.0.2
860005-3 3-Major BT860005 Ephemeral nodes/pool members may be created for wrong FQDN name 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2
857845-6 3-Major BT857845 TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule 13.1.3.6, 14.1.3.1, 15.1.2
851477-3 3-Major BT851477 Memory allocation failures during proxy initialization are ignored leading to TMM cores 14.1.3.1, 15.1.1
851045-3 3-Major BT851045 LTM database monitor may hang when monitored DB server goes down 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.1
850145-3 3-Major BT850145 Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed 14.1.3.1, 15.1.2
823921-2 3-Major BT823921 FTP profile causes memory leak 14.1.3.1
820333-3 3-Major BT820333 LACP working member state may be inconsistent when blade is forced offline 14.1.3.1, 15.1.2
819329-2 3-Major BT819329 Specific FIPS device errors will not trigger failover 13.1.5, 14.1.3.1, 15.1.4, 16.0.1.2
818853-3 3-Major BT818853 Duplicate MAC entries in FDB 13.1.3.5, 14.1.3.1, 15.1.0.2
809701-2 3-Major BT809701 Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist 14.1.3.1, 15.0.1.3, 15.1.2
805017-2 3-Major BT805017 DB monitor marks pool member down if no send/recv strings are configured 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.3
803233-3 3-Major BT803233 Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1
796993-1 3-Major BT796993 Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs 12.1.5.3, 13.1.3.4, 14.1.3.1
787853-2 3-Major BT787853 BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps. 14.1.3.1
786517-3 3-Major BT786517 Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address 13.1.3.5, 14.1.3.1, 15.1.0.5
783617-1 3-Major BT783617 Virtual server resets connections when all pool members are marked disabled 13.1.3.5, 14.1.3.1
776229-2 3-Major BT776229 iRule 'pool' command no longer accepts pool members with ports that have a value of zero 13.1.3.4, 14.1.3.1
759480-3 3-Major BT759480 HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash 12.1.5, 13.1.3.4, 14.1.3.1
759056-2 3-Major BT759056 stpd memory leak on secondary blades in a multi-blade system 13.1.3.6, 14.1.3.1
753805-3 3-Major BT753805 BIG-IP system failed to advertise virtual address even after the virtual address was in Available state. 12.1.5.3, 13.1.3.4, 14.1.3.1
753594-2 3-Major BT753594 In-TMM monitors may have duplicate instances or stop monitoring 13.1.3, 14.1.3.1
750278-4 3-Major K25165813, BT750278 A sub-second timeout for the SSL alert-timeout option may be desirable in certain cases 14.1.3.1, 15.0.1.3
745682-1 3-Major BT745682 Failed to parse X-Forwarded-For header in HTTP requests 13.1.3.6, 14.1.3.1
724824-3 3-Major BT724824 Ephemeral nodes on peer devices report as unknown and unchecked after full config sync 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2
722707-2 3-Major BT722707 mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall 12.1.5.3, 13.1.3.6, 14.1.3.1
720440-4 3-Major BT720440 Radius monitor marks pool members down after 6 seconds 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.0.5
718790-1 3-Major BT718790 Virtual server reports unavailable and resets connection erroneously. 14.1.3.1
710930-3 3-Major BT710930 Enabling BigDB key bigd.tmm may cause SSL monitors to fail 13.1.3.5, 14.1.3.1
935593-3 4-Minor BT935593 Incorrect SYN re-transmission handling with FastL4 timestamp rewrite 13.1.5, 14.1.3.1, 15.1.2, 16.0.1.1
932937-3 4-Minor BT932937 HTTP Explicit Proxy configurations can result in connections hanging until idle timeout. 14.1.3.1, 15.1.1, 16.0.1
895153-2 4-Minor BT895153 HTTP::has_responded returns incorrect values when using HTTP/2 14.1.3.1, 15.1.2
895141 4-Minor BT895141 HTTP::has_responded returns incorrect values when using HTTP/2 14.1.3.1
822025-2 4-Minor BT822025 HTTP response not forwarded to client during an early response 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.4, 15.1.0.2
808409-3 4-Minor BT808409 Unable to specify if giaddr will be modified in DHCP relay chain 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
801705-4 4-Minor BT801705 When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC 13.1.3.6, 14.1.3.1, 15.1.5.1
781225-2 4-Minor BT781225 HTTP profile Response Size stats incorrect for keep-alive connections 12.1.5.3, 13.1.3.5, 14.1.3.1
726983-2 4-Minor BT726983 Inserting multi-line HTTP header not handled correctly 12.1.5.3, 13.1.3.5, 14.1.3.1
859717-3 5-Cosmetic BT859717 ICMP-limit-related warning messages in /var/log/ltm 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
919553-3 2-Critical BT919553 GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets. 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
837637-2 2-Critical K02038650, BT837637 Orphaned bigip_gtm.conf can cause config load failure after upgrading 14.1.3.1, 15.1.2, 16.0.1.1
788465-2 2-Critical BT788465 DNS cache idx synced across HA group could cause tmm crash 14.1.3.1, 15.1.1, 16.0.1
926593-3 3-Major BT926593 GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout' 14.1.3.1, 15.1.2, 16.0.1.1
852101-3 3-Major BT852101 Monitor fails. 13.1.3.6, 14.1.3.1, 15.1.2
844689-3 3-Major BT844689 Possible temporary CPU usage increase with unusually large named.conf file 14.1.3.1, 15.1.2
781829-1 3-Major BT781829 GTM TCP monitor does not check the RECV string if the server response string does not end with \n 13.1.3.5, 14.1.3.1
644192-4 3-Major K23022557, BT644192 Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN 11.6.5.3, 13.1.5, 14.1.3.1, 15.1.2, 16.0.1.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
940249-3 2-Critical BT940249 Sensitive data is not masked after "Maximum Array/Object Elements" is reached 11.6.5.3, 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
927617-3 2-Critical BT927617 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
941853-2 3-Major BT941853 Logging Profiles do not disassociate from virtual server when multiple changes are made 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
940897-2 3-Major BT940897 Violations are detected for incorrect parameter when "Maximum Array/Object Elements" is reached 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
893061-1 3-Major BT893061 Out of memory for restjavad 14.1.3.1, 15.1.2, 16.0.1.1
884425-1 3-Major   Creation of new allowed HTTP URL is not possible 14.1.3.1, 15.1.3
868053-1 3-Major BT868053 Live Update service indicates update available when the latest update was already installed 14.1.3.1, 15.1.3


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
910097-3 2-Critical BT910097 Changing per-request policy while tmm is under traffic load may drop heartbeats 14.1.3.1, 15.1.2, 16.0.1.1
896709-2 2-Critical BT896709 Add support for Restart Desktop for webtop in VMware VDI 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
760130-3 2-Critical BT760130 [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK 13.1.3, 14.1.3.1
748572-2 2-Critical BT748572 Occasionally ramcache might crash when data is sent without the corresponding event. 14.1.3.1
924929-1 3-Major BT924929 Logging improvements for VDI plugin 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
914649-2 3-Major BT914649 Support USB redirection through VVC (VMware virtual channel) with BlastX 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
771961-1 3-Major BT771961 While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core 14.1.3.1, 15.1.1
760629-3 3-Major BT760629 Remove Obsolete APM keys in BigDB 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
759356-2 3-Major BT759356 Access session data cache might leak if there are multiple TMMs 14.1.3.1
747020-1 3-Major BT747020 Requests that evaluate to same subsession can be processed concurrently 14.1.3.1, 15.1.1, 16.0.1
739570-3 3-Major BT739570 Unable to install EPSEC package 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
904373-1 3-Major BT904373 MRF GenericMessage: Implement limit to message queues size 14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1
891385-4 3-Major BT891385 Add support for URI protocol type "urn" in MRF SIP load balancing 14.1.3.1, 15.1.1, 16.0.1
924349-1 4-Minor   DIAMETER MRF is not compliant with RFC 6733 for Host-ip-Address AVP over SCTP 14.1.3.1, 15.1.1, 16.0.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
938165-2 2-Critical BT938165 TMM Core after attempted update of IP geolocation database file 14.1.3.1, 15.1.2, 16.0.1.1
747225-1 2-Critical BT747225 PCCD may get into crash-loop after BIG-IP upgrade or after BIG-IP restart 14.1.3.1
872645 3-Major BT872645 Protected Object Aggregate stats are causing elevated CPU usage 14.1.3.1, 15.1.1
813301 3-Major BT813301 LSN_PB_UPDATE logs are not generated when subscriber info changes 14.1.3.1, 15.1.0
781425 3-Major BT781425 Firewall rule list configuration causes config load failure 14.1.3.1
920361-4 4-Minor BT920361 Standby device name sent in Traffic Statistics syslog/Splunk messages 14.1.3.1, 15.1.1


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
783289-1 2-Critical BT783289 PEM actions not applied in VE bigTCP. 13.1.3.5, 14.1.3.1


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
815001-1 2-Critical BT815001 TMM Crash with inbound traffic during high availability (HA) failover 14.1.3.1


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
940401-3 5-Cosmetic BT940401 Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
944785-1 3-Major BT944785 Admd restarting constantly. Out of memory due to loading malformed state file 14.1.3.1, 15.1.2, 16.0.1.2
923125-1 3-Major BT923125 Huge amount of admd processes caused oom 14.1.3.1, 15.1.2
818465-2 3-Major BT818465 Unnecessary memory allocation in AVR module 14.1.3.1


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
767613-2 3-Major BT767613 Restjavad can keep partially downloaded files open indefinitely 13.1.3.5, 14.1.3.1



Cumulative fixes from BIG-IP v14.1.3 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
928029 2-Critical BT928029 Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis 14.1.3, 15.1.4
905849 3-Major BT905849 FastL4 UDP flows might not get offloaded to hardware 14.1.3
829317-6 3-Major BT829317 Memory leak in icrd_child due to concurrent REST usage 13.1.4, 14.1.3, 14.1.3.1, 15.1.0.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
943101 2-Critical BT943101 Tmm crash in cipher group delete. 14.1.3, 15.1.4
934461 2-Critical BT934461 Connection error with server with TLS1.3 single-dh-use. 14.1.3, 15.1.4
915957 2-Critical BT915957 The wocplugin may get into a restart loop when AAM is provisioned 14.1.3, 15.1.2
939209-3 3-Major BT939209 FIPS 140-2 SP800-56Arev3 compliance 14.1.3
930385 3-Major BT930385 SSL filter does not re-initialize when an OCSP object is modified 14.1.3, 15.1.4
921721-2 3-Major BT921721 FIPS 140-2 SP800-56Arev3 compliance 14.1.3, 15.1.3
809597-3 3-Major BT809597 Memory leak in icrd_child observed during REST usage 13.1.4, 14.1.3, 15.1.0.2
629787-1 3-Major BT629787 vCMP hypervisor version mismatch may cause connection mirroring problems. 14.1.3


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
934393 1-Blocking BT934393 APM authentication fails due to delay in sessionDB readiness 14.1.3, 15.1.4


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
697331-3 3-Major BT697331 Some TMOS tools for querying various DBs fail when only a single TMM is running 14.1.3, 14.1.3.1, 15.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
892621-2 3-Major BT892621 Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software 14.1.3, 15.1.0.4


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
927993-4 1-Blocking K97501254, BT927993 Built-in SSL Orchestrator RPM installation failure 12.1.5.3, 13.1.3.6, 14.1.3, 14.1.4, 15.1.2, 16.0.1.1



Cumulative fixes from BIG-IP v14.1.2.8 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
935721-4 CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 K82252291, BT935721 ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.0.1
933741-4 CVE-2021-22979 K63497634, BT933741 BIG-IP FPS XSS vulnerability CVE-2021-22979 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
911761-4 CVE-2020-5948 K42696541, BT911761 F5 TMUI XSS vulnerability CVE-2020-5948 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
879745-1 CVE-2020-5942 K82530456 TMM may crash while processing Diameter traffic 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
917469-4 CVE-2020-5946 K53821711, BT917469 TMM may crash while processing FPS traffic 14.1.2.8, 15.1.1, 16.0.1
910017-4 CVE-2020-5945 K21540525, BT910017 Security hardening for the TMUI Interface page 14.1.2.8, 15.1.1, 16.0.1
907201-1 CVE-2021-23039 K66782293, BT907201 TMM may crash when processing IPSec traffic 13.1.5, 14.1.2.8, 15.1.3, 16.0.1.2
889557-2 CVE-2019-11358 K20455158, BT889557 jQuery Vulnerability CVE-2019-11358 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
870273-3 CVE-2020-5936 K44020030, BT870273 TMM may consume excessive resources when processing SSL traffic 12.1.5.2, 13.1.5, 14.1.2.8, 15.1.1
856961-2 CVE-2018-12207 K17269881, BT856961 INTEL-SA-00201 MCE vulnerability CVE-2018-12207 13.1.3.5, 14.1.2.8, 15.0.1.4, 15.1.0.5
751036-1 CVE-2020-27721 K52035247, BT751036 Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8
818177-4 CVE-2019-12295 K06725231, BT818177 CVE-2019-12295 Wireshark Vulnerability 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1
717276-7 CVE-2020-5930 K20622530, BT717276 TMM Route Metrics Hardening 11.6.5.3, 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.5
858537-3 CVE-2019-1010204 K05032915, BT858537 CVE-2019-1010204: Binutils Vulnerability 14.1.2.8, 15.1.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
890229-3 3-Major BT890229 Source port preserve setting is not honored 13.1.3.5, 14.1.2.8, 15.1.1
747013-3 3-Major BT747013 Add OCSP server support to IKEv2 negotiation for IPsec peer authentication 14.1.2.8
617929-2 3-Major BT617929 Support non-default route domains 13.1.3.4, 14.1.2.8, 15.0.1.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
920481 2-Critical BT920481 REST GET on /mgmt/tm/sys/file/ssl-key returns bad/wrong passphrase 14.1.2.8
871561-3 2-Critical BT871561 Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)' 14.1.2.8, 15.1.1, 16.0.1
860349-1 2-Critical BT860349 Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication 14.1.2.8, 15.1.3
856713-1 2-Critical BT856713 IPsec crash during rekey 14.1.2.8, 16.0.1.2
854493-3 2-Critical BT854493 Kernel page allocation failures messages in kern.log 14.1.2.8, 15.1.0.2
842865-1 2-Critical BT842865 Add support for Auto MAC configuration (ixlv) 14.1.2.8, 15.0.1.4, 15.1.0.5
841953-5 2-Critical BT841953 A tunnel can be expired when going offline, causing tmm crash 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.2
841333-5 2-Critical BT841333 TMM may crash when tunnel used after returning from offline 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.2
818253-1 2-Critical BT818253 Generate signature files for logs 14.1.2.8, 15.1.1, 16.0.1.1
817709-2 2-Critical BT817709 IPsec: TMM cored with SIGFPE in racoon2 13.1.5, 14.1.2.8, 15.1.0.2
811149-1 2-Critical BT811149 Remote users are unable to authenticate via serial console. 14.1.2.8, 15.0.1.4, 15.1.0.2
807453-1 2-Critical BT807453 IPsec works inefficiently with a second blade in one chassis 14.1.2.8
777229-1 2-Critical BT777229 IPsec improvements to internal pfkey messaging between TMMs on multi-blade 14.1.2.8
774361-2 2-Critical BT774361 IPsec High Availability sync during multiple failover via RFC6311 messages 14.1.2.8
769357-1 2-Critical   IPsec debug logging needs more organization and is missing HA-related logging 14.1.2.8
755716-1 2-Critical BT755716 IPsec connection can fail if connflow expiration happens before IKE encryption 14.1.2.8
749249-1 2-Critical BT749249 IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP 14.1.2.8
741676-2 2-Critical BT741676 Intermittent crash switching between tunnel mode and interface mode 13.1.5, 14.1.2.8
593536-7 2-Critical K64445052, BT593536 Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations 14.1.2.8, 15.1.1
924493-4 3-Major BT924493 VMware EULA has been updated 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
904705-3 3-Major BT904705 Cannot clone Azure marketplace instances. 14.1.2.8, 15.1.1, 16.0.1
888497-4 3-Major BT888497 Cacheable HTTP Response 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1
887089-3 3-Major BT887089 Upgrade can fail when filenames contain spaces 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5
880625-2 3-Major BT880625 Check-host-attr enabled in LDAP system-auth creates unusable config 14.1.2.8, 15.1.1, 16.0.1
880165-1 3-Major BT880165 Auto classification signature update fails 14.1.2.8, 15.1.1, 16.0.1
858197-1 3-Major BT858197 Merged crash when memory exhausted 13.1.3.5, 14.1.2.8, 15.1.2, 16.0.1.1
856953-2 3-Major BT856953 IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1 13.1.5, 14.1.2.8, 15.1.4.1
844085-3 3-Major BT844085 GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address 14.1.2.8, 15.1.0.5, 16.0.1
838297-1 3-Major BT838297 Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication 14.1.2.8, 15.1.1
828789-3 3-Major BT828789 Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters 14.1.2.8, 15.1.1
820213-2 3-Major BT820213 'Application Service List' empty after UCS restore 14.1.2.8
814585-3 3-Major BT814585 PPTP profile option not available when creating or modifying virtual servers in GUI 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1
810381-4 3-Major BT810381 The SNMP max message size check is being incorrectly applied. 13.1.3.5, 14.1.2.8, 15.1.0.4
807337-3 3-Major BT807337 Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed. 14.1.2.8, 15.1.1, 16.0.1.1
804537-1 3-Major BT804537 Check SAs in context callbacks 14.1.2.8
802889 3-Major BT802889 Problems establishing HA connections on chassis platforms 14.1.2.8, 14.1.3
797829-5 3-Major BT797829 The BIG-IP system may fail to deploy new or reconfigure existing iApps 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1
783753-1 3-Major BT783753 Increase vCPU amount guests can use on i11800-DS platforms. 14.1.2.8
761753-2 3-Major BT761753 BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs 14.1.2.8
759564-4 3-Major BT759564 GUI not available after upgrade 14.1.2.8, 15.1.1, 16.0.1
758517-1 3-Major BT758517 Callback for Diffie Hellman crypto is missing defensive coding 14.1.2.8
758516-1 3-Major BT758516 IKEv2 auth encryption is missing defensive coding that checks object validity 14.1.2.8
757862-1 3-Major BT757862 IKEv2 debug logging an uninitialized variable leading to core 14.1.2.8
748443-1 3-Major BT748443 HiGig MAC recovery mechanism may fail continuously at runtime 14.1.2.8
746704-2 3-Major BT746704 Syslog-ng Memory Leak 13.1.3.5, 14.1.2.8
745261-2 3-Major BT745261 The TMM process may crash in some tunnel cases 12.1.5.3, 13.1.3.5, 14.1.2.8
726416-3 3-Major BT726416 Physical disk HD1 not found for logical disk create 14.1.2.8
489572-4 3-Major K60934489, BT489572 Sync fails if file object is created and deleted before sync to peer BIG-IP 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
431503-3 3-Major K14838, BT431503 TMSH crashes in rare initial tunnel configurations 13.1.3.5, 14.1.2.8, 15.1.1
919745-4 4-Minor BT919745 CSV files downloaded from the Dashboard have the first row with all 'NaN' 14.1.2.8, 15.1.0.5, 16.0.1
918209-1 4-Minor BT918209 GUI Network Map icons color scheme is not section 508 compliant 14.1.2.8, 15.1.0.5, 16.0.1
914761-1 4-Minor BT914761 Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed. 14.1.2.8, 15.1.1, 16.0.1.1
906889-1 4-Minor BT906889 Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows. 14.1.2.8, 15.1.1, 16.0.1
902417-4 4-Minor BT902417 Configuration error caused by Drafts folder in a deleted custom partition 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1.1
890277-2 4-Minor BT890277 Full config sync to a device group operation takes a long time when there are a large number of partitions. 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
822377-2 4-Minor   CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability 14.1.2.8, 15.1.1
779857-1 4-Minor BT779857 Misleading GUI error when installing a new version in another partition 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
777237-1 4-Minor   IPsec high availability (HA) for failover confused by runtime changes in blade count 14.1.2.8
751103-4 4-Minor BT751103 TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop 14.1.2.8, 15.1.1, 16.0.1
767269-2 5-Cosmetic   Linux kernel vulnerability: CVE-2018-16884 14.1.2.8, 15.1.0.5
714176-3 5-Cosmetic BT714176 UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
858429 2-Critical BT858429 BIG-IP system sends ICMP packets on both virtual wire interfaces. 14.1.2.8, 15.0.1.4, 15.1.1
851581-1 2-Critical BT851581 Server-side detach may crash TMM 14.1.2.8, 15.1.1
839749-2 2-Critical BT839749 Virtual server with specific address list might fail to create via GUI 14.1.2.8, 15.0.1.1, 15.1.0.5
813561-3 2-Critical BT813561 MCPD crashes when assigning an iRule that uses a proc 13.1.3.4, 14.1.2.8, 15.0.1.3
726518-3 2-Critical BT726518 Tmsh show command terminated with CTRL-C can cause TMM to crash. 13.1.3.6, 14.1.2.8, 15.1.2
915281-1 3-Major BT915281 Do not rearm TCP Keep Alive timer under certain conditions 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
816881-1 3-Major BT816881 Serverside connection may use wrong VLAN when virtual wire is configured 14.1.2.8, 15.1.1
810445-2 3-Major BT810445 PEM: ftp-data not classified or reported 13.1.3.5, 14.1.2.8
800101-1 3-Major BT800101 BIG-IP chassis system may send out duplicated UDP packets to the server side 14.1.2.8
788753-4 3-Major BT788753 GATEWAY_ICMP monitor marks node down with wrong error code 13.1.3.4, 14.1.2.8, 15.1.0.5
785701-1 3-Major BT785701 Changes to a Web Acceleration profile are not instantly applied to virtual servers using the profile 14.1.2.8
785481-2 3-Major BT785481 A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached 12.1.5.3, 14.1.2.8, 15.0.1.1
781753-3 3-Major BT781753 WebSocket traffic is transmitted with unknown opcodes 13.1.3.2, 14.1.2.8
766169-2 3-Major BT766169 Replacing all VLAN interfaces resets VLAN MTU to a default value 12.1.5.2, 13.1.3.5, 14.1.2.8
758437-6 3-Major BT758437 SYN w/ data disrupts stat collection in Fast L4 13.1.3.5, 14.1.2.8
758436-4 3-Major BT758436 Optimistic ACKs degrade Fast L4 statistics 13.1.3.5, 14.1.2.8
745663-3 3-Major BT745663 During traffic forwarding, nexthop data may be missed at large packet split 13.1.3.5, 14.1.2.8
726734-4 3-Major BT726734 DAGv2 port lookup stringent may fail 13.1.3.2, 14.1.2.8
814037-4 4-Minor BT814037 No virtual server name in Hardware Syncookie activation logs. 13.1.3.5, 14.1.2.8, 15.1.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
783125-2 2-Critical BT783125 iRule drop command on DNS traffic without Datagram-LB may cause TMM crash 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
800265-2 3-Major BT800265 Undefined subroutine in bigip_add_appliance_helper message 14.1.2.8


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
911629 2-Critical BT911629 Manual upload of LiveUpdate image file results in NULL response 14.1.2.8, 15.0.1.4
918933-3 3-Major K88162221, BT918933 The BIG-IP ASM system may not properly perform signature checks on cookies 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.2.8, 15.1.2, 16.0.1.1
901061-4 3-Major BT901061 Safari browser might be blocked when using Bot Defense profile and related domains. 14.1.2.8, 15.1.1, 16.0.1
888285-3 3-Major K18304067, BT888285 Sensitive positional parameter not masked in 'Referer' header value 14.1.2.8, 15.1.1
848445-3 3-Major K86285055, BT848445 Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5
919001-1 4-Minor BT919001 Live Update: Update Available notification is shown twice in rare conditions 14.1.2.8, 15.1.2, 16.0.1.1
879777 4-Minor BT879777 Retrieve browser cookie from related domain instead of performing another Bot Defense browser verification challenge 14.1.2.8, 15.1.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
908065-4 3-Major BT908065 Logrotation for /var/log/avr blocked by files with .1 suffix 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
866613-1 4-Minor BT866613 Missing MaxMemory Attribute 13.1.3.5, 14.1.2.8, 15.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
891505-1 2-Critical BT891505 TMM might leak memory when OAuth agent is used in APM per-request policy subroutine. 14.1.2.8, 15.1.4
579219-3 2-Critical BT579219 Access keys missing from SessionDB after multi-blade reboot. 13.1.5, 14.1.2.8, 15.1.1
706782-3 3-Major BT706782 Inefficient APM processing in large configurations. 14.1.2.8, 15.0.1.3, 15.1.0.2
679751-1 4-Minor BT679751 Authorization header can cause a connection reset 13.1.3.5, 14.1.2.8, 15.1.1
602396-1 4-Minor BT602396 EPSEC Upload Package Button Is Greyed Out 14.1.2.8
478450-2 4-Minor BT478450 Improve log details when "Detection invalid host header ()" is logged 14.1.2.8


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
763121-3 2-Critical BT763121 Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM. 13.1.3, 14.1.2.8
870385-3 3-Major BT870385 TMM may restart under very heavy traffic load 14.1.2.8, 15.1.2.1
811157-2 3-Major BT811157 Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself 14.1.2.8
757555-2 3-Major BT757555 Network DoS Logging Profile does not work with other logging profiles together 14.1.2.8
757279-1 3-Major BT757279 LDAP authenticated Firewall Manager role cannot edit firewall policies 13.1.1.5, 14.1.2.8, 15.1.0.5
746483-2 3-Major BT746483 The autodosd process consumes a lot of memory and continuously restarts. 14.1.2.8
703165-4 3-Major BT703165 shared memory leakage 13.1.3.5, 14.1.2.8
803149-1 4-Minor BT803149 Flow Inspector cannot filter on IP address with non-default route_domain 14.1.2.8
906885 5-Cosmetic BT906885 Spelling mistake on AFM GUI Flow Inspector screen 14.1.2.8, 15.1.2.1


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
741213-2 3-Major BT741213 Modifying disabled PEM policy causes coredump 14.1.2.8


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
837269 3-Major BT837269 Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic 14.1.2.8, 15.1.0


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
876581-4 3-Major BT876581 JavaScript engine file is empty if the original HTML page cached for too long 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
891729-4 4-Minor BT891729 Errors in datasyncd.log 14.1.2.8, 15.1.1, 16.0.1


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
797277-2 3-Major BT797277 URL categorization fails when multiple segments present in URL path and belong to different categories. 14.1.2.8
761273-2 3-Major BT761273 wr_urldbd creates sparse log files by writing from the previous position after logrotate. 13.1.1.5, 14.1.2.8



Cumulative fixes from BIG-IP v14.1.2.7 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
912221-2 CVE-2020-12662, CVE-2020-12663 K37661551, BT912221 CVE-2020-12662 & CVE-2020-12663 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5
900905-1 CVE-2020-5926 K42830212, BT900905 TMM may crash while processing SIP data 14.1.2.7, 15.0.1.4, 15.1.0.5
891457-4 CVE-2020-5939 K75111593, BT891457 NIC driver may fail while transmitting data 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.4, 16.0.1
888417-4 CVE-2020-8840 K15320518, BT888417 Apache Vulnerability: CVE-2020-8840 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
846917-3 CVE-2019-10744 K47105354, BT846917 lodash Vulnerability: CVE-2019-10744 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.3, 15.1.0.2
841577-4 CVE-2020-5922 K20606443, BT841577 iControl REST hardening 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5
839453-4 CVE-2019-10744 K47105354, BT839453 lodash library vulnerability CVE-2019-10744 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.1.1
788057-5 CVE-2020-5921 K00103216, BT788057 MCPD may crash while processing syncookies 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
917005-4 CVE-2020-8619 K19807532 ISC BIND Vulnerability: CVE-2020-8619 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1
909837-2 CVE-2020-5950 K05204103, BT909837 TMM may consume excessive resources when AFM is provisioned 13.1.3.5, 14.1.2.7, 15.1.0.5
888489-4 CVE-2020-5927 K55873574, BT888489 ASM UI hardening 14.1.2.7, 15.0.1.4, 15.1.0.5
886085-3 CVE-2020-5925 K45421311, BT886085 BIG-IP TMM vulnerability CVE-2020-5925 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
832885-3 CVE-2020-5923 K05975972, BT832885 Self-IP hardening 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5
816413-2 CVE-2019-1125 K31085564, BT816413 CVE-2019-1125: Spectre SWAPGS Gadget 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
888493-4 CVE-2020-5928 K40843345, BT888493 ASM GUI Hardening 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
839145-2 CVE-2019-10744 K47105354, BT839145 CVE-2019-10744: lodash vulnerability 14.1.2.7, 15.1.0.5, 16.0.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
816233-3 2-Critical BT816233 Session and authentication cookies should use larger character set 14.1.2.7, 15.0.1.4, 15.1.0.5
724556-3 2-Critical BT724556 icrd_child spawns more than maximum allowed times (zombie processes) 12.1.5.3, 13.1.3.2, 14.1.2.7
858189-1 3-Major BT858189 Make restnoded/restjavad/icrd timeout configurable with sys db variables. 12.1.5.2, 14.1.2.7, 15.1.1
802977-2 3-Major BT802977 PEM iRule crashes when more than 10 policies are tried to be set for a subscriber 14.1.2.7
691499-3 3-Major BT691499 GTP::ie primitives in iRule to be certified 13.1.3.4, 14.1.2.7, 15.1.0.5
745465-1 4-Minor BT745465 The tcpdump file does not provide the correct extension 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
864513-3 1-Blocking K48234609, BT864513 ASM policies may not load after upgrading to 14.x or later from a previous major version 14.1.2.7, 15.1.1
891477 2-Critical BT891477 No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server 14.1.2.7, 15.0.1.4, 15.1.0.5
829677-1 2-Critical BT829677 .tmp files in /var/config/rest/ may cause /var directory exhaustion 13.1.3.5, 14.1.2.7, 15.1.2, 16.0.1.1
811701-1 2-Critical BT811701 AWS instance using xnet driver not receiving packets on an interface. 14.1.2.7, 15.0.1.4, 15.1.0.2
810593-2 2-Critical K10963690, BT810593 Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade 13.1.3.5, 14.1.2.7
805417-1 2-Critical BT805417 Unable to enable LDAP system auth profile debug logging 14.1.2.7, 15.1.1
769581-1 2-Critical BT769581 Timeout when sending many large iControl Rest requests 13.1.3.5, 14.0.0.5, 14.1.2.7
758604-2 2-Critical BT758604 Deleting a port from a single-port trunk does not work. 14.1.2.7
891721-1 3-Major BT891721 Anti-Fraud Profile URLs with query strings do not load successfully 14.1.2.7, 15.0.1.4, 15.1.0.5
871657-2 3-Major BT871657 Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
867013-1 3-Major BT867013 Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout 13.1.3.5, 14.1.2.7, 15.1.1
842189-2 3-Major BT842189 Tunnels removed when going offline are not restored when going back online 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.2.1
821309-3 3-Major BT821309 After an initial boot, mcpd has a defunct child "systemctl" process 14.1.2.7, 15.1.0.5
812929-2 3-Major BT812929 mcpd may core when resetting a DSC connection 14.1.2.7, 15.0.1.4
811053-2 3-Major BT811053 REBOOT REQUIRED prompt appears after failover and clsh reboot 14.1.2.7, 15.1.2
810821-1 3-Major BT810821 Management interface flaps after rebooting the device. 13.1.3.5, 14.1.2.7, 15.1.2
807005-1 3-Major BT807005 Save-on-auto-sync is not working as expected with large configuration objects 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
806985 3-Major BT806985 Engineering Hotfix installation may fail when Engineering Hotfix contains updated nash-initrd package 14.1.2.7
802685-3 3-Major BT802685 Unable to configure performance HTTP virtual server via GUI 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
793121-3 3-Major BT793121 Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication 13.1.3.2, 14.1.2.7, 15.0.1.3, 15.1.0.2
788949-3 3-Major BT788949 MySQL Password Initialization Loses Already Written Password 14.1.2.7
760950-4 3-Major BT760950 Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment 12.1.5.3, 13.1.5, 14.1.2.7
756153-3 3-Major BT756153 Add diskmonitor support for MySQL /var/lib/mysql 12.1.4.1, 13.1.3, 14.1.2.7
753860-3 3-Major BT753860 Virtual server config changes causing incorrect route injection. 13.1.3.4, 14.1.2.7
720610-2 3-Major BT720610 Automatic Update Check logs false 'Update Server unavailable' message on every run 13.1.3, 14.1.2.7
701529-2 3-Major BT701529 Configuration may not load or not accept vlan or tunnel names as "default" or "all" 13.1.3.4, 14.1.2.7
688399-2 3-Major BT688399 HSB failure results in continuous TMM restarts 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4
683135-1 3-Major BT683135 Hardware syncookies number for virtual server stats is unrealistically high 13.1.3.2, 14.1.2.7
605675-4 3-Major BT605675 Sync requests can be generated faster than they can be handled 11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.2
831293-3 4-Minor BT831293 SNMP address-related GET requests slow to respond. 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.2
804309-2 4-Minor BT804309 [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument 13.1.3.5, 14.1.2.7, 15.1.0.5
755018-2 4-Minor BT755018 Egress traffic processing may be stopped on one or more VE trunk interfaces 13.1.3.2, 14.1.2.7, 15.0.1.1
743815-2 4-Minor BT743815 vCMP guest observes connflow reset when a CMP state change occurs. 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7
484683-2 4-Minor BT484683 Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer. 13.1.3.2, 14.1.2.7


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
842937-4 2-Critical BT842937 TMM crash due to failed assertion 'valid node' 12.1.5.3, 14.1.2.7, 15.1.1
751589-1 2-Critical BT751589 In BIG-IP VE, some IP rules may not be created during the first boot up. 14.1.2.7
893281-1 3-Major BT893281 Possible ssl stall on closed client handshake 14.1.2.7, 15.1.0.5
852873 3-Major BT852873 Proprietary Multicast PVST+ packets are forwarded instead of dropped 14.1.2.7, 15.1.0.2
848777-1 3-Major BT848777 Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node. 14.1.2.7, 15.1.0.4
828601-3 3-Major BT828601 IPv6 Management route is preferred over IPv6 tmm route 13.1.3.5, 14.1.2.7, 15.1.0.3
813701-3 3-Major BT813701 Proxy ARP failure 14.1.2.7, 15.1.0.5
810533-4 3-Major BT810533 SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile 14.1.2.7
802245-1 3-Major BT802245 When HTTP/2 is negotiated, if the provided cipher suite list cannot be matched, then the last one will be selected. 14.1.2.7
790205-3 3-Major BT790205 Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.2.7, 15.0.1.1
781041-1 3-Major BT781041 SIP monitor in non default route domain is not working. 14.1.2.7
778517-1 3-Major K91052217, BT778517 Large number of in-TMM monitors results in delayed processing 13.1.3.4, 14.1.2.7
760050-2 3-Major BT760050 "cwnd too low" warning message seen in logs 13.1.4.1, 14.1.2.7, 15.1.4
758599-1 3-Major BT758599 IPv6 Management route is preferred over IPv6 tmm route 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.3
758041-3 3-Major BT758041 LTM Pool Members may not be updated accurately when multiple identical database monitors are configured. 13.1.3.5, 14.1.2.7, 15.1.4.1
757446-2 3-Major BT757446 Invoking the HTTP::respond iRule command when the HTTP2 profile is present can cause stalled or malformed responses. 13.1.5, 14.1.2.7
756494-3 3-Major BT756494 For in-tmm monitoring: multiple instances of the same agent are running on the Standby device 13.1.3.4, 14.1.2.7
752530-1 3-Major BT752530 TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput. 13.1.4.1, 14.1.2.7
752334-1 3-Major BT752334 Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation 13.1.4.1, 14.1.2.7
750473-4 3-Major BT750473 VA status changes while 'disabled' are not taken into account after being 'enabled' again 11.6.5.2, 12.1.5.3, 14.1.2.7
746922-6 3-Major BT746922 When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain. 12.1.4.1, 13.1.3, 14.0.1.1, 14.1.2.7
714502-2 3-Major BT714502 bigd restarts after loading a UCS for the first time 14.1.2.7, 15.1.0.5
686059-4 3-Major BT686059 FDB entries for existing VLANs may be flushed when creating a new VLAN. 12.1.5.3, 13.1.3.4, 14.1.2.7
608952-3 3-Major BT608952 MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.5
522241-1 3-Major BT522241 Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
918169-2 2-Critical BT918169 The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown. 13.1.3.6, 14.1.2.7, 15.1.2, 16.0.1.1
744743-1 2-Critical BT744743 Rolling DNSSEC Keys may stop generating after BIG-IP restart 14.1.2.7
803645-3 3-Major BT803645 GTMD daemon crashes 13.1.3.3, 14.1.2.7
789421-2 3-Major BT789421 Resource-administrator cannot create GTM server object through GUI 14.1.2.7, 15.1.0.5, 16.0.1
778365-2 3-Major BT778365 dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service 13.1.3.4, 14.1.2.7
774481-2 3-Major BT774481 DNS Virtual Server creation problem with Dependency List 13.1.3.4, 14.1.2.7
769385-1 3-Major BT769385 GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message 14.0.0.5, 14.1.2.7
758772-3 3-Major BT758772 DNS Cache RRSET Evictions Stat not increasing 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7
757464-1 3-Major BT757464 DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7
746348-2 3-Major BT746348 On rare occasions, gtmd fails to process probe responses originating from the same system. 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.2
712335-3 4-Minor BT712335 GTMD may intermittently crash under unusual conditions. 12.1.6, 13.1.4, 14.1.2.7
774257-2 5-Cosmetic BT774257 tmsh show gtm pool and tmsh show gtm wideip print duplicate object types 14.1.2.7, 15.1.0.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
904593-2 2-Critical BT904593 Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled 14.1.2.7, 15.1.0.5
868641-1 2-Critical BT868641 Possible TMM crash when disabling bot profile for the entire connection 14.1.2.7, 15.1.1
865461-3 2-Critical BT865461 BD crash on specific scenario 14.1.2.7, 15.1.0.5
843801-1 2-Critical BT843801 Like-named previous Signature Update installations block Live Update usage after upgrade 14.1.2.7, 15.1.1
813409-1 2-Critical BT813409 BD crash under certain circumstances 14.1.2.7
803813-2 2-Critical BT803813 TMM may experience high latency when processing WebSocket traffic 13.1.3.4, 14.1.2.7
903357-3 3-Major BT903357 Bot defense Profile list loads too slowly when there are 750 or more Virtual servers 14.1.2.7, 15.1.1, 16.0.1.1
900797-4 3-Major BT900797 Brute Force Protection (BFP) hash table entry cleanup 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
900793-2 3-Major K32055534, BT900793 APM Brute Force Protection resources do not scale automatically 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
900789-4 3-Major BT900789 Alert before Brute Force Protection (BFP) hash are fully utilized 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
898825-4 3-Major BT898825 Attack signatures are enforced on excluded headers under some conditions 14.1.2.7
898741-4 3-Major BT898741 Missing critical files causes FIPS-140 system to halt upon boot 14.1.2.7, 15.1.1
892653-2 3-Major BT892653 Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI 14.1.2.7, 15.1.0.5, 16.0.1
880789-1 3-Major BT880789 ASMConfig Handler undergoes frequent restarts 14.1.2.7, 15.1.0.5
880753-1 3-Major K38157961, BT880753 Possible issues when using DoSL7 and Bot Defense profile on the same virtual server 14.1.2.7, 15.0.1.4, 15.1.1
874753-1 3-Major   Filtering by Bot Categories on Bot Requests Log shows 0 events 14.1.2.7, 15.1.0.5
868721-3 3-Major BT868721 Transactions are held for a long time on specific server related conditions 14.1.2.7, 15.1.0.5
863609-2 3-Major BT863609 Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies 14.1.2.7, 15.1.0.5
850677-2 3-Major BT850677 Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy 14.1.2.7, 15.1.0.5
833685-3 3-Major BT833685 Idle async handlers can remain loaded for a long time doing nothing 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.5
809125-2 3-Major BT809125 CSRF false positive 12.1.5.1, 14.1.2.7, 15.1.0.5
802873-1 3-Major BT802873 Manual changes to policy imported as XML may introduce corruption for Login Pages 14.1.2.7, 15.1.4
799749-1 3-Major BT799749 Asm logrotate fails to rotate 14.1.2.7, 15.1.0.5
793149-3 3-Major BT793149 Adding the Strict-transport-Policy header to internal responses 12.1.5.1, 14.1.2.7
785529-1 3-Major BT785529 ASM unable to handle ICAP responses whose length is greater than 10K 11.6.5.2, 14.1.2.7
783165-3 3-Major BT783165 Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile 14.1.2.7, 15.1.0.5
772165-1 3-Major BT772165 Sync Failed due to Bot Defense profile not found. 14.1.2.7
759449-1 3-Major BT759449 Unable to modify the application language with 'Copy ASM Policy' 14.1.2.7
751430-1 3-Major BT751430 Unnecessary reporting of errors with complex denial-of-service policies 14.1.2.7
745324-1 3-Major BT745324 MCP crash or blocked for a long time when loading configuration 14.1.2.7
742549-2 3-Major BT742549 Cannot create non-ASCII entities in non-UTF ASM policy using REST 13.1.3.6, 14.1.2.7, 15.1.0.5
726401-1 3-Major BT726401 ASM cannot complete initial startup with modified management interface on VE 14.1.2.7
722337-1 3-Major BT722337 Always show violations in request log when post request is large 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1.1
640842-3 3-Major BT640842 ASM end user using mobile might be blocked when CSRF is enabled 14.1.2.7, 15.1.0.5
896285-4 4-Minor BT896285 No parent entity in suggestion to add predefined-filetype as allowed filetype 14.1.2.7, 15.1.2, 16.0.1.1
882769-3 4-Minor BT882769 Request Log: wrong filter applied when searching by Response contains or Response does not contain 13.1.3.5, 14.1.2.7, 15.1.2
852613-1 4-Minor   Connection Mirroring and ASM Policy not supported on the same virtual server 14.1.2.7


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
902485-2 3-Major BT902485 Incorrect pool member concurrent connection value 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
838685-2 3-Major BT838685 DoS report exists in per-widget but not under individual virtual 13.1.3.5, 14.1.2.7, 15.1.0.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
838861-2 2-Critical BT838861 TMM might crash once after upgrading SSL Orchestrator 14.1.2.7, 15.1.1
895313 3-Major BT895313 Enable manage config setting may fail after upgrade of AGC to version 7.0 on BIG-IP 14.1.0 or 14.1.2 14.1.2.7
831517-1 3-Major BT831517 TMM may crash when Network Access tunnel is used 14.1.2.7, 15.1.3
799149-2 3-Major BT799149 Authentication fails with empty password 13.1.3.2, 14.1.2.7
750631-2 3-Major BT750631 There may be a latency between session termination and deletion of its associated IP address mapping 13.1.3, 14.1.2.7
600985-1 3-Major BT600985 Network access tunnel data stalls 13.1.3, 14.1.2.7
719589-2 4-Minor BT719589 GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic 13.1.3.2, 14.1.2.7


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
814097-2 2-Critical BT814097 Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event. 11.6.5.2, 13.1.3.4, 14.1.2.7
898997-4 3-Major BT898997 GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes 14.1.2.7, 15.1.1, 16.0.1
842625-3 3-Major BT842625 SIP message routing remembers a 'no connection' failure state forever 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.2
825013-3 3-Major BT825013 GENERICMESSAGE::message's src and dst may get cleared in certain scenarios 14.1.2.7, 15.0.1.1, 15.1.0.2
815529-2 3-Major BT815529 MRF outbound messages are dropped in per-peer mode 13.1.3.4, 14.1.2.7
803809-2 3-Major BT803809 SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled. 13.1.3.4, 14.1.2.7, 15.1.0.2
782353-6 3-Major BT782353 SIP MRF via header shows TCP Transport when TLS is enabled 13.1.3.4, 14.1.2.7
754658-2 3-Major BT754658 Improved matching of response messages uses end-to-end ID 13.1.3.4, 14.1.2.7
754617-2 3-Major BT754617 iRule 'DIAMETER::avp read' command does not work with 'source' option 13.1.3.4, 14.1.2.7
746731-1 3-Major BT746731 BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set 13.1.3.4, 14.1.2.7
696348-3 3-Major BT696348 "GTP::ie insert" and "GTP::ie append" do not work without "-message" option 13.1.3.4, 14.1.2.7, 15.1.0.5
788513-2 4-Minor BT788513 Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
786981-3 4-Minor BT786981 Pending GTP iRule operation may be aborted when connection is expired 13.1.3.4, 14.1.2.7
793005-3 5-Cosmetic BT793005 'Current Sessions' statistic of MRF/Diameter pool may be incorrect 13.1.3.4, 14.1.2.7, 15.1.0.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
802421 2-Critical BT802421 The /var partition may become 100% full requiring manual intervention to clear space 14.1.2.7, 15.1.0.5
755721-1 3-Major BT755721 A UDP DNS packet may incorrectly match a BDoS signature if such a packet was queued up due to ingress shaper 14.1.2.7


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
753014-4 3-Major BT753014 PEM iRule action with RULE_INIT event fails to attach to PEM policy 12.1.5.3, 13.1.3.2, 14.1.2.7


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
888625-2 3-Major BT888625 CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks 14.1.2.7, 15.1.0.3
806825 3-Major BT806825 Align the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool 14.1.2.7
761517-1 4-Minor BT761517 nat64 and ltm pool conflict 14.1.2.7


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
787965-1 3-Major BT787965 URLCAT by URI does not work if it contains port number 14.1.2.7
754257-2 3-Major BT754257 URL lookup queries not working 12.1.5, 14.1.2.7



Cumulative fixes from BIG-IP v14.1.2.6 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
900757-4 CVE-2020-5902 K52145254, BT900757 TMUI RCE vulnerability CVE-2020-5902 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895525-4 CVE-2020-5902 K52145254, BT895525 TMUI RCE vulnerability CVE-2020-5902 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
909237-4 CVE-2020-8617 K05544642 CVE-2020-8617: BIND Vulnerability 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
909233-4 CVE-2020-8616 K97810133, BT909233 DNS Hardening 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
905905-3 CVE-2020-5904 K31301245, BT905905 TMUI CSRF vulnerability CVE-2020-5904 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895993-4 CVE-2020-5902 K52145254, BT895993 TMUI RCE vulnerability CVE-2020-5902 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895981-4 CVE-2020-5902 K52145254, BT895981 TMUI RCE vulnerability CVE-2020-5902 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895881-3 CVE-2020-5903 K43638305, BT895881 BIG-IP TMUI XSS vulnerability CVE-2020-5903 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
726407 CVE-2017-6001 K24578092, BT726407 CVE-2017-6001: Race condition in kernel/events/core.c 14.1.2.6


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
742628-3 3-Major BT742628 A tmsh session initiation adds increased control plane pressure 12.1.5.3, 13.1.3.4, 14.1.2.6, 14.1.4, 15.0.1.4, 15.1.0.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
897229 3-Major BT897229 TLS session ticket resumption SNI check 14.1.2.6



Cumulative fixes from BIG-IP v14.1.2.5 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
883717-3 CVE-2020-5914 K37466356, BT883717 BD crash on specific server cookie scenario 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
879025-4 CVE-2020-5913 K72752002, BT879025 When processing TLS traffic, LTM may not enforce certificate chain restrictions 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.0.2
866013 CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 K78234183, BT866013 Linux Kernel Vulnerabilities: CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 14.1.2.5
852445-3 CVE-2019-6477 K15840535, BT852445 Big-IP : CVE-2019-6477 BIND Vulnerability 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.5
838677-3 CVE-2019-10744 K47105354, BT838677 lodash library vulnerability CVE-2019-10744 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
837773-2 CVE-2020-5912 K12936322, BT837773 Restjavad Storage and Configuration Hardening 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
834257-3 CVE-2020-5931 K25400442, BT834257 TMM may crash when processing HTTP traffic 13.1.3.6, 14.1.2.5, 15.1.1
830401-3 CVE-2020-5877 K54200228, BT830401 TMM may crash while processing TCP traffic with iRules 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
819197-4 CVE-2019-13135 K20336394, BT819197 BIGIP: CVE-2019-13135 ImageMagick vulnerability 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
819189-3 CVE-2019-13136 K03512441, BT819189 BIGIP: CVE-2019-13136 ImageMagick vulnerability 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
814953-3 CVE-2020-5940 K43310520, BT814953 TMUI dashboard hardening 14.1.2.5, 15.1.1, 16.0.1
805837-2 CVE-2019-6657 K22441651, BT805837 REST does not follow current design best practices 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.5, 15.0.1.1
802261-2 CVE-2020-5875 K65372933, BT802261 TMM may crash while processing SSL traffic via an HTTP/2 full-proxy 14.1.2.5, 15.0.1.1
794561-1 CVE-2020-5874 K46901953, BT794561 TMM may crash while processing JWT/OpenID traffic. 13.1.4.1, 14.0.1.1, 14.1.2.5, 15.0.1.3
780601-2 CVE-2020-5873 K03585731, BT780601 SCP file transfer hardening 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.1.2.5, 15.0.1.1
769589-2 CVE-2019-6974 K11186236, BT769589 CVE-2019-6974: Linux Kernel Vulnerability 13.1.3.2, 14.1.2.5
767373-1 CVE-2019-8331 K24383845, BT767373 CVE-2019-8331: Bootstrap Vulnerability 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.4
762453-2 CVE-2020-5872 K63558580, BT762453 Hardware cryptography acceleration may fail 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.5
745377-1 CVE-2020-5871 K43450419, BT745377 TMM cores in certain scenarios with HTTP virtual server 14.1.2.5
739971 CVE-2018-5391 K74374841, BT739971 Linux kernel vulnerability: CVE-2018-5391 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.5
873469-1 CVE-2020-5889 K24415506, BT873469 APM Portal Access: Base URL may be set incorrectly 14.1.2.5, 15.0.1.3, 15.1.0.2
872673-3 CVE-2020-5918 K26464312, BT872673 TMM can crash when processing SCTP traffic 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
868349-3 CVE-2020-5935 K62830532, BT868349 TMM may crash while processing iRules with MQTT commands 13.1.3.4, 14.1.2.5, 15.1.1
864109-3 CVE-2020-5889 K24415506, BT864109 APM Portal Access: Base URL may be set incorrectly 14.1.2.5, 15.0.1.3, 15.1.0.2
859089-5 CVE-2020-5907 K00091341, BT859089 TMSH allows SFTP utility access 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4
858349-1 CVE-2020-5934 K44808538, BT858349 TMM may crash while processing SAML SLO traffic 14.1.2.5, 15.1.1
858025-3 CVE-2021-22984 K33440533, BT858025 BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
848405-4 CVE-2020-5933 K26244025, BT848405 TMM may consume excessive resources while processing compressed HTTP traffic 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.1
838881-3 CVE-2020-5853 K73183618, BT838881 APM Portal Access Vulnerability: CVE-2020-5853 11.6.5.2, 12.1.5.2, 14.1.2.5, 15.0.1.3, 15.1.0.2
837837-3 CVE-2020-5917 K43404629, BT837837 F5 SSH server key size vulnerability CVE-2020-5917 12.1.5.2, 14.1.2.5, 15.0.1.4, 15.1.0.5
832021-1 CVE-2020-5888 K73274382, BT832021 Port lockdown settings may not be enforced as configured 14.1.2.5, 15.0.1.3, 15.1.0.2
832017-1 CVE-2020-5887 K10251014, BT832017 Port lockdown settings may not be enforced as configured 14.1.2.5, 15.0.1.3, 15.1.0.2
829121-3 CVE-2020-5886 K65720640, BT829121 State mirroring default does not require TLS 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2
829117-3 CVE-2020-5885 K17663061, BT829117 State mirroring default does not require TLS 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2
811789-2 CVE-2020-5915 K57214921, BT811789 Device trust UI hardening 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
810537-2 CVE-2020-5883 K12234501, BT810537 TMM may consume excessive resources while processing iRules 13.1.3.2, 14.0.1.1, 14.1.2.5, 15.0.1.1
805557-2 CVE-2020-5882 K43815022, BT805557 TMM may crash while processing crypto data 12.1.5.1, 14.1.2.5
789921-2 CVE-2020-5881 K03386032, BT789921 TMM may restart while processing VLAN traffic 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
775833-2 CVE-2020-5880 K94325657, BT775833 Administrative file transfer may lead to excessive resource consumption 14.1.2.5, 15.0.1.4
887637-1 CVE-2019-3815 K22040951, BT887637 Systemd-journald Vulnerability: CVE-2019-3815 14.1.2.5, 15.0.1.4, 15.1.1
868097-1 CVE-2020-5891 K58494243, BT868097 TMM may crash while processing HTTP/2 traffic 14.1.2.5, 15.0.1.3, 15.1.0.2
823893-2 CVE-2020-5890 K03318649, BT823893 Qkview may fail to completely sanitize LDAP bind credentials 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
748122-1 CVE-2018-15333 K53620021, BT748122 BIG-IP Vulnerability CVE-2018-15333 14.1.2.5, 15.0.1.4, 15.1.0.5
746091-1 CVE-2019-19151 K21711352, BT746091 TMSH Vulnerability: CVE-2019-19151 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
760723-2 CVE-2015-4037 K64765350, BT760723 Qemu Vulnerability 12.1.5.2, 14.1.2.5, 15.0.1.4


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
870389-1 3-Major BT870389 Increase size of /var logical volume to 1.5 GiB for LTM-only VE images 14.1.2.5, 15.1.0.2
858229-3 3-Major K22493037, BT858229 XML with sensitive data gets to the ICAP server 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
738330-3 3-Major BT738330 /mgmt/toc endpoint issue after configuring remote authentication 13.1.3.5, 14.1.2.5, 15.0.1.4


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
819009-3 2-Critical BT819009 Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in high availability (HA) config with Floating Self IP configured for PIM protocol. 14.1.2.5
792285-2 2-Critical BT792285 TMM crashes if the queuing message to all HSL pool members fails 13.1.3.4, 14.1.2.5
777993-2 2-Critical BT777993 Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same 14.1.2.5
775897-1 2-Critical BT775897 High Availability failover restarts tmipsecd when tmm connections are closed 13.1.5, 14.1.2.5
769169-3 2-Critical BT769169 BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring 13.1.3.6, 14.0.0.5, 14.1.2.5
767689-1 2-Critical BT767689 F5optics_install using different versions of RPM 14.1.2.5
749388-3 2-Critical BT749388 'table delete' iRule command can cause TMM to crash 12.1.5.2, 13.1.3.2, 14.1.2.5
748205-3 2-Critical BT748205 SSD bay identification incorrect for RAID drive replacement 12.1.5, 13.1.3, 14.1.2.5
699515-2 2-Critical   nsm cores during update of nexthop for ECMP recursive route 13.1.1.5, 14.1.2.5
882557-4 3-Major BT882557 TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher) 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4
873877 3-Major BT873877 Kernel page allocation failure seen on VIPRION blades 14.1.2.5
866925-3 3-Major BT866925 The TMM pages used and available can be viewed in the F5 system stats MIB 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
852001-3 3-Major BT852001 High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously 14.1.2.5, 15.0.1.3, 15.1.0.2
849405-1 3-Major BT849405 LTM v14.1.2.1 does not log after upgrade 14.1.2.5, 15.1.0.5
842125-4 3-Major BT842125 Unable to reconnect outgoing SCTP connections that have previously aborted 13.1.3.4, 14.1.2.5, 15.1.0.5
812981-4 3-Major BT812981 MCPD: memory leak on standby BIG-IP device 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
810957-2 3-Major BT810957 Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core 12.1.5.3, 14.1.2.5, 15.0.1.4
802281-1 3-Major BT802281 Gossip shows active even when devices are missing 13.1.3.5, 14.1.2.5, 15.1.0.2
800185-4 3-Major BT800185 Saving a large encrypted UCS archive may fail and might trigger failover 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4
795685-2 3-Major BT795685 Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer 14.1.2.5
772117-3 3-Major BT772117 Overwriting FIPS keys from the high availability (HA) peer with older config leads to abandoned key on FIPS card 14.1.2.5
762073-2 3-Major BT762073 Continuous TMM restarts when HSB drops off the PCI bus 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4
759735-2 3-Major BT759735 OSPF ASE route calculation for new external-LSA delayed 13.1.3.2, 14.1.2.5
759172-1 3-Major BT759172 Read Access Denied: user (gu, guest) type (Certificate Order Manager) 14.1.2.5
758387-2 3-Major BT758387 BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it 14.0.0.5, 14.1.2.5, 15.0.1.3
751573-1 3-Major BT751573 Updates to HSL pool members may not take effect 14.1.2.5
749785-2 3-Major BT749785 nsm can become unresponsive when processing recursive routes 12.1.5.3, 13.1.3, 14.1.2.5
749690-1 3-Major BT749690 MOS_Image2Disk_Installation- kjournald service error 14.1.2.5
746861-1 3-Major BT746861 SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated 14.1.2.5, 15.1.4
641450-7 3-Major K30053855, BT641450 A transaction that deletes and recreates a virtual may result in an invalid configuration 12.1.5.1, 13.1.3.4, 14.1.2.5
755317-1 4-Minor BT755317 /var/log logical volume may run out of space due to agetty error message in /var/log/secure 14.1.2.5, 15.1.0.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
715032-2 1-Blocking K73302459, BT715032 iRulesLX Hardening 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
860881-1 2-Critical BT860881 TMM can crash when handling a compressed response from HTTP server 14.1.2.5, 15.0.1.3, 15.1.0.2
853329-4 2-Critical BT853329 HTTP explicit proxy can crash TMM when used with classification profile 11.6.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3
839401-3 2-Critical BT839401 Moving a virtual-address from one floating traffic-group to another does not send GARPs out. 14.1.2.5, 15.0.1.4, 15.1.0.2
831325-2 2-Critical K10701310, BT831325 HTTP PSM detects more issues with Transfer-Encoding headers 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.1
799649-2 2-Critical BT799649 TMM crash 14.1.2.5
757391-2 2-Critical BT757391 Datagroup iRule command class can lead to memory corruption 12.1.5, 13.1.3, 14.1.2.5
755134-1 2-Critical BT755134 HTTP/2 connections may leak memory if server-side connection not established 14.1.2.5
868889 3-Major BT868889 BIG-IP may reset a stream with an empty DATA frame as END_STREAM 14.1.2.5
853613-2 3-Major BT853613 Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp 14.1.2.5, 15.0.1.3, 15.1.0.2
851789-3 3-Major BT851789 SSL monitors flap with client certs with private key stored in FIPS 12.1.5.3, 14.1.2.5, 15.1.1
847325-1 3-Major BT847325 Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior. 14.1.2.5, 15.0.1.3, 15.1.0.2
843105-1 3-Major BT843105 Adding multicast stats for multicast bridging over L2 wire transparent VLAN-group (LACP STP LLDP) 14.1.2.5
809729-2 3-Major BT809729 When HTTP/2 stream is reset by a client, BIG-IP may not respond properly 14.1.2.5, 15.0.1.1
795261-2 3-Major BT795261 LTM policy does not properly evaluate condition when an operand is missing 14.1.2.5, 15.0.1.1
788741-2 3-Major BT788741 TMM cores in the MQTT proxy under rare conditions 14.1.2.5
777269-1 3-Major BT777269 Gratuitous ARP may be sent for self IPs from incorrect MAC address at startup 14.1.2.5
770477-2 3-Major BT770477 SSL aborted when client_hello includes both renegotiation info extension and SCSV 12.1.5.3, 13.1.3.2, 14.1.2.5
761030-2 3-Major BT761030 tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route 13.1.3.2, 14.1.2.5
758631-4 3-Major BT758631 ec_point_formats extension might be included in the server hello even if not specified in the client hello 12.1.5, 13.1.3.5, 14.0.1.1, 14.1.2.5
757827-1 3-Major BT757827 Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution 13.1.3.2, 14.1.2.5, 15.0.1.3
755997-2 3-Major BT755997 Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address 12.1.5.3, 14.1.2.5
755727-2 3-Major BT755727 Ephemeral pool members not created after DNS flap and address record changes 12.1.5.2, 13.1.3.2, 14.1.2.5, 15.0.1.3
755213-1 3-Major BT755213 TMM cores in certain scenarios with HTTP/2 virtual server 14.1.2.5
751052-1 3-Major BT751052 HTTP iRule event HTTP_REJECT broken 14.1.2.5
746078-1 3-Major BT746078 Upgrades break existing iRulesLX workspaces that use node version 6 14.1.2.5
745923-2 3-Major BT745923 Connection flow collision can cause packets to be sent with source and/or destination port 0 13.1.3.5, 14.1.2.5, 15.0.1.4
743257-3 3-Major BT743257 Fix block size insecurity init and assign 13.1.3.2, 14.0.0.5, 14.1.2.5
705112-4 3-Major BT705112 DHCP server flows are not re-established after expiration 11.5.9, 12.1.4.1, 13.1.3, 14.1.2.5, 15.1.0.2
636842-2 3-Major K51472519, BT636842 A FastL4 virtual server may drop a FIN packet when mirroring is enabled 12.1.5.1, 13.1.3.2, 14.1.2.5
601189-4 3-Major BT601189 The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode 12.1.5.1, 13.1.3.2, 14.1.2.5
599567-4 3-Major BT599567 APM assumes SNAT automap, does not use SNAT pool 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.2.5
859113-3 4-Minor BT859113 Using "reject" iRules command inside "after" may cause core 14.1.2.5, 15.1.0.2
852373-2 4-Minor BT852373 HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error 14.1.2.5, 15.0.1.4, 15.1.1
839245-1 4-Minor BT839245 IPother profile with SNAT sets egress TTL to 255 14.1.2.5, 15.1.0.2
830833-2 4-Minor BT830833 HTTP PSM blocking resets should have better log messages 13.1.4.1, 14.1.2.5, 15.0.1.1
760683-1 4-Minor BT760683 RST from non-floating self-ip may use floating self-ip source mac-address 13.1.3.2, 14.1.2.5
757777-3 4-Minor BT757777 bigtcp does not issue a RST in all circumstances 13.1.5, 14.1.2.5
746077-4 4-Minor BT746077 If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified 12.1.5.3, 13.1.1.5, 14.1.2.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
807177-2 2-Critical BT807177 HTTPS monitoring is not caching SSL sessions correctly 13.1.3.4, 14.1.2.5
704198-4 2-Critical K29403988, BT704198 Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance 12.1.5.2, 13.1.3.4, 14.1.2.5
802961-2 3-Major BT802961 The 'any-available' prober selection is not as random as in earlier versions 13.1.3.4, 14.1.2.5
772233-4 3-Major BT772233 IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV. 13.1.3.2, 14.1.2.5, 15.0.1.3
754901-1 3-Major BT754901 Frequent zone update notifications may cause TMM to restart 13.1.3, 14.1.2.5
750213-4 3-Major K25351434, BT750213 DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records. 12.1.5, 13.1.3, 14.1.2.5
744280-2 4-Minor BT744280 Enabling or disabling a Distributed Application results in a small memory leak 13.1.3.4, 14.0.0.5, 14.1.2.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
852437-1 2-Critical K25037027, BT852437 Overly aggressive file cleanup causes failed ASU installation 14.1.2.5, 15.1.0.2
882377-1 3-Major BT882377 ASM Application Security Editor Role User can update/install ASU 14.1.2.5, 15.1.4.1
871905-1 3-Major K02705117, BT871905 Incorrect masking of parameters in event log 13.1.5, 14.1.2.5, 15.0.1.4, 15.1.0.5
854177-3 3-Major BT854177 ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.1.0.5
850673-3 3-Major BT850673 BD sends bad ACKs to the bd_agent for configuration 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
681010-3 3-Major K33572148, BT681010 'Referer' is not masked when 'Query String' contains sensitive parameter 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
838709-1 2-Critical BT838709 Enabling DoS stats also enables page-load-time 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
828937-3 2-Critical K45725467, BT828937 Some systems can experience periodic high IO wait due to AVR data aggregation 13.1.3.4, 14.1.2.5, 15.1.0.5
870957-1 3-Major   "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
863161-3 3-Major BT863161 Scheduled reports are sent via TLS even if configured as non encrypted 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
835381-1 3-Major BT835381 HTTP custom analytics profile 'not found' when default profile is modified 14.1.2.5, 15.0.1.3, 15.1.0.2
830073-3 3-Major BT830073 AVRD may core when restarting due to data collection device connection timeout 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
817649-2 3-Major BT817649 AVR statistics for NAT cannot be shown on multi-bladed machine 14.1.2.5, 15.0.1.3
865053-1 4-Minor BT865053 AVRD core due to a try to load vip lookup when AVRD is down 14.1.2.5, 15.0.1.3, 15.1.0.2
863069-3 4-Minor BT863069 Avrmail timeout is too small 14.1.2.5, 15.0.1.3, 15.1.0.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
879401-3 2-Critical K90423190, BT879401 Memory corruption during APM SAML SSO 14.1.2.5, 15.1.3
871761-4 2-Critical BT871761 Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
788593-2 2-Critical K43404365, BT788593 APM logs may contain additional data 14.1.2.5, 15.0.1.3
884797-2 3-Major BT884797 Portal Access: in some cases data is not delivered via WebSocket connection 14.1.2.5, 15.1.0.5
866685-3 3-Major BT866685 Empty HSTS headers when HSTS mode for HTTP profile is disabled 14.1.2.5, 15.0.1.3, 15.1.0.2
866161-3 3-Major BT866161 Client port reuse causes RST when the security service attempts server connection reuse. 14.1.2.5, 15.0.1.3, 15.1.0.2
852313-2 3-Major BT852313 VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured 14.1.2.5, 15.0.1.3, 15.1.0.2
832569-2 3-Major BT832569 APM end-user connection reset 14.1.2.5, 15.0.1.3, 15.1.0.2
831781-5 3-Major BT831781 AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode 14.1.2.5, 15.0.1.3, 15.1.0.2
798261-2 3-Major BT798261 APMD fails to create session variables if spanning is enabled on SWG transparent virtual server 13.1.3.2, 14.1.2.5, 15.0.1.3
771905-2 3-Major BT771905 JWT token rejected due to unknown JOSE header parameters 14.1.2.5
768025-4 3-Major BT768025 SAML requests/responses fail with "failed to find certificate" 13.1.3.2, 14.1.2.5, 15.0.1.3
749036-2 3-Major BT749036 Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM 14.1.2.5
747725-3 3-Major BT747725 Kerberos Auth agent may override settings that were manually made to krb5.conf 12.1.4.1, 13.1.3, 14.1.2.5
747624-2 3-Major BT747624 RADIUS Authentication over RSA SecureID is not working in challenge mode 14.1.2.5


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
811105-1 2-Critical BT811105 MRF SIP-ALG drops SIP 183 and 200 OK messages 13.1.3.4, 14.1.2.5, 15.0.1.4
781725-2 2-Critical BT781725 BIG-IP systems might not complete a short ICAP request with a body beyond the preview 14.1.2.5
882273 3-Major BT882273 MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage growth 13.1.3.4, 14.1.2.5
876077-3 3-Major BT876077 MRF DIAMETER: stale pending retransmission entries may not be cleaned up 14.1.2.5, 15.0.1.4, 15.1.0.5
868381-3 3-Major BT868381 MRF DIAMETER: Retransmission queue unable to delete stale entries 14.1.2.5, 15.0.1.4, 15.1.0.5
866021-3 3-Major BT866021 Diameter Mirror connection lost on the standby due to "process ingress error" 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
853545-3 3-Major BT853545 MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event 14.1.2.5, 15.1.0.2
824149-3 3-Major BT824149 SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
815877-1 3-Major BT815877 Information Elements with zero-length value are rejected by the GTP parser 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.0.1.4, 15.1.0.5
811033-2 3-Major BT811033 MRF: BiDirectional persistence does not work in reverse direction if different transport protocols are used 13.1.3.4, 14.1.2.5
788093 3-Major BT788093 MRF iRule command MR::restore with no argument causes tmm to crash 14.1.2.5
859721-3 4-Minor BT859721 Using GENERICMESSAGE create together with reject inside periodic after may cause core 14.1.2.5, 15.1.0.2
836357-3 4-Minor BT836357 SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
788005-2 4-Minor BT788005 Bypass MRF SIP LB restriction of conversion from reliable transport (TCP) to unreliable transport (UDP) 14.1.2.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
778869-3 2-Critical K72423000, BT778869 ACLs and other AFM features (e.g., IPI) may not function as designed 13.1.3.2, 14.0.1.1, 14.1.2.5
751292-1 2-Critical BT751292 mcpd core after changing parent netflow to use version9 14.1.2.5
852289-2 3-Major K23278332, BT852289 DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector 13.1.3.4, 14.1.2.5, 15.1.1
771173-3 3-Major BT771173 FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly. 13.1.3, 14.1.2.5, 15.0.1.3


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
857725 3-Major BT857725 Anti-Fraud/DataSafe Logging Settings page not found 14.1.2.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
761199-1 2-Critical BT761199 Wr_urldbd might crash while system is in a restarting loop. 14.1.2.5
816529-2 3-Major BT816529 If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart. 12.1.5.2, 14.1.2.5


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
839597-4 3-Major BT839597 Restjavad fails to start if provision.extramb has a large value 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
815649-1 3-Major BT815649 Named.config entry getting overwritten on SSL Orchestrator deployment 14.1.2.5, 15.0.1.3


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
852557-1 2-Critical BT852557 Tmm core while using service chaining for SSL Orchestrator 14.1.2.5, 15.0.1.3, 15.1.0.2
759191-1 2-Critical BT759191 While using explicit or transparent http type service on SSL Orchestrator, TMM cores. 14.1.2.5
864329-1 3-Major BT864329 Client port reuse causes RST when the backend server-side connection is open 14.1.2.5, 15.0.1.3, 15.1.0.2
852481-1 3-Major BT852481 Failure to check virtual-server context when closing server-side connection 14.1.2.5, 15.0.1.3, 15.1.0.2
852477-1 3-Major BT852477 Tmm core when SSL Orchestrator is enabled 14.1.2.5, 15.0.1.3, 15.1.0.2
886713-3 4-Minor BT886713 Error log seen in case of SSL Orchestrator configured with http service during connection close. 14.1.2.5, 15.1.0.5



Cumulative fixes from BIG-IP v14.1.2.4 that are included in this release


Functional Change Fixes

None


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
867413-2 2-Critical BT867413 The allow-only-in-enterprise LAN feature on Mac OS not working after reboot 14.1.2.4



Cumulative fixes from BIG-IP v14.1.2.3 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
849761-1 CVE-2019-6675 K55655944, BT849761 CVE-2019-6675: LDAP vulnerability 14.1.2.3, 15.1.0
846365-3 CVE-2020-5878 K35750231, BT846365 TMM may crash while processing IP traffic 14.1.2.3, 15.0.1.2, 15.1.0.2
818709-2 CVE-2020-5858 K36814487, BT818709 TMSH does not follow current best practices 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.4
818429-4 CVE-2020-5857 K70275209, BT818429 TMM may crash while processing HTTP traffic 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1
808301-2 CVE-2019-6678 K04897373, BT808301 TMM may crash while processing IP traffic 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1
757357-3 CVE-2019-6676 K92002212, BT757357 TMM may crash while processing traffic 13.1.3.2, 14.1.2.3, 15.0.1.1
782529-2 CVE-2019-6685 K30215839, BT782529 iRules does not follow current design best practices 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.3
761144-4 CVE-2019-6684 K95117754, BT761144 Broadcast frames may be dropped 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.3
761112-3 CVE-2019-6683 K76328112, BT761112 TMM may consume excessive resources when processing FastL4 traffic 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.0.1.1, 14.1.2.3, 15.0.1.4
725551-2 CVE-2019-6682 K40452417, BT725551 ASM may consume excessive resources 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.4
846157-3 CVE-2020-5862 K01054113, BT846157 TMM may crash while processing traffic on AWS 14.1.2.3, 15.0.1.2, 15.1.0.2
817917-1 CVE-2020-5856 K00025388, BT817917 TMM may crash when sending TCP packets 14.1.2.3, 15.0.1.2
789893-2 CVE-2019-6679 K54336216, BT789893 SCP file transfer hardening 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1
749324-1 CVE-2012-6708 K62532311, BT749324 jQuery Vulnerability: CVE-2012-6708 12.1.5.2, 13.1.3.2, 14.1.2.3
738236-7 CVE-2019-6688 K25607522, BT738236 UCS does not follow current best practices 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.3


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
819397-1 1-Blocking K50375550, BT819397 TMM does not enforce RFC compliance when processing HTTP traffic 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.1
769193-5 3-Major BT769193 Added support for faster congestion window increase in slow-start for stretch ACKs 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.3
760234-1 4-Minor BT760234 Configuring Advanced shell for Resource Administrator User has no effect 12.1.5.3, 14.1.2.3, 15.0.1.4


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
806093-1 2-Critical BT806093 Unwanted LDAP referrals slow or prevent administrative login 14.1.2.3, 15.0.1.1
789169-2 2-Critical BT789169 Unable to create virtual servers with port-lists from the GUI 14.1.2.3, 15.0.1.4
780817-5 2-Critical BT780817 TMM can crash on certain vCMP hosts after modifications to VLANs and guests. 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1
762385 2-Critical BT762385 Wrong remote-role assigned using LDAP authentication after upgrade to 14.1.x and later 14.1.2.3
762205-2 2-Critical BT762205 IKEv2 rekey fails to recognize VENDOR_ID payload when it appears 13.1.3.4, 14.1.2.3, 15.0.1.4
809205 3-Major   CVE-2019-3855: libssh2 Vulnerability 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1, 15.1.3, 16.0.1.2
794501-2 3-Major BT794501 Duplicate if_indexes and OIDs between interfaces and tunnels 12.1.5.3, 13.1.3.2, 14.1.2.3, 15.0.1.1
785741-1 3-Major K19131357, BT785741 Unable to login using LDAP with 'user-template' configuration 14.1.2.3, 15.0.1.4, 15.1.0.5
778125-1 3-Major BT778125 LDAP remote authentication passwords are limited to fewer than 64 bytes 14.1.2.3, 15.0.1.4
760439-4 3-Major BT760439 After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1
760259-3 3-Major BT760259 Qkview silently fails to capture qkviews from other blades 14.1.2.3
759654-1 3-Major BT759654 LDAP remote authentication with remote roles and user-template failing 14.1.2.3, 15.0.1.4
759499-2 3-Major BT759499 Upgrade from version 12.1.x to version 13.1.x and later failing with error 14.1.2.3, 15.0.1.1
758781-3 3-Major BT758781 iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates 13.1.3.2, 14.1.2.3, 15.0.1.1
758527-2 3-Major K39604784, BT758527 BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.0.5, 14.1.2.3, 15.0.1.3
757519-1 3-Major K92525101, BT757519 Unable to logon using LDAP authentication with a user-template 14.1.2.3, 15.0.1.4
756450-1 3-Major BT756450 Traffic using route entry that's more specific than existing blackhole route can cause core 11.6.5.1, 12.1.5, 13.1.3, 14.1.2.3
754691-1 3-Major BT754691 During failover, an OSPF routing daemon may crash. 14.1.2.3, 15.0.1.4
750318-3 3-Major BT750318 HTTPS monitor does not appear to be using cert from server-ssl profile 13.1.1.5, 14.1.2.3
746266-3 3-Major BT746266 A vCMP guest VLAN MAC mismatch across blades. 12.1.5, 13.1.3, 14.1.2.3
738943-3 3-Major BT738943 imish command hangs when ospfd is enabled 12.1.5.3, 13.1.3.4, 14.1.2.3, 15.0.1.1
705037-7 3-Major K32332000, BT705037 System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart 12.1.4, 13.1.3, 14.0.1.1, 14.1.2.3


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
816273-2 1-Blocking BT816273 L7 Policies may execute CONTAINS operands incorrectly. 13.1.3.4, 14.1.2.3, 15.0.1.1
826601-5 2-Critical BT826601 Prevent receive window shrinkage for looped flows that use a SYN cookie 11.6.5.2, 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.3
817417-1 2-Critical BT817417 Blade software installation stalled at Waiting for product image 14.1.2.3, 15.0.1.4
816625-1 2-Critical BT816625 The TMM may crash in a rare scenario involving HTTP unchunking, and plugins. 14.1.2.3, 15.0.1.1
800369-2 2-Critical BT800369 The fix for ID 770797 may cause a TMM crash 14.1.2.3, 15.0.1.1
800305-2 2-Critical BT800305 VDI::cmp_redirect generates flow with random client port 13.1.3.2, 14.1.2.3, 15.0.1.1
791057-1 2-Critical BT791057 MCP may crash when traffic matching criteria is updated 14.1.2.3, 15.0.1.3
770797-1 2-Critical BT770797 HTTP2 streams may get stuck in rare situations 14.1.2.3
836661 3-Major BT836661 Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet. 14.1.2.3, 15.1.0.2
834373-3 3-Major BT834373 Possible handshake failure with TLS 1.3 early data 14.1.2.3, 15.0.1.1
830797-2 3-Major BT830797 Standby high availability (HA) device passes traffic through virtual wire 14.1.2.3, 15.0.1.1, 15.1.1
815449-2 3-Major BT815449 BIG-IP closes connection when an unsized response is served to a HEAD request 14.1.2.3, 15.0.1.1
814761-2 3-Major BT814761 PostgreSQL monitor fails on second ping with count != 1 12.1.5.3, 13.1.3.6, 14.1.2.3, 15.0.1.3
797977-1 3-Major BT797977 Self-IP traffic does not preserve the TTL from the Linux host 14.1.2.3, 15.0.1.4
789365-1 3-Major BT789365 pkcs11d CPU usage increases after running nethsm self validation test 14.1.2.3
772545-3 3-Major BT772545 Tmm core in SSLO environment 13.1.3.6, 14.1.2.3, 15.0.1.1
765517-1 3-Major BT765517 Traffic Match Criteria validation fails when create Virtual server with address list with overlapping address space but a different ingress VLAN 14.1.2.3, 15.0.1.4
761185-2 3-Major K50375550, BT761185 Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic 12.1.5.1, 13.1.3.4, 14.1.2.3, 15.0.1.1
760771-1 3-Major BT760771 FastL4-steered traffic might cause SSL resume handshake delay 13.1.3, 14.1.2.3
758992-2 3-Major BT758992 The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address 13.1.3.2, 14.1.2.3, 15.0.1.3
758872-3 3-Major BT758872 TMM memory leak 12.1.5, 13.1.3.4, 14.1.2.3
758655-1 3-Major BT758655 TMC does not allow inline addresses with non-zero Route-domain. 14.1.2.3
753514-3 3-Major BT753514 Large configurations containing LTM Policies load slowly 13.1.3, 14.0.1.1, 14.1.2.3
749689-2 3-Major BT749689 HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart 13.1.1.5, 14.1.2.3
726176-2 3-Major BT726176 Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve 13.1.3.2, 14.1.2.3, 15.0.1.1
712919-2 3-Major K54802336, BT712919 Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server. 13.1.3, 14.0.1.1, 14.1.2.3
687887-3 3-Major BT687887 Unexpected result from multiple changes to a monitor-related object in a single transaction 12.1.5.3, 13.1.3.2, 14.1.2.3
824365-3 4-Minor BT824365 Need informative messages for HTTP iRule runtime validation errors 13.1.3.6, 14.1.2.3, 15.0.1.1, 15.1.0.2
806085-2 4-Minor BT806085 In-TMM MQTT monitor is not working as expected 14.1.2.3, 15.0.1.1
791337-1 4-Minor BT791337 Traffic matching criteria fails when using shared port-list with virtual servers 14.1.2.3
769309-2 4-Minor BT769309 DB monitor reconnects to server on every probe when count = 0 12.1.5.3, 13.1.3.2, 14.1.2.3, 15.0.1.1
754003-3 4-Minor K73202036, BT754003 Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate 13.1.3.2, 14.1.2.3, 15.0.1.3
747628-1 4-Minor BT747628 BIG-IP sends spurious ICMP PMTU message to server 13.1.3.2, 14.1.2.3, 15.0.1.1
744210-2 4-Minor BT744210 DHCPv6 does not have the ability to override the hop limit from the client. 13.1.3.2, 14.1.2.3


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
776133-1 2-Critical BT776133 RSS hash is not used on VE resulting in performance impact on non-SR-IOV devices 14.1.2.3


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
761032-2 3-Major K36328238, BT761032 TMSH displays TSIG keys 13.1.3.2, 14.0.1.1, 14.1.2.3
760471-3 3-Major BT760471 GTM iQuery connections may be reset during SSL key renegotiation. 12.1.5.2, 13.1.3.5, 14.1.2.3, 15.0.1.4, 15.1.0.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
813945-3 2-Critical BT813945 PB core dump while processing many entities 13.1.3.2, 14.1.2.3
813389-1 2-Critical BT813389 TMM Crashes upon failure in Bot Defense Client-Side code 14.1.2.3
791669 2-Critical BT791669 TMM might crash when Bot Defense is configured for multiple domains 14.1.2.3, 15.1.4, 16.0.1.2
790349-2 2-Critical BT790349 merged crash with a core file 14.1.2.3
756108-1 2-Critical BT756108 BD crash on specific cases 14.1.2.3
754109-1 2-Critical BT754109 ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive 13.1.3.4, 14.1.2.3
832857 3-Major BT832857 Support ID on AJAX CAPTCHA popup (SPA) does not match the Support ID in log 14.1.2.3
832205 3-Major BT832205 ASU cannot be completed after Signature Systems database corruption following binary Policy import 12.1.5.1, 14.1.2.3
831661-2 3-Major BT831661 ASMConfig Handler undergoes frequent restarts 12.1.5.1, 14.1.2.3
824101-1 3-Major BT824101 Request Log export file is not visible for requests including binary data 14.1.2.3
824037-2 3-Major BT824037 Bot Defense whitelists do not apply for IP 'Any' when using route domains 14.1.2.3
812341-2 3-Major BT812341 Patch or Delete commands take a long time to complete when modifying an ASM signature set. 13.1.3.2, 14.1.2.3
805353-1 3-Major BT805353 ASM reporting for WebSocket frames has empty username field 14.1.2.3
800453-3 3-Major K72252057, BT800453 False positive virus violations 13.1.3.2, 14.1.2.3, 15.0.1.3
793017-1 3-Major BT793017 Files left behind by failed Attack Signature updates are not cleaned 14.1.2.3, 15.1.0.2
786913-2 3-Major BT786913 Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7 14.1.2.3
783513-2 3-Major BT783513 ASU is very slow on device with hundreds of policies due to logging profile handling 13.1.3.2, 14.1.2.3
781021-2 3-Major BT781021 ASM modifies cookie header causing it to be non-compliant with RFC6265 14.1.2.3
778681-2 3-Major BT778681 Factory-included Bot Signature update file cannot be installed without subscription 14.1.2.3, 15.0.1.1
754841-1 3-Major BT754841 Policy updates stall and never complete 14.1.2.3
754425-1 3-Major BT754425 Exported requests cannot be opened in Internet Explorer or Edge browser 14.1.2.3
739618-2 3-Major BT739618 When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy 13.1.3.2, 14.1.2.3, 15.1.0.2
734228 3-Major BT734228 False-positive illegal-length violation can appear 13.1.1.4, 14.0.1.1, 14.1.2.3
795769-3 4-Minor BT795769 Incorrect value of Systems in system-supplied signature sets 14.1.2.3, 15.0.1.1
789817-1 4-Minor BT789817 In rare conditions info fly-out not shown 14.1.2.3, 15.0.1.4
760462-1 4-Minor BT760462 Live update notification is shown only for provisioned/licensed modules 14.1.2.3
758459-1 4-Minor BT758459 Cross origin AJAX requests are blocked Cross-Origin Resource Sharing (CORS) protection 14.1.2.3
620301-1 4-Minor BT620301 Policy import fails due to missing signature System in associated Signature Set 12.1.5.1, 14.1.2.3


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
781581-3 3-Major BT781581 Monpd uses excessive memory on requests for network_log data 13.1.3.2, 14.1.2.3, 15.0.1.3


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
757782-1 2-Critical BT757782 OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default 14.0.1.1, 14.1.2.3
825805-1 3-Major BT825805 NTLM Auth may fail due to incorrect handling of EPM response 14.1.2.3, 15.0.1.3
766577-2 3-Major BT766577 APMD fails to send response to client and it already closed connection. 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.3, 15.0.1.1
756363-1 3-Major BT756363 SSLO or SWG connections using proxy chaining to Explicit Proxy can get reset 14.1.2.3
741222-2 3-Major BT741222 Install epsec1.0.0 into software partition. 14.1.2.3, 15.0.1.3
643935-4 3-Major BT643935 Rewriting may cause an infinite loop while processing some objects 13.1.3.2, 14.0.1.1, 14.1.2.3


WebAccelerator Fixes

ID Number Severity Links to More Info Description Fixed Versions
833213-3 3-Major BT833213 Conditional requests are served incorrectly with AAM policy in webacceleration profile 13.1.3.4, 14.1.2.3, 15.0.1.3, 15.1.3


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
802865-1 3-Major BT802865 The iControl REST query request returning empty list for DoS Protected Objects 14.1.2.3
761345-3 3-Major BT761345 Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode 13.1.3.2, 14.1.2.3
738284-2 3-Major BT738284 Creating or deleting rule list results in warning message: Schema object encode failed 13.1.3.2, 14.1.2.3, 15.0.1.1


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
821133-2 3-Major BT821133 Wrong wildcard URL matching when none of the configured URLS include QS 14.0.1.1, 14.1.2.3, 15.0.1.1


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
748813-3 2-Critical BT748813 tmm cores under stress test on virtual server with DoS profile with admd enabled 13.1.1.4, 14.0.0.5, 14.1.2.3
767045-2 3-Major BT767045 TMM cores while applying policy 13.1.3.2, 14.1.2.3


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
787845 4-Minor BT787845 Tmsh command 'show running-config' fails when Protocol Inspection is not licensed. 14.1.2.3


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
777241-2 3-Major BT777241 smtps partial_conncount issues and unexpected resets 14.1.2.3



Cumulative fixes from BIG-IP v14.1.2.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
741163-3 CVE-2018-3693 K54252492, BT741163 RHEL7: Kernel CVE-2018-3693 14.1.2.2
740755-6 CVE-2018-3620 K95275140, BT740755 Kernel vulnerability: CVE-2018-3620 14.1.2.2
721319-1 CVE-2018-3639 K29146534, BT721319 CVE-2018-3639 14.1.2.2


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
815689-3 3-Major BT815689 Azure walinuxagent has been updated to v2.2.42. 14.1.2.2
760574 3-Major BT760574 Updating BIG-IP 14.1.x Linux kernel to RHEL7.5 14.1.2.2
760468 3-Major BT760468 Route domains cause diskmonitor errors in logs 14.1.2.2



Cumulative fixes from BIG-IP v14.1.2.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
795437-4 CVE-2019-6677 K06747393, BT795437 Improve handling of TCP traffic for iRules 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
795197-1 CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 K26618426, BT795197 Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
781377-2 CVE-2019-6681 K93417064, BT781377 tmrouted may crash while processing Multicast Forwarding Cache messages 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4
778077-3 CVE-2019-6680 K53183580, BT778077 Virtual to virtual chain can cause TMM to crash 11.6.5.1, 12.1.5.1, 13.1.3.4, 14.0.1.1, 14.1.2.1, 15.0.1.1
771873-5 CVE-2019-6642 K40378764, BT771873 TMSH Hardening 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
767653-1 CVE-2019-6660 K23860356, BT767653 Malformed HTTP request can result in endless loop in an iRule script 13.1.3, 14.0.1.1, 14.1.2.1
636400-3 CVE-2019-6665 K26462555, BT636400 CPB (BIG-IP->BIGIQ log node) Hardening 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1, 15.1.0.2
810657-2 CVE-2019-6674 K21135478, BT810657 Tmm core while using service chaining for SSLO 14.1.2.1, 15.0.1.1
809165-2 CVE-2020-5854 K50046200, BT809165 TMM may crash while processing connector traffic 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4
808525-2 CVE-2019-6686 K55812535, BT808525 TMM may crash while processing Diameter traffic 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.4
795797-2 CVE-2019-6658 K21121741, BT795797 AFM WebUI Hardening 12.1.5.1, 13.1.3.2, 14.1.2.1, 15.0.1.1
788773-2 CVE-2019-9515 K50233772, BT788773 HTTP/2 Vulnerability: CVE-2019-9515 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
788769-2 CVE-2019-9514 K01988340, BT788769 HTTP/2 Vulnerability: CVE-2019-9514 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
788033 CVE-2020-5851 K91171450, BT788033 tpm-status may return "Invalid" after engineering hotfix installation 14.0.1.1, 14.1.2.1, 15.0.1.1
781449-2 CVE-2019-6672 K14703097, BT781449 Increase efficiency of sPVA DoS protection on wildcard virtual servers 13.1.3.2, 14.1.2.1, 15.0.1.1
777737-3 CVE-2019-6671 K39225055, BT777737 TMM may consume excessive resources when processing IP traffic 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
773673-2 CVE-2019-9512 K98053339, BT773673 HTTP/2 Vulnerability: CVE-2019-9512 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
768981-2 CVE-2019-6670 K05765031, BT768981 VCMP Hypervisor Hardening 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
761014-2 CVE-2019-6669 K11447758, BT761014 TMM may crash while processing local traffic 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
758018-5 CVE-2019-6661 K61705126, BT758018 APD/APMD may consume excessive resources 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1
756458-3 CVE-2018-18559 K28241423, BT756458 Linux kernel vulnerability: CVE-2018-18559 13.1.3.4, 14.1.2.1, 15.0.1.4
756218-1 CVE-2019-6654 K45644893, BT756218 Improve default management port firewall 14.1.2.1
751152-1 CVE-2018-5407 K49711130, BT751152 OpenSSL Vulnerability: CVE-2018-5407 14.1.2.1
751143-1 CVE-2018-5407 K49711130, BT751143 OpenSSL Vulnerability: CVE-2018-5407 14.1.2.1
745103-6 CVE-2018-7159 K27228191, BT745103 NodeJS Vulnerability: CVE-2018-7159 13.1.3.4, 14.1.2.1, 15.0.1.3
798249-2 CVE-2019-6673 K81557381, BT798249 TMM may crash while processing HTTP/2 requests 14.1.2.1, 15.0.1.1
779177-2 CVE-2019-19150 K37890841, BT779177 Apmd logs "client-session-id" when access-policy debug log level is enabled 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.3
759536-2 CVE-2019-8912 K31739796, BT759536 Linux kernel vulnerability: CVE-2019-8912 13.1.3.4, 14.1.2.1, 15.0.1.1
757617-1 CVE-2018-16864, CVE-2018-16865 K06044762, BT757617 Systemd vulnerabilities: CVE-2018-16864, CVE-2018-16865 14.1.2.1, 15.0.1.4


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
759135-2 3-Major BT759135 AVR report limits are locked at 1000 transactions 13.1.3.2, 14.1.2.1, 15.0.1.1
714292-3 3-Major BT714292 Transparent forwarding mode across multiple VLAN groups or virtual-wire 14.1.2.1
788269-3 4-Minor BT788269 Adding toggle to disable AVR widgets on device-groups 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
793045-2 2-Critical BT793045 File descriptor leak in net-snmpd while reading /shared/db/cluster.conf 14.1.2.1, 15.0.1.1
770953 2-Critical BT770953 'smbclient' executable does not work 14.1.2.1
767877-3 2-Critical BT767877 TMM core with Bandwidth Control on flows egressing on a VLAN group 14.1.2.1, 15.0.1.1
765533-2 2-Critical K58243048, BT765533 Sensitive information logged when DEBUG logging enabled 11.6.5.2, 12.1.5.1, 13.1.3.2, 14.1.2.1
760475-1 2-Critical BT760475 Apache spawns more processes than the configured limit, causing system low memory condition 14.1.2.1
755575-1 2-Critical BT755575 In MOS, the 'image2disk' utility with the '-format' option does not function properly 14.1.2.1
726240-1 2-Critical BT726240 'Cannot find disk information' message when running Configuration Utility 14.1.2.1
788557-5 3-Major BT788557 BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior 11.6.5.2, 13.1.3.2, 14.1.2.1, 15.0.1.1
788301-5 3-Major K58243048, BT788301 SNMPv3 Hardening 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
777261-4 3-Major BT777261 When SNMP cannot locate a file it logs messages repeatedly 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
766873 3-Major BT766873 Omission of lower-layer types from sFlow packet samples 14.1.2.1
761993-2 3-Major BT761993 The nsm process may crash if it detects a nexthop mismatch 13.1.3.2, 14.1.2.1, 15.0.1.1
761933-1 3-Major BT761933 Reboot with 'tmsh reboot' does not log message in /var/log/audit 14.1.2.1
761160-2 3-Major   OpenSSL vulnerability: CVE-2019-1559 14.1.2.1, 15.0.1.1
760998-1 3-Major BT760998 F5.ip_forwarding iAPP fails to deploy 14.1.2.1
759814-1 3-Major BT759814 Unable to view iApp component view 14.1.2.1
758119-6 3-Major K58243048, BT758119 qkview may contain sensitive information 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
747592-1 3-Major   PHP vulnerability CVE-2018-17082 11.6.5.1, 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1
724109-2 3-Major BT724109 Manual config-sync fails after pool with FQDN pool members is deleted 12.1.5.3, 13.1.3.2, 14.1.2.1, 15.0.1.1
680917-5 3-Major BT680917 Invalid monitor rule instance identifier 12.1.5.3, 13.1.3.2, 14.1.2.1
648621-6 3-Major BT648621 SCTP: Multihome connections may not expire 11.6.5.3, 12.1.5.2, 13.1.3.4, 14.1.2.1, 15.0.1.4
776073-1 4-Minor BT776073 OOM killer killing tmm in system low memory condition as process OOM score is high 14.1.2.1, 15.0.1.1
760680-1 4-Minor K36350541, BT760680 TMSH may utilize 100% CPU (single core's worth) when set to be a process group leader and SSH session is closed. 14.1.2.1, 15.0.1.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
759968-3 1-Blocking BT759968 Distinct vCMP guests are able to cluster with each other. 12.1.5, 13.1.3, 14.1.2.1, 15.0.1.1
803845-2 2-Critical BT803845 When in HA, the Standby device is forwarding traffic causing a loop and subsequent network shutdown 14.1.2.1
787825-2 2-Critical K58243048, BT787825 Database monitors debug logs have plaintext password printed in the log file 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
774913-1 2-Critical BT774913 IP-based bypass can fail if SSL ClientHello is not accepted 14.1.2.1, 15.0.1.3
760078-1 2-Critical BT760078 Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet. 14.1.2.1
758714-1 2-Critical BT758714 Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports. 14.1.2.1
757578-2 2-Critical BT757578 RAM cache is not compatible with verify-accept 12.1.5.2, 13.1.3.4, 14.1.2.1, 15.0.1.1
757441-4 2-Critical BT757441 Specific sequence of packets causes Fast Open to be effectively disabled 13.1.3, 14.0.1.1, 14.1.2.1
755585-1 2-Critical BT755585 mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction 13.1.3, 14.1.2.1
747858-2 2-Critical BT747858 OSPF packets are duplicated in the BIG-IP in L2 transparent mode using virtual wires 14.1.2.1
746710-1 2-Critical BT746710 Use of HTTP::cookie after HTTP:disable causes TMM core 13.1.3, 14.1.2.1
737985-2 2-Critical BT737985 BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode. 14.1.2.1
734551-3 2-Critical BT734551 L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server 14.1.2.1
801497-2 3-Major BT801497 Virtual wire with LACP pinning to one link in trunk. 14.1.2.1, 15.1.1
798105-1 3-Major BT798105 Node Connection Limit Not Honored 14.1.2.1, 15.0.1.4
794581 3-Major BT794581 Transfer might stall for an object served from WAM cache 14.1.2.1
788325-2 3-Major K39794285, BT788325 Header continuation rule is applied to request/response line 11.6.5.1, 12.1.5.1, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
787433-3 3-Major BT787433 SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed 14.1.2.1
784713-3 3-Major BT784713 When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct 14.1.2.1
773821-1 3-Major BT773821 Certain plaintext traffic may cause SSLO to hang 14.1.2.1, 15.0.1.3
773421-1 3-Major BT773421 Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied 12.1.5.1, 13.1.3.2, 14.1.2.1, 15.0.1.1
769801-1 3-Major BT769801 Internal tmm UDP filter does not set checksum 14.1.2.1, 15.0.1.1, 15.0.1.3
761385-1 3-Major BT761385 Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire. 14.1.2.1
761381-1 3-Major BT761381 Incorrect MAC Address observed in L2 asymmetric virtual wire 14.1.2.1
754525-1 3-Major BT754525 Disabled virtual server accepts and serves traffic after restart 14.1.2.1, 15.0.1.1
748891-2 3-Major BT748891 Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system. 14.1.2.1
742237-4 3-Major BT742237 CPU spikes appear wider than actual in graphs 12.1.5, 13.1.3.2, 14.1.2.1
719300-3 3-Major BT719300 ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address 14.1.2.1
689361-4 3-Major BT689361 Configsync can change the status of a monitored pool member 12.1.5.2, 13.1.3.2, 14.1.2.1
751586 4-Minor BT751586 Http2 virtual does not honour translate-address disabled 12.1.4.1, 13.1.3.4, 14.1.2.1, 15.1.4
747585-3 4-Minor BT747585 TCP Analytics supports ANY protocol number 12.1.5, 13.1.3.4, 14.1.2.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
783849-2 3-Major BT783849 DNSSEC Key Generations are not imported to secondary FIPS card 14.1.2.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
781637-2 3-Major BT781637 ASM brute force counts unnecessary failed logins for NTLM 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
781605-3 3-Major BT781605 Fix RFC issue with the multipart parser 11.6.5.3, 12.1.6, 13.1.3, 14.1.2.1, 15.0.1.1
781069-2 3-Major BT781069 Bot Defense challenge blocks requests with long Referer headers 13.1.3, 14.1.2.1, 15.0.1.1
773553-2 3-Major BT773553 ASM JSON parser false positive. 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
769997-1 3-Major BT769997 ASM removes double quotation characters on cookies 14.1.2.1, 15.0.1.1
769981-2 3-Major BT769981 bd crashes in a specific scenario 13.1.3, 14.1.2.1, 15.0.1.1
764373-3 3-Major BT764373 'Modified domain cookie' violation with multiple enforced domain cookies with different paths 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
753711-1 3-Major BT753711 Copied policy does not retain signature staging 14.1.2.1
751710-4 3-Major BT751710 False positive cookie hijacking violation 13.1.1.5, 14.0.0.5, 14.1.2.1
746394-1 3-Major BT746394 With ASM CORS set to 'Disabled' it strips all CORS headers in response. 14.0.1.1, 14.1.2.1
745802-1 3-Major BT745802 Brute Force CAPTCHA response page truncates last digit in the support id 13.1.1.4, 14.0.0.5, 14.1.2.1
727107-4 3-Major BT727107 Request Logs are not stored locally due to shmem pipe blockage 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
803445-3 4-Minor BT803445 When adding several mitigation exceptions, the previously configured actions revert to the default action 14.1.2.1, 15.0.1.1
772473-3 4-Minor BT772473 Request reconstruct issue after challenge 14.0.1.1, 14.1.2.1, 15.0.1.1
761088-1 4-Minor BT761088 Remove policy editing restriction in the GUI while auto-detect language is set 14.1.2.1, 15.0.1.1
695878-2 4-Minor BT695878 Signature enforcement issue on specific requests 11.5.6, 12.1.5, 13.1.3, 14.0.1.1, 14.1.2.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
761749-2 2-Critical BT761749 Security pages unavailable after switching RT mode on and off a few times 14.1.2.1
797785-2 3-Major BT797785 AVR reports no ASM-Anomalies data. 13.1.3.2, 14.1.2.1, 15.0.1.3
792265-3 3-Major BT792265 Traffic logs do not include the BIG-IQ tags 13.1.3.2, 14.1.2.1, 15.0.1.3
773925-2 3-Major BT773925 Sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB tables files 14.1.2.1
765785-3 3-Major BT765785 Monpd core upon "bigstart stop monpd" while Real Time reporting is running 14.1.2.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
811145-2 2-Critical BT811145 VMware View resources with SAML SSO are not working 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
797541-1 2-Critical BT797541 NTLM Auth may fail when user's information contains SIDS array 14.1.2.1, 15.0.1.1
784989-2 2-Critical BT784989 TMM may crash with panic message: Assertion 'cookie name exists' failed 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
777173-2 2-Critical BT777173 Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
821369 3-Major BT821369 Incomplete Action 'Deny' does not take effect for HTTP-Connect 14.1.2.1
788417-2 3-Major BT788417 Remote Desktop client on macOS may show resource auth token on credentials prompt 13.1.3.2, 14.1.2.1, 15.0.1.1
787477-2 3-Major BT787477 Export fails from partitions with '-' as second character 13.1.3.2, 14.1.2.1
786173-1 3-Major BT786173 UI becomes unresponsive when accessing Access active session information 14.1.2.1, 15.0.1.1
783817-2 3-Major BT783817 UI becomes unresponsive when accessing Access active session information 13.1.3, 14.0.1.1, 14.1.2.1, 15.0.1.1
782569-1 3-Major BT782569 SWG limited session limits on SSLO deployments 14.1.2.1, 15.0.1.1
775621-2 3-Major BT775621 urldb memory grows past the expected ~3.5GB 13.1.3, 14.1.2.1, 15.0.1.3
769853-2 3-Major K24241590, BT769853 Access Profile option to restrict connections from a single client IP is not honored for native RDP resources 14.0.1.1, 14.1.2.1, 15.0.1.1
756777-1 3-Major BT756777 VDI plugin might crash on process shutdown during RDG connections handling 14.1.2.1
750823-1 3-Major BT750823 Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD 13.1.3, 14.1.2.1
749161-2 3-Major   Problem sync policy contains non-ASCII characters 13.1.3, 14.1.2.1
746768-4 3-Major BT746768 APMD leaks memory if access policy contains variable/resource assign policy items 12.1.4.1, 13.1.1.4, 14.1.2.1
697590-2 3-Major BT697590 APM iRule ACCESS::session remove fails outside of Access events 13.1.3.2, 14.1.2.1, 15.0.1.1
781445-1 4-Minor BT781445 Named or dnscached cannot bind to IPv6 address 14.1.2.1
759579-1 4-Minor BT759579 Full Webtop: 'URL Entry' field is available again 14.1.2.1
756019-1 4-Minor BT756019 OAuth JWT Issuer claim requires URI format 14.1.2.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
811745-2 3-Major BT811745 Failover between clustered DIAMETER devices can cause mirror connections to be disconnected 13.1.3.2, 14.1.2.1, 15.0.1.1
804313-2 3-Major BT804313 MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded. 13.1.3.4, 14.1.2.1, 15.0.1.2
761685-3 3-Major BT761685 Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set 14.0.1.1, 14.1.2.1, 15.0.1.4
750431-1 3-Major BT750431 Persistence record is deleted in MRF SIP after updating timeout value with the iRule 'SIP::persist timeout' 14.1.2.1
748253-1 3-Major BT748253 Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection 13.1.3, 14.1.2.1
786565-2 4-Minor BT786565 MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded 14.1.2.1, 15.0.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
938149-3 3-Major BT938149 Port Block Update log message is missing the "Start time" field 14.1.2.1, 15.1.2, 16.0.1.1
800209-1 3-Major BT800209 The tmsh recursive list command includes DDoS GUI-specific data info 14.1.2.1
780837-1 3-Major BT780837 Firewall rule list configuration causes config load failure 14.1.2.1, 15.0.1.4
761234-2 3-Major BT761234 Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached 14.1.2.1, 15.0.1.1
760355 4-Minor BT760355 Firewall rule to block ICMP/DHCP from 'required' to 'default' 14.1.2.1, 15.0.1.1


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
760438-3 3-Major BT760438 PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions 13.1.3, 14.1.2.1
759192-3 3-Major BT759192 TMM core during display of PEM session under some specific conditions 13.1.3, 14.0.1.1, 14.1.2.1
756311-4 3-Major BT756311 High CPU during erroneous deletion 13.1.3, 14.0.1.1, 14.1.2.1
753163-4 3-Major BT753163 PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days 13.1.3, 14.1.2.1


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
804185-2 3-Major BT804185 Some WebSafe request signatures may not work as expected 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1
783565-2 3-Major BT783565 Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP 14.1.2.1, 15.0.1.1
775013-2 3-Major BT775013 TIME EXCEEDED alert has insufficient data for analysis 13.1.3, 14.1.2.1, 15.0.1.1


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
803477-2 3-Major BT803477 BaDoS State file load failure when signature protection is off 13.1.3.2, 14.1.2.1, 15.0.1.1


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
759439-1 2-Critical BT759439 Unable to attach default SSL and FTP profiles to virtual server 14.0.1.1, 14.1.2.1, 15.0.1.1
781313-1 3-Major BT781313 AVR dashboard displays incorrect client/server bytes-in/bytes-out stats 14.1.2.1, 15.0.1.3



Cumulative fixes from BIG-IP v14.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
773649-6 CVE-2019-6656 K23876153, BT773649 APM Client Logging 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.2, 15.0.1.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
771705-1 3-Major BT771705 You may not be able to log into BIG-IP Cloud Edition if FSCK fails 14.1.2
754875-1 3-Major BT754875 Enable FIPS 140-2 Level 1 Compliant Mode in PAYG VE images on first boot 14.1.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
808129-1 2-Critical BT808129 Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS. 14.1.2, 15.0.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
753485-1 2-Critical K50285521, BT753485 AVR global settings are being overridden by high availability (HA) peers 13.1.3, 14.1.2, 15.0.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
757306-3 3-Major BT757306 SNMP MIBS for AFM NAT do not yet exist 13.1.3, 14.1.2, 15.0.1


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
794285 1-Blocking K36191493, BT794285 BIG-IQ reading AFM configuration fails with status 400 14.1.2



Cumulative fixes from BIG-IP v14.1.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
807477-10 CVE-2019-6650 K04280042, BT807477 ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
797885-2 CVE-2019-6649 K05123525, BT797885 ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
796469-6 CVE-2019-6649 K05123525, BT796469 ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
810557-8 CVE-2019-6649 K05123525, BT810557 ASM ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
809377-6 CVE-2019-6649 K05123525 AFM ConfigSync Hardening 13.1.3, 14.0.1, 14.1.2, 15.0.1
799617-2 CVE-2019-6649 K05123525, BT799617 ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
799589-2 CVE-2019-6649 K05123525, BT799589 ConfigSync Hardening 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
794389-6 CVE-2019-6651 K89509323, BT794389 iControl REST endpoint response inconsistency 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
794413-2 CVE-2019-6471 K10092301, BT794413 BIND vulnerability CVE-2019-6471 11.5.10, 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1
793937-1 CVE-2019-6664 K03126093, BT793937 Management Port Hardening 14.1.2, 15.0.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
744937-8 3-Major K00724442, BT744937 BIG-IP DNS and GTM DNSSEC security exposure 11.6.5, 12.1.5, 13.1.3, 14.0.1, 14.1.2, 15.0.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
798949-3 3-Major BT798949 Config-Sync fails when Config-Sync IP configured to management IP 14.1.2, 15.0.1
760622-3 3-Major BT760622 Allow Device Certificate renewal from BIG-IP Configuration Utility 15.1.0.5
760363-1 3-Major BT760363 Update Alias Address field with default placeholder text 13.1.3.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
811333-2 3-Major BT811333 Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile 14.1.2, 15.0.1



Cumulative fixes from BIG-IP v14.1.0.6 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
769361-2 CVE-2019-6630 K33444350, BT769361 TMM may crash while processing SSLO traffic 14.0.0.5, 14.1.0.6
767401-1 CVE-2019-6629 K95434410, BT767401 TMM may crash while processing TLS traffic 14.1.0.6
759343-6 CVE-2019-6668 K49827114, BT759343 MacOS Edge Client installer does not follow best security practices 11.6.5.1, 12.1.5.1, 14.0.0.5, 14.1.0.6, 15.0.1.1
758909-1 CVE-2019-6628 K04730051, BT758909 TMM may crash while processing PEM traffic 14.0.0.5, 14.1.0.6
758065-4 CVE-2019-6667 K82781208, BT758065 TMM may consume excessive resources while processing FIX traffic 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
757084-2 CVE-2019-6627 K00432398, BT757084 Bypassing SSL interception in SSL Orchestrator may crash TMM if virtual server is SNAT enabled 14.1.0.6
757023-2 CVE-2018-5743 K74009656, BT757023 BIND vulnerability CVE-2018-5743 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
756538-4 CVE-2019-6645 K15759349, BT756538 Failure to open data channel for active FTP connections mirrored across a high availability (HA) pair. 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6
754944-1 CVE-2019-6626 K00432398, BT754944 AVR reporting UI does not follow best practices 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
754345-2 CVE-2019-6625 K79902360, BT754345 WebUI does not follow best security practices 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
754103-1 CVE-2019-6644 K75532331, BT754103 iRulesLX NodeJS daemon does not follow best security practices 12.1.4.1, 13.1.3, 14.0.0.5, 14.1.0.6
753975-2 CVE-2019-6666 K92411323, BT753975 TMM may crash while processing HTTP traffic with webacceleration profile 13.1.1.5, 14.0.0.5, 14.1.0.6, 15.0.1.1
753776-2 CVE-2019-6624 K07127032, BT753776 TMM may consume excessive resources when processing UDP traffic 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
748502-1 CVE-2019-6623 K72335002, BT748502 TMM may crash when processing iSession traffic 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
737731-6 CVE-2019-6622 K44885536, BT737731 iControl REST input sanitization 12.1.5.1, 13.1.1.5, 14.0.1.1, 14.1.0.6
737574-6 CVE-2019-6621 K20541896, BT737574 iControl REST input sanitization 11.5.9, 11.6.4, 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6
737565-6 CVE-2019-6620 K20445457, BT737565 iControl REST input sanitization 11.6.5.1, 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6
726393-2 CVE-2019-6643 K36228121, BT726393 DHCPRELAY6 can lead to a tmm crash 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6
726327 CVE-2018-12120 K37111863, BT726327 NodeJS debugger accepts connections from any host 13.1.1.5, 14.1.0.6
757455-2 CVE-2019-6647 K87920510, BT757455 Excessive resource consumption when processing REST requests 11.6.5.1, 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6
753796-1 CVE-2019-6640 K40443301 SNMP does not follow best security practices 11.5.9, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
750460-1 CVE-2019-6639 K61002104, BT750460 Subscriber management configuration GUI 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
750298-1 CVE-2019-6638 K67825238, BT750298 iControl REST may fail while processing requests 14.0.0.5, 14.1.0.6
750187-1 CVE-2019-6637 K29149494, BT750187 ASM REST may consume excessive resources 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
745371-1 CVE-2019-6636 K68151373, BT745371 AFM GUI does not follow best security practices 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
745257-1 CVE-2018-14634 K20934447, BT745257 Linux kernel vulnerability: CVE-2018-14634 11.6.4, 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6
742226-6 CVE-2019-6635 K11330536, BT742226 TMSH platform_check utility does not follow best security practices 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
710857-5 CVE-2019-6634 K64855220 iControl requests may cause excessive resource usage 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
702469-7 CVE-2019-6633 K73522927, BT702469 Appliance mode hardening in scp 11.6.5.1, 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6
673842-6 CVE-2019-6632 K01413496, BT673842 VCMP does not follow best security practices 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
773653-6 CVE-2019-6656 K23876153, BT773653 APM Client Logging 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
773641-6 CVE-2019-6656 K23876153, BT773641 APM Client Logging 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
773637-6 CVE-2019-6656 K23876153, BT773637 APM Client Logging 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
773633-6 CVE-2019-6656 K23876153, BT773633 APM Client Logging 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
773621-6 CVE-2019-6656 K23876153, BT773621 APM Client Logging 12.1.5.1, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
749704-2 4-Minor BT749704 GTPv2 Serving-Network field with mixed MNC digits 13.1.3, 14.0.1.1, 14.1.0.6


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
774445-1 1-Blocking K74921042, BT774445 BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2 13.1.3, 14.0.0.5, 14.1.0.6
789993-1 2-Critical BT789993 Failure when upgrading to 15.0.0 with config move and static management-ip. 14.1.0.6, 15.0.1.4
773677-1 2-Critical K72255850, BT773677 BIG-IP 14.1.0 system-journald write to /run/log/journal cause SWAP usage increase 14.1.0.6
769809-4 2-Critical BT769809 The vCMP guests 'INOPERATIVE' after upgrade 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6
765801 2-Critical BT765801 WCCP service info field corrupted in upgrade to 14.1.0 final 14.1.0.6
760573-1 2-Critical K00730586, BT760573 TPM system integrity check may return invalid status when booting into BIG-IP 14.1.0 14.1.0.6
760508-1 2-Critical K91444000, BT760508 On systems with multiple versions of BIG-IP in use, the 'invalid' System Integrity Status may persist 14.1.0.6
760408-3 2-Critical BT760408 System Integrity Status: Invalid after BIOS update 13.1.3, 14.0.0.5, 14.1.0.6
760164-1 2-Critical BT760164 BIG-IP VE Compression Offload HA action requires modification of db variable 14.1.0.6, 15.0.1.1
757722-2 2-Critical BT757722 Unknown notify message types unsupported in IKEv2 13.1.3, 14.0.1.1, 14.1.0.6
756402-2 2-Critical BT756402 Re-transmitted IPsec packets can have garbled contents 13.1.3, 14.0.1.1, 14.1.0.6
756071-3 2-Critical BT756071 MCPD crash 13.1.3, 14.0.1.1, 14.1.0.6
755254-1 2-Critical K54339562, BT755254 Remote auth: PAM_LDAP buffer too small errors 14.1.0.6
753650-2 2-Critical BT753650 The BIG-IP system reports frequent kernel page allocation failures. 13.1.3, 14.0.1.1, 14.1.0.6
750586-2 2-Critical BT750586 HSL may incorrectly handle pending TCP connections with elongated handshake time. 12.1.5, 13.1.1.5, 14.1.0.6
743803-1 2-Critical BT743803 IKEv2 potential double free of object when async request queueing fails 12.1.5, 13.1.1.4, 14.0.0.3, 14.1.0.6
741503-1 2-Critical BT741503 The BIG-IP system fails to load base config file when upgrading with static IPv4 14.1.0.6
726487-4 2-Critical BT726487 MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change. 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.6
648270-1 2-Critical BT648270 mcpd can crash if viewing a fast-growing log file through the GUI 11.6.5.2, 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.0.6
766365-1 3-Major BT766365 Some trunks created on VE platform stay down even when the trunk's interfaces are up 14.1.0.6
766329-2 3-Major BT766329 SCTP connections do not reflect some SCTP profile settings 14.1.0.6, 15.0.1.3
765033 3-Major BT765033 Upgrades to versions that restrict resource-admin users from accessing bash may fail under certain conditions 11.6.5.1, 14.1.0.6
760597-1 3-Major BT760597 System integrity messages not logged 14.1.0.6
760594 3-Major BT760594 On BIG-IP VE, 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details. 14.1.0.6
758879 3-Major BT758879 BIG-IP VE with ixlv devices does not reliably pass some traffic after hard-boot 14.1.0.6
748206-1 3-Major BT748206 Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position 13.1.1.4, 14.1.0.6
748187-4 3-Major BT748187 'Transaction Not Found' Error on PATCH after Transaction has been Created 12.1.4, 13.1.1.5, 14.0.1.1, 14.1.0.6
746657-1 3-Major BT746657 tmsh help for FQDN node or pool member shows incorrect default for fqdn interval 14.1.0.6
745809-2 3-Major BT745809 The /var partition may become 100% full, requiring manual intervention to clear space 13.1.1.4, 14.0.0.5, 14.1.0.6
740543-1 3-Major BT740543 System hostname not displayed in console 14.1.0.6
725791-6 3-Major K44895409, BT725791 Potential HW/HSB issue detected 11.6.5.2, 12.1.5.2, 13.1.1.5, 14.1.0.6
718405-2 3-Major BT718405 RSA signature PAYLOAD_AUTH mismatch with certificates 13.1.1.4, 14.1.0.6
581921-5 3-Major K22327083, BT581921 Required files under /etc/ssh are not moved during a UCS restore 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.1.1, 14.1.0.6
754500-2 4-Minor BT754500 GUI LTM Policy options disappearing 14.1.0.6
726317-6 4-Minor BT726317 Improved debugging output for mcpd 12.1.5, 13.1.3.4, 14.1.0.6


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
759723-1 2-Critical BT759723 Abnormally terminated connections on server side may cause client side streams to stall 14.1.0.6
758465-1 2-Critical BT758465 TMM may crash or iRule processing might be incorrect 14.1.0.6
756356-2 2-Critical BT756356 External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long 14.1.0.6
753912-4 2-Critical K44385170, BT753912 UDP flows may not be swept 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
752930-3 2-Critical BT752930 Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state 12.1.5, 13.1.1.5, 14.0.1.1, 14.1.0.6
747727-1 2-Critical BT747727 HTTP Profile Request Header Insert Tcl error 14.1.0.6
747239-1 2-Critical BT747239 TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection 14.1.0.6
745533-6 2-Critical   NodeJS Vulnerability: CVE-2016-5325 13.1.1.5, 14.0.0.5, 14.1.0.6
741048-1 2-Critical BT741048 iRule execution order could change after editing the scripts 14.1.0.6
766293-1 3-Major BT766293 Monitor logging fails on v14.1.0.x releases 14.1.0.6
760550-5 3-Major BT760550 Retransmitted TCP packet has FIN bit set 11.6.5.1, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6
758311-1 3-Major BT758311 Policy Compilation may cause MCPD to crash 14.1.0.6
757985-1 3-Major K79562045, BT757985 TMM memory leak 14.1.0.6
757698-1 3-Major BT757698 TMM crashes in certain situations of which iRule execution interleaves client side and server side flows 14.1.0.6
756270-4 3-Major BT756270 SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle 11.5.9, 11.6.4, 12.1.5, 13.1.1.5, 14.1.0.6
754985-1 3-Major BT754985 Standby mirrored server SSL connections fail, and tmm may crash while processing mirrored TLS traffic 14.1.0.6
752078-2 3-Major BT752078 Header Field Value String Corruption 13.1.1.4, 14.1.0.6
749414-4 3-Major BT749414 Invalid monitor rule instance identifier error 11.6.5.2, 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.6
747907-2 3-Major BT747907 Persistence records leak while the high availability (HA) mirror connection is down 13.1.3.2, 14.1.0.6
742078-6 3-Major BT742078 Incoming SYNs are dropped and the connection does not time out. 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
740959-4 3-Major BT740959 User with manager rights cannot delete FQDN node on non-Common partition 12.1.5, 14.1.0.6
740345-3 3-Major BT740345 TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled. 13.1.1.5, 14.0.0.5, 14.1.0.6
696755-3 3-Major BT696755 HTTP/2 may truncate a response body when served from cache 13.1.0.8, 14.1.0.6, 15.1.3, 16.0.1.2
696735-2 3-Major BT696735 TCP ToS Passthrough mode does not work correctly 14.1.0.6
504522-4 3-Major BT504522 Trailing space present after 'tmsh ltm pool members monitor' attribute value 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.6
747968-3 4-Minor BT747968 DNS64 stats not increasing when requests go through DNS cache resolver 11.6.5.3, 12.1.4.1, 13.1.1.5, 14.1.0.6


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
777937-3 1-Blocking BT777937 AWS ENA: packet drops due to bad checksum 14.1.0.6, 15.0.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
759721-2 3-Major K03332436, BT759721 DNS GUI does not follow best practices 13.1.3, 14.0.0.5, 14.1.0.6
749508-1 3-Major BT749508 LDNS and DNSSEC: Various OOM conditions need to be handled properly 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
749222-1 3-Major BT749222 dname compression offset overflow causes bad compression pointer 13.1.1.5, 14.0.0.5, 14.1.0.6
748902-5 3-Major BT748902 Incorrect handling of memory allocations while processing DNSSEC queries 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
746877-1 3-Major BT746877 Omitted check for success of memory allocation for DNSSEC resource record 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
744707-2 3-Major BT744707 Crash related to DNSSEC key rollover 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.6
723288-4 3-Major BT723288 DNS cache replication between TMMs does not always work for net dns-resolver 11.6.5.3, 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.6
748177-1 4-Minor BT748177 Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character 12.1.4.1, 13.1.1.5, 14.1.0.6


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
759360-2 2-Critical BT759360 Apply Policy fails due to policy corruption from previously enforced signature 13.1.1.5, 14.1.0.6
749912-1 2-Critical BT749912 [BIG-IQ Integration] Deadlock occurs when adding multiple hostnames with transparent enforcement 14.1.0.6
723790-3 2-Critical BT723790 Idle asm_config_server handlers consume a lot of memory 12.1.5, 13.1.1.5, 14.0.0.5, 14.1.0.6
765449-1 3-Major   Update availability status may be inaccurate 14.1.0.6
763001-1 3-Major K70312000, BT763001 Web-socket enforcement might lead to a false negative 13.1.3, 14.0.1.1, 14.1.0.6
761941-1 3-Major BT761941 ASM does not remove CSRT token query parameter before forwarding a request to the backend server 13.1.3, 14.0.1.1, 14.1.0.6
761194-2 3-Major BT761194 param data type violation on an Integer parameter, if an integer value is sent via websocket JSON 14.1.0.6
760878-3 3-Major BT760878 Incorrect enforcement of explicit global parameters 12.1.5, 13.1.1.5, 14.1.0.6
759483-1 3-Major BT759483 Message about HTTP status code which are set by default disappeared from the UI 14.0.0.5, 14.1.0.6
758085-1 3-Major BT758085 CAPTCHA Custom Response fails when using certain characters 14.1.0.6
756418-1 3-Major BT756418 Live Update does not authenticate remote users 14.1.0.6
742558-1 3-Major BT742558 Request Log export document fails to show some UTF-8 characters 14.1.0.6
687759-3 3-Major BT687759 bd crash 12.1.3.6, 13.1.0.8, 14.0.0.5, 14.1.0.6
774941-1 4-Minor BT774941 GUI misspelling in Bot Defense logging profile 14.1.0.6
768761-2 4-Minor BT768761 Improved accept action description for suggestions to disable signature/enable metacharacter in policy 13.1.3, 14.0.1.1, 14.1.0.6
766357-1 4-Minor BT766357 Two simultaneous manual installations can cause live-update inconsistency 14.1.0.6
765413-1 4-Minor BT765413 ASM cluster syncs caused by PB ignored suggestions updates 14.0.0.5, 14.1.0.6, 15.0.1.1
761921-1 4-Minor BT761921 avrd high CPU utilization due to perpetual connection attempts 13.1.1.5, 14.0.0.5, 14.1.0.6
761553-2 4-Minor BT761553 Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic 13.1.3, 14.0.1.1, 14.1.0.6
761549-2 4-Minor BT761549 Traffic Learning: Accept and Stage action is shown only in case entity is not in staging 13.1.3, 14.0.1.1, 14.1.0.6
761231-2 4-Minor K79240502, BT761231 Bot Defense Search Engines getting blocked after configuring DNS correctly 12.1.5, 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.1
759462-1 4-Minor BT759462 Site names and vulnerabilities cannot be retrieved from WhiteHat server 14.1.0.6
755005-1 4-Minor BT755005 Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations 12.1.5.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
750689-3 4-Minor BT750689 Request Log: Accept Request button available when not needed 13.1.3, 14.0.1.1, 14.1.0.6
749184-2 4-Minor BT749184 Added description of subviolation for the suggestions that enabled/disabled them 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.3
747560-5 4-Minor BT747560 ASM REST: Unable to download Whitehat vulnerabilities 12.1.5.1, 13.1.3, 14.1.0.6
769061-2 5-Cosmetic BT769061 Improved details for learning suggestions to enable violation/sub-violation 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
763349-3 2-Critical BT763349 AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out 13.1.1.5, 14.0.0.5, 14.1.0.6
756205-1 2-Critical BT756205 TMSTAT offbox statistics are not continuous 13.1.1.5, 14.0.0.5, 14.1.0.6
756102-2 2-Critical BT756102 TMM can crash with core on ABORT signal due to non-responsive AVR code 13.1.3.2, 14.1.0.6, 15.0.1.1
771025-3 3-Major BT771025 AVR send domain names as an aggregate 13.1.3, 14.0.0.5, 14.1.0.6, 15.0.1.3
764665-2 3-Major BT764665 AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change 13.1.1.5, 14.0.0.5, 14.1.0.6
763005-3 3-Major BT763005 Aggregated Domain Names in DNS statistics are shown as random domain name 13.1.1.5, 14.0.0.5, 14.1.0.6
760356-2 3-Major BT760356 Users with Application Security Administrator role cannot delete Scheduled Reports 13.1.1.5, 14.0.0.5, 14.1.0.6, 15.0.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
770557-3 2-Critical BT770557 Per-Session RADIUS Acct STOP message is forged based on pool route domain, but is sent through default one 14.0.0.5, 14.1.0.6
769281-1 2-Critical BT769281 Per-request Access Policy may show user interface pages incorrectly in languages other than English 14.0.0.5, 14.1.0.6
755447-1 2-Critical BT755447 SSLO does not deliver content generated/originated from inline device 14.1.0.6
753370-3 2-Critical BT753370 RADIUS auth might not be working as configured when there is change in RADIUS auth config name. 13.1.3, 14.0.0.5, 14.1.0.6
774633-2 3-Major BT774633 Memory leak in tmm when session db variables are not cleaned up 14.1.0.6, 15.0.1.1
774213-1 3-Major BT774213 SWG session limits on SSLO deployments 14.1.0.6, 15.0.1.1
760410-1 3-Major BT760410 Connection reset is seen when Category lookup agent is used in per-req policy 14.1.0.6
760250 3-Major BT760250 'Unsupported SSO Method' error when requests sharing the same TCP session 14.1.0.6
759868-1 3-Major BT759868 TMM crash observed while rendering internal pages (like blocked page) for per-request policy 14.1.0.6
758764-2 3-Major BT758764 APMD Core when CRLDP Auth fails to download revoked certificate 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.6
758701-1 3-Major BT758701 APM fails to handle Remote Desktop Gateway connections from standalone RDP clients after fresh install 14.1.0.6
757992-3 3-Major BT757992 RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup 13.1.1.5, 14.0.0.5, 14.1.0.6
757360-1 3-Major BT757360 Category lookup returns wrong category on subsequent traffic following initial HTTP CONNECT traffic through SSLO 14.1.0.6
755475-1 3-Major BT755475 Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync 13.1.1.5, 14.0.0.5, 14.1.0.6
755047-1 3-Major BT755047 Category lookup returns wrong category on CONNECT traffic through SSLO 14.1.0.6
754542-2 3-Major BT754542 TMM may crash when using RADIUS Accounting agent 13.1.3, 14.1.0.6
752875-2 3-Major BT752875 tmm core while using service chaining for SSLO 14.0.1.1, 14.1.0.6
751807-1 3-Major BT751807 SSL Orchestrator may not activate service connectors if traffic is an HTTP tunnel 14.1.0.6
751424-1 3-Major BT751424 HTTP Connect Category Lookup not working properly 14.1.0.6
749057-1 3-Major BT749057 VMware Horizon idle timeout is ignored when connecting via APM 13.1.1.5, 14.0.0.5, 14.1.0.6
745574-1 3-Major BT745574 URL is not removed from custom category when deleted 12.1.4, 13.1.1.4, 14.0.0.5, 14.1.0.6
738430-3 3-Major BT738430 APM is not able to do compliance check on iOS devices running F5 Access VPN client 13.1.1.5, 14.0.0.5, 14.1.0.6
734291-1 3-Major BT734291 Logon page modification fails to sync to standby 13.1.1.5, 14.1.0.6
695985-4 3-Major BT695985 Access HUD filter has URL length limit (4096 bytes) 13.1.1.5, 14.0.0.5, 14.1.0.6
766761-2 4-Minor BT766761 Ant-server does not log requests that are excluded from scanning 14.1.0.6


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
766405-2 2-Critical BT766405 MRF SIP ALG with SNAT: Fix for potential crash on next-active device 13.1.3.4, 14.1.0.6
754615-2 2-Critical BT754615 Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup. 14.0.1.1, 14.1.0.6
763157-2 3-Major BT763157 MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped 14.0.1.1, 14.1.0.6, 15.0.1.4
760370-2 3-Major BT760370 MRF SIP ALG with SNAT: Next active ingress queue filling 14.0.1.1, 14.1.0.6, 15.0.1.4
759077-2 3-Major BT759077 MRF SIP filter queue sizes not configurable 13.1.3, 14.0.1.1, 14.1.0.6, 15.0.1.4
755630-1 3-Major BT755630 MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes 14.0.1.1, 14.1.0.6
752822-1 3-Major BT752822 SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type 13.1.1.5, 14.0.1.1, 14.1.0.6
751179-1 3-Major BT751179 MRF: Race condition may create too many outgoing connections to a peer 11.6.5.2, 13.1.1.5, 14.1.0.6
746825-1 3-Major BT746825 MRF SIP ALG with SNAT: Ephemeral listeners not created for unsubscribed outgoing calls 14.0.1.1, 14.1.0.6
745947-2 3-Major BT745947 Add log events for MRF SIP registration/deregistration and media flow creation/deletion 14.1.0.6
745590-1 3-Major BT745590 SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added 14.0.1.1, 14.1.0.6
760930-2 4-Minor BT760930 MRF SIP ALG with SNAT: Added additional details to log events 14.0.1.1, 14.1.0.6, 15.0.1.4
747909-5 4-Minor BT747909 GTPv2 MEI and Serving-Network fields decoded incorrectly 11.6.5.1, 12.1.5.3, 13.1.3, 14.0.1.1, 14.1.0.6


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
757524 1-Blocking BT757524 Data operation attempt on object that has not been loaded 14.1.0.6
757359-1 2-Critical BT757359 pccd crashes when deleting a nested Address List 13.1.3, 14.1.0.6
754805 2-Critical K97981358, BT754805 Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured 14.1.0.6
753028-2 3-Major BT753028 AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule 13.1.1.4, 14.1.0.6
756477-2 5-Cosmetic BT756477 Drop Redirect tab incorrectly named as 'Redirect Drop' 14.1.0.6


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
744516-4 2-Critical BT744516 TMM panics after a large number of LSN remote picks 12.1.4, 13.1.1.4, 14.1.0.6


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
748121-3 2-Critical BT748121 admd livelock under CPU starvation 13.1.1.4, 14.0.0.5, 14.1.0.6
653573-6 2-Critical BT653573 ADMd not cleaning up child rsync processes 13.1.1.4, 14.0.0.5, 14.1.0.6, 14.1.2.3
756877-1 3-Major BT756877 Virtual server created with Guided Configuration is not visible in Grafana 14.0.0.5, 14.1.0.6


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
752803-1 2-Critical BT752803 CLASSIFICATION_DETECTED running reject can lead to a tmm core 13.1.3, 14.1.0.6
752047-1 2-Critical BT752047 iRule running reject in CLASSIFICATION_DETECTED event can cause core 13.1.1.5, 14.1.0.6


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
758818-2 2-Critical BT758818 While using explicit or transparent http type service on SSL Orchestrator, TMM cores. 14.0.1.1, 14.1.0.6
756167-1 3-Major BT756167 No URL category data on SSL Orchestrator dashboard and on SSL Orchestrator statistics page after upgrade 14.1.0.6
748252-2 3-Major BT748252 Connection reset seen with SSL bypass on a L2 wire setup 14.1.0.6



Cumulative fixes from BIG-IP v14.1.0.5 that are included in this release


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
755817 3-Major BT755817 v14.1.0.5 includes Guided Configuration 4.1 14.1.0.5
751824-1 3-Major BT751824 Restore old 'merge' functionality with new tmsh verb 'replace' 14.1.0.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
663819-1 3-Major BT663819 APM NTLM Authentication for RDP Client Gateway and Microsoft Exchange Proxy are incompatible with Microsoft workaround for MS17-010 (Wannacry / Eternalblue) 14.1.0.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
761173-1 2-Critical BT761173 tmm crash after extended whitelist modification 14.1.0.5
751869-2 2-Critical BT751869 Possible tmm crash when using manual mode mitigation in DoS Profile 13.1.1.5, 14.1.0.5
760393 3-Major BT760393 GARP is not sent from newly active device after failover for FW NAT policy rule's dest prefixes 14.1.0.5
750477-1 3-Major BT750477 LTM NAT does not forward ICMP traffic 14.1.0.5
737035-2 3-Major BT737035 New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup. 14.0.0.5, 14.1.0.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
757088-1 2-Critical BT757088 TMM clock advances and cluster failover happens during webroot db nightly updates 12.1.5, 13.1.1.5, 14.1.0.5
758536 3-Major BT758536 Traffic Intelligence IM pkg for 14.1.0 fails to install on base build version 14.1.0.x 14.1.0.5


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
737558-1 2-Critical BT737558 Protocol Inspection user interface elements are active but do not work 14.1.0.5
774881 3-Major BT774881 Protocol Inspection profiles can be added to a virtual server without Protocol Inspection being licensed. 14.1.0.5


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
760278 2-Critical BT760278 F5 SSL Orchestrator may fail to install an RPM software package on BIG-IP systems running point release versions 14.1.0.5



Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release


Functional Change Fixes

None



Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
745783-1 3-Major BT745783 Anti-fraud: remote logging of login attempts 13.1.1.3, 14.1.0.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
758667-1 2-Critical BT758667 BIG-IP VE high availability (HA) actions are not invoked when offload hardware hangs 14.1.0.3
754541-2 2-Critical BT754541 Reconfiguring an iApp that uses a client SSL profile fails 14.1.0.3
760222 3-Major BT760222 SCP fails unexpectedly when FIPS mode is enabled 13.1.1.5, 14.0.0.5, 14.1.0.3
725625-1 3-Major BT725625 BIG-IP VE Cryptographic Offload updated to Intel QAT 1.7 v4.4.0 SDK 14.1.0.3



Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
757025-1 CVE-2018-5744 K00040234, BT757025 BIND Update 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
756774-6 CVE-2019-6612 K24401914, BT756774 Aborted DNS queries to a cache may cause a TMM crash 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
750292-2 CVE-2019-6592 K54167061, BT750292 TMM may crash when processing TLS traffic 12.1.5.3, 13.1.3.4, 14.1.0.2
749879-2 CVE-2019-6611 K47527163, BT749879 Possible interruption while processing VPN traffic 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
744035-6 CVE-2018-15332 K12130880, BT744035 APM Client Vulnerability: CVE-2018-15332 11.6.5.1, 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2
757027-1 CVE-2019-6465 K01713115, BT757027 BIND Update 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
757026-1 CVE-2018-5745 K25244852, BT757026 BIND Update 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
745713-4 CVE-2019-6619 K94563344, BT745713 TMM may crash when processing HTTP/2 traffic 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
745387-1 CVE-2019-6618 K07702240, BT745387 Resource-admin user roles can no longer get bash access 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
745165-1 CVE-2019-6617 K38941195, BT745165 Users without Advanced Shell Access are not allowed SFTP access 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
737910-4 CVE-2019-6609 K18535734, BT737910 Security hardening on the following platforms 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2
724680-6 CVE-2018-0732 K21665601, BT724680 OpenSSL Vulnerability: CVE-2018-0732 11.5.9, 11.6.3.3, 12.1.4, 13.1.1.2, 14.0.1.1, 14.1.0.2
703835-5 CVE-2019-6616 K82814400, BT703835 When using SCP into BIG-IP systems, you must specify the target filename 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
702472-7 CVE-2019-6615 K87659521, BT702472 Appliance Mode Security Hardening 11.5.9, 11.6.4, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
698376-5 CVE-2019-6614 K46524395, BT698376 Non-admin users have limited bash commands and can only write to certain directories 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
713806-8 CVE-2018-0739 K08044291, BT713806 CVE-2018-0739: OpenSSL Vulnerability 14.1.0.2
699977-3 CVE-2016-7055 K43570545, BT699977 CVE-2016-7055: OpenSSL Vulnerability in NodeJS ILX 14.1.0.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
755641-1 2-Critical BT755641 Unstable asm_config_server after upgrade, 'Event dispatcher aborted' 14.1.0.2
744685-2 2-Critical BT744685 BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension 13.1.1.4, 14.0.1.1, 14.1.0.2
744188-1 2-Critical BT744188 First successful auth iControl REST requests will now be logged in audit and secure log files 13.1.1.4, 14.0.1.1, 14.1.0.2
739432 3-Major BT739432 F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems 14.1.0.2
738108-1 3-Major BT738108 SCTP multi-homing INIT address parameter doesn't include association's primary address 14.1.0.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
753642-1 2-Critical BT753642 iHealth may report false positive for Critical Malware 14.1.0.2
752835-2 2-Critical K46971044, BT752835 Mitigate mcpd out of memory error with auto-sync enabled. 11.6.5.1, 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
750580-1 2-Critical BT750580 Installation using image2disk --format may fail after TMOS v14.1.0 is installed 14.1.0.2
707013-3 2-Critical BT707013 vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest 13.1.1.5, 14.0.1.1, 14.1.0.2
668041-4 2-Critical K27535157, BT668041 Config load fails when an iRule comment ends with backslash in a config where there is also a policy. 13.1.1.4, 14.0.0.5, 14.1.0.2
621260-2 2-Critical BT621260 mcpd core on iControl REST reference to non-existing pool 11.6.5.1, 12.1.5.1, 13.1.1.5, 14.0.1.1, 14.1.0.2
753564-1 3-Major BT753564 Attempt to change password using /bin/passwd fails 14.1.0.2
751011-3 3-Major BT751011 ihealth.sh script and qkview locking mechanism not working 13.1.1.5, 14.1.0.2
751009-3 3-Major BT751009 Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out 13.1.1.4, 14.0.1.1, 14.1.0.2
750661 3-Major BT750661 URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied. 14.1.0.2
750447-3 3-Major BT750447 GUI VLAN list page loading slowly with 50 records per screen 13.1.1.5, 14.1.0.2
749382-1 3-Major BT749382 Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater 14.1.0.2
746873-1 3-Major BT746873 Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing 14.1.0.2
745825-1 3-Major BT745825 The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading 13.1.3.2, 14.1.0.2
737536-2 3-Major BT737536 Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others. 13.1.1.4, 14.0.0.5, 14.1.0.2
721585-1 3-Major BT721585 mcpd core processing ltm monitors with deep level of inheritance 14.1.0.2
639619-7 3-Major BT639619 UCS may fail to load due to Master key decryption failure on EEPROM-less systems 11.6.4, 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
751636-1 4-Minor BT751636 Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership 14.1.0.2
737423-2 4-Minor   Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033 14.1.0.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
754143-1 2-Critical K45456231, BT754143 TCP connection may hang after FIN 13.1.4.1, 14.1.0.2
747617-2 2-Critical BT747617 TMM core when processing invalid timer 12.1.5.2, 13.1.1.5, 14.0.1.1, 14.1.0.2
742184-3 2-Critical BT742184 TMM memory leak 13.1.3, 14.1.0.2
738945-4 2-Critical BT738945 SSL persistence does not work when there are multiple handshakes present in a single record 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
716714-4 2-Critical BT716714 OCSP should be configured to avoid TMM crash. 13.1.1.4, 14.0.1.1, 14.1.0.2
750200-3 3-Major BT750200 DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode 13.1.1.5, 14.0.1.1, 14.1.0.2
749294-4 3-Major BT749294 TMM cores when query session index is out of boundary 12.1.5, 13.1.3.2, 14.0.1.1, 14.1.0.2
746131-4 3-Major   OpenSSL Vulnerability: CVE-2018-0732 14.1.0.2
744686-2 3-Major BT744686 Wrong certificate can be chosen during SSL handshake 14.1.0.2
743900-1 3-Major BT743900 Custom DIAMETER monitor requests do not have their 'request' flag set 14.1.0.2
739963-4 3-Major BT739963 TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup 12.1.5, 13.1.1.4, 14.0.1.1, 14.1.0.2
739349-3 3-Major BT739349 LRO segments might be erroneously VLAN-tagged. 13.1.1.4, 14.0.1.1, 14.1.0.2
724327-2 3-Major BT724327 Changes to a cipher rule do not immediately have an effect 13.1.1.4, 14.1.0.2
720219-3 3-Major K13109068, BT720219 HSL::log command can fail to pick new pool member if last picked member is 'checking' 12.1.5, 13.1.3, 14.0.1.1, 14.1.0.2
717896-4 3-Major BT717896 Monitor instances deleted in peer unit after sync 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
717100-1 3-Major BT717100 FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member 12.1.4.1, 13.1.1.4, 14.0.1.1, 14.1.0.2
716167-2 3-Major BT716167 The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp 13.1.3.4, 14.1.0.2
704450-5 3-Major BT704450 bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration 12.1.5.2, 13.1.3.2, 14.1.0.2
703593-1 3-Major BT703593 TMSH tab completion for adding profiles to virtual servers is not working as expected 14.1.0.2


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
756094-2 2-Critical BT756094 DNS express in restart loop, 'Error writing scratch database' in ltm log 12.1.4.1, 13.1.1.5, 14.1.0.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
752942-1 2-Critical BT752942 Live Update cannot be used by Administrator users other than 'admin' and 'root' 14.1.0.2
750922-1 2-Critical BT750922 BD crash when content profile used for login page has no parse parameters set 13.1.1.4, 14.0.0.5, 14.1.0.2
749136-1 2-Critical BT749136 Disk partition /var/log is low on free disk space 14.1.0.2
748321-1 2-Critical BT748321 bd crash with specific scenario 14.1.0.2
744347-4 2-Critical BT744347 Protocol Security logging profiles cause slow ASM upgrade and apply policy 12.1.4, 13.1.1.4, 14.0.0.5, 14.1.0.2
721741-4 2-Critical BT721741 BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative 12.1.3.7, 13.1.1.2, 14.1.0.2
754420-1 3-Major BT754420 Missing policy name in exported ASM request details 14.0.0.5, 14.1.0.2
754066-1 3-Major BT754066 Newly added Systems are not added as part of installing a Server Technologies update file 14.1.0.2
753295-1 3-Major BT753295 ASM REST: All signatures being returned for policy Signatures regardless of signature sets 14.1.0.2
750973-1 3-Major BT750973 Import XML policy error 14.1.0.2
750793-2 3-Major BT750793 Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition 14.0.0.5, 14.1.0.2
750686-1 3-Major BT750686 ASE user cannot create or modify a bot signature. 14.1.0.2
750683-1 3-Major BT750683 REST Backwards Compatibility: Cannot modify enforcementMode of host-name 14.1.0.2
750668-1 3-Major BT750668 Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition 14.1.0.2
750666-1 3-Major BT750666 Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common' 14.1.0.2
750356-2 3-Major BT750356 Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted 13.1.1.4, 14.0.0.5, 14.1.0.2
749500-1 3-Major BT749500 Improved visibility for Accept on Microservice action in Traffic Learning 14.1.0.2
749109-3 3-Major BT749109 CSRF situation on BIGIP-ASM GUI 13.1.1.5, 14.0.0.5, 14.1.0.2
748999-3 3-Major BT748999 invalid inactivity timeout suggestion for cookies 13.1.1.4, 14.0.0.5, 14.1.0.2
748848-2 3-Major BT748848 Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers 14.0.0.5, 14.1.0.2
748409-2 3-Major BT748409 Illegal parameter violation when json parsing a parameter on a case-insensitive policy 14.0.0.5, 14.1.0.2
747977-1 3-Major BT747977 File manually uploaded information is not synced correctly between blades 14.1.0.2
747777-3 3-Major BT747777 Extractions are learned in manual learning mode 13.1.1.4, 14.0.0.5, 14.1.0.2
747550-3 3-Major BT747550 Error 'This Logout URL already exists!' when updating logout page via GUI 13.1.1.4, 14.0.0.5, 14.1.0.2
746750-1 3-Major BT746750 Search Engine get Device ID challenge when using the predefined profiles 14.1.0.2
746298-1 3-Major BT746298 Server Technologies logos all appear as default icon 14.1.0.2
745813-1 3-Major BT745813 Requests are reported to local log even if only Bot Defense remote log is configured 14.1.0.2
745624-1 3-Major BT745624 Tooltips for OWASP Bot Categories and Anomalies were added 14.1.0.2
745607-1 3-Major BT745607 Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly 14.1.0.2
745531-2 3-Major BT745531 Puffin Browser gets blocked by Bot Defense 13.1.1.4, 14.1.0.2
742852-1 3-Major BT742852 Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header 14.1.0.2
739945-4 3-Major BT739945 JavaScript challenge on POST with 307 breaks application 12.1.4, 13.1.1.5, 14.0.1.1, 14.1.0.2
738676-1 3-Major BT738676 Errors when trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests 14.1.0.2
737866-2 3-Major BT737866 Rare condition memory corruption 14.1.0.2
754365-5 4-Minor BT754365 Updated flags for countries that changed their flags since 2010 12.1.4.1, 13.1.1.5, 14.0.0.5, 14.1.0.2
721724-1 4-Minor BT721724 LONG_REQUEST notice print incorrect in BD log 14.1.0.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
746941-2 2-Critical BT746941 Memory leak in avrd when BIG-IQ fails to receive stats information 13.1.1.4, 14.0.0.5, 14.1.0.2
753446-2 3-Major BT753446 avrd process crash during shutdown if connected to BIG-IQ 13.1.1.5, 14.0.0.5, 14.1.0.2
749464-2 3-Major BT749464 Race condition while BIG-IQ updates common file 13.1.1.4, 14.0.0.5, 14.1.0.2
749461-2 3-Major BT749461 Race condition while modifying analytics global-settings 13.1.1.4, 14.0.0.5, 14.1.0.2
745027-2 3-Major BT745027 AVR is doing extra activity of DNS data collection even when it should not 13.1.1.4, 14.0.0.5, 14.1.0.2
744595-3 3-Major BT744595 DoS-related reports might not contain some of the activity that took place 13.1.1.4, 14.0.0.5, 14.1.0.2
744589-3 3-Major BT744589 Missing data for Firewall Events Statistics 13.1.1.4, 14.0.0.5, 14.1.0.2
715110-1 3-Major BT715110 AVR should report 'resolutions' in module GtmWideip 13.1.0.8, 14.1.0.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
752592-1 2-Critical BT752592 VMware Horizon PCoIP clients may fail to connect shortly after logout 13.1.1.5, 14.1.0.2
754346-2 3-Major BT754346 Access policy was not found while creating configuration snapshot. 13.1.1.4, 14.0.0.5, 14.1.0.2
746771-3 3-Major BT746771 APMD recreates config snapshots for all access profiles every minute 13.1.1.4, 14.1.0.2
745654-4 3-Major BT745654 Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server 12.1.4.1, 13.1.1.4, 14.0.0.5, 14.1.0.2
743437-3 3-Major BT743437 Portal Access: Issue with long 'data:' URL 13.1.1.4, 14.0.0.5, 14.1.0.2


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
749603-1 3-Major BT749603 MRF SIP ALG: Potential to end wrong call when BYE received 13.1.1.5, 14.0.1.1, 14.1.0.2
749227-1 3-Major BT749227 MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE 14.0.1.1, 14.1.0.2
748043-2 3-Major BT748043 MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP 13.1.1.5, 14.0.1.1, 14.1.0.2
747187-2 3-Major BT747187 SIP falsely detects media flow collision when SDP is in both 183 and 200 response 12.1.5.2, 13.1.1.5, 14.0.1.1, 14.1.0.2
745715-2 3-Major BT745715 MRF SIP ALG now supports reading SDP from a mime multipart payload 14.1.0.2
745628-1 3-Major BT745628 MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message 13.1.3, 14.0.1.1, 14.1.0.2
745514-1 3-Major BT745514 MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message 13.1.3, 14.0.1.1, 14.1.0.2
745404-4 3-Major BT745404 MRF SIP ALG does not reparse SDP payload if replaced 12.1.5.2, 13.1.3, 14.0.1.1, 14.1.0.2
744949-1 3-Major BT744949 MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix 13.1.1.5, 14.0.1.1, 14.1.0.2
744275-1 3-Major BT744275 BIG-IP system sends Product-Name AVP in CER with Mandatory bit set 13.1.3.4, 14.1.0.2
742829-1 3-Major BT742829 SIP ALG: Do not translate and create media channels if RTP port defined in the SIP message is 0 13.1.1.4, 14.0.1.1, 14.1.0.2


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
747104-1 1-Blocking K52868493, BT747104 LibSSH: CVE-2018-10933 12.1.4.1, 13.1.1.4, 14.1.0.2
752363-2 2-Critical BT752363 Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled 13.1.3, 14.1.0.2
749331-3 2-Critical BT749331 Global DNS DoS vector does not work in certain cases 14.1.0.2
747922-3 2-Critical BT747922 With AFM enabled, during bootup, there is a small possibility of a tmm crash 13.1.3.2, 14.1.0.2
748176-1 3-Major BT748176 BDoS Signature can wrongly match a DNS packet 14.1.0.2
748081-1 3-Major BT748081 Memory leak in Behavioral DoS module 13.1.1.5, 14.1.0.2
747926-2 3-Major BT747926 Rare TMM restart due to NULL pointer access during AFM ACL logging 13.1.1.4, 14.1.0.2


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
726647-5 3-Major BT726647 PEM content insertion in a compressed response may truncate some data 12.1.4.1, 13.1.1.2, 14.0.0.3, 14.1.0.2


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
752782-1 3-Major BT752782 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe' 13.1.1.5, 14.0.0.5, 14.1.0.2
741449-3 4-Minor BT741449 alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts 13.1.1.4, 14.0.0.5, 14.1.0.2
738677-1 4-Minor BT738677 Configured name of wildcard parameter is not sent in data integrity alerts 14.1.0.2


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
755378-1 2-Critical BT755378 HTTPS connection error from Chrome when BADOS TLS signatures configured 14.1.0.2
727136-1 3-Major BT727136 One dataset contains large number of variations of TLS hello messages on Chrome 14.1.0.2


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
745733-3 3-Major BT745733 TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup 13.1.3.5, 14.1.0.2



Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
745629 2-Critical BT745629 Ordering Symantec and Comodo certificates from BIG-IP 14.1.0.1
713817-1 3-Major BT713817 BIG-IP images are available in Alibaba Cloud 14.1.0.1
738891-1 4-Minor BT738891 TLS 1.3: Server SSL fails to increment key exchange method statistics 14.1.0.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
746424 2-Critical BT746424 Patched Cloud-Init to support AliYun Datasource 14.1.0.1
745851 3-Major BT745851 Changed Default Cloud-Init log level to INFO from DEBUG 14.1.0.1
742251-1 4-Minor BT742251 Add Alibaba Cloud support to Qkview 14.1.0.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
745774-1 3-Major BT745774 Creating EC-only client SSL profile for forward-proxy without RSA key certs defined results in invalid profile 14.1.0.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
749774-5 3-Major BT749774 EDNS0 client subnet behavior inconsistent when DNS Caching is enabled 11.5.8, 11.6.3.4, 12.1.4, 13.1.1.4, 14.0.0.4, 14.1.0.1
749675-5 3-Major BT749675 DNS cache resolver may return a malformed truncated response with multiple OPT records 11.5.8, 11.6.3.4, 12.1.4, 13.1.1.4, 14.0.0.4, 14.1.0.1

 

Cumulative fix details for BIG-IP v14.1.5.1 that are included in this release

999933-4 : TMM may crash while processing DNS traffic on certain platforms

Links to More Info: K28042514, BT999933


999901-4 : Certain LTM policies may not execute correctly after a system reboot or TMM restart.

Links to More Info: K68816502, BT999901

Component: Local Traffic Manager

Symptoms:
After a system reboot or TMM restart, LTM policies referencing an external data-group may not execute correctly, regardless of a successful matching condition.

This can cause a wide range of issues, including misrouted traffic, unshaped traffic, the bypassing of ASM, or complete traffic failure (based on the policy actions).

Note that if a virtual server references multiple LTM policies, and only some of those policies reference an external data-group, all LTM policies attached to the virtual server will be affected.

Conditions:
-- LTM policy with an external data-group configured on a virtual server.
-- System reboot or TMM restart.

Impact:
LTM policies may be unable to execute the appropriate action on a successful matching condition, leading to a wide range of traffic-impacting consequences.

Workaround:
Remove and re-add the affected policy to the desired virtual-server. Alternatively, to fix a wider number of affected virtual servers in one go, reload the system configuration by executing 'tmsh load sys config'.

Fix:
TMM now loads LTM policies with external data-groups as expected.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


999125-3 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.

Links to More Info: BT999125

Component: TMOS

Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.

Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.

Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).

Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.

Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:

tmsh restart sys service sod

Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.

Fix:
Redundant devices remain in the correct failover state following a management IP address change.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


999097-4 : SSL::profile may select profile with outdated configuration

Links to More Info: BT999097

Component: Local Traffic Manager

Symptoms:
Under some circumstances, an iRule-selected SSL profile may send a previously configured certificate to the peer.

Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.

Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.

Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.

Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


998781 : When a large number of feed list URLs is configured, BIG-IP takes a long time to sync the IP list

Links to More Info: BT998781

Component: Advanced Firewall Manager

Symptoms:
If large numbers of feed URLs are configured in the IPI Policy, it takes a lot of time to fetch the IP lists from the feed server. BIG-IP system performance is significantly degraded.

Conditions:
-- security ip-intelligence policy
-- security ip-intelligence feed-list : add large number of URLs to the list

Impact:
It can take several minutes to multiple hours for the BIG-IP system to fetch updates from the feed server.

Workaround:
None

Fix:
With the fix, performance has improved significantly.

Fixed Versions:
14.1.5


998729 : Query for virtual address statistics is slow when there are hundreds of virtual addresses and address list entries

Links to More Info: BT998729

Component: TMOS

Symptoms:
If there are hundreds of virtual addresses and hundreds of address entries spanning one or more address lists, mcpd might take seconds to reply to a query for virtual address statistics.

One of the more commonly visible signs of this is high CPU usage by mcpd if it's processing a large number of queries for virtual address statistics. It is also likely that snmpd responses will be severely delayed to SNMP agent requests.

Conditions:
-- Hundreds of virtual servers.
-- Hundreds of address entries spanning one or many address lists.
-- Running SNMP queries for virtual address statistics.

Impact:
-- High CPU usage by mcpd.
-- SNMP requests/polling timeouts occur because mcpd takes hundreds of milliseconds to respond.

Note: If the address lists that contain the entries are not used in traffic-matching-criteria (and therefore do not increase the size of the tmstat virtual_address_stat table), mcpd response time is in the tens of milliseconds.

Workaround:
None

Fix:
Improved performance of queries for virtual address statistics when there are hundreds of virtual addresses and address list entries.

Fixed Versions:
14.1.4.4


998221-4 : Accessing pool members from configuration utility is slow with large config

Links to More Info: BT998221

Component: TMOS

Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.

Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.

Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second.

Managing pool members from the configuration utility is very slow, causing a performance impact.

Workaround:
None

Fix:
Optimized the GUI query used for retrieving pool members data.

Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2, 16.1.2


997929-4 : Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic

Links to More Info: BT997929

Component: Local Traffic Manager

Symptoms:
If a virtual server is using a traffic-matching-criteria (TMC) with a destination-inline-port of zero ('any'), and this is later changed (either to a non-zero port value, or to a port-list with non-zero port values) the virtual server stops processing traffic.

If tmm is restarted (which causes an outage) the virtual server resumes accepting traffic using the new ports. In addition, changing the virtual server's port back to 'any' also causes traffic processing to resume.

Conditions:
-- A virtual server using an address list for its destination, and 'any' (zero) for its destination port.

-- Changing the virtual server's destination port to a non-zero value, or to a port-list with non-zero port values.

Impact:
The virtual server stops processing traffic.

Workaround:
To recover, you can do either of the following:

-- Restart tmm:
bigstart restart tmm

-- Change the virtual server's port back to 'any' (0).

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2


997193-2 : TCP connections may fail when AFM global syncookies are in operation.

Links to More Info: K16101409, BT997193


997137-4 : CSRF token modification may allow WAF bypass on GET requests

Links to More Info: K80945213, BT997137

Component: Application Security Manager

Symptoms:
Under certain conditions a parameter is not processed as expected.

Conditions:
1. CSRF feature is configured
2. Request contains a crafted parameter

Impact:
A malicious request will bypass signatures and will not raise any attack signature violation.

Workaround:
N/A

Fix:
The parameter is now processed as expected.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1


996593-3 : Password change through REST or GUI not allowed if the password is expired

Links to More Info: BT996593

Component: TMOS

Symptoms:
When trying to update the expired password through REST or the GUI, the system reports an error:

Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.

Conditions:
-- Password is expired.
-- Password change is done through either REST or the GUI.

Impact:
Expired password cannot be updated through REST or the GUI.

Workaround:
Update password using tmsh:

tmsh modify auth password <username>

Fix:
You can now change an expired password through REST or the GUI.

Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2


996381-4 : ASM attack signature may not match as expected

Links to More Info: K41503304, BT996381

Component: Application Security Manager

Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.

Conditions:
- Attack signature 200000128 enabled.

Impact:
Processed traffic may not match all expected attack signatures

Workaround:
N/A

Fix:
Attack signature 200000128 now matches as expected.

Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1


996233-3 : Tomcat may crash while processing TMUI requests

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, Tomcat may crash while processing TMUI requests.

Conditions:
- GTM provisioned
- Authenticated administrative user
- TMUI request

Impact:
Access to the TMUI disrupted while Tomcat restarts.

Workaround:
N/A

Fix:
TMUI now processes requests as expected.

Fixed Versions:
14.1.5, 16.1.3


996113-4 : SIP messages with unbalanced escaped quotes in headers are dropped

Links to More Info: BT996113

Component: Service Provider

Symptoms:
Dropped SIP messages.

Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote

Impact:
Certain SIP messages are not being passed via MRF.

Workaround:
None

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


996001-2 : AVR Inspection Dashboard 'Last Month' does not show all data points

Links to More Info: BT996001

Component: TMOS

Symptoms:
A daily report (a report with a resolution of one day per data point) can be provided only for requests of up to 30 days. A request for 31 days shows only 2 entries.

Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.

Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.

Workaround:
None

Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


995853-3 : Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error.

Links to More Info: BT995853

Component: Global Traffic Manager (DNS)

Symptoms:
Unable to create a GSLB Server object with both IPv4 and IPv6 self IPs as device IPs.

Conditions:
-- DNS and LTM services enabled.
-- Configure two self IPs on the box for IPv4 and IPv6.
-- GSLB Server object creation with IPv4 and IPv6 addresses in the device tab, along with Virtual Server Discovery enabled.

Impact:
GSLB Server object creation fails.

Workaround:
TMSH is not impacted. Use TMSH to create GSLB Server objects.

Fix:
GSLB Server object creation no longer fails.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4


995629-2 : Loading UCS files may hang if ASM is provisioned

Links to More Info: BT995629

Component: TMOS

Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.

Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.

Impact:
-- UCS load might fail.
-- Config save and load operations fail while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.

Workaround:
If you encounter this, run 'load sys config default' to de-provision ASM. The UCS file should then load successfully.

Note: If loading a UCS archive with the 'platform-migrate' argument, then there is no workaround. See: https://cdn.f5.com/product/bugtracker/ID990849.html

Fix:
Loading UCS files no longer hangs if ASM is provisioned.

Fixed Versions:
13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2


995433-4 : IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT

Links to More Info: BT995433

Component: Advanced Firewall Manager

Symptoms:
The PPTP log entries for NAT64 traffic have a truncated IPv6 address.

Conditions:
This is encountered when viewing PPTP log entries.

Impact:
IPv6 addresses in PPTP logs are truncated.

Workaround:
None

Fix:
The full IPv6 address is now logged in PPTP logs.

Fixed Versions:
14.1.4.5, 15.1.4.1


995029 : Configuration is not updated during auto-discovery

Links to More Info: BT995029

Component: Access Policy Manager

Symptoms:
Auto-discovery fails, resulting in OAuth failure. In /var/log/apm:

-- OAuth Client: failed for server '<server>' using 'authorization_code' grant type (<grant type>), error: None of the configured JWK keys match the received JWT token

Conditions:
JSON Web Token (JWT) auto-discovery is enabled via JSON Web Keys (JWK).

Impact:
JWT auto-discovery fails and the configuration is not updated.

Workaround:
Use the GUI to manually retrieve the JWKs by clicking the 'Discovery' button for OpenID URI in 'Access :: Federation : OAuth Client / Resource Server : Provider :: <name of provider>'.

Fix:
Fixed an issue with auto-discovery and JWKs.

Fixed Versions:
14.1.4.2, 15.1.4


994985-1 : CGNAT GUI shows blank page when applying SIP profile

Links to More Info: BT994985

Component: Carrier-Grade NAT

Symptoms:
The virtual server properties GUI page shows blank when a SIP profile is applied to the virtual server.

Conditions:
-- Create virtual server and attach a SIP profile.
-- Navigate to virtual server properties page.

Impact:
The virtual server properties page does not display the configuration.

Workaround:
None.

Fix:
The GUI now shows the virtual server config page with all config values.

Fixed Versions:
14.1.4.2, 15.1.4


994801-4 : SCP file transfer system

Component: TMOS

Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.

Conditions:
A user assigned to a role, such as Resource Administrator, without Advanced Shell access can run arbitrary SCP file transfer commands.

Impact:
Users without Advanced Shell access can run SCP file transfer commands.

Workaround:
None

Fix:
This issue is fixed. The SCP file transfer system now follows current best practices. Users without Advanced Shell access cannot run SCP file transfer commands.

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2


993981-4 : TMM may crash when ePVA is enabled

Links to More Info: K52340447, BT993981


993921-1 : TMM SIGSEGV

Links to More Info: BT993921

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes on SIGSEGV.

Conditions:
This is a rarely occurring issue associated with the iRule command 'pool XXXX member XXXX'.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use 'pool XXXX member XXXX' iRule command.

Fix:
This rarely occurring issue is now fixed.

Fixed Versions:
14.1.5.1


993913-1 : TMM SIGSEGV core in Message Routing Framework

Links to More Info: BT993913

Component: Service Provider

Symptoms:
TMM crashes on SIGSEGV.

Conditions:
This can occur while passing traffic through the message routing framework.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1


993613-4 : Device fails to request full sync

Links to More Info: BT993613

Component: Application Security Manager

Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs.

Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.

Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- A large number of asm_config_server processes increases host memory usage.

Workaround:
Halting asm_config_server on the stuck device restores the working state and requests a new sync.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


993517-4 : Loading an upgraded config can result in a file object error in some cases

Links to More Info: BT993517

Component: Local Traffic Manager

Symptoms:
After an upgrade from a version prior to 13.1.0, when loading a configuration that has had an HTTPS monitor in it, if that configuration has not yet been saved, you may see errors like this in the LTM log:

-- 0107134a:3: File object by name (DEFAULT) is missing.

If you run 'tmsh load sys config verify' on this configuration, the system also posts the error on the screen.

Conditions:
-- Upgrading from a version prior to 13.1.0.
-- At least one HTTPS monitor that has the kEDH cipher in its cipherlist.
-- Upgrading to version 13.1.1.4 or later.
-- Loading the configuration (either automatically on startup, or manually).

Impact:
Other than the error message, there is no impact.

Workaround:
After the initial reboot, save the configuration.

Fixed Versions:
14.1.5, 16.1.2.2


993489-4 : GTM daemon leaks memory when reading GTM link objects

Links to More Info: BT993489

Component: Global Traffic Manager (DNS)

Symptoms:
The gtmd process memory consumption is higher than expected.

Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.

Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.

Workaround:
None

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1


993457-3 : TMM core with ACCESS::policy evaluate iRule

Links to More Info: BT993457

Component: Access Policy Manager

Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.

Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.

Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


992213-1 : Protocol Any displayed as HOPTOPT in AFM policy view

Links to More Info: BT992213

Component: Advanced Firewall Manager

Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.

Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.

Impact:
GUI shows an incorrect value.

Workaround:
None

Fix:
The GUI shows the correct value for the rule protocol option.

Fixed Versions:
14.1.4.2, 15.1.4, 16.1.1


992121-2 : REST "/mgmt/tm/services" endpoint is not accessible

Links to More Info: BT992121

Component: TMOS

Symptoms:
Accessing "/mgmt/tm/services" fails with a null exception and returns a 400 response.

Conditions:
When accessing /mgmt/tm/services through the REST API.

Impact:
Unable to get services through the REST API. BIG-IQ needs that call for monitoring.

Fix:
The /mgmt/tm/services endpoint is accessible through the REST API and returns the services successfully.

Fixed Versions:
14.1.5.1


992097-1 : Incorrect hostname is seen in logging files

Links to More Info: BT992097

Component: TMOS

Symptoms:
-- On the local blade, slot information is missing from LTM logs. Only the hostname is logged.
-- For messages received from another blade, the hostname is replaced by the word "slotX".

Conditions:
Multi-bladed VIPRION or VIPRION-based vCMP guest.

Impact:
Remote log collectors cannot identify the log message based on hostname and/or blade number.

Workaround:
None

Fixed Versions:
14.1.5


992073-1 : APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS

Links to More Info: K93543114, BT992073


991037-1 : MR::message can cause tmm crash

Links to More Info: BT991037

Component: Service Provider

Symptoms:
The iRule command MR::message drop can occasionally trigger a memory corruption and tmm crash.

Conditions:
The iRule command MR::message drop is used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
14.1.4.3


990849-3 : Loading UCS with platform-migrate option hangs and requires exiting from the command

Links to More Info: BT990849

Component: TMOS

Symptoms:
The UCS loading process with platform-migrate stops responding and hangs after printing:

Platform migrate loaded successfully. Saving configuration.

Conditions:
Load UCS with platform-migrate option:
tmsh load sys ucs <ucs_name> platform-migrate

Note: If you are loading a UCS archive created on a system running a different software version that also has an ASM configuration, there are other aspects to consider. See: https://cdn.f5.com/product/bugtracker/ID995629.html

Impact:
The UCS loading process stops responding, causing the device to be in an INOPERATIVE state.

Workaround:
None.

Fix:
Loading UCS with the platform-migrate option executes smoothly without getting stuck.

Fixed Versions:
13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2


990461-2 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade

Links to More Info: BT990461

Component: Advanced Firewall Manager

Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.

Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.

Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.

Workaround:
Manually update the SYN cookie threshold values after an upgrade.

Fixed Versions:
14.1.4.4, 16.1.3


990333-4 : APM may return unexpected content when processing HTTP requests

Links to More Info: K75540265, BT990333


989753-3 : In HA setup, standby fails to establish connection to server

Links to More Info: BT989753

Component: Service Provider

Symptoms:
In a high availability (HA) setup, standby fails to establish a connection to the server with the log message:

err tmm[819]: 01850008:3: MR: Received HA message targeting missing transport-config

Conditions:
In MRF (diameter/SIP) HA setup with connection mirroring enabled.

Impact:
Standby BIG-IP system fails to establish a connection to the server.

Workaround:
None.

Fix:
Standby is now able to establish a connection to the server.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


989701-4 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response

Links to More Info: K42355373, BT989701


989637-4 : TMM may crash while processing SSL traffic

Links to More Info: K08476614, BT989637


989009-4 : BD daemon may crash while processing WebSocket traffic

Links to More Info: K05314769, BT989009


988549-4 : CVE-2020-29573: glibc vulnerability

Links to More Info: K27238230, BT988549


988533-3 : GRE-encapsulated MPLS packet support

Links to More Info: BT988533

Component: TMOS

Symptoms:
There is no facility to accept packets using GRE-encapsulated MPLS. The GUI gives only encapsulation options for IP address (0x0800) and transparent ethernet bridging (0x6558).

Conditions:
This is encountered when attempting to configure BIG-IP systems to handle GRE-encapsulated MPLS.

Impact:
Packets get dropped when they are GRE-encapsulated with MPLS.

Workaround:
None

Fix:
Encapsulated MPLS packets over GRE are now supported in a way similar to IP address and transparent ethernet bridging.

Fixed Versions:
14.1.4.5, 15.1.4.1


988005-3 : Zero active rules counters in GUI

Links to More Info: BT988005

Component: Advanced Firewall Manager

Symptoms:
When accessing Security :: Network Firewall :: Active Rules in UI, the active rules count is stuck at 0 (zero).

Conditions:
Access the following menu path:
Security :: Network Firewall :: Active Rules

Impact:
Incorrect information on active rules count is seen in the UI.

Workaround:
Disable firewall inline editor.

Fix:
The active rules count column now displays the correct number of times a rule has been hit.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


987885-3 : Half-open unclean SSL termination might not close the connection properly

Links to More Info: BT987885

Component: Local Traffic Manager

Symptoms:
Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached.

Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.

Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.

Workaround:
None.

Fixed Versions:
14.1.5.1


987341-3 : BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers.

Links to More Info: BT987341

Component: Access Policy Manager

Symptoms:
BIG-IP discovers and updates JSON Web Keys (JWK) in OpenID Connect (OIDC) deployments using a Java Runtime Environment (JRE). The JRE in BIG-IP does not support strong TLS ciphers, so the discovery/update process can fail against OIDC providers that enforce strong encryption requirements.

Conditions:
Using an OpenID Connect provider that allows only strong TLS ciphers, and using an APM configuration that validates incoming JWTs against a dynamic JWK list in Internal Validation Mode.

Impact:
This might cause discovery to fail against certain OpenID Connect auth providers that enforce strong cipher requirements. It could lead to JWT validation failure as the JWKs expire and cannot be updated by BIG-IP.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
14.1.5


987113-2 : CMP state degraded while under heavy traffic

Links to More Info: BT987113

Component: TMOS

Symptoms:
When a VELOS 8 blade system is under heavy traffic, the clustered multiprocessing (CMP) state could become degraded. This can show up as a dramatic drop in traffic performance.

Conditions:
Exact conditions are unknown; the issue was observed while under heavy traffic with all 8 blades configured for a tenant.

Impact:
System performance drops dramatically.

Workaround:
Lower traffic load.

Fix:
Fixed an inconsistent CMP state.

Fixed Versions:
14.1.5, 15.1.4


987077-4 : TLS1.3 with client authentication handshake failure

Links to More Info: BT987077

Component: Local Traffic Manager

Symptoms:
SSL handshakes fail, and TLS clients send 'Bad Record MAC' errors.

Conditions:
-- LTM authentication profile using OCSP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.

Impact:
-- A handshake failure occurs.
-- Client certificate authentication may pass without checking its validity via OCSP.

Workaround:
Use TLS1.2 or use TLS1.3 without the LTM authentication profile.

Fix:
Handshake completes if using TLS1.3 with client authentication and LTM auth profile.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.3


985953-2 : GRE Transparent Ethernet Bridging inner MAC overwrite

Links to More Info: BT985953

Component: TMOS

Symptoms:
Traffic is not collected by the virtual server and therefore is not forwarded to the nodes.

Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.

Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.

Workaround:
None

Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


984765-4 : APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)

Links to More Info: BT984765

Component: Access Policy Manager

Symptoms:
NTLM User logon authentication fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) from the Active Directory (AD) server.

Conditions:
-- Upgrading from legacy versions to BIG-IP v14.1.2 or later.
-- AD servers are updated with latest security patches from Microsoft.

Impact:
NTLM Authentication fails after a week. APM end user client logon (such as Outlook users, Remote Desktop Users, and Browser-based NTLM Auth logons that use BIG-IP APM as forward/reverse proxy) fails, and the service is down.

Workaround:
To resolve the issue temporarily, use either of the following:

-- Reset the NTLM Machine Account with the 'Renew Machine Password' option.

-- Run the command:
bigstart restart nlad

The problem can reappear after a week, so you must repeat these steps each time the issue occurs.

Fixed Versions:
14.1.4.4, 15.1.4


984593-3 : BD crash

Links to More Info: BT984593

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


982869-3 : With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0

Links to More Info: BT982869

Component: Service Provider

Symptoms:
Tmm may crash.

Conditions:
This occurs when auto initialization is enabled for one or more Message Routing peers and during CMP transition when tmm_total_active_npus value is 0.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Tmm no longer crashes under these conditions.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


982757-6 : APM Access Guided Configuration hardening

Links to More Info: K53197140


982697-4 : ICMP hardening

Links to More Info: K41440465, BT982697


982341-4 : iControl REST endpoint hardening

Links to More Info: K53197140, BT982341


981785-2 : Incorrect incident severity in Event Correlation statistics

Links to More Info: BT981785

Component: Application Security Manager

Symptoms:
When reported to AVR, incident severity reads "correlation" instead of "high" or "medium".

Conditions:
Usually happens for the first incident after ASM startup.

Impact:
Incorrect statistics in Event Correlation summary (Incident Severity graph), and also in tmsh analytics report.

Workaround:
Use severity info from the Incidents list.

Fix:
Event Correlation engine was fixed and now incident severity is reported properly to AVR.

Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2


981693-2 : TMM may consume excessive resources while processing IPSec ALG traffic

Links to More Info: K54892865, BT981693


981689-1 : TMM memory leak with IPsec ALG

Links to More Info: BT981689

Component: Carrier-Grade NAT

Symptoms:
TMM crash due to out of memory.

Conditions:
-- IPsec ALG virtual server in BIG-IP passes traffic normally.
-- IPsec ALG connections are aborted. A common cause of IPsec ALG failure is CGNAT translation failures.

Impact:
TMM reaches memory limits. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed a tmm memory leak related to IPsec ALG connections.

Fixed Versions:
14.1.4.2, 15.1.4.1


981461-3 : Unspecified DNS responses cause TMM crash

Links to More Info: K45407662, BT981461


981385-4 : AVRD does not send HTTP events to BIG-IQ DCD

Links to More Info: BT981385

Component: Application Visibility and Reporting

Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).

Conditions:
This happens under normal operation.

Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.

Workaround:
None.

Fixed Versions:
13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2


981273-3 : APM webtop hardening

Links to More Info: K41997459, BT981273


981169-3 : F5 TMUI XSS vulnerability CVE-2021-22994

Links to More Info: K66851119, BT981169


980821-1 : Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured.

Links to More Info: BT980821

Component: Local Traffic Manager

Symptoms:
Traffic is directed to a virtual server that is configured with port any even though there is a virtual server with a specific port that the traffic should match.

Conditions:
There are two virtual servers configured:
  - One with a specific port and ip-protocol 'any'
  - One with port any and a specific ip-protocol

Impact:
Traffic destined to the port matches the any-port virtual server rather than the specific port virtual server.

Workaround:
Create individual listeners for specific protocols.

For example, given the configuration:
  ltm virtual vs-port80-protoAny {
    destination 10.1.1.1:80
    ip-protocol any
    ...
  }
  ltm virtual vs-portAny-protoTCP {
    destination 10.1.1.1:0
    ip-protocol TCP
    ...
  }

Replace the vs-port80-protoAny with virtual servers configured for the specific protocols desired:
  ltm virtual vs-port80-protoTCP {
    destination 10.1.1.1:80
    ip-protocol TCP
    ...
  }
  ltm virtual vs-port80-protoUDP {
    destination 10.1.1.1:80
    ip-protocol UDP
    ...
  }

Fix:
A more specific virtual server now takes priority over a wildcard virtual server when processing traffic.

Fixed Versions:
14.1.4.2, 15.1.3.1, 16.0.1.2


980809-3 : ASM REST Signature Rule Keywords Tool Hardening

Links to More Info: K41351250, BT980809


980325-4 : Chmand core due to memory leak from dossier requests.

Links to More Info: BT980325

Component: TMOS

Symptoms:
Chmand generates a core file when get_dossier is run continuously.

Due to excessive dossier requests, there is a high consumption of memory. The program is terminated with signal SIGSEGV, Segmentation fault.

Conditions:
Repeated/continuous dossier requests during licensing operations.

Impact:
Chmand crashes; potential traffic impact while chmand restarts.

Workaround:
None.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4


980125-4 : BD Daemon may crash while processing WebSocket traffic

Links to More Info: K42051445, BT980125


979877-6 : CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information

Component: Access Policy Manager

Symptoms:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:

1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate

2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token)

If an attacker can control both items being compared then that attacker could trigger a crash. For example, if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However, it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).

Conditions:
GENERAL_NAME_cmp, a comparison function, behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME.

Impact:
If the EDIPARTYNAME object or one of the member variables is NULL, then a NULL pointer dereference and a crash may occur, leading to a possible denial of service attack.

Workaround:
No workaround

Fix:
The EDIPARTYNAME comparison is modified by integrating the patch provided in https://github.com/openssl/openssl/commit/f960d81215ebf3f65e03d4d5d857fb9b666d6920

Fixed Versions:
14.1.5.1


978833-3 : Use of CRL-based Certificate Monitoring Causes Memory Leak

Links to More Info: BT978833

Component: Local Traffic Manager

Symptoms:
TMM memory use increases and the aggressive mode sweeper activates.

Conditions:
CRL certificate validator is configured.

Impact:
TMM ssl and ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart.

Workaround:
None.

Fix:
Use of CRL-based certificate monitoring no longer causes memory leak.

Fixed Versions:
14.1.4.4, 15.1.4.1


978393 : GUI screen shows blank screen while importing a certificate

Links to More Info: BT978393

Component: TMOS

Symptoms:
When you click the import button of an existing certificate, the screen goes blank.

Go to:
1. System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: existing_certificate.crt ::
2. Click the 'Import' button at the bottom of the page.

Conditions:
-- Device is upgraded from 13.1.x to 14.1.x.
-- Attempting to import a certificate that was created prior to the upgrade.

Impact:
You are unable to import from a certificate using the GUI.

Workaround:
There are three workarounds:

-- Use the GUI to download and reimport:
1. Download the cert and key.
2. Delete the cert and key from system.
3. Import it back.


-- Use the GUI to rename and save:
1. Rename the cert and key, removing extensions from the file.
2. Update the config file accordingly. The Import button works successfully.

-- Use tmsh to update the certs.

Fix:
Certificates can now be imported via the GUI after upgrade.

Fixed Versions:
14.1.4.1


977657-1 : SELinux errors when deploying a vCMP guest.

Links to More Info: BT977657

Component: TMOS

Symptoms:
An error occurs:
SELinux avc: denied { write } for pid=9292 comm="rpm" name="rpm".

Conditions:
The error occurs when the system is started back up after provisioning vCMP.

Impact:
SELinux avc is denied write permission for rpm_var_lib_t.

Fixed Versions:
14.1.5


977053-3 : TMM crash on standby due to invalid MR router instance

Links to More Info: BT977053

Component: Service Provider

Symptoms:
In high availability (HA) setup, TMM on the standby device may crash due to an invalid Message Routing (MR) router instance.

Conditions:
-- HA environment.
-- Connection mirroring is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM on the standby device no longer crashes under these conditions.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


977005-2 : Network Firewall Policy rules-list showing incorrect 'Any' for source column

Links to More Info: BT977005

Component: Advanced Firewall Manager

Symptoms:
Network Firewall Policy rules-list shows incorrect 'Any' for source column.

Conditions:
- Create a policy under Security :: Network Firewall : Policies.
- Create a rules list with some rules in it.
- Add the rules list to the Policy.
- Verify the GUI shows 'any' under the source column of the root tree of the policy.

Impact:
GUI shows 'Any' extra text under the source column

Workaround:
None

Fix:
The GUI no longer shows extra text

Fixed Versions:
14.1.4.2, 15.1.4


976925-3 : BIG-IP APM VPN vulnerability CVE-2021-23002

Links to More Info: K71891773, BT976925


976669-3 : FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade

Links to More Info: BT976669

Component: TMOS

Symptoms:
After rebooting or replacing a secondary blade, the FIPS integrity check fails for other secondary blades and they fail to fully boot.

Conditions:
This can occur after rebooting or replacing a secondary blade.

Impact:
When the FIPS integrity checks fail the blades won't fully boot.

Workaround:
On the secondary blade reboot, the following critical files are deleted from other secondary blades which leads to FIPS integrity check failure:

/root/.ssh/authorized_keys
/root/.ssh/known_hosts

To mitigate, copy the missing files from the primary blade to the secondary blade.

From the primary blade, issue the following command towards the secondary blade(s).

rsync -avz -e ssh /root/.ssh/* root@<Secondary Blade>:/root/.ssh/

Fix:
Critical files are not deleted during secondary blade reboot.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


976525-2 : Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled

Links to More Info: BT976525

Component: Local Traffic Manager

Symptoms:
In BIG-IP v13.1.3.2 and later, there is new functionality to SNAT the traffic coming from the host system. When there are multiple routes to a destination address and transparent monitors are in use, tmm occasionally picks the wrong source IP for these connections.

Conditions:
-- The db variable snat.hosttraffic is enabled.
-- Gateway pool with multiple members.
-- Transparent monitors.

Impact:
The system chooses the wrong source IP address for the egress interface. That incorrect source IP address might cause traffic to return on the wrong VLAN.

Workaround:
Use either of the following workarounds:

-- Disable VLAN keyed connections: modify sys db connection.vlankeyed value disable

-- Upgrade to a version with a fix for ID 826905 (https://cdn.f5.com/product/bugtracker/ID826905.html) and disable snat.hosttraffic.

Fixed Versions:
14.1.5


976505-1 : Rotated restnoded logs will fail logintegrity verification.

Links to More Info: BT976505

Component: TMOS

Symptoms:
On enabling the logintegrity feature, the rotated restnoded logs fail logintegrity verification.

Conditions:
Logintegrity support feature is enabled:

list sys db logintegrity.support
sys db logintegrity.support {
    value "enable"
}

Impact:
Rotated restnoded logs fail logintegrity verification.

Workaround:
None

Fix:
Restnoded logs are now verified successfully by the logintegrity utility.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


976501-3 : Failed to establish VPN connection

Links to More Info: BT976501

Component: Access Policy Manager

Symptoms:
VPN client exits with message "Failed to establish VPN connection"

Conditions:
-- Connect to Network Access using web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop
-- Internet Explorer browser

Impact:
Client will be unable to launch the VPN tunnel from the browser.

Workaround:
Clear cache in the browser and retry.
Disable caching in the browser.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3


976365-1 : Traffic Classification hardening

Links to More Info: BT976365

Component: Traffic Classification Engine

Symptoms:
Traffic Classification IM packages do not follow current best practices.

Conditions:
- Traffic Classification enabled
- IM packages updated by an authenticated administrative user

Impact:
Traffic Classification IM packages do not follow current best practices.

Workaround:
No Workaround

Fix:
Traffic Classification IM packages now follow current best practices.

Fixed Versions:
14.1.4.3, 15.1.3.1


975809-2 : Rotated restjavad logs fail logintegrity verification.

Links to More Info: BT975809

Component: TMOS

Symptoms:
After enabling the logintegrity feature, the rotated restjavad logs fail logintegrity verification.

Conditions:
Logintegrity support feature is enabled:

list sys db logintegrity.support
sys db logintegrity.support {
    value "enable"
}

Impact:
Rotated restjavad logs fail logintegrity verification.

Workaround:
None

Fix:
Restjavad logs are now verified successfully by the logintegrity utility.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


975593-2 : TMM may crash while processing IPSec traffic

Links to More Info: K06323049, BT975593


975589-2 : CVE-2020-8277 Node.js vulnerability

Links to More Info: K07944249, BT975589


975233-3 : Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992

Links to More Info: K52510511, BT975233


974881-1 : Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic

Links to More Info: BT974881

Component: Service Provider

Symptoms:
Currently, for diameter, a SNAT iRule can be configured with MR_INGRESS and MR_FAILED events. Certain events can cause tmm to crash.

Conditions:
A SNAT iRule is configured with the events CLIENT_ACCEPTED, DIAMETER_INGRESS and DIAMETER_EGRESS for diameter

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to handling certain events in an iRule.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


974341-3 : REST API: File upload

Links to More Info: K08402414, BT974341


974205-2 : Unconstrained wr_urldbd size causing box to OOM

Links to More Info: BT974205

Component: Traffic Classification Engine

Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.

Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.

Impact:
The device eventually runs out of memory (OOM condition).

Workaround:
Restart the wr_urldbd process:
 restart sys service wr_urldbd

Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.

Added two sys DB variables:

-- wr_urldbd.cloud_cache.log.level

Value Range:
sys db wr_urldbd.cloud_cache.log.level {
    value "debug"
    default-value "none"
    value-range "debug none"
}

-- wr_urldbd.cloud_cache.limit

Value Range:
sys db wr_urldbd.cloud_cache.limit {
    value "5500000"
    default-value "5500000"
    value-range "integer min:5000000 max:10000000"
}

Note: Both of these variables are introduced for debugging purposes.

Fixed Versions:
12.1.6, 14.1.4.4, 15.1.4


973661 : Two different 'Attack Signature' updates shown as 'Currently Installed'

Links to More Info: BT973661

Component: Application Security Manager

Symptoms:
After upgrading the system to version 14.1.x, the system shows 2 different 'Attack Signature' update packages as 'Currently Installed'.

Conditions:
Upgrade from version 12.1.x to version 14.1.x.

Impact:
Additional BIG-IP system restart is required.

Workaround:
None

Fixed Versions:
14.1.4.6


973409-4 : CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference

Links to More Info: K42910051, BT973409


973333-3 : TMM buffer-overflow vulnerability CVE-2021-22991

Links to More Info: K56715231, BT973333


973261-4 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects

Links to More Info: BT973261

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d does not try to open TCP connections if a HTTPS monitor contains a cert/key.
/var/log/gtm shows:

err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.

Conditions:
GTM HTTPS monitor with non-default cert/key.

Impact:
Unable to use the HTTPS monitor.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2


973201 : F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions

Links to More Info: BT973201

Component: TMOS

Symptoms:
Releases prior to BIG-IP 14.1.4 allow the installation of incompatible versions of BIG-IP software and cause the tenant to become unusable in F5OS.

Conditions:
This happens when you upload an incompatible version of BIG-IP software into the F5OS BIG-IP tenant and begin a live upgrade.

Impact:
Tenant is unusable when upgrading to an unsupported F5OS BIG-IP version.

Workaround:
None

Fix:
F5OS BIG-IP v14.1.4 and later prevents installation of an invalid F5OS BIG-IP version.

Fixed Versions:
14.1.4, 15.1.4


972517-3 : Appliance mode hardening

Component: Local Traffic Manager

Symptoms:
Appliance mode license restrictions do not follow current best practices.

Conditions:
- Appliance-mode license
- Authenticated administrative user
- Monitors in use

Impact:
Appliance mode does not follow current best practices.

Workaround:
N/A

Fix:
Appliance mode now follows current best practices.

Fixed Versions:
14.1.5


972489-3 : BIG-IP Appliance Mode iControl hardening

Component: iApp Technology

Symptoms:
When operating in Appliance mode iControl does not follow current best practices.

Conditions:
- Authenticated administrative user
- Appliance mode license
- iControl request

Impact:
Appliance mode iControl does not follow current best practices.

Workaround:
N/A

Fix:
iControl now follows current best practices while operating under an Appliance mode license.

Behavior Change:
restjavad.disablerpmtasks with default value true and restjavad.disablepackagemanagementtasks with default value false were introduced.

When restjavad.disablerpmtasks is true, the /mgmt/shared/rpm-tasks endpoint is not accessible. Otherwise, it is accessible.

When restjavad.disablepackagemanagementtasks is true, the /mgmt/shared/package-management-tasks endpoint is not accessible. Otherwise, it is accessible.

Fixed Versions:
14.1.5, 15.1.5.1, 16.1.3


971297-3 : DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade

Links to More Info: BT971297

Component: Global Traffic Manager (DNS)

Symptoms:
The type of DNSSEC keys that are stored on the netHSM is changed from FIPS external to internal during the upgrade.

Conditions:
-- BIG-IP with a NetHSM license
-- BIG-IP uses external DNSSEC keys stored in the NetHSM
-- The BIG-IP device is upgraded

Impact:
The keys are stored locally following the upgrade.

Workaround:
None.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


971217-3 : AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations.

Links to More Info: BT971217

Component: Local Traffic Manager

Symptoms:
An HTTP Security profile can be created and enabled within Advanced Firewall Manager's Protocol Security options. The HTTP Security Profile contains various protocol checks that can be enabled and disabled to allow customization of security checks. When the "Unparsable request content" check is selected, BIG-IP will incorrectly indicate that HTTP POST requests with Content-Length:0 are not allowed assuming that these requests are unparsable. POST requests with Content-Length:0 can still be checked by enabling the "POST request with Content-Length: 0" option in the same profile.

Conditions:
-- HTTP Protocol Security Profile configured with the "Unparsable request content" check.

-- Client sends HTTP POST request with Content-Length:0

Impact:
POST requests of Content-Length 0 cannot be disabled separately from general "Unparsable request content".

Workaround:
None.

Fix:
POST requests containing a Content-Length: 0 header are no longer considered as "Unparsable Request Content" violations and will not incorrectly be reported.

Behavior Change:
POST requests containing a Content-Length: 0 header are no longer considered as "Unparsable Request Content" violations within the AFM HTTP protocol security profile.

Fixed Versions:
14.1.5


970829-4 : iSeries LCD incorrectly displays secure mode

Links to More Info: K03310534, BT970829

Component: Device Management

Symptoms:
On iSeries platforms, the LCD continuously displays secure mode and does not respond to user input.

Conditions:
This occurs if the admin password is anything other than the default on iSeries platforms.

Impact:
The LCD does not respond to user input. The LCD continuously displays secure mode. The /var/log/touchscreen_lcd fills up with error messages:

-- err lcdui[1236]: URL: http://127.4.2.1/mgmt/tm/sys/failover, result: 'Host requires authentication' (204), HTTP method 2, status 401.


The restjavad-audit.*.log may contain similar messages

[I][19005][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/shared/identified-devices/config/device-info","status":401,"from":"127.4.2.2"}
[I][19007][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/global-settings","status":401,"from":"127.4.2.2"}
[I][19009][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/failover","status":401,"from":"127.4.2.2"}

Workaround:
None

Fix:
The LCD now functions normally, and no authentication errors appear in the logs.

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2


970329-4 : ASM hardening

Links to More Info: K70134152, BT970329

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM does not follow current best practices.

Conditions:
- ASM provisioned

Impact:
Attack detection is not triggered as expected

Workaround:
N/A

Fix:
Attack detection is now triggered as expected

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


969637-3 : Config may fail to load with "FIPS 140 operations not available on this system" after upgrade

Links to More Info: BT969637

Component: Local Traffic Manager

Symptoms:
After upgrade, configuration load fails with a log:
"FIPS 140 operations not available on this system"

Conditions:
-- A small subset of the following BIG-IP platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

Impact:
Configuration load fails and the device does not come online.

Fixed Versions:
14.1.4.4, 15.1.4


969509-3 : Possible memory corruption due to DOS vector reset

Links to More Info: BT969509

Component: Advanced Firewall Manager

Symptoms:
Unpredictable result due to possible memory corruption

Conditions:
DOS vector configuration change

Impact:
Memory corruption

Fix:
Added correct logic to reset DOS vector.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2


969317-2 : "Restrict to Single Client IP" option is ignored for vmware VDI

Links to More Info: BT969317

Component: Access Policy Manager

Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.

Conditions:
- Configure APM Webtop with vmware VDI.
- Set "Restrict to Single Client IP" option in Access Profile.
- Try to launch vmware desktop on one client. Copy the launch URI
- Try to launch vmware desktop from other client using the copied URI.

Impact:
A connection from the second client is allowed, but it should not be allowed.

Fix:
Restrict to Single Client IP is honored for VMware VDI for both PCOIP and Blast protocols.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2.1


969213-2 : VMware: management IP cannot be customized via net.mgmt.addr property

Links to More Info: BT969213

Component: TMOS

Symptoms:
IP addresses provided for VM customization in VMware are ignored. The net.mgmt.addr and net.mgmt.gw properties are supposed to be used when customization of IP addresses during VM setup is desired, but the addresses are ignored.

Conditions:
VMware only. Happens in any of the ways in which addresses are supplied via net.mgmt.addr and net.mgmt.gw. See https://clouddocs.f5.com/cloud/public/v1/vmware/vmware_setup.html for scenarios where net.mgmt.addr and net.mgmt.gw can be set. VM customization profiles still work properly.

Impact:
Management IP cannot be customized in VMware during the VM setup.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


969105-1 : HA failover connections via the management address do not work on vCMP guests running on VIPRION

Links to More Info: BT969105

Component: TMOS

Symptoms:
A high availability (HA) failover connection using the management IP addresses does not work on vCMP guests running on a VIPRION device.

BIG-IP instances running directly on hardware, on Virtual Edition, and as vCMP guests running on an appliance are unaffected.

HA failover connections using self IPs are unaffected.

Conditions:
-- vCMP guest running on a VIPRION device
-- high availability (HA) failover connection using the management IP addresses (unicast and/or multicast)

Impact:
Failover state determination over the management port is permanently down.

Workaround:
While self IP-based high availability (HA) failover connections are not affected by this issue, F5 recommends configuring failover connections over both management IPs and self IPs (as detailed in K37361453: Configuring network failover for redundant VIPRION systems :: https://support.f5.com/csp/article/K37361453).

To mitigate this issue, run the following command on each blade of every guest:
touch /var/run/chmand.pid


The workaround does not survive a reboot, so a more permanent workaround is to edit the file /config/startup and add a line to touch /var/run/chmand.pid.

Add this line to the end of /config/startup:

(sleep 120; touch /var/run/chmand.pid) &

Note: The sleep time of 120 seconds should be tested as it depends on how quickly or slowly the Guest starts up, so the appropriate value for one system may differ from another system.


Alternatively, you can use the instructions in K11948: Configuring the BIG-IP system to run commands or scripts upon system startup :: https://support.f5.com/csp/article/K11948 to issue commands at system startup after verifying that mcpd is up and ready, e.g.:

#!/bin/bash
source /usr/lib/bigstart/bigip-ready-functions
wait_bigip_ready

# Customized startup command(s) can be added below this line.
touch /var/run/chmand.pid
# Customized startup command(s) should end above this line.

You may also request an Engineering Hotfix from F5.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4


968733-5 : CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service

Links to More Info: K42202505, BT968733


968725-4 : Linux Kernel Vulnerability CVE-2017-10661

Links to More Info: K04337834, BT968725


968641-1 : Fix for zero LACP priority

Links to More Info: BT968641

Component: Local Traffic Manager

Symptoms:
A LACP priority of zero prevents connectivity to Cisco trunks.

Conditions:
LACP priority becomes 0 when system MAC address has 00:00 at the end.

Impact:
BIG-IP may be unable to connect to Cisco trunks.

Workaround:
None.

Fix:
Eliminated LACP priority equal to 0.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2


968581-3 : TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description

Links to More Info: BT968581

Component: Local Traffic Manager

Symptoms:
The TMSH command "show /ltm profile ramcache" has a max-response option to output the number of records designated in this parameter. Due to the calculation algorithm, the command may output fewer records than RAMCACHE stores or more records than the limit prescribes.

Conditions:
-- A virtual server is configured on BIG-IP.
-- A webacceleration profile with no web application is attached to the virtual server.
-- Traffic is sent over the virtual server with a number of unique cacheable documents that exceed a designated limit.

Impact:
Output of the command may not match the actual list of stored documents in RAMCACHE.

Fix:
The command "show /ltm /profile ramcache" respects the limit defined by the "max-response" parameter.

Fixed Versions:
14.1.5, 15.1.5.1, 16.1.2.2


968421-4 : ASM attack signature doesn't match

Links to More Info: K30291321, BT968421

Component: Application Security Manager

Symptoms:
A specific attack signature doesn't match as expected.

Conditions:
Undisclosed conditions.

Impact:
Attack signature does not match as expected, request is not logged.

Workaround:
N/A

Fix:
Attack signature now matches as expected.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2


968349-1 : TMM crashes with unspecified message

Links to More Info: K19012930, BT968349


967905-3 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash

Links to More Info: BT967905

Component: TMOS

Symptoms:
Tmm crashes.

Conditions:
-- static bwc
-- virtual to virtual chain

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the static bwc on a virtual chain.

Fix:
Fixed a tmm crash.

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2


967889-2 : Incorrect information for custom signature in DoS Protection:DoS Overview (non-http)

Links to More Info: BT967889

Component: Advanced Firewall Manager

Symptoms:
Custom signature of virtual server shows incorrect attack information.

Conditions:
-- Virtual server has a custom signature
-- An attack is mitigated
-- View the custom signature information via Security :: DoS Protection : DoS Overview (non-HTTP)

Impact:
GUI shows incorrect information for custom signature

Fix:
GUI shows correct information for custom signature

Fixed Versions:
14.1.4, 15.1.3


967745-2 : Last resort pool error for the modify command for Wide IP

Links to More Info: BT967745

Component: TMOS

Symptoms:
System reports error for the modify command for Wide IP.

01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.

Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.

Impact:
The object is not modified, and the system reports an error.

Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.

Append the command with last-resort-pool a <pool_name>, for example:

modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test

Fix:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.

Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1


967101-3 : When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out.

Links to More Info: BT967101

Component: Local Traffic Manager

Symptoms:
Gratuitous ARP (GARP) messages are dropped at the time of sending GARP because the number of links up in the trunk is 0 (which returns "error 18" ... ERR_NOT_FOUND)

Conditions:
-- Two BIG-IP systems with switchless configuration, such as i2xxx and i4xxx.
-- Bring down and up the interfaces at the same time in the trunk.

Impact:
Neighboring device arp table is not updated about the BIG-IP interface status, because no gratuitous ARP message is sent out.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


966901-3 : CVE-2020-14364: Qemu Vulnerability

Links to More Info: K09081535, BT966901


966701-3 : Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP

Links to More Info: BT966701

Component: Service Provider

Symptoms:
Client connections are aborted when the generic message router profile is used in conjunction with the SCTP transport profile.

Conditions:
-- SCTP transport profile
-- MRF generic msg router profile

Impact:
BIG-IP is unable to process the traffic received over the SCTP transport for MRF generic message routing

Fix:
Enable the return type in generic msg filter when data is received over SCTP transport

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


966681-2 : NAT translation failures while using SP-DAG in a multi-blade chassis

Links to More Info: BT966681

Component: Carrier-Grade NAT

Symptoms:
NAT translation fails

Conditions:
-- VIPRION multi-blade chassis
-- Configure AFM NAT/CGNAT and attach the AFM NAT Policy / lsnpool to the virtual server
-- Configure sp-dag on the vlans

Impact:
Traffic failure, performance degraded

Workaround:
Change the DB variable tm.lsn.retries to the maximum value of 4096

Fix:
Increased the number of attempts to select a local translation IP (an IP that, when used, causes the return packet to land on the same TMM where the NAT selection is happening). This can be controlled with the DB variable tm.lsn.retries. The actual number of attempts is 16 times the value set in this DB variable.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


966277-3 : BFD down on multi-blade system

Links to More Info: BT966277

Component: TMOS

Symptoms:
After a secondary blade reboots in a multi-blade system, bi-directional forwarding detection (BFD) stops functioning.

Conditions:
-- Multi-blade VIPRION environment
-- BFD enabled
-- A secondary blade reboots

Impact:
BFD flaps on the secondary blade that was rebooted. The BFD session flap clears the routes on the peer.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


965853-1 : IM package file hardening

Links to More Info: K08510472, BT965853


965785-3 : Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine

Links to More Info: BT965785

Component: Application Security Manager

Symptoms:
The DCC.HSL_DATA_PROFILES table on the standby machine stays empty after the sync process. An error for the DB insert failure into table DCC.HSL_DATA_PROFILES is thrown in asm_config_server.log.

Conditions:
There is no specific condition, the problem occurs rarely.

Impact:
Sync process requires an additional ASM restart

Workaround:
Restart ASM after sync process finished

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


965617-1 : HSB mitigation is not applied on BDoS signature with stress-based mitigation mode

Links to More Info: BT965617

Component: Advanced Firewall Manager

Symptoms:
BDoS signature attacks are mitigated in software rather than via HSB

Conditions:
Dynamic or custom signature in stress-based mitigation mode on appliance with HSB support

Impact:
Higher resource load during a DDoS attack

Fix:
Corrected the free spot search with offloading to HSB

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


965581 : Statistics are not reported to BIG-IQ

Links to More Info: BT965581

Component: Application Visibility and Reporting

Symptoms:
After a BIG-IP system is attached to BIG-IQ, there are no statistics reported. The 'avrd' process periodically fails with a core on the BIG-IP system.

Conditions:
A BIG-IP system is attached to BIG-IQ.

Impact:
No statistics collected.

Fix:
The avrd process no longer fails, and statistics are collected as expected.

Fixed Versions:
14.1.4, 15.1.4


965537 : SSL filter does not re-initialize when OCSP validator is modified

Links to More Info: BT965537

Component: Local Traffic Manager

Symptoms:
The client SSL or server SSL profile can specify an OCSP object for client or server certificate status validation.
After modifying the DNS resolver of the OCSP object, the new nameserver is never picked up. In other words, an incorrect OCSP responder will be contacted.

Conditions:
OCSP object is configured in Client Certificate Constrained Delegation (C3D) client SSL or in server SSL and is later modified.

Impact:
The incorrect (or the original) OCSP responder is contacted to get the peer certificate revocation status.

Workaround:
None

Fix:
When an OCSP validator is modified, the system now reloads the SSL profile to pick up the new DNS resolver.

Fixed Versions:
14.1.4


965485-2 : CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL

Links to More Info: K41523201


965229-3 : ASM Load hangs after upgrade

Links to More Info: BT965229

Component: Application Security Manager

Symptoms:
ASM upgrade hangs, and you see the following in /var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------

In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
 info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
 info tsconfig.pl[24675]: ASM initial configration script launched
 info tsconfig.pl[24675]: ASM initial configration script finished
 info asm_start[25365]: ASM config loaded
 err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------

Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade

Impact:
ASM post upgrade config load hangs and there are no logs or errors

Workaround:
None

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


965205-3 : BIG-IP dashboard downloads unused widgets

Links to More Info: BT965205

Component: TMOS

Symptoms:
The BIG-IP dashboard page downloads all widgets, even widgets that are not visible on the dashboard.

Conditions:
This occurs when viewing the BIG-IP dashboard.

Impact:
Slower-than-necessary GUI response, and the dashboard shows higher-than-necessary CPU utilization.

Workaround:
None.

Fixed Versions:
14.1.4.4, 15.1.4.1